Comparing the Security Performance of Network-Layer and Application-Layer Anycast
We provide a theoretical analysis of the security performance of two anycast techniques that could be used as a countermeasure against DNS attacks exploiting vulnerabilities in the interdomain routing system. We argue that the performance of the two techniques – network-layer and ideal application-layer anycast – does not differ in practice. We show this by proving that the performance can only differ if a family of special subgraphs, which we characterize, appears in the interdomain network topology. Our result supports our earlier experimental findings. While experimentation will remain a crucial method to accurately evaluate the behavior of complex routing systems in the future, we hope that analysis such as this one can help to understand and design routing protocols with better security, reliability and performance properties.