11

It is my understanding that public IP blocks are assigned from IANA, which assigns sub-blocks to RIRs, which assign sub-blocks to ISPs, which assign sub-blocks to individual ASs as outlined in this question: How are IP addresses actually assigned?

This (and resources like this page) seems to imply a mapping of 1 public IP to 1 AS.

However, anycast seems to work by advertising the same public IP address from multiple locations, providing different paths to that IP. For example:

If public IPs are supposed to resolve to a single AS, how does anycast work?

turtlemonvh
  • 2
    There is no strict rule for "1 AS per address" either – just look at [192.88.99.0/24](http://bgp.he.net/net/192.88.99.0/24) used by 6to4. (Although it certainly becomes problematic...) – user1686 May 27 '17 at 18:07
  • 2
    Do you have a reference for the claim that IPs are assigned to ASs? It's been a few years, but I've only ever seen IP address blocks assigned to organizations. (The mappings you reference probably just tell you what AS(s) are advertising a particular block which is observing what's actually happening, not assigning.) – David Schwartz May 27 '17 at 20:40
  • How addresses are assigned to an entity really has nothing to do with how routes to the addresses are advertised on the Internet. It may be possible that _every_ ISP comprising the Internet could advertise that it has a route to a particular prefix, and it could be that every one of them has learned a route to a prefix from another ISP. Routing is just one router telling another that it knows how to forward traffic to a network, and every Internet router could legitimately believe it knows one. Routers receiving multiple routes to a network will choose one of those routes to use. – Ron Maupin May 28 '17 at 00:12
  • @DavidSchwartz nope no reference for IP to AS assignment. After reading some of these responses and a few other articles I do not think that is right at all, it just seemed to be implied in a lot of resources (maybe since it is the most common case). – turtlemonvh May 30 '17 at 13:20
  • @RonMaupin I understand the separation of routing and IP block assignment. However, BGP route announcements carry an AS_PATH section that is used for routing decisions (see: https://tools.ietf.org/html/rfc4271#section-4.3). My question is really about behavior when these route announcements are made from many ASs and each AS says it is the only AS in the path, i.e. they have a direct path to the IP address without any additional external routing. – turtlemonvh May 30 '17 at 13:30
  • There are many steps that BGP uses to determine the best path. The AS_PATH is just one of them. Also, it is unlikely that you would be connected to many ASes that each think they have a direct connection to the network. – Ron Maupin May 30 '17 at 13:33
  • @RonMaupin isn't the "connected to many ASes that each think they have a direct connection to the network" thing exactly what grawity's example shows? (or maybe I'm misunderstanding that...) – turtlemonvh May 30 '17 at 13:35
  • Normally, you may have a few connections to a few other ISPs. Each will advertise the prefix, but each will probably get that prefix from other ASes, which get it from other ASes. You probably have different AS_PATH counts on each. If the prefix is advertised from each continent, an ISP in North America will have a much shorter AS_PATH to the prefix advertised from North America than from Europe or Asia. BGP has a complex set of criteria to determine a best path to a prefix. If you go through the entire process, and everything is still tied, it will simply use the oldest advertisement. – Ron Maupin May 30 '17 at 13:45
  • OK, so let's say I have connections to multiple ISPs and advertise a route to my IP block to each one. You're saying that those "direct" routes will not necessarily "win" for traffic originating in that ISP looking for my IP block since additional route advertisements will also come in to those ISPs from other ASs. Even though those route announcements come in with longer AS_PATHs, they still may be selected for at least a portion of the traffic. This seems possible, but it also seems likely that the "direct" route will be selected more often. (Thanks for helping me understand, btw!) – turtlemonvh May 30 '17 at 13:57

3 Answers

11

An AS doesn't need to necessarily be constrained to a single physical location.

When anycasting, you run routers in many physical locations, each peering with different ISPs as the same AS, advertising a route to the anycasted IP addresses.

From BGP's perspective, it's not terribly dissimilar to what you'd do for redundancy with multiple ISPs from an AS in one site; in the "one site, multiple ISP" situation, one router's sending "I'm AS X, and I have IP range Y!" to multiple ISPs; in anycast, you're just instructing geographically disparate routers to all advertise their own nearly identical "I'm AS X, and I have IP range Y!" message to their own ISPs, claiming your AS and your anycast range and letting BGP select the best ISP to send the traffic to.

The ISPs don't know any different; the internet has no sense that the various available paths aren't just leading to the same highly-redundant site.

Shane Madden
  • Or in other words, the Internet doesn't know that it isn't talking to the same server through your multi-billion-dollar secret underground fibre network. – user253751 May 28 '17 at 04:04
  • @immibis That's a good way to look at it, but one nitpick: in that case (routing back to one central server via your own internal network) we'd technically no longer fall under the definition of anycast, since the request wouldn't actually be handled in the geographically disparate sites. In the case I'm describing, you'd have nearly-identical servers at each site, instead of the secret backend network to get you to the right server. – Shane Madden May 28 '17 at 14:47
  • That's not a nitpick, that's the point. It's perfectly valid to have a private network between separate sites. And Internet routing protocols can't tell the difference between you having a private network, and you pretending to have one and using anycast instead. – user253751 May 28 '17 at 22:39
  • It's definitely valid to have a private network between sites, I was just saying that you wouldn't want to actually deploy anycast in that way (same server), since it'd be self-defeating. But I agree with your point: from the internet's perspective, they would look the same. – Shane Madden May 29 '17 at 16:05
  • This is a great answer. Can you add some links to standards docs or other external resources to show that what you said is true? (i.e. that anycast and multi-homing are basically the same thing) – turtlemonvh May 30 '17 at 12:46
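A toy model of the anycast setup this answer describes, added here as an illustration and not part of the original answer: two sites announce one prefix as the same AS, and each ISP keeps the shortest AS_PATH it hears. The ASNs, prefix, topology and site names are constructed, and route selection is reduced to AS_PATH length with the oldest route winning ties.

```python
from collections import deque

ANYCAST_AS = 64500          # documentation ASN (RFC 5398), constructed
PREFIX = "192.0.2.0/24"     # documentation prefix (RFC 5737), constructed

# Constructed topology: ISP ASN -> neighbouring ISP ASNs (sessions are bidirectional).
LINKS = {
    64501: [64502],         # ISP serving the New York site
    64502: [64501, 64503],
    64503: [64502, 64504],
    64504: [64503],         # ISP serving the Sydney site
}
# Every site announces PREFIX to its local ISP with the same origin AS.
SITES = {"new-york": 64501, "sydney": 64504}


def propagate(links, sites, origin_as):
    """Return {asn: (as_path, site)} once every ISP has chosen a route.

    'site' is bookkeeping for this example only; BGP carries no such field,
    so the ISPs cannot tell the sites apart.
    """
    best, queue = {}, deque()
    for site, isp in sites.items():
        if isp not in best:
            best[isp] = ([origin_as], site)
            queue.append(isp)
    while queue:
        asn = queue.popleft()
        path, site = best[asn]
        advertised = [asn] + path            # the sender prepends its own ASN
        for peer in links[asn]:
            if peer in advertised:           # AS_PATH loop prevention
                continue
            # Strictly shorter wins; on a tie the route learned first is kept.
            if peer not in best or len(advertised) < len(best[peer][0]):
                best[peer] = (advertised, site)
                queue.append(peer)
    return best


if __name__ == "__main__":
    for asn, (path, site) in sorted(propagate(LINKS, SITES, ANYCAST_AS).items()):
        print(f"AS{asn}: {PREFIX} via AS_PATH {path} -> lands at {site}")
```

Every AS_PATH ends in the same origin AS, yet traffic from AS64502 and AS64503 lands at different sites.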
5

There is no requirement that IP addresses or Internet routes for a prefix come from a single AS. ASNs are assigned to organizations, and addresses are also assigned to organizations. Registrars like ARIN don't link my address allocation to my ASN allocation. Even new systems like Resource Public Key Infrastructure still allow for multiple ASs to originate a route to a network. The Team Cymru page says this in the FAQs:

In some cases a network prefix will be announced by multiple, but disparate, networks or autonomous systems. The most likely reason for this is something known as "multihoming". This is perfectly normal. Depending on your view of the Internet topology and the originating network's policies, one of those originating networks will be the preferred path for sending and receiving traffic with the netblock in question.

Here's a (long) list of networks that are currently advertised from multiple ASs.

As to how it gets to where it's going: Routes are selected using a BGP path selection algorithm that chooses a path based on the information each router the traffic passes through knows about. Each router on the Internet has its own view of the routing table, so traffic in one part of the Internet can end up in a different place and AS than traffic in another part of the Internet. There's not even a requirement to have every packet in a flow go to the same place, which can obviously make things interesting in the case of anycasting or multihoming.

dk1
  • Thanks dk1. The idea that public IP to AS mapping is 1:N and not 1:1 was the key point for me. This article was also helpful: https://serverfault.com/questions/137257/how-ip-addresses-are-mapped-to-autonomous-system-numbers, as were additional articles discussing AS peering, like: https://umbrella.cisco.com/blog/blog/2013/01/10/high-availability-with-anycast-routing/. That OpenDNS article also shows that their AS is globally distributed. – turtlemonvh May 30 '17 at 13:17
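The multiple-origin case described in this answer, as an added example (not from the answer or from Team Cymru): it groups announcements by prefix, reports prefixes seen from more than one origin AS, and checks each origin against ROAs using the RFC 6811 valid / invalid / not-found states. All prefixes, ASNs, ROAs and announcements are constructed documentation values.

```python
import ipaddress

# Constructed ROAs: (prefix, max_length, authorised origin ASN).
# Two ROAs cover 198.51.100.0/24 with different origins, which RPKI permits.
ROAS = [
    ("198.51.100.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("203.0.113.0/24", 24, 64498),
]

# Constructed announcements as (prefix, AS_PATH); the origin is the last ASN.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", [64510, 64496]),
    ("198.51.100.0/24", [64511, 64497]),
    ("203.0.113.0/24", [64510, 64498]),
    ("203.0.113.0/24", [64511, 64499]),
    ("192.0.2.0/24", [64510, 64500]),
]


def validate(prefix, origin_as, roas=ROAS):
    """Return the RFC 6811 state for one route: valid, invalid or not-found."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True                     # at least one ROA covers this route
        if route.prefixlen <= max_len and roa_as == origin_as:
            return "valid"
    return "invalid" if covered else "not-found"


def moas_report(announcements, roas=ROAS):
    """Map each prefix seen from more than one origin AS to {origin: state}."""
    origins = {}
    for prefix, as_path in announcements:
        origins.setdefault(prefix, set()).add(as_path[-1])
    return {
        prefix: {asn: validate(prefix, asn, roas) for asn in sorted(seen)}
        for prefix, seen in origins.items()
        if len(seen) > 1
    }


if __name__ == "__main__":
    for prefix, states in moas_report(ANNOUNCEMENTS).items():
        print(prefix, states)
```

A prefix with several origins is not a problem in itself; the origins worth a closer look are the ones that come back `invalid`.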
2

This (and resources like this page) seems to imply a mapping of 1 public IP to 1 AS.

Yes. That is true.

However, anycast seems to work by advertising the same public IP address from multiple locations,

Simply exactly by "just doing it". An AS is the entity that defines its own routing internationally. It can connect the same IP address to multiple locations - as long as the routing does not change in the middle of a connection, that is ok.

Just be ignorant for a moment (because here ignorance works).

If you ask for IP x in USA, you go to a datacenter in the USA as per AS BGP rules. If you do so in Australia, you end up in a datacenter in Australia. Finished. There is nothing that says that an IP can not be reused AS LONG AS THE ROUTING IS STABLE.

This is not a BGP hack as much as a normal use of BGP.

TomTom
  • 1
    BGP does not use geopolitical divisions to decide where to send a packet, and it's not true that addresses belong to any one AS. – dk1 May 28 '17 at 11:47
  • You mention "as long as the routing does not change in the middle of a connection, that is ok". I thought that such routing changes were a known problem in anycast configurations, and that's part of the reason anycast is usu. reserved for connectionless protocols like UDP? See: https://blog.cloudflare.com/cloudflares-architecture-eliminating-single-p/ – turtlemonvh May 30 '17 at 12:50