[BBLISA] BGP and multicast (thread renamed)

Dean Anderson dean at av8.com
Tue Jul 20 22:56:06 EDT 2010


ISC isn't that big. $2million doesn't really go that far. Especially 
when the CEO takes 1/8th off the top.  The 5 top employees all make 
around 80k or so.  So, you can see by the financials on the IRS 990, 
that it's a small operation. 

On "net stability" smoke for TCP anycast: Yes, I do have the data that
none of the proponents had any data.  When dealing with critical
production systems, it is expected that changes are tested and proven
BEFORE being deployed. They faked the data: Daniel Karrenberg falsely
claimed to have data but didn't have anything about Anycast stability;  
And I have evidence that Paul Francis falsified his results on Anycast,
claiming it to be stable when his data actually showed instability.  
Paul Francis also falsely stated that there was some scientific
disagreement regarding TCP Anycast, but in fact, none of the sources he
cited asserted TCP Anycast was stable. I brought this to the attention
of Cornell authorities. I can't say there is a direct relationship from
my report, but Francis is no longer working at Cornell.

You have seized on another myth of anycast proponents: Routes have to
flap to have Anycast instability. Not so.  In fact, routes _don't_ need
to be "flapping" for TCP anycast to be unstable.  Some years ago, it was
common that routes were removed from cache every 60 seconds (by
default).  (remember that's true at every hop, so divide 60 seconds by
number of hops)  But it gets worse: As the route table grows, routes are
forced out of cache more frequently than 60 seconds. On replacement, any
equal cost path can be inserted on a subsequent packet.  The more equal
cost anycast paths you have anywhere in the path, the more likely
subsequent packets will go to different servers.  

IPv4 isn't idempotent. There is no guarantee that subsequent packets 
will be delivered to the same anycast host. This was written in RFC1546. 
Vixie and crew knew about this with the DNS serverid draft and the NSID 
draft.

DNS serverid draft failed because they realized that subsequent packets
couldn't be guaranteed to go to the same server. So you can't make a query,
and then make another query to find out the serverid that answered the
query. This work was to identify Anycast servers. They knew that one
needed to modify the DNS protocol so that the same query also contained
a flag to say "answer the query and tell us who you are". That is
implemented with the NSID RFC.

So they also knew that TCP can't be stable: This is demonstrated beyond
doubt by the history of Serverid and NSID standards and that two
subsequent packets won't go to the same host reliably enough for
serverid to work.  One can't know that two subsequent packets won't go
to the same host and also honestly think that TCP would be stable in
that condition.  They've been intentionally deceiving the public and the
government for years.

As to why people think Anycast is acceptable: Consider this: a lot of
people believe in faith healing and voodoo, too. There's no science and
most of it is really hokum. Luckily, most such people aren't really sick
and the deception is based mostly in ignorance of the proponents.  
We usually just look askance at voodoo doctors, but criminalize the
sale of fake pills.  The only difference is the knowledge of the
purveyor.

In our case, the public are deceived and lucky not to be using TCP DNS. 
But things are changing, and actually, it appears that fewer and fewer
people think this is acceptable.  And in our case, the proponents are 
well aware that they are pushing hokum. 

And one final thing to ponder: People thought investing with Bernie
Madoff was pretty acceptable for a long time. One guy discovered the
fraud 10 years ago, but no one listened. After the collapse everyone
said: "why didn't you investigate his claims?"  Well, I did something
very similar: I exposed a scam; actually several scams run by the same
people. In my case, Vixie/Cerf mafia have engaged in a series of lies
and threats (e.g. they've said 130.105/16 is hijacked, etc) in an effort
to threaten, intimidate, and silence me.



		--Dean


On Tue, 20 Jul 2010, Robert Keyes wrote:

> On Mon, 19 Jul 2010, Dean Anderson wrote:
> 
> >
> >>> through. I think some of the DNS root servers are using "anycast"
> >>> and small BGP announcements for redundancy purposes.
> >>
> >> Anycast! Yes I hadn't thought of that..it makes sense. Well, that's
> >> the first new thing I've learned today.
> >
> > <grin>For some reason, last year ISC (the principal anycast DNS
> > promoter)  has lost most of its ordinary funding. I've been trying to
> > figure out exactly what the makeup of that funding was, but whatever it
> > was, its gone now. Rick Adams had to make up $1.6 million out of about
> > $2 million. Vixie himself still takes $252,000 of the $2 million,
> > according to their IRS form 990.  [non-profits aren't supposed to inure
> > benefits to their founders beyond fair salary. Pretty much, no small
> > non-profits pay their CEOs roughly 12% of revenue--a company isn't
> > really non-profit at that rate--that's in the realm of a for-profit
> > S-Corp. Even large non-profits don't usually pay $252,000/yr to CEOs;
> > that's a scandalously large amount. That amount is unconscionably
> > high both in dollars and in percentage of non-profit revenue; similar
> > numbers have been the focus of TV news exposés).
> 
> I don't want to come to the defense of Vixie, nor start another flame war, 
> but perhaps some of the costs were related to running their rather large 
> net connection and servers. I see that as requiring network engineers, 
> sysops, programmers, and of course the corporate friction to go along with 
> it: accountants, secretaries, lawyers..so perhaps that's where some of the 
> money went.
> 
> > Anyway, pretty much everyone knows by now that Anycast isn't stable with
> > TCP. Anycast only works for stateless protocols and TCP isn't stateless.
> 
> Yeah, it makes sense that there's a possibility of an unseen routing 
> change due to anycast...but how often does that happen? and what happens 
> if the TCP connection gets hosed...does it (the DNS server) just try again? 
> Unless routes are flapping all over the place, I don't see this being a 
> really huge problem. Then again, it does speak to a rather kludgy protocol 
> design.
> 
> > And TCP is now on the top of the DNS list thanks to ... [drum roll]:
> > DNSSEC!! [DNSSEC is another Vixie-IETF-disaster for reasons Dan
> > Bernstein, myself, and others detailed some years ago; The Vixie/Cerf
> > mafia tried to silence us, but they failed at that, too]. That's not to
> > say they weren't successful in business, though. I just feel sorry for
> > the people who wasted their money on buying Anycast DNS services from
> > ISC, Affilias/Neustar etc. And I will someday feel sorry for the
> > Internet when some of the other DNS "Vixie-flaws" are eventually
> > exploited. But, aside from those things...I'm having a very happy year
> > :-)  </grin>
> 
> hrm, yes, well like I said it all depends on the stability of the net for 
> the course of TCP dns transactions, which may be sufficient. I don't have 
> enough data to say one way or the other. Do you?
> 
> I am not trying to pick a fight, just ponder why something which seems an 
> obvious fatal flaw on the surface would be considered acceptable. There 
> must be some reason.
> 
> -Bob
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 256 5494
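The post above argues that per-packet replacement of equal-cost paths means two packets of one TCP flow need not reach the same anycast instance, and that the odds get worse with every hop that has an equal-cost choice. The following simulation is an added illustration of that argument, not code from the original message or from any project it names. It assumes the model the post describes: each hop with equal-cost paths picks independently per packet, and (a simplifying assumption) every distinct end-to-end path ends at a different anycast instance, so a flow whose packets ever take different paths counts as "split".

```python
import random


def p_flow_stable(paths_per_hop, ecmp_hops, packets):
    """Analytic probability that all packets of one flow take the identical
    end-to-end path, given `ecmp_hops` hops that each choose one of
    `paths_per_hop` equal-cost paths independently for every packet."""
    if packets <= 1 or ecmp_hops == 0:
        return 1.0
    # Probability two consecutive packets agree at every ECMP hop.
    p_same_pair = (1.0 / paths_per_hop) ** ecmp_hops
    # A flow of N packets stays on one path only if all N-1 successive
    # packets agree with the first one.
    return p_same_pair ** (packets - 1)


def simulate_split_fraction(paths_per_hop, ecmp_hops, packets, flows, seed=1):
    """Monte-Carlo estimate of the fraction of flows whose packets reach more
    than one path (hence, under the stated assumption, more than one anycast
    instance). The seed makes the constructed experiment reproducible."""
    rng = random.Random(seed)
    split = 0
    for _ in range(flows):
        first_path = None
        for _ in range(packets):
            # One per-packet choice at each hop that has equal-cost paths.
            path = tuple(rng.randrange(paths_per_hop) for _ in range(ecmp_hops))
            if first_path is None:
                first_path = path
            elif path != first_path:
                split += 1
                break
    return split / flows


if __name__ == "__main__":
    # A short DNS-over-TCP exchange (SYN, SYN-ACK, query, answer, FIN...)
    # is around ten packets in each direction; try a few hop counts.
    for hops in (0, 1, 2, 3):
        stable = p_flow_stable(2, hops, packets=10)
        est = simulate_split_fraction(2, hops, packets=10, flows=2000)
        print(f"{hops} ECMP hop(s): P(flow stable)={stable:.3g} "
              f"simulated split fraction={est:.3f}")
```

With no equal-cost choice anywhere on the path the simulation reports no split flows; with even one hop choosing between two paths per packet, a ten-packet flow stays on one path only with probability 2^-9, which is the effect the post describes. Whether real forwarding behaves per-packet or per-flow is exactly the quantity a defender should measure before relying on stateful anycast, and this model is what such a measurement would be compared against.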
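The post also describes why NSID exists: a second query cannot be trusted to reach the server that answered the first, so the identity request has to ride in the same query. The following is an added example, not code from the original message or from ISC or the IETF, showing what that looks like on the wire: an EDNS(0) query carrying an empty NSID option (option code 3, RFC 5001) and a parser that pulls the NSID bytes back out of a reply. The response bytes below are constructed locally (name, address in the 192.0.2.0/24 documentation range, and the NSID string are all made up) so the example runs offline; with a real socket the same two functions apply unchanged.

```python
import struct

EDNS_OPT_TYPE = 41      # OPT pseudo-RR type (RFC 6891)
NSID_OPTION_CODE = 3    # NSID EDNS option code (RFC 5001)


def encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_nsid_query(qname, txid=0x1234, qtype=1, udp_size=1232):
    """Build a DNS query whose OPT RR carries an empty NSID option; the
    responder is expected to echo the option back filled with its identity."""
    # RD set; one question; one additional record (the OPT RR).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    nsid_option = struct.pack("!HH", NSID_OPTION_CODE, 0)
    opt_rr = (b"\x00"  # root name
              + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_size, 0, len(nsid_option))
              + nsid_option)
    return header + question + opt_rr


def skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def extract_nsid(msg):
    """Return the NSID option payload (bytes) from a DNS message, or None
    if the message carries no NSID option. Empty bytes means the option is
    present but unfilled (as in the query we send)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == EDNS_OPT_TYPE:
            o = 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack_from("!HH", rdata, o)
                o += 4
                if code == NSID_OPTION_CODE:
                    return rdata[o:o + olen]
                o += olen
    return None


# Constructed sample response: same txid, QR/RD/RA flags, answer 192.0.2.1
# for example.com, and an OPT RR whose NSID option names the instance.
SAMPLE_NSID = b"ns1.pop-ams"   # made-up instance identifier
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 1232, 0, 4 + len(SAMPLE_NSID))
    + struct.pack("!HH", NSID_OPTION_CODE, len(SAMPLE_NSID)) + SAMPLE_NSID
)

if __name__ == "__main__":
    print("query bytes:", build_nsid_query("example.com").hex())
    print("instance that answered:", extract_nsid(SAMPLE_RESPONSE))
```

Because the identity comes back in the very reply that carried the answer, an operator can log which anycast instance served each query without assuming a follow-up packet lands on the same host; that is the property the post attributes to the NSID design.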