
netsec-sig - [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?

Subject: Internet2 Network Security SIG

  • From: Steven Wallace <>
  • To: Brad Fleming <>
  • Cc: Dave Diller <>, Akbar Kara <>, Bill Owens <>, "" <>, NTAC <>, Kim Milford <>, "" <>
  • Subject: [Security-WG] Re: [NTAC] DNS Serving Stale to the rescue?
  • Date: Fri, 3 Nov 2017 11:42:26 -0400

Brad,

I’m thinking out loud, so I wouldn't change anything without better advice :-)

steve


On Nov 3, 2017, at 11:35 AM, Brad Fleming <> wrote:


On Nov 3, 2017, at 10:03 AM, Dave Diller <> wrote:



I think we need to be careful WRT routes to roots. Roots are anycast, and since most of us local-pref TR-CPS/I2, this could lead to suboptimal DNS requests, both in terms of path used, and concentrating queries to fewer servers. This may already be happening. It would be good for someone to check the I2/CPS routing tables for the root anycast prefixes.

MAX had an I2-facing instantiation of D-root for a while last year.  From what I remember, there really was not a lot of traffic to it, as compared to the commodity-facing ones, and they redeployed.

Kinda makes sense, due to lower visibility in an isolated network, versus worldwide.

But it did not seem to suck in a lot of traffic simply due to query concentration / localpref.

-dd


KanREN hosts and announces availability to an L-Root instance running on dedicated hardware in the Kansas City area. We announce:
199.7.82.0/23
199.7.83.0/24
2001:500:3::/48
2001:500:9e::/47 
2001:500:9f::/48
to TR-CPS as well as R&E. They requested we announce the prefixes at all peering points; however, it might make sense for us to withdraw the paths from I2 routing tables simply to avoid the situation Steve points out.

I don’t wanna drag the thread too far off its original purpose so feel free to hit me up unicast with any profanity-laden emails about our backwater, harebrained schemes. :D
--
Brad Fleming
Assistant Director for Technology
Kansas Research and Education Network
