SlideShare uma empresa Scribd logo
1 de 25
Baixar para ler offline
EDNS0 Client-Subnet for DNS based
CDNs
Matt Jansen
Akamai Technologies
MyNOG 4, Kuala Lumpur, August 21st 2014
©2012 AKAMAI | FASTER FORWARDTM
The world’s largest on-demand, distributed computing
platform delivers all forms of web content and applications
The Akamai Intelligent Platform
Typical daily traffic:
•  More than 2 trillion requests served
•  Delivering over 21 Terabits/second
•  15-30% of all daily web traffic
The Akamai Intelligent Platform:
150,000+
Servers
2,000+
Locations
92
Countries
1,200+
Networks
700+
Cities
©2012 AKAMAI | FASTER FORWARDTM
Kota Kinabalu
Kuala Lumpur
Johor
Penang
Kuching
Infrastructure Cluster
Current Presence in Malaysia
AANP Cluster (embedded in Network)
MyIX
MyIX
©2012 AKAMAI | FASTER FORWARDTM
When content is requested from CDNs, the user is
directed to the optimal server to serve this user
There’s 2 common ways to do that:
•  anycast: the content is served from the location the
request is received (easy to build, requires symmetric
routing to work well)
•  DNS based: the CDN decides where to best serve
the content from based on the resolver it receives the
request from, and replies with the optimal server
How CDNs Work
©2012 AKAMAI | FASTER FORWARDTM
Users querying a DNS-based CDNs will be returned
different A (and AAAA) records for the same hostname
depending on the resolver the request comes from
This is called “mapping”
The better the mapping, the better the CDN
How DNS based CDNs Work
©2012 AKAMAI | FASTER FORWARDTM
Example of Akamai mapping
• Notice the different A records for different locations:
[NYC]% host www.symantec.com
www.symantec.com CNAME e5211.b.akamaiedge.net.
e5211.b.akamaiedge.net. A 207.40.194.46
e5211.b.akamaiedge.net. A 207.40.194.49
[Boston]% host www.symantec.com
www.symantec.com CNAME e5211.b.akamaiedge.net.
e5211.b.akamaiedge.net. A 81.23.243.152
e5211.b.akamaiedge.net. A 81.23.243.145
How Akamai’s CDN works
©2012 AKAMAI | FASTER FORWARDTM
Akamai uses multiple criteria to choose the optimal
server
• These include standard network metrics:
• Latency
• Throughput
• Packet loss
• as well as internal ones such as:
• CPU load on the server
• HD space
• network utilization
How Akamai’s CDN works
©2012 AKAMAI | FASTER FORWARDTM
Mapping (simplified)
1)  end-user requests www.example.com from ISP NS
2)  ISP NS recursively (multiple iterations) looks up www.example.com being referred to
authoritative Akamai NS (by cname)
3)  ISP NS asks authoritative Akamai NS
4)  Akamai NS looks up IP of requestor (ISP NS) and replies with IP of optimal cluster
to serve content (local cluster in that ISP)
5)  ISP NS replies to end-user who
6)  requests content from local Cluster
end-user
ISP NS
1.2.3.4
root/tld/intermediate NS
(recursive lookup until
reaching authoritative NS)
Akamai NS
Local Akamai Cluster at ISP 5.6.7.8
example.com?
a212.g.akamai.net
1
3
6
2
NS 1.2.3.4?
best cluster =
5.6.7.8
4
5
©2012 AKAMAI | FASTER FORWARDTM
All of this works very well if the end-user used their
provider’s DNS servers.
However if the end-user is making use of a 3rd party
DNS service like
•  Google DNS (28 locations worldwide)
https://developers.google.com/speed/public-dns/faq#locations
•  OpenDNS (20 locations worldwide)
http://www.opendns.com/network-map/
a DNS-based CDN does not know which network the
request originated from, and can therefore in the best
case serve it in the rough geographic area
The Problem: 3rd Party DNS servers
©2012 AKAMAI | FASTER FORWARDTM
How 3rd party (open) resolvers typically work
global ‘frontend’ anycast address, local unique ‘backend’ address for
recursive queries
•  CDN can tell which NS location it came from (by backend-ip)
•  but not which end-user location or network
-> have to serve from a large infrastructure cluster (typically located at
the big IXs) to ensure we can reach any end-user
end-user
Akamai NS
NS 74.125.190.1?
best cluster =
?
Google DNS
Frontend 8.8.8.8
Backend 74.125.190.1
request to 8.8.8.8 request from 74.125.190.1
©2012 AKAMAI | FASTER FORWARDTM
relatively small numbers in most countries with a mature
internet ecosystem:
USA, Germany, Netherlands, Singapore: less than 1%
but very high percentage of users in developing
countries and/or countries performing some form of
DNS-based web-filtering:
Turkey: 22%, Indonesia: 22%, Bangladesh: 25%
Malaysia: 11%
Use of 3rd party DNS servers
©2012 AKAMAI | FASTER FORWARDTM
ISP	
  DNS	
   Google	
   OpenDNS	
   Others	
  
ISP	
  A	
   84.5%	
   11.0%	
   1.7%	
   2.9%	
  
ISP	
  B	
   87.9%	
   6.7%	
   0.8%	
   4.6%	
  
ISP	
  C	
   88.0%	
   6.4%	
   0.7%	
   4.9%	
  
ISP	
  D	
   88.4%	
   7.6%	
   0.5%	
   3.5%	
  
ISP	
  E	
   88.4%	
   5.5%	
   0.3%	
   5.9%	
  
ISP	
  F	
   89.5%	
   3.8%	
   0.1%	
   6.6%	
  
Use of 3rd party DNS servers in Malaysia
©2012 AKAMAI | FASTER FORWARDTM
Use end-user IP instead of NS IP for mapping
Problem: at the time of authoritative DNS answer end-
user IP is not known yet
•  HTTP redirect
•  Map based on DNS
•  Measure RTT of initial request from end-user received (and
therefore IP known), if over threshold:
•  Redirect to better positioned server to reach end-user IP
Problem: slow, not suitable for small objects
End User Mapping
©2012 AKAMAI | FASTER FORWARDTM
EDNS0 client-subnet
https://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02
The recursive resolver includes the end-user’s prefix in
the request to the authoritative nameserver
This allows the authoritative nameserver (the CDN) to
process this information and optimize the reply not
based on the requesting nameserver but the end-user’s
prefix
The Solution: EDNS0 client-subnet
©2012 AKAMAI | FASTER FORWARDTM
•  Open standard (draft)
•  Has to be supported by recursive resolver (3rd Party
DNS)
•  and by Authoritative NS (CDN)
•  Privacy: only prefix, not full address transmitted
The Solution: EDNS0 client-subnet
©2012 AKAMAI | FASTER FORWARDTM
Op0on-­‐Code	
  =	
  8	
  
Op0on-­‐Length	
  (in	
  bytes)	
  
Family	
  (1=v4,	
  2=v6)	
  
Source-­‐Netmask	
   Scope-­‐Netmask	
  
Address	
  
request: e.g. 24
0 for privacy
to be echoed
in reply
request = 0
reply can be <>
request, 0 for
not used
EDNS0 client-subnet implementation
©2012 AKAMAI | FASTER FORWARDTM
Mapping (EDNS0)
1)  end-user requests www.example.com from Google NS
2)  Google NS recursively looks up www.example.com being referred to authoritative
Akamai NS (by cname)
3)  Google NS asks Akamai NS including client-subnet
4)  Akamai NS looks up client-subnet and replies with IP of optimal cluster to serve
content (local cluster in that ISP)
5)  ISP NS replies to end-user who
6)  requests content from local Cluster
end-user
Google NS
8.8.8.8
root/tld/intermediate NS
(recursive lookup until
reaching authoritative NS)
Akamai NS
Local Akamai Cluster at ISP 5.6.7.8
example.com?
a212.g.akamai.net
1
3
6
2
NS 8.8.8.8 (whitelisted for edns0)
client subnet=1.1.1.0/24
best cluster =
5.6.7.8
4
5
©2012 AKAMAI | FASTER FORWARDTM
Only prefix, not full IP transmitted
CDN already gets your full IP anyways (in the
subsequent HTTP request)
Set source-netmask/address to 0.0.0.0/0
•  Google DNS honors forwards request with 0.0.0.0/0
•  OpenDNS ignores at time of writing
Do not use client-subnet capable resolver if intention is
to hide client origin
Privacy concerns
©2012 AKAMAI | FASTER FORWARDTM
Scanning/walking the mapping algorithm
•  double whitelist (at recursive resolver & auth NS)
•  enforced replacement of client-tagged edns0 option
by Google & OpenDNS before being send to Akamai
Amplification
•  double whitelist
•  echoing request in reply
•  standard rate limiting methods work
Cache pollution of recursive resolver can be a problem
•  separate reply stored for each prefix
Security concerns
©2012 AKAMAI | FASTER FORWARDTM
Google/OpenDNS currently always send client-subnet
as /24 (for privacy/caching-efficiency reasons)
Mapping system has view of internet from it’s partners
with differing prefix-lenghts
•  client-subnet more specific than Akamai
•  e.g. Akamai has /20 from partner-> can be mapped
•  scope-netmask send to resolver for caching purposes
•  client-subnet less specific than Akamai
•  e.g. Akamai has /26s from partner in different locations -> no
clear choice to map -> will take first match
•  also send scope-netmask to resolver for information
Prefix-Length
©2012 AKAMAI | FASTER FORWARDTM
2"Jan& 9"Jan& 16"Jan& 23"Jan& 30"Jan& 6"Feb& 13"Feb& 20"Feb& 27"Feb&
average&distance&
Open&DNS&India&
Improvements with edns0 client-subnet
©2012 AKAMAI | FASTER FORWARDTM
can be used within a partner’s network instead of
distributed DNS architecture
A partner might have a widespread network (especially
in countries spanning large geographical areas and/or
different islands like Malaysia)
•  Would like to deploy clusters around the network to
localize traffic
•  But central DNS infrastructure makes mapping traffic
accurately difficult
Additional Use-Case
©2012 AKAMAI | FASTER FORWARDTM
Kota Kinabalu
Kuala Lumpur (NS)
Johor
Penang
Kuching
Akamai Cluster
Nameserver
Example for distributed architecture
©2012 AKAMAI | FASTER FORWARDTM
Deploy additional NS in all locations
•  Benefit: better DNS responses, can use anycast frontend IP to
simplify administration/failover (announcing same frontend IP
to all end-users)
•  Drawback: additional CAPEX & support-costs
Virtual IPs on existing NS given to different geographic
sets of end-users
•  Benefit: no additional CAPEX, easy to implement
•  Drawback: more difficult to administer, will require manual
allocation of IPs to clusters on CDN side, no clear fallback
EDNS0 client-subnet within the providers network
•  Benefit: no additional CAPEX, only software change on the NS,
can dynamically adapt by changing announcements, can scale
for very small clusters in remote places
•  Drawback: needs compatible NS software
Solutions
©2012 AKAMAI | FASTER FORWARDTM
Matt Jansen mj@akamai.com
Questions?

Mais conteúdo relacionado

Mais procurados

Hping ile IP/ICMP ve UDP Paketleri Oluşturma
Hping ile IP/ICMP ve UDP Paketleri OluşturmaHping ile IP/ICMP ve UDP Paketleri Oluşturma
Hping ile IP/ICMP ve UDP Paketleri OluşturmaBGA Cyber Security
 
Disaster Recovery Options Running Apache Kafka in Kubernetes with Rema Subra...
 Disaster Recovery Options Running Apache Kafka in Kubernetes with Rema Subra... Disaster Recovery Options Running Apache Kafka in Kubernetes with Rema Subra...
Disaster Recovery Options Running Apache Kafka in Kubernetes with Rema Subra...HostedbyConfluent
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATThomas Graf
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming TechniquesAPNIC
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX, Inc.
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service ProvidersBAKOTECH
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Netgate
 
Creating_scheduled_reports_with_Zabbix.pdf
Creating_scheduled_reports_with_Zabbix.pdfCreating_scheduled_reports_with_Zabbix.pdf
Creating_scheduled_reports_with_Zabbix.pdfITDispendik
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overviewBelsoft
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and TuningNGINX, Inc.
 
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?BGA Cyber Security
 
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series Amazon Web Services Korea
 
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Netgate
 
Optimizing Network Performance for Amazon EC2 Instances (CMP308-R1) - AWS re:...
Optimizing Network Performance for Amazon EC2 Instances (CMP308-R1) - AWS re:...Optimizing Network Performance for Amazon EC2 Instances (CMP308-R1) - AWS re:...
Optimizing Network Performance for Amazon EC2 Instances (CMP308-R1) - AWS re:...Amazon Web Services
 

Mais procurados (20)

Hping ile IP/ICMP ve UDP Paketleri Oluşturma
Hping ile IP/ICMP ve UDP Paketleri OluşturmaHping ile IP/ICMP ve UDP Paketleri Oluşturma
Hping ile IP/ICMP ve UDP Paketleri Oluşturma
 
Disaster Recovery Options Running Apache Kafka in Kubernetes with Rema Subra...
 Disaster Recovery Options Running Apache Kafka in Kubernetes with Rema Subra... Disaster Recovery Options Running Apache Kafka in Kubernetes with Rema Subra...
Disaster Recovery Options Running Apache Kafka in Kubernetes with Rema Subra...
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
 
BGP Multihoming Techniques
BGP Multihoming TechniquesBGP Multihoming Techniques
BGP Multihoming Techniques
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA Broadcast
 
HTTP/3 for everyone
HTTP/3 for everyoneHTTP/3 for everyone
HTTP/3 for everyone
 
F5 Solutions for Service Providers
F5 Solutions for Service ProvidersF5 Solutions for Service Providers
F5 Solutions for Service Providers
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
 
Creating_scheduled_reports_with_Zabbix.pdf
Creating_scheduled_reports_with_Zabbix.pdfCreating_scheduled_reports_with_Zabbix.pdf
Creating_scheduled_reports_with_Zabbix.pdf
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
 
NGINX Installation and Tuning
NGINX Installation and TuningNGINX Installation and Tuning
NGINX Installation and Tuning
 
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
Çalıştay | DDoS Saldırıları Nasıl Gerçekleştirilir?
 
Netflix Data Pipeline With Kafka
Netflix Data Pipeline With KafkaNetflix Data Pipeline With Kafka
Netflix Data Pipeline With Kafka
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
 
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
 
Sizma testi bilgi toplama
Sizma testi bilgi toplamaSizma testi bilgi toplama
Sizma testi bilgi toplama
 
Optimizing Network Performance for Amazon EC2 Instances (CMP308-R1) - AWS re:...
Optimizing Network Performance for Amazon EC2 Instances (CMP308-R1) - AWS re:...Optimizing Network Performance for Amazon EC2 Instances (CMP308-R1) - AWS re:...
Optimizing Network Performance for Amazon EC2 Instances (CMP308-R1) - AWS re:...
 

Semelhante a EDNS0 Client-Subnet for DNS based CDNs by Matt Jansen

Traffic Engineering for CDNs
Traffic Engineering for CDNsTraffic Engineering for CDNs
Traffic Engineering for CDNsMyNOG
 
Content Growth by Kams Yueng
Content Growth by Kams YuengContent Growth by Kams Yueng
Content Growth by Kams YuengMyNOG
 
Akamai company profile
Akamai company profileAkamai company profile
Akamai company profilerahulp9999
 
Traffic Engineering for CDNs by Matt Jansen [APRICOT 2015]
Traffic Engineering for CDNs by Matt Jansen [APRICOT 2015]Traffic Engineering for CDNs by Matt Jansen [APRICOT 2015]
Traffic Engineering for CDNs by Matt Jansen [APRICOT 2015]APNIC
 
BGP and Traffic Engineering with Akamai
BGP and Traffic Engineering with AkamaiBGP and Traffic Engineering with Akamai
BGP and Traffic Engineering with AkamaiInternet Society
 
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight PROIDEA
 
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight PROIDEA
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023MyNOG
 
India Internet Access Problems Whitepaper_Ver 2.2
India Internet Access Problems Whitepaper_Ver 2.2India Internet Access Problems Whitepaper_Ver 2.2
India Internet Access Problems Whitepaper_Ver 2.2Arin Burman
 
AWS Best Practices Version 2
AWS Best Practices Version 2AWS Best Practices Version 2
AWS Best Practices Version 2Kenichi Shibata
 
Scalable Web Applications in AWS, 2014
Scalable Web Applications in AWS, 2014Scalable Web Applications in AWS, 2014
Scalable Web Applications in AWS, 2014Vadim Zendejas
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
Scalable Web Applications Session at Codebase
Scalable Web Applications Session at CodebaseScalable Web Applications Session at Codebase
Scalable Web Applications Session at CodebaseIan Massingham
 
Денис Баталов, Принципы построения высоконагруженных сайтов на платформе АWS
Денис Баталов, Принципы построения высоконагруженных сайтов на платформе АWSДенис Баталов, Принципы построения высоконагруженных сайтов на платформе АWS
Денис Баталов, Принципы построения высоконагруженных сайтов на платформе АWSTanya Denisyuk
 
AWS Webinar 201: Designing scalable, available & resilient cloud applications
AWS Webinar 201: Designing scalable, available & resilient cloud applicationsAWS Webinar 201: Designing scalable, available & resilient cloud applications
AWS Webinar 201: Designing scalable, available & resilient cloud applicationsAmazon Web Services
 
GTM vs AWS Route 53 with Cisco umbrella
GTM vs AWS Route 53 with Cisco umbrellaGTM vs AWS Route 53 with Cisco umbrella
GTM vs AWS Route 53 with Cisco umbrellaDhruv Sharma
 
Cnvrgd hosted calculate
Cnvrgd hosted calculateCnvrgd hosted calculate
Cnvrgd hosted calculateBhanu Prathap
 

Semelhante a EDNS0 Client-Subnet for DNS based CDNs by Matt Jansen (20)

16 (IDNOG01) EDNS0 / How CDNS works by Matt Jansen
16 (IDNOG01) EDNS0 / How CDNS works by Matt Jansen16 (IDNOG01) EDNS0 / How CDNS works by Matt Jansen
16 (IDNOG01) EDNS0 / How CDNS works by Matt Jansen
 
EDNS0 Client-Subnet for DNS Based CDNs
EDNS0 Client-Subnet for DNS Based CDNs EDNS0 Client-Subnet for DNS Based CDNs
EDNS0 Client-Subnet for DNS Based CDNs
 
Traffic Engineering for CDNs
Traffic Engineering for CDNs Traffic Engineering for CDNs
Traffic Engineering for CDNs
 
Traffic Engineering for CDNs
Traffic Engineering for CDNsTraffic Engineering for CDNs
Traffic Engineering for CDNs
 
Content Growth by Kams Yueng
Content Growth by Kams YuengContent Growth by Kams Yueng
Content Growth by Kams Yueng
 
Akamai company profile
Akamai company profileAkamai company profile
Akamai company profile
 
Traffic Engineering for CDNs by Matt Jansen [APRICOT 2015]
Traffic Engineering for CDNs by Matt Jansen [APRICOT 2015]Traffic Engineering for CDNs by Matt Jansen [APRICOT 2015]
Traffic Engineering for CDNs by Matt Jansen [APRICOT 2015]
 
BGP and Traffic Engineering with Akamai
BGP and Traffic Engineering with AkamaiBGP and Traffic Engineering with Akamai
BGP and Traffic Engineering with Akamai
 
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
 
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
PLNOG 6: Christian Kaufmann - How Akamai delivers your packets - the insight
 
Embedded CDNs in 2023
Embedded CDNs in 2023Embedded CDNs in 2023
Embedded CDNs in 2023
 
India Internet Access Problems Whitepaper_Ver 2.2
India Internet Access Problems Whitepaper_Ver 2.2India Internet Access Problems Whitepaper_Ver 2.2
India Internet Access Problems Whitepaper_Ver 2.2
 
AWS Best Practices Version 2
AWS Best Practices Version 2AWS Best Practices Version 2
AWS Best Practices Version 2
 
Scalable Web Applications in AWS, 2014
Scalable Web Applications in AWS, 2014Scalable Web Applications in AWS, 2014
Scalable Web Applications in AWS, 2014
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
Scalable Web Applications Session at Codebase
Scalable Web Applications Session at CodebaseScalable Web Applications Session at Codebase
Scalable Web Applications Session at Codebase
 
Денис Баталов, Принципы построения высоконагруженных сайтов на платформе АWS
Денис Баталов, Принципы построения высоконагруженных сайтов на платформе АWSДенис Баталов, Принципы построения высоконагруженных сайтов на платформе АWS
Денис Баталов, Принципы построения высоконагруженных сайтов на платформе АWS
 
AWS Webinar 201: Designing scalable, available & resilient cloud applications
AWS Webinar 201: Designing scalable, available & resilient cloud applicationsAWS Webinar 201: Designing scalable, available & resilient cloud applications
AWS Webinar 201: Designing scalable, available & resilient cloud applications
 
GTM vs AWS Route 53 with Cisco umbrella
GTM vs AWS Route 53 with Cisco umbrellaGTM vs AWS Route 53 with Cisco umbrella
GTM vs AWS Route 53 with Cisco umbrella
 
Cnvrgd hosted calculate
Cnvrgd hosted calculateCnvrgd hosted calculate
Cnvrgd hosted calculate
 

Mais de MyNOG

Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10MyNOG
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksMyNOG
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersMyNOG
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureMyNOG
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network ControllerMyNOG
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformMyNOG
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalidsMyNOG
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXMyNOG
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in KubernetesMyNOG
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKIMyNOG
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmMyNOG
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEMyNOG
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...MyNOG
 
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveFUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveMyNOG
 
Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...MyNOG
 
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...MyNOG
 
MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyNOG
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...MyNOG
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearMyNOG
 
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...MyNOG
 

Mais de MyNOG (20)

Peering Personal MyNOG-10
Peering Personal MyNOG-10Peering Personal MyNOG-10
Peering Personal MyNOG-10
 
Edge virtualisation for Carrier Networks
Edge virtualisation for Carrier NetworksEdge virtualisation for Carrier Networks
Edge virtualisation for Carrier Networks
 
Equinix: New Markets, New Frontiers
Equinix: New Markets, New FrontiersEquinix: New Markets, New Frontiers
Equinix: New Markets, New Frontiers
 
Securing the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native InfrastructureSecuring the Onion: 5G Cloud Native Infrastructure
Securing the Onion: 5G Cloud Native Infrastructure
 
Hierarchical Network Controller
Hierarchical Network ControllerHierarchical Network Controller
Hierarchical Network Controller
 
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud PlatformAether: The First Open Source 5G/LTE Connected Edge Cloud Platform
Aether: The First Open Source 5G/LTE Connected Edge Cloud Platform
 
Cleaning up your RPKI invalids
Cleaning up your RPKI invalidsCleaning up your RPKI invalids
Cleaning up your RPKI invalids
 
Introducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIXIntroducing Peering LAN 2.0 at DE-CIX
Introducing Peering LAN 2.0 at DE-CIX
 
Load balancing and Service in Kubernetes
Load balancing and Service in KubernetesLoad balancing and Service in Kubernetes
Load balancing and Service in Kubernetes
 
Cloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKICloud SDN: BGP Peering and RPKI
Cloud SDN: BGP Peering and RPKI
 
SDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable ParadigmSDM – A New (Subsea) Cable Paradigm
SDM – A New (Subsea) Cable Paradigm
 
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDEAI in Networking: Transforming Network Operations with Juniper Mist AIDE
AI in Networking: Transforming Network Operations with Juniper Mist AIDE
 
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
Malaysia Data Center Landscape, Where is the next hotspot to place your fiber...
 
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity PerspectiveFUTURE-PROOFING DATA CENTRES from Connectivity Perspective
FUTURE-PROOFING DATA CENTRES from Connectivity Perspective
 
Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...Keep Ukraine Connected: A project from the community – for the community by R...
Keep Ukraine Connected: A project from the community – for the community by R...
 
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
Solving Civilization’s Long Term Communication Needs by Dinesh Kummaran, Tran...
 
MyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIXMyIX Updates by Raja Mohan Marappan, MyIX
MyIX Updates by Raja Mohan Marappan, MyIX
 
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
 
Quick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, OpengearQuick wins in the NetOps Journey by Vincent Boon, Opengear
Quick wins in the NetOps Journey by Vincent Boon, Opengear
 
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...
 

Último

LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 

Último (12)

LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 

EDNS0 Client-Subnet for DNS based CDNs by Matt Jansen

  • 1. EDNS0 Client-Subnet for DNS based CDNs Matt Jansen Akamai Technologies MyNOG 4, Kuala Lumpur, August 21st 2014
  • 2. ©2012 AKAMAI | FASTER FORWARDTM The world’s largest on-demand, distributed computing platform delivers all forms of web content and applications The Akamai Intelligent Platform Typical daily traffic: •  More than 2 trillion requests served •  Delivering over 21 Terabits/second •  15-30% of all daily web traffic The Akamai Intelligent Platform: 150,000+ Servers 2,000+ Locations 92 Countries 1,200+ Networks 700+ Cities
  • 3. ©2012 AKAMAI | FASTER FORWARDTM Kota Kinabalu Kuala Lumpur Johor Penang Kuching Infrastructure Cluster Current Presence in Malaysia AANP Cluster (embedded in Network) MyIX MyIX
  • 4. ©2012 AKAMAI | FASTER FORWARDTM When content is requested from CDNs, the user is directed to the optimal server to serve this user There’s 2 common ways to do that: •  anycast: the content is served from the location the request is received (easy to build, requires symmetric routing to work well) •  DNS based: the CDN decides where to best serve the content from based on the resolver it receives the request from, and replies with the optimal server How CDNs Work
  • 5. ©2012 AKAMAI | FASTER FORWARDTM Users querying a DNS-based CDNs will be returned different A (and AAAA) records for the same hostname depending on the resolver the request comes from This is called “mapping” The better the mapping, the better the CDN How DNS based CDNs Work
  • 6. ©2012 AKAMAI | FASTER FORWARDTM Example of Akamai mapping • Notice the different A records for different locations: [NYC]% host www.symantec.com www.symantec.com CNAME e5211.b.akamaiedge.net. e5211.b.akamaiedge.net. A 207.40.194.46 e5211.b.akamaiedge.net. A 207.40.194.49 [Boston]% host www.symantec.com www.symantec.com CNAME e5211.b.akamaiedge.net. e5211.b.akamaiedge.net. A 81.23.243.152 e5211.b.akamaiedge.net. A 81.23.243.145 How Akamai’s CDN works
  • 7. ©2012 AKAMAI | FASTER FORWARDTM Akamai uses multiple criteria to choose the optimal server • These include standard network metrics: • Latency • Throughput • Packet loss • as well as internal ones such as: • CPU load on the server • HD space • network utilization How Akamai’s CDN works
  • 8. ©2012 AKAMAI | FASTER FORWARDTM Mapping (simplified) 1)  end-user requests www.example.com from ISP NS 2)  ISP NS recursively (multiple iterations) looks up www.example.com being referred to authoritative Akamai NS (by cname) 3)  ISP NS asks authoritative Akamai NS 4)  Akamai NS looks up IP of requestor (ISP NS) and replies with IP of optimal cluster to serve content (local cluster in that ISP) 5)  ISP NS replies to end-user who 6)  requests content from local Cluster end-user ISP NS 1.2.3.4 root/tld/intermediate NS (recursive lookup until reaching authoritative NS) Akamai NS Local Akamai Cluster at ISP 5.6.7.8 example.com? a212.g.akamai.net 1 3 6 2 NS 1.2.3.4? best cluster = 5.6.7.8 4 5
  • 9. ©2012 AKAMAI | FASTER FORWARDTM All of this works very well if the end-user used their provider’s DNS servers. However if the end-user is making use of a 3rd party DNS service like •  Google DNS (28 locations worldwide) https://developers.google.com/speed/public-dns/faq#locations •  OpenDNS (20 locations worldwide) http://www.opendns.com/network-map/ a DNS-based CDN does not know which network the request originated from, and can therefore in the best case serve it in the rough geographic area The Problem: 3rd Party DNS servers
  • 10. ©2012 AKAMAI | FASTER FORWARDTM How 3rd party (open) resolvers typically work global ‘frontend’ anycast address, local unique ‘backend’ address for recursive queries •  CDN can tell which NS location it came from (by backend-ip) •  but not which end-user location or network -> have to serve from a large infrastructure cluster (typically located at the big IXs) to ensure we can reach any end-user end-user Akamai NS NS 74.125.190.1? best cluster = ? Google DNS Frontend 8.8.8.8 Backend 74.125.190.1 request to 8.8.8.8 request from 74.125.190.1
  • 11. ©2012 AKAMAI | FASTER FORWARDTM relatively small numbers in most countries with a mature internet ecosystem: USA, Germany, Netherlands, Singapore: less than 1% but very high percentage of users in developing countries and/or countries performing some form of DNS-based web-filtering: Turkey: 22%, Indonesia: 22%, Bangladesh: 25% Malaysia: 11% Use of 3rd party DNS servers
  • 12. ©2012 AKAMAI | FASTER FORWARDTM ISP  DNS   Google   OpenDNS   Others   ISP  A   84.5%   11.0%   1.7%   2.9%   ISP  B   87.9%   6.7%   0.8%   4.6%   ISP  C   88.0%   6.4%   0.7%   4.9%   ISP  D   88.4%   7.6%   0.5%   3.5%   ISP  E   88.4%   5.5%   0.3%   5.9%   ISP  F   89.5%   3.8%   0.1%   6.6%   Use of 3rd party DNS servers in Malaysia
  • 13. ©2012 AKAMAI | FASTER FORWARDTM Use end-user IP instead of NS IP for mapping Problem: at the time of authoritative DNS answer end- user IP is not known yet •  HTTP redirect •  Map based on DNS •  Measure RTT of initial request from end-user received (and therefore IP known), if over threshold: •  Redirect to better positioned server to reach end-user IP Problem: slow, not suitable for small objects End User Mapping
  • 14. ©2012 AKAMAI | FASTER FORWARDTM EDNS0 client-subnet https://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 The recursive resolver includes the end-user’s prefix in the request to the authoritative nameserver This allows the authoritative nameserver (the CDN) to process this information and optimize the reply not based on the requesting nameserver but the end-user’s prefix The Solution: EDNS0 client-subnet
  • 15. ©2012 AKAMAI | FASTER FORWARDTM •  Open standard (draft) •  Has to be supported by recursive resolver (3rd Party DNS) •  and by Authoritative NS (CDN) •  Privacy: only prefix, not full address transmitted The Solution: EDNS0 client-subnet
  • 16. ©2012 AKAMAI | FASTER FORWARDTM Op0on-­‐Code  =  8   Op0on-­‐Length  (in  bytes)   Family  (1=v4,  2=v6)   Source-­‐Netmask   Scope-­‐Netmask   Address   request: e.g. 24 0 for privacy to be echoed in reply request = 0 reply can be <> request, 0 for not used EDNS0 client-subnet implementation
  • 17. ©2012 AKAMAI | FASTER FORWARDTM Mapping (EDNS0) 1)  end-user requests www.example.com from Google NS 2)  Google NS recursively looks up www.example.com being referred to authoritative Akamai NS (by cname) 3)  Google NS asks Akamai NS including client-subnet 4)  Akamai NS looks up client-subnet and replies with IP of optimal cluster to serve content (local cluster in that ISP) 5)  ISP NS replies to end-user who 6)  requests content from local Cluster end-user Google NS 8.8.8.8 root/tld/intermediate NS (recursive lookup until reaching authoritative NS) Akamai NS Local Akamai Cluster at ISP 5.6.7.8 example.com? a212.g.akamai.net 1 3 6 2 NS 8.8.8.8 (whitelisted for edns0) client subnet=1.1.1.0/24 best cluster = 5.6.7.8 4 5
  • 18. ©2012 AKAMAI | FASTER FORWARDTM Only prefix, not full IP transmitted CDN already gets your full IP anyways (in the subsequent HTTP request) Set source-netmask/address to 0.0.0.0/0 •  Google DNS honors forwards request with 0.0.0.0/0 •  OpenDNS ignores at time of writing Do not use client-subnet capable resolver if intention is to hide client origin Privacy concerns
  • 19. ©2012 AKAMAI | FASTER FORWARDTM Scanning/walking the mapping algorithm •  double whitelist (at recursive resolver & auth NS) •  enforced replacement of client-tagged edns0 option by Google & OpenDNS before being send to Akamai Amplification •  double whitelist •  echoing request in reply •  standard rate limiting methods work Cache pollution of recursive resolver can be a problem •  separate reply stored for each prefix Security concerns
  • 20. ©2012 AKAMAI | FASTER FORWARDTM Google/OpenDNS currently always send client-subnet as /24 (for privacy/caching-efficiency reasons) Mapping system has view of internet from it’s partners with differing prefix-lenghts •  client-subnet more specific than Akamai •  e.g. Akamai has /20 from partner-> can be mapped •  scope-netmask send to resolver for caching purposes •  client-subnet less specific than Akamai •  e.g. Akamai has /26s from partner in different locations -> no clear choice to map -> will take first match •  also send scope-netmask to resolver for information Prefix-Length
  • 21. ©2012 AKAMAI | FASTER FORWARDTM 2"Jan& 9"Jan& 16"Jan& 23"Jan& 30"Jan& 6"Feb& 13"Feb& 20"Feb& 27"Feb& average&distance& Open&DNS&India& Improvements with edns0 client-subnet
  • 22. ©2012 AKAMAI | FASTER FORWARDTM can be used within a partner’s network instead of distributed DNS architecture A partner might have a widespread network (especially in countries spanning large geographical areas and/or different islands like Malaysia) •  Would like to deploy clusters around the network to localize traffic •  But central DNS infrastructure makes mapping traffic accurately difficult Additional Use-Case
  • 23. ©2012 AKAMAI | FASTER FORWARDTM Kota Kinabalu Kuala Lumpur (NS) Johor Penang Kuching Akamai Cluster Nameserver Example for distributed architecture
  • 24. ©2012 AKAMAI | FASTER FORWARDTM Deploy additional NS in all locations •  Benefit: better DNS responses, can use anycast frontend IP to simplify administration/failover (announcing same frontend IP to all end-users) •  Drawback: additional CAPEX & support-costs Virtual IPs on existing NS given to different geographic sets of end-users •  Benefit: no additional CAPEX, easy to implement •  Drawback: more difficult to administer, will require manual allocation of IPs to clusters on CDN side, no clear fallback EDNS0 client-subnet within the providers network •  Benefit: no additional CAPEX, only software change on the NS, can dynamically adapt by changing announcements, can scale for very small clusters in remote places •  Drawback: needs compatible NS software Solutions
  • 25. ©2012 AKAMAI | FASTER FORWARDTM Matt Jansen mj@akamai.com Questions?