Routing Via Anycast
At its most basic, anycast can be defined as communication between a single client and the topologically closest instance of a network service that is represented in multiple places by a common IP address.
IP anycasting allows a single name server IP address to exist in multiple locations at the same time. In this approach, DNS requests are routed between a single source (the client’s DNS recursive name server) and the topologically closest authoritative node. In theory, the client reaches the topologically closest anycast instance, as determined by Internet routing protocol metrics; whichever instance it reaches, all instances are configured with the same IP address and provide exactly the same service.
Although anycast is ideal in environments with highly variable routing conditions and short-lived, connectionless transactions, the possibility of transient changes in the routing system or forwarding path lessens its suitability for long-lived, persistent TCP transactions and similar scenarios. In all cases, anycast must be configured carefully to avoid widespread resolution failure.
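As an added illustration (not from the original article), the following Python model shows the instance selection described above and why a forwarding-path change strands a long-lived TCP session while a single UDP query is unaffected; the site names, AS numbers and the 192.0.2.53 service address are constructed.

```python
from dataclasses import dataclass

ANYCAST_IP = "192.0.2.53"  # constructed service address (RFC 5737 range)


def closest_instance(rib):
    """Return the site the routing system would forward ANYCAST_IP to.

    rib maps site -> AS path toward that site's announcement of the
    shared prefix. Real BGP applies many tie-breakers; "topologically
    closest" is simplified here to shortest AS path, with the path
    tuple itself as a deterministic tie-break.
    """
    if not rib:
        raise LookupError(f"no route to {ANYCAST_IP}")
    return min(rib, key=lambda site: (len(rib[site]), rib[site]))


def udp_query(rib):
    """One request/response (a DNS query over UDP): any instance will do,
    since every instance serves identical data and no state survives."""
    return closest_instance(rib)


@dataclass
class TcpSession:
    """Connection state that exists only on the instance that accepted it."""
    client: str
    instance: str


def tcp_connect(client, rib):
    return TcpSession(client, closest_instance(rib))


def tcp_send(session, rib):
    """Deliver a segment of an established session via the current rib.

    Returns (instance reached, True if it holds the session). A different
    instance has no state for this connection and would answer with RST;
    this is why anycast suits short-lived, connectionless exchanges best.
    """
    now = closest_instance(rib)
    return now, now == session.instance


if __name__ == "__main__":
    # Constructed view from one client network: three sites, same prefix.
    rib = {"fra": (64500, 64530), "ams": (64500, 64510, 64520),
           "nyc": (64500, 64540, 64550, 64560)}
    s = tcp_connect("client-a", rib)   # lands on fra, the shortest path
    rib.pop("fra")                     # fra's announcement is withdrawn
    print(udp_query(rib), tcp_send(s, rib))  # ams ('ams', False)
```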
ANYCAST BENEFITS AND CHALLENGES
- Enables organizations to expand footprint and capacity available on a given IP service address.
- Reduces latency and enhances performance by optimizing for client proximity to authoritative name servers.
- Helps balance, distribute, and localize query loads.
- Provides massive scalability via inherent caching processes and a distributed, decentralized resolution database architecture.
- Strengthens resistance to denial of service (DoS) and distributed denial of service (DDoS) attacks by increasing redundancy and distributing resolution activities across more geographically dispersed locations.
- Occasionally succumbs to resolution anomalies or conflicts that impede resolution and compromise availability; occasionally introduces difficult-to-diagnose pockets of suboptimal routing when newly added servers are reached over new paths to the service IP address.
- Increases complexity of configuring zones, distributing zone updates, and maintaining near real-time zone coherency.
- Potentially interferes with performance monitoring. IP-based monitoring is topologically dependent on the underlying routing system. Depending on the system’s routing preferences, some monitoring queries may be directed to the wrong servers, simply because those servers respond more quickly than others in the zone.
- Impairs troubleshooting and problem diagnosis. Identifying a specific anycast instance or corresponding intermediate network elements that could be causing problems for a given set of clients is significantly more difficult.
- Increases difficulty of detecting security threats. Detecting rogue routing system elements (e.g., route hijacks), statically routed instances (visible only in the data path), and Byzantine failures is more difficult when systems become more complex and a single persistent, more deterministic data path to the service address no longer exists.