nanog mailing list archives

Re: Anycast but for egress


From: Adam Thompson <athompson () merlin mb ca>
Date: Tue, 27 Jul 2021 19:25:35 +0000

Without any sarcasm: to make it harder to block.
If, say, Google, always crawled your site from 8.8.1.2 (random made-up example) then you would see a not-insignificant 
number of hosts and networks null-routing that IP.  I have no idea why someone would do so, but I've seen it done many 
times.  Mostly by people who don't understand how un-special they are on the internet.  Also it would trigger IDS/IPS 
systems all over the place, having gobs and gobs of connections coming from a single IP.

That's setting aside the technical issues involved; routing is often asymmetric, i.e. the return packet takes a 
different path than the inbound packet.  So it would, as Owen implied, be nearly impossible to ensure the reply packets 
got back to the correct TCP stack.  As an example, I'm multi-homed and use path-prepending, so if a packet claiming to 
be from 8.8.8.8 arrived on one of my commercial links, I would send the reply out the cheapest link, which in my case 
is a flat-rate R&E network (that has a path to Google), thus ensuring the reply does not get to the originating anycast 
node.

When my clients make connections outbound to anycast addresses, the destination is more-or-less stable, and the replies 
come back to the client's unique IP, so anycast works in that direction.  The guarantees are not present in the reverse 
direction.

The logical extremity of this is that it would be nearly impossible for two anycast addresses to establish a TCP 
connection to each other.  (In general.  There will be lots of local cases where it does happen to work, by 
coincidence.)

You'll find that even anycast nodes do not make connections outbound using their anycast address, pretty much for these 
reasons.

-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson () merlin mb ca
www.merlin.mb.ca
________________________________
From: NANOG <nanog-bounces+athompson=merlin.mb.ca () nanog org> on behalf of Vimal <j.vimal () gmail com>
Sent: July 27, 2021 12:54
To: nanog () nanog org <nanog () nanog org>
Subject: Anycast but for egress

(Unsure if this is the right forum to ask this question, but here goes:)

From what I understand, IP Anycast can be used to steer traffic into a server that's close to the client.

I am curious if anyone here has/encountered a setup where they use anycast IP on their gateways... to have a 
predictable egress IP for their traffic, regardless of where they are located?

For example, a search engine crawler could in principle have the same IP advertised all over the world, but it looks 
like they don't...  I wonder why?

--
Vimal
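
Added example, not part of either message above: a small simulation of the asymmetric-return case described in the reply, where a SYN sourced from an anycast address leaves one node and the SYN-ACK is routed by the remote site's own policy to a different node that holds no connection state. The topology, the node names and the `LOCAL_PREF` table are constructed assumptions, and routing is modelled as fewest AS hops with an optional local first-hop preference.

```python
from collections import deque

# Constructed AS-level adjacency (assumption): not real networks.
LINKS = {
    "pop_east": ["transit_a"],
    "pop_west": ["transit_b", "re_net"],
    "transit_a": ["pop_east", "site"],
    "transit_b": ["pop_west", "site"],
    "re_net": ["pop_west", "site"],
    "site": ["transit_a", "transit_b", "re_net"],
}
ANYCAST_ORIGINS = {"pop_east", "pop_west"}  # both announce the same prefix
# Local policy: "site" prefers its flat-rate R&E link for all egress traffic.
LOCAL_PREF = {"site": "re_net"}


def delivered_to(src, origins=ANYCAST_ORIGINS, links=LINKS, pref=LOCAL_PREF):
    """Return the anycast node reached by a packet from `src` to the anycast IP."""
    # A local preference pins the first hop; otherwise every neighbour competes.
    first_hops = [pref[src]] if src in pref else links[src]
    queue = deque(first_hops)
    seen = {src, *first_hops}
    while queue:  # breadth-first search = fewest AS hops wins
        node = queue.popleft()
        if node in origins:
            return node
        for nxt in links[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return None


def egress_handshake(sender_pop, target):
    """SYN leaves sender_pop with the anycast source IP; see where the SYN-ACK lands."""
    reply_pop = delivered_to(target)
    # Only the node that sent the SYN holds the half-open connection state.
    outcome = "established" if reply_pop == sender_pop else "reset/no state"
    return reply_pop, outcome


if __name__ == "__main__":
    for pop in sorted(ANYCAST_ORIGINS):
        print(pop, "->", egress_handshake(pop, "site"))
```

The outcome depends only on the remote site's routing toward the anycast prefix, which the sending node does not control; clearing the constructed local preference moves the reply from one node to the other.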

