nanog mailing list archives
Re: Anycast but for egress
From: Adam Thompson <athompson () merlin mb ca>
Date: Tue, 27 Jul 2021 19:25:35 +0000
Without any sarcasm: to make it harder to block. If, say, Google, always crawled your site from 8.8.1.2 (random made-up example) then you would see a not-insignificant number of hosts and networks null-routing that IP. I have no idea why someone would do so, but I've seen it done many times. Mostly by people who don't understand how un-special they are on the internet. Also it would trigger IDS/IPS systems all over the place, having gobs and gobs of connections coming from a single IP.

That's setting aside the technical issues involved; routing is often asymmetric, i.e. the return packet takes a different path than the inbound packet. So it would, as Owen implied, be nearly impossible to ensure the reply packets got back to the correct TCP stack.

As an example, I'm multi-homed and use path-prepending, so if a packet claiming to be from 8.8.8.8 arrived on one of my commercial links, I would send the reply out the cheapest link, which in my case is a flat-rate R&E network (that has a path to Google), thus ensuring the reply does not get to the originating anycast node.

When my clients make connections outbound to anycast addresses, the destination is more-or-less stable, and the replies come back to the client's unique IP, so anycast works in that direction. The guarantees are not present in the reverse direction.

The logical extremity of this is that it would be nearly impossible for two anycast addresses to establish a TCP connection to each other. (In general. There will be lots of local cases where it does happen to work, by coincidence.)

You'll find that even anycast nodes do not make connections outbound using their anycast address, pretty much for these reasons.
-Adam

Adam Thompson
Consultant, Infrastructure Services
100 - 135 Innovation Drive
Winnipeg, MB, R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
athompson () merlin mb ca
www.merlin.mb.ca

________________________________
From: NANOG <nanog-bounces+athompson=merlin.mb.ca () nanog org> on behalf of Vimal <j.vimal () gmail com>
Sent: July 27, 2021 12:54
To: nanog () nanog org <nanog () nanog org>
Subject: Anycast but for egress

(Unsure if this is the right forum to ask this question, but here goes:)

From what I understand, IP Anycast can be used to steer traffic into a server that's close to the client.

I am curious if anyone here has/encountered a setup where they use anycast IP on their gateways... to have a predictable egress IP for their traffic, regardless of where they are located? For example, a search engine crawler could in principle have the same IP advertised all over the world, but it looks like they don't... I wonder why?

--
Vimal
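The return-path problem described in the reply above, as an added example that is not part of the original thread: a small simulation in which two sites announce the same prefix and each remote server sends its SYN-ACK to whichever site its own routing considers nearest. The topology, node names and link costs are constructed assumptions, and lowest-cost path selection stands in for real BGP policy.

```python
import heapq

# Constructed topology (assumption): undirected links with a routing cost.
LINKS = {
    ("node-eu", "transit-1"): 1, ("node-us", "transit-2"): 1,
    ("transit-1", "transit-2"): 5,
    ("server-a", "transit-1"): 1, ("server-b", "transit-2"): 1,
    ("server-c", "transit-1"): 4, ("server-c", "transit-2"): 2,
}
ANYCAST_NODES = ["node-eu", "node-us"]  # both announce the same prefix
SERVERS = ["server-a", "server-b", "server-c"]

def distances(src):
    """Dijkstra: lowest cost from src to every reachable network."""
    adj = {}
    for (a, b), cost in LINKS.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale queue entry
        for v, cost in adj[u]:
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist

def reply_lands_at(server):
    """Anycast node that the server's routing selects for the shared prefix."""
    dist = distances(server)
    return min(ANYCAST_NODES, key=lambda node: dist[node])

def handshake_completes(origin, server, anycast_source=True):
    """The SYN leaves `origin`; the SYN-ACK must reach that same TCP stack."""
    if not anycast_source:
        return True  # a unique source IP is announced only by `origin`
    return reply_lands_at(server) == origin

def egress_matrix():
    """Outcome for every (originating node, server) pair with an anycast source."""
    return {(n, s): handshake_completes(n, s)
            for n in ANYCAST_NODES for s in SERVERS}

if __name__ == "__main__":
    for (node, server), ok in egress_matrix().items():
        print(f"{node} -> {server}: reply lands at {reply_lands_at(server)}, "
              f"{'completes' if ok else 'SYN-ACK reaches a node with no state'}")
```

Only the pairs where the server's nearest node happens to be the originating node complete, which is the "works by coincidence" case; with a per-node unique source address every pair completes.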