Information about Anycast

Routing Schemes
anycast
broadcast
multicast
unicast

Anycast is a network addressing and routing scheme whereby data is routed to the "nearest" or "best" destination as viewed by the routing topology.

The term is intended to echo the terms unicast, broadcast and multicast.

• In unicast, there is a one-to-one association between network address and network endpoint: each destination address uniquely identifies a single receiver endpoint.
• In broadcast and multicast, there is a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, to which all information is replicated.
• In anycast, there is also a one-to-many association between network addresses and network endpoints: each destination address identifies a set of receiver endpoints, but only one of them is chosen at any given time to receive information from any given sender.

On the Internet, anycast is usually implemented by using BGP to simultaneously announce the same destination IP address range from many different places on the Internet. This results in packets addressed to destination addresses in this range being routed to the "nearest" point on the net announcing the given destination IP address.

Anycast is best suited to connectionless protocols (generally built on UDP), rather than connection-oriented protocols such as TCP that keep their own state, since the receiver selected for any given source may change from time to time as optimal routes change, silently breaking any conversations that may be in progress at the time. For stateful protocols where it is required that an entire session will use the same server, systems like GeoDNS are more appropriate.

For this reason, anycast is generally used as a way to provide high availability and load balancing for stateless services such as access to replicated data, for example DNS service is a distributed service over multiple geographically dispersed servers.

Use of anycast to implement DNS

A number of the Internet root nameservers are implemented as large numbers of clusters of machines using anycast. The C, F, I, J, K and M servers exist in multiple locations on different continents, using anycast announcements to provide a decentralized service. As a result most of the physical, rather than nominal, root servers are now outside the United States. RFC 3258 documents how anycast is used to provide authoritative DNS services.

Use of anycast to implement IPv6 transition

There is a 6to4 (IPv6 transition protocol) anycast default gateway available with the IP address 192.88.99.1. (See RFC 3068 for details.) This allows multiple providers to implement 6to4 gateways without hosts needing to know each individual provider's gateway addresses.

Security of anycast

Anycast allows any operator whose routing information is accepted by an intermediate router to hijack any packets intended for the anycast address. While this at first sight appears insecure, it is no different from the routing of ordinary IP packets, and no more or less secure. As with conventional IP routing, careful filtering of who is and is not allowed to propagate route announcements is crucial to prevent man-in-the-middle or blackhole attacks.

Reliability of anycast

Anycast is normally highly reliable, as it can provide automatic failover. Anycast applications typically feature external "heartbeat" monitoring of the server's function, and withdraw the route announcement if the server fails. In some cases this is done by the actual servers announcing the anycast prefix to the router over OSPF or another IGP protocol. If the servers die, the router will automatically withdraw the announcement.

"Heartbeat" functionality is important because, if the announcement continues for a failed server, the server will act as a "black hole" for nearby clients; this failure mode is the most serious mode of failure for an anycast system. Even in this event, this kind of failure will only cause a total failure for clients that are closer to this server than any other, and will not cause a global failure.

(D)DoS and anycast

Anycast on the internet can help to distribute DDoS attacks and reduce their effectiveness. As traffic is routed to the closest node (and the attacker has no control over this behaviour) the DDoS traffic flow will be distributed amongst the closest nodes. This often means that not all nodes will be affected. This is often an important reason to deploy anycast.

The effectiveness of this can be decreased, however, because unicast addresses (used for maintenance) are easy to recover. An attacker can then attack every node from any location, just as if there was no anycast and all nodes were separate servers.

Local vs Global

In some situations of anycast deployment on the internet there is a difference between local and global nodes. Local nodes are often more intended to provide benefit for the direct local community. Local node announcements are often announced with the no-export BGP community to prevent peers from announcing them to their peers (i.e. the announcement is kept in the local area). Where both local and global nodes are deployed, the announcements from global nodes are often AS prepended (i.e. the AS is added a few more times) to make the path longer so that a local node announcement is preferred over a global node announcement.

Both F and K root name servers currently use local and global nodes.

External links

• Anycast Addressing on the Internet
• Distributing Authoritative Name Servers via Shared Unicast Addresses, IETF RFC describing the distribution of authoritative DNS servers using anycast.
• Hierarchical Anycast for Global Service Distribution, ISC document on anycast
• Effect of anycast on K-root, presentation by Lorenzo Colitti (RIPE NCC) at DNS-OARC in July 2005
• The Impact of anycast on Root DNS Servers: The Case of K-root, presentation by Lorenzo Colitti (RIPE NCC) at RIPE 52 in April 2006
• Icann DNS Attack Fact Sheet Report by ICANN on how the Anycast technology contributed to the resistance against the ddos-attack on the DNS-RootServers on the 6th of February 2007