Anycast


Anycast is a network addressing and routing methodology in which a single destination address has multiple routing paths to two or more endpoint destinations. Routers will select the desired path on the basis of number of hops, distance, lowest cost, latency measurements or based on the least congested route. Anycast networks are widely used for content delivery network products to bring their content closer to the end user.

Addressing methods

The Internet Protocol and other network addressing systems recognize five main addressing methods:
Anycast can be implemented by using Border Gateway Protocol. Multiple hosts are given the same unicast IP address and different routes to the address are announced through BGP. Routers consider these to be alternative routes to the same destination, though they are actually routes to different destinations with the same address. As usual, routers select a route by whatever distance metric is in use. Selecting a route in this setup amounts to selecting a destination.
The pitfall of this approach is that a connection to an anycast address may fail because the network can change the routing of packets in mid-connection due to congestion or changes in the network, with the result that the destination changes mid-connection, though the new destination is not aware of the connection and is not maintaining the connection state. These conditions are typically referred to as a "PoP switch". With a normal unicast address a routing change would not be a problem, as this merely results in a different route to the same eventual destination. All packets within a connection do not normally need to follow the same path. But when the address is actually an anycast address masquerading as a unicast address, a routing change could be a destination change.
Because of the possibility of a "PoP switch" in IPv4, anycast is generally used with connectionless protocols based on UDP, as a way to provide high availability and load balancing for stateless services. For example, one of the well-known applications of IPv4 anycast is the Domain Name System. This is well-suited to anycast because it is a UDP-based service providing connectionless access to domain name data which is replicated across multiple, geographically-dispersed, stateless servers, with severe demands for availability and scalability.
Because anycast is more error-prone with connection-oriented protocols such as TCP where the destination maintains state, it is less commonly used with these protocols. Some custom IP stacks use proprietary methods to provide healing of stateful protocols when necessary, mitigating problems due to anycast PoP switches. These methods usually involve some form of Network function virtualization in form of packet rewriting as has been demonstrated by AWS HyperPlane, and Google Maglev and/or packet encapsulation as laid out by protocols like Generic Routing Encapsulation, IPOP.

Internet Protocol version 6

Anycast is supported explicitly in IPv6., which covers IPv6 addressing architecture, reserves Interface Identifier 0 within an IPv6 subnet as the "Subnet Router" anycast address. In addition, reserves a block of 128 Interface Identifiers within a subnet as anycast addresses.
Most IPv6 routers on the path of an anycast packet through the network will not distinguish it from a unicast packet, but special handling is required from the routers near the destination as they are required to route an anycast packet to the "nearest" interface within that scope which has the proper anycast address, according to whatever measure of distance is being used.
The method used in IPv4 of advertising multiple routes in BGP to multiply-assigned unicast addresses also still works in IPv6, and can be used to route packets to the nearest of several geographically dispersed hosts with the same address. This approach, which does not depend on anycast-aware routers, has the same use-cases together with the same problems and limitations as in IPv4.

Applications

With the growth of the Internet, network services increasingly have high-availability requirements. As a result, operation of anycast services has grown in popularity among network operators.

Domain Name System

All Internet root nameservers are implemented as clusters of hosts using anycast addressing. All thirteen root servers A–M exist in multiple locations, with eleven on multiple continents. The servers use anycast address announcements to provide a decentralized service. This has accelerated the deployment of physical root servers outside the United States. documents the use of anycast addressing to provide authoritative DNS services. Many commercial DNS providers have switched to an IP anycast environment to increase query performance and redundancy, and to implement load balancing.

IPv6 transition

In IPv4 to IPv6 transitioning, anycast addressing may be deployed to provide IPv6 compatibility to IPv4 hosts. This method, 6to4, uses a default gateway with the IP address 192.88.99.1, as described in. This allows multiple providers to implement 6to4 gateways without hosts having to know each individual provider's gateway addresses.

Content delivery networks

s may use anycast for actual HTTP connections to their distribution centers, or for DNS. Because most HTTP connections to such networks request static content such as images and style sheets, they are generally short-lived and stateless across subsequent TCP sessions. The general stability of routes and statelessness of connections makes anycast suitable for this application, even though it uses TCP.

Connectivity between Anycast and Multicast network

Anycast rendezvous point can be used in Multicast Source Discovery Protocol and it's advantageous application as Anycast RP is an intradomain feature that provides redundancy and load-sharing capabilities. If the multiple Anycast rendezvous point is used, IP routing automatically will select the topologically closest rendezvous point for each source and receiver. It would provide a multicast network with the fault tolerance requirements.

Security

Anycast allows any operator whose routing information is accepted by an intermediate router to hijack any packets intended for the anycast address. While this at first sight appears insecure, it is no different from the routing of ordinary IP packets, and no more or less secure. As with conventional IP routing, careful filtering of who is and is not allowed to propagate route announcements is crucial to prevent man-in-the-middle or blackhole attacks. The former can also be prevented by encrypting and authenticating messages, such as using Transport Layer Security, while the latter can be frustrated by onion routing.

Reliability

Anycast is normally highly reliable, as it can provide automatic failover. Anycast applications typically feature external "heartbeat" monitoring of the server's function, and withdraw the route announcement if the server fails. In some cases this is done by the actual servers announcing the anycast prefix to the router over OSPF or another IGP. If the servers die, the router will automatically withdraw the announcement.
"Heartbeat" functionality is important because, if the announcement continues for a failed server, the server will act as a "black hole" for nearby clients; this failure mode is the most serious mode of failure for an anycast system. Even in this event, this kind of failure will only cause a total failure for clients that are closer to this server than any other, and will not cause a global failure.

Mitigation of denial-of-service attacks

In denial-of-service attacks, a rogue network host may advertise itself as an anycast server for a vital network service, to provide false information or simply block service.
Anycast methodologies on the Internet may be exploited to distribute DDoS attacks and reduce their effectiveness: As traffic is routed to the closest node, a process over which the attacker has no control, the DDoS traffic flow will be distributed amongst the closest nodes. Thus, not all nodes might be affected. This may be a reason to deploy anycast addressing.
The effectiveness of this technique to divert attacks is questionable, however, because unicast addresses can be easy to obtain, at least on IPv6. Now obsoleted defined that "An anycast address must not be used as the source address of an IPv6 packet." Therefore, pinging an anycast address will return the unicast address of the closest node, since the reply must come from a unicast address. An attacker can then attack individual nodes from any location, bypassing anycast addressing methods. This same method works on some, but not all, IPv4 anycast addresses. also restricted anycast IPv6 addresses to routers only. However, both of these restrictions were lifted in.
Authentication of anycast transmissions may solve this problem.

Local and global nodes

Some anycast deployments on the Internet distinguish between local and global nodes to benefit the local community, by addressing local nodes preferentially. An example is the Domain Name System. Local nodes are often announced with the no-export BGP community to prevent hosts from announcing them to their peers, i.e. the announcement is kept in the local area. Where both local and global nodes are deployed, the announcements from global nodes are often AS prepended to make the path longer so that a local node announcement is preferred over a global node announcement.