Page MenuHomePhabricator
Create Task
Maniphest T253666

Anycast: consistent routers->servers routing
Closed, DeclinedPublic
Actions

Description

The scenario we need to prevent is the following:

  1. User establish a TCP session to an anycasted VIP: packets are for example flowing through: user -> transit_A -> cr1 -> server1
  2. A routing change on the Internet happen and the user path becomes: user -> transit_B -> cr2 -> server2

This would cause the TCP session to break as server2 has no knowledge of that client.

The two possible ways for the infra to handle that use case are:

  • A) user -> transit_B -> cr2 -> server1 consistently
  • B) user -> transit_B -> cr2 -> cr1 -> server1

As hashing is done on source/dest L3 headers, the cr1->server1 step is consistent.

About A) I so far can't find any mention of it in Juniper's consistent hashing doc (here and there). Which mean we would need to test it to figure out if it works as we want it. Which is unlikely.
Regardless, Juniper consistent LB only works with single-hop eBGP, while we currently do multi-hop (as the servers peer with the routers loopback). And only on MPCs, so maybe not on MX204s.

As a side note, Juniper's consistent LB means that if the server pool is >2, adding/removing a server will not reshuffle all the sessions, which we don't need to care about right now as we only have 2 servers per sites.

However, it is possible to use BGP MEDs to achieve B). By having all servers tag a higher MED to a prefix when they advertise that prefix to the same router.

Edit: according to https://apps.juniper.net/feature-explorer/feature-info.html?fKey=6434&fn=Consistent%20load%20balancing%20for%20ECMP%20groups consistent-hash is available on MX204s.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+49 -15Anycast: introduce new "deterministic" variable
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 StalledNoneT81605 Offer AuthDNS service over IPv6
 OpenNoneT98006 Anycast AuthDNS
 DeclinedayounsiT253666 Anycast: consistent routers->servers routing

Event Timeline

ayounsi triaged this task as Medium priority.May 26 2020, 5:23 PM
ayounsi created this task.
Restricted Application added a project: SRE. · View Herald TranscriptMay 26 2020, 5:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ayounsi added a subscriber: faidon.May 26 2020, 5:24 PM
BBlack added a comment.May 26 2020, 6:32 PM

Even if we could experimentally verify option A, we probably can't trust it across future firmware differences (between sites, or between two routers in a site). Option B via MEDs sounds like a good path forward for now, though!

Related: we have the issue of ICMP Packet-Too-Big routing: AFAIK Juniper doesn't even try to route a PTB from an intermediate router to the same server as the primary traffic it was referencing. This probably isn't a major issue for the authdns case, because (a) the client recursors should mostly be on server (rather than eyeball) networks with full MTU + (b) the overwhelming majority of all traffic is UDP with small-enough packet sizes to fit any reasonable network. However, it would be nice to be correct for edge cases like recursors in eyeball networks with MTU problems, and future-proof against increasing TCP usage in the future (for cookie init and other blind-injection-avoidance, and also DoTLS and future DNSSEC packet size increases). Cloudflare's generic answer to this problem has been https://github.com/cloudflare/pmtud , but there might be different and/or simpler approaches we want to try as well.

Also:

As a side note, Juniper's consistent LB means that if the server pool is >2, adding/removing a server will not reshuffle all the sessions, which we don't need to care about right now as we only have 2 servers per sites.

In the core sites, we have 3 servers for these (dns1001, dns1002, authdns1001, and similarly in codfw).

gerritbot added a comment.May 26 2020, 7:48 PM

Change 598836 had a related patch set uploaded (by Ayounsi; owner: Ayounsi):
[operations/puppet@production] Anycast: introduce new "deterministic" variable

https://gerrit.wikimedia.org/r/598836

gerritbot added a project: Patch-For-Review.May 26 2020, 7:48 PM
MoritzMuehlenhoff added a subscriber: MoritzMuehlenhoff.May 26 2020, 9:01 PM
Stashbot added a comment.May 27 2020, 7:54 AM

Mentioned in SAL (#wikimedia-operations) [2020-05-27T07:54:51Z] <XioNoX> test new bird conf on dns4001 - T253666

ayounsi mentioned this in T253732: Anycast: consistent ICMP packet too big routing.May 27 2020, 9:03 AM
ayounsi added a comment.May 27 2020, 9:16 AM

Option B via MEDs sounds like a good path forward for now, though!

https://gerrit.wikimedia.org/r/598836 has been tested and is ready to be merged.

Related: we have the issue of ICMP Packet-Too-Big routing

I created a dedicated task for that issue: T253732

In the core sites, we have 3 servers for these (dns1001, dns1002, authdns1001, and similarly in codfw).

Will that be the final/permanent state?
If so, we only made Bird peer with the routers' loopback for ease of configuration.
2 neighbors to set by site, vs. a neighbors list per server (as they are in different vlans).

ayounsi added a parent task: T98006: Anycast AuthDNS.May 27 2020, 9:17 AM
ema moved this task from Backlog to Network on the Traffic board.May 27 2020, 11:43 AM
ayounsi updated the task description. (Show Details)Jul 3 2020, 7:24 AM
ayounsi changed the task status from Open to Stalled.Aug 3 2020, 6:59 AM
ayounsi lowered the priority of this task from Medium to Low.
Aklapper added a project: Infrastructure-Foundations.Jun 21 2021, 9:00 PM
ayounsi removed ayounsi as the assignee of this task.Aug 4 2021, 9:26 AM
BBlack moved this task from Network to Icebox-Temp on the Traffic board.Oct 8 2021, 4:35 PM
BBlack edited projects, added Traffic-Icebox; removed Traffic.Oct 8 2021, 8:05 PM

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that aren't are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

gerritbot added a comment.Jul 5 2022, 8:43 AM

Change 598836 abandoned by Ayounsi:

[operations/puppet@production] Anycast: introduce new "deterministic" variable

Reason:

To be re-done with Bird2 if we still need it later on.

https://gerrit.wikimedia.org/r/598836

Maintenance_bot removed a project: Patch-For-Review.Jul 5 2022, 9:31 AM
cmooney added a subscriber: cmooney.Oct 5 2022, 12:25 PM
ayounsi mentioned this in T324992: cloudlb: create PoC on codfw.Dec 19 2022, 8:59 AM
ayounsi closed this task as Resolved.Aug 9 2023, 1:44 PM
ayounsi claimed this task.

Boldly closing this as Katran will solve some if not all those limitations.

ayounsi changed the task status from Resolved to Declined.Aug 9 2023, 1:44 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL