Karl, we raised the question of anycast risk with SECSAC in response to your
concerns and the conclusion was that the risks had not materialized in the
operation of anycast in roots that had already deployed it.
There are lots of ways in which routing can be wedged - until we get some
form of authentication, that risk will be with us. Moreover, even with
authentication it is possible to misconfigure routing.
Any table-driven system that does not have an obvious syntactic or semantic
way of detecting a bad configuration is subject to these risks.
At 06:29 PM 11/30/2003 -0800, Karl Auerbach wrote:
The switch to anycast for root servers is a good thing. But it was hardly
without risks. For example, do we really fully comprehend the dynamics of
anycast should there be a large scale disturbance to routing on the order
of 9/11? Could the machinery that damps rapid swings of routes turn out
to create blacked out areas of the net in which some portion of the root
servers become invisible for several hours? Could one introduce bogus
routing information into the net and drag some portion of resolvers to
bogus root servers?
SVP Technology Strategy
22001 Loudoun County Parkway, F2-4115
Ashburn, VA 20147
703 886 1690 (v806 1690)
703 886 0047 fax