nanog mailing list archives
Re: DNS hardening, was Re: Dan Kaminsky
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 6 Aug 2009 11:44:43 -0400
On Thu, Aug 6, 2009 at 11:16 AM, Paul Vixie<vixie () isc org> wrote:
note, i went off-topic in my previous note, and i'll be answering florian on namedroppers@ since it's not operational. chris's note was operational:Date: Thu, 6 Aug 2009 10:18:11 -0400 From: Christopher Morrow <morrowc.lists () gmail com> awesome, how does that work with devices in the f-root-anycast design? (both local hosts in the rack and if I flip from rack to rack) If I send along a request to a host which I do not have an association created do I get a failure and then re-setup? (inducing further latency)yes. so, association setup cost will occur once per route-change event. note that the f-root-anycast design already hashes by flow within a rack
pulling something I didn't previously understand from an ongoing discussion on the LISP/v6ops mailing lists... most routers today only hash on tcp/udp so.. sctp isn't going to hash in the same 'deterministic' manner, or someone should probably test that that is the case.
to keep TCP from failing, so the only route-change events of interest to this point are in wide area BGP.
right, and the (I think K-root) K-root folks had a study showing <1% of sessions seemed to be failing in this manner? (nanog in Toronto I think?)
...: "Do loadbalancers, or loadbalanced deployments, deal with this properly?" (loadbalancers like F5, citrix, radware, cisco, etc...)as far as i know, no loadbalancer understands SCTP today. if they can be made to pass SCTP through unmodified and only do their enhanced L4 on UDP and TCP as they do now, all will be well. if not then a loadbalancer upgrade or removal will be nec'y for anyone who wants to deploy SCTP. it's interesting to me that existing deployments of L4-aware packet level devices can form a barrier to new kinds of L4. it's as if the internet is really just the web, and our networks are TCP/UDP networks not IP networks.
sadly, people have (and continue) to make simplifying assumptions while designing/deploying equipment. -Chris
Current thread:
- Re: DNS hardening, was Re: Dan Kaminsky, (continued)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 05)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Jakma (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Paul Vixie (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Ross Vandegrift (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Christopher Morrow (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Steven M. Bellovin (Aug 07)
- Re: DNS hardening, was Re: Dan Kaminsky Douglas Otis (Aug 10)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
- A DNSSEC irony Edward Lewis (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
- Re: DNS hardening, was Re: Dan Kaminsky Florian Weimer (Aug 06)
- Re: Fwd: Dan Kaminsky Dave Israel (Aug 03)
- Re: Dan Kaminsky Jorge Amodio (Aug 05)