We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byIngrid Beresford
Modified about 1 year ago
EDNS0 Client-Subnet for DNS based CDNs Matt Jansen Akamai Technologies HKNOG 1, Hong Kong, September 1 st 2014
©2012 AKAMAI | FASTER FORWARD TM The world’s largest on-demand, distributed computing platform delivers all forms of web content and applications The Akamai Intelligent Platform Typical daily traffic: More than 2 trillion requests served Delivering over 21 Terabits/second 15-30% of all daily web traffic The Akamai Intelligent Platform: 150,000+ Servers 2,000+ Locations 92 Countries 1,200+ Networks 700+ Cities
©2012 AKAMAI | FASTER FORWARD TM When content is requested from CDNs, the user is directed to the optimal server to serve this user There’s 2 common ways to do that: anycast: the content is served from the location the request is received (easy to build, requires symmetric routing to work well) DNS based: the CDN decides where to best serve the content from based on the resolver it receives the request from, and replies with the optimal server How CDNs Work
©2012 AKAMAI | FASTER FORWARD TM Users querying a DNS-based CDNs will be returned different A (and AAAA) records for the same hostname depending on the resolver the request comes from This is called “mapping” The better the mapping, the better the CDN How DNS based CDNs Work
©2012 AKAMAI | FASTER FORWARD TM Example of Akamai mapping Notice the different A records for different locations: [NYC]% host CNAME e5211.b.akamaiedge.net. e5211.b.akamaiedge.net. A e5211.b.akamaiedge.net. A [Boston]% host CNAME e5211.b.akamaiedge.net. e5211.b.akamaiedge.net. A e5211.b.akamaiedge.net. A How Akamai’s CDN works
©2012 AKAMAI | FASTER FORWARD TM Akamai uses multiple criteria to choose the optimal server These include standard network metrics: Latency Throughput Packet loss as well as internal ones such as: CPU load on the server HD space network utilization How Akamai’s CDN works
©2012 AKAMAI | FASTER FORWARD TM Mapping (simplified) 1)end-user requests from ISP NS 2)ISP NS recursively (multiple iterations) looks up being referred to authoritative Akamai NS (by cname) 3)ISP NS asks authoritative Akamai NS 4)Akamai NS looks up IP of requestor (ISP NS) and replies with IP of optimal cluster to serve content (local cluster in that ISP) 5)ISP NS replies to end-user who 6)requests content from local Cluster end-user ISP NS root/tld/intermediate NS (recursive lookup until reaching authoritative NS) Akamai NS Local Akamai Cluster at ISP example.com? a212.g.akamai.net request content deliver content NS ? best cluster =
©2012 AKAMAI | FASTER FORWARD TM All of this works very well if the end-user used their provider’s DNS servers. However if the end-user is making use of a 3 rd party DNS service like Google DNS (28 locations worldwide) https://developers.google.com/speed/public-dns/faq#locations OpenDNS (20 locations worldwide) a DNS-based CDN does not know which network the request originated from, and can therefore in the best case serve it in the rough geographic area The Problem: 3 rd Party DNS servers
©2012 AKAMAI | FASTER FORWARD TM How 3 rd party (open) resolvers typically work global ‘frontend’ anycast address, local unique ‘backend’ address for recursive queries CDN can tell which NS location it came from (by backend-ip) but not which end-user location or network -> have to serve from a large infrastructure cluster (typically located at the big IXs) to ensure we can reach any end-user end-user Akamai NS NS ? best cluster = ? Google DNS Frontend Backend request to request from
©2012 AKAMAI | FASTER FORWARD TM relatively small numbers in most countries with a mature internet ecosystem: USA, Germany, Netherlands, Singapore: less than 1% but very high percentage of users in developing countries and/or countries performing some form of DNS-based web-filtering: Turkey: 22%, Indonesia: 22%, Bangladesh: 25% Hong Kong: 2% Use of 3 rd party DNS servers
©2012 AKAMAI | FASTER FORWARD TM ISP DNSGoogleOpenDNSOthers ISP F96.1%1.9%0.2%1.8% ISP A95.9%2.0%0.2%1.9% ISP C94.8%2.9%0.2%2.1% ISP D92.8%3.1%0.4%3.8% ISP E92.0%5.8%0.2%2.1% ISP B76.0%15.7%0.4%7.9% Use of 3 rd party DNS servers in Hong Kong
©2012 AKAMAI | FASTER FORWARD TM Use end-user IP instead of NS IP for mapping Problem: at the time of authoritative DNS answer end- user IP is not known yet HTTP redirect Map based on DNS Measure RTT of initial request from end-user received (and therefore IP known), if over threshold: Redirect to better positioned server to reach end-user IP Problem: slow, not suitable for small objects End User Mapping
©2012 AKAMAI | FASTER FORWARD TM EDNS0 client-subnet https://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 The recursive resolver includes the end-user’s prefix in the request to the authoritative nameserver This allows the authoritative nameserver (the CDN) to process this information and optimize the reply not based on the requesting nameserver but the end-user’s prefix The Solution: EDNS0 client-subnet
©2012 AKAMAI | FASTER FORWARD TM Open standard (draft) Has to be supported by recursive resolver (3 rd Party DNS) and by Authoritative NS (CDN) Privacy: only prefix, not full address transmitted The Solution: EDNS0 client-subnet
©2012 AKAMAI | FASTER FORWARD TM Option-Code = 8 Option-Length (in bytes) Family (1=v4, 2=v6) Source-NetmaskScope-Netmask Address request: e.g for privacy to be echoed in reply request = 0 reply can be <> request, 0 for not used EDNS0 client-subnet implementation
©2012 AKAMAI | FASTER FORWARD TM Mapping (EDNS0) 1)end-user requests from Google NS 2)Google NS recursively looks up being referred to authoritative Akamai NS (by cname) 3)Google NS asks Akamai NS including client-subnet 4)Akamai NS looks up client-subnet and replies with IP of optimal cluster to serve content (local cluster in that ISP) 5)ISP NS replies to end-user who 6)requests content from local Cluster end-user Google NS root/tld/intermediate NS (recursive lookup until reaching authoritative NS) Akamai NS Local Akamai Cluster at ISP example.com? a212.g.akamai.net client-subnet= / request content deliver content NS (whitelisted for edns0) client subnet= /24 best cluster =
©2012 AKAMAI | FASTER FORWARD TM Only prefix, not full IP transmitted CDN already gets your full IP anyways (in the subsequent HTTP request) Set source-netmask/address to /0 Google DNS honors forwards request with /0 OpenDNS ignores at time of writing Do not use client-subnet capable resolver if intention is to hide client origin Privacy concerns
©2012 AKAMAI | FASTER FORWARD TM Scanning/walking the mapping algorithm double whitelist (at recursive resolver & auth NS) enforced replacement of client-tagged edns0 option by Google & OpenDNS before being send to Akamai Amplification double whitelist echoing request in reply standard rate limiting methods work Cache pollution of recursive resolver can be a problem separate reply stored for each prefix Security concerns
©2012 AKAMAI | FASTER FORWARD TM Google/OpenDNS currently always send client-subnet as /24 (for privacy/caching-efficiency reasons) Mapping system has view of internet from it’s partners with differing prefix-lenghts client-subnet more specific than Akamai e.g. Akamai has /20 from partner-> can be mapped scope-netmask send to resolver for caching purposes client-subnet less specific than Akamai e.g. Akamai has /26s from partner in different locations -> no clear choice to map -> will take first match also send scope-netmask to resolver for information Prefix-Length
©2012 AKAMAI | FASTER FORWARD TM Improvements with edns0 client-subnet
©2012 AKAMAI | FASTER FORWARD TM can be used within a partner’s network instead of distributed DNS architecture A partner might have a widespread network (especially in countries spanning large geographical areas and/or different islands like Australia or Indonesia) Would like to deploy clusters around the network to localize traffic But central DNS infrastructure makes mapping traffic accurately difficult Additional Use-Case
©2012 AKAMAI | FASTER FORWARD TM Batam Jakarta (NS) Surabaya Banjamarsin Makassar Denpasar Akamai Cluster Nameserver Example for distributed architecture
©2012 AKAMAI | FASTER FORWARD TM Deploy additional NS in all locations Benefit: better DNS responses, can use anycast frontend IP to simplify administration/failover (announcing same frontend IP to all end-users) Drawback: some additional CAPEX & support-costs Virtual IPs on existing NS given to different geographic sets of end-users Benefit: no additional CAPEX, easy to implement Drawback: more difficult to administer, will require manual allocation of IPs to clusters on CDN side, no clear fallback EDNS0 client-subnet within the providers network Benefit: no additional CAPEX, only software change on the NS, can dynamically adapt by changing announcements, can scale for very small clusters in remote places Drawback: needs compatible NS software Solutions
©2012 AKAMAI | FASTER FORWARD TM Matt Jansen Questions?
Version 4.1 CCNA Discovery 2– Chapter 7. Contents 7.1: ISP Services : TCP / IP Protocols 7.2: 7.3: DNS 7.3: 7.4: Application Layer Protocols 7.4.
The Web and Content Distribution Networks Nick Feamster CS 6250 Fall 2011 (some notes from David Andersen and Christian Kauffman)
Domain Name System (DNS) Adapted from a presentation by Ayitey Bulley DNS Fundamentals.
Telephone Numbers and E9-1-1 for Video Relay Service - Leveraging Existing Solutions December 4, 2007 Adapted from a presentation given to NECA TRS Subcommittee.
HTTP and the Web Nick Feamster CS 3251: Computer Networking I Spring 2013.
Architectural Approaches to Multi-Homing for IPv6 A Walk-Through of draft-huston-multi6-architectures-00 Geoff Huston June 2004.
Chapter 3 The Basics of Networking. Copyright © 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Learning Objectives Tell whether a communication.
Identity and Locators in IPv6 IAB Meeting IETF 60 August 2004.
What happened to IPv5? and other oft asked IPv6 questions The Internet Society, IPv6 and You Susan Estrada.
Winter 2001 VoN Developers Conference -- January 24, 2001 SIP Proxies Jonathan Rosenberg Chief Scientist.
Introduction to computer networking Objective: To be acquainted with: The definitions of networking Network topology Network peripherals, hardware and.
Windows 2008 Active Directory Configuration – Week 4 of 6 Microsoft Test: Mark McCoy MCSE, CNE, CISSP.
Computer Networking Lecture 25 – The Web. Lecture 19: Outline HTTP review and details (more in notes) Persistent HTTP review HTTP caching.
Distributed Computing Dr. Eng. Ahmed Moustafa Elmahalawy Computer Science and Engineering Department.
1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 9 Applications Copyright © 2010, Elsevier Inc. All rights Reserved.
Approaches to Multi-Homing for IPv6 An Architectural View of IPv6 MultiHoming proposals Geoff Huston 2004.
© AT&T Inc Detection of DNS Traffic Anomalies Anestis Karasaridis, PhD,CISSP.
E-Commerce Infrastructures Internet and Web Technologies.
Computer Networking Lent Term M/W/F 11-midday LT1 in Gates Building Slide Set 6 Andrew W. Moore February
Phones OFF Please The Internet and TCP/IP Brian Bramer Home:
Scalability and efficiency: Introducing a new mechanism to the internet must not jeopardize its efficiency. Enhancing IP for mobility must not generate.
Distributed Processing, Client/Server and Clusters Chapter 16.
Chapter 15 Networks Addresses. 2 Networking Computer network: A collection of computing devices that are connected in various ways in order to communicate.
NSI wg Architecture Elements John Vollbrecht Internet2.
Windows 2008 Active Directory Configuration – Week 3 of 6 Microsoft Test: Mark McCoy MCSE, CNE, CISSP.
Instrumentation Strategies for Response Time Management of Distributed Systems Greg Rogers MACP Consulting.
The Internet. Contents Internet vs WWW Internet vs WWW Pages vs Sites Pages vs Sites How the Internet Works How the Internet Works Getting a Web Presence.
A Primer on the Domain Name System Joint ITU/WIPO Multilingual Name Symposium 6 December 2001 David C Lawrence.
Network Services for Enhanced Cloud Computing T. V. Lakshman Bell Labs (Jointly with F. Hao, S. Mukherjee, H. Song)
© 2016 SlidePlayer.com Inc. All rights reserved.