Unbuckling the "Narrow Waist" of IP: Addressing Agility for Names and Web Services

***This article was originally published on the Cloudflare website; it is translated and shared by InfoQ China with the authorization of the original author, Marwan Fayed.***

IP addressing stifles innovation in network- and web-oriented services operated at scale. For every architectural change, and whenever we start designing a new system, the first set of questions we have to ask is:

- Which block of IP addresses can we use?
- Do we have enough in IPv4? If not, where or how do we get them?
- How do we use IPv6 addresses? Does this affect other uses of IPv6?
- Oh, and what careful planning, checks, time, and people do we need for the migration?

Having to stop and worry about IP addresses costs time, money, and resources. That may sound surprising given how visionary and resilient [the advent of IP](https://datatracker.ietf.org/doc/html/rfc791) was more than 40 years ago. By design, IP addresses should be the last thing any network has to think about. But if the Internet has exposed anything, it is that small or seemingly unimportant weaknesses, often unseen or impossible to see at design time, always show up at a large enough scale.

One thing we do know: "more addresses" should never be the answer. In IPv4, that kind of thinking only feeds scarcity and drives market prices up further. IPv6 is absolutely necessary, but it is only part of the solution. For example, in IPv6, best practice says that the smallest allocation, for personal use alone, is a /56, which is 2⁷² or about 4722000000000000 addresses. I certainly can't reason about numbers that large. Can you?

In this article we explain why IP addressing is a problem for web services, what its root causes are, and then present an innovative solution that we call addressing agility, along with the lessons we learned. The best part may be the new systems and architectures that addressing agility enables. The full details are in our recent ACM SIGCOMM 2021 [paper](https://research.cloudflare.com/publications/Fayed2021/). As a preview, here is a summary of what we learned.

![image.png](https://static001.geekbang.org/infoq/25/25e74b19de5898b4b82355b76994cbb6.jpeg)

It's true! There is no limit to the number of names that can appear on any one address; the address of any name can change with every new query, anywhere; and address changes can be made for any reason, be it service provisioning, policy, performance evaluation, or others we have yet to encounter…

What follows explains why all of this is true, how we get there, and why these lessons matter for HTTP and TLS services of any size. The key insight we build on: in the design of the Internet Protocol (IP), much like the global postal system, **addresses have never, should never, and need never represent names**. We just sometimes treat addresses as though they do. Instead, this work shows that all names should share all of their addresses, any set of their addresses, or even just one address.

## The "narrow waist" is a funnel, and also a bottleneck

Decades of convention have artificially tied IP addresses to names and resources. This is understandable, since the architecture and software that drive the Internet evolved from a setting in which one computer had one name and (most often) one network interface card. It was natural, then, for the Internet to evolve such that an IP address was associated with names and software processes.

For end users and network carriers, who have little need for names and even less for listening processes, these IP bindings have little impact. However, the name and process conventions impose strict limitations on all content hosting, distribution, and content service providers (CSPs). Once assigned to names, interfaces, and sockets, addresses are largely static, and changing them, if it is possible at all, takes effort, planning, and care.

The "narrow waist" of IP made the Internet possible, but, much as TCP is for transport protocols and HTTP is for application protocols, IP has become a bottleneck to innovation. The figure below depicts this idea: otherwise separate communication bindings (with names) and connection bindings (with interfaces and sockets) create a transitive relationship between them.

![image.png](https://static001.geekbang.org/infoq/90/90c2345e22bfce25a9f3bd494ebfcfcb.jpeg)

The transitive lock is hard to break, because a change on either side affects the other. In addition, service providers often use IP addresses to represent policies and service levels that themselves exist independently of names. Ultimately, IP bindings are one more thing to think about, and for no good reason.

Let's put it another way. When thinking about a new design, a new architecture, or simply a better allocation of resources, the first questions should never be "Which IP addresses do we use?" or "Do we have IP addresses for this?" Questions like these, and their answers, slow down development and innovation.

We realized that IP bindings are not only artificial but, according to the original visionary RFCs and standards, also incorrect. In fact, the notion of an IP address representing anything beyond reachability runs counter to its original design. In the original [RFC](https://datatracker.ietf.org/doc/html/rfc791#section-2.3) and related drafts, the architects are explicit: "A distinction is made between names, addresses, and routes. A name indicates what we seek. An address indicates where it is. A route indicates how to get there." **Any association of IP with information in higher-layer protocols, such as SNI or the HTTP Host, is a clear violation of the layering principle.**

Of course, none of our work stands in isolation. It does, however, complete a long-running evolution toward decoupling IP addresses from their conventional uses, an evolution that consists of [standing on](https://blog.cloudflare.com/cloudflare-research-two-years-in/) the shoulders of giants.

## The evolving past

Looking back over the last 20 years, it is easy to see that the pursuit of addressing agility has been under way for some time, and Cloudflare's investment in this area has been substantial.

The decades-old one-to-one binding between IP addresses and network card interfaces was broken a few years ago, when Google's [Maglev](https://research.google/pubs/pub44824/) combined Equal Cost MultiPath (ECMP) and consistent hashing to spread traffic from one "virtual" IP address across many servers. As an aside, according to the original Internet Protocol RFCs, this use of IP is proscribed, and there is nothing virtual about it.

Since then, many similar systems have appeared at GitHub, Facebook, and elsewhere, including our own [Unimog](https://blog.cloudflare.com/unimog-cloudflares-edge-load-balancer/). More recently, Cloudflare designed a programmable socket architecture called [bpf_sk_lookup](https://blog.cloudflare.com/its-crowded-in-here/), which decouples IP addresses from sockets and processes.

**But what about those names?** The value of "virtual hosting" was cemented in 1997, when HTTP 1.1 defined the Host field as mandatory. This was the first official acknowledgement that multiple names can coexist on a single IP address, and it necessarily had to be reproduced by TLS in the Server Name Indication field. These are absolute requirements, because the number of possible names is greater than the number of IP addresses.

## …foreshadows an agile future

Looking ahead, Shakespeare wisely asked, "What's in a name?" If the Internet could speak, it might say, "That name which we label by any other address would be just as reachable."

If Shakespeare instead asked, "What's in an address?", the Internet would similarly answer, "That address which we label by any other name would be just as reachable."

A powerful implication follows from the truth of those answers: the mapping between names and addresses is any-to-any. If that is true, then any address can be used to reach a name, as long as the name is reachable at that address.

In fact, a version of many addresses for one name has been available since 1995, with the adoption of [DNS-based load balancing](https://datatracker.ietf.org/doc/html/rfc1794). So why not all addresses for all names, or any addresses at any given time for all names? Or, as we will soon discover, one address for all names! But first, let's talk about how addressing agility is achieved.

> Translator's note: Shakespeare's *Romeo and Juliet* contains the famous line: "What's in a name? That which we call a rose / By any other name would smell as sweet."

## Achieving addressing agility: ignore names, map policies

The key to addressing agility is authoritative DNS, but not in the static name-to-IP mappings stored in some form of record or lookup table. Consider that, from the perspective of any client, the binding only appears "on query". For all practical uses of the mapping, the response to the query is the last possible moment in the lifetime of a request at which a name can be bound to an address.

This leads to the observation that name mappings do not really happen in a record or zone file, but at the moment the response is returned. The distinction is subtle but important. Today's DNS systems use a name to look up a set of addresses, and then sometimes use some policy to decide which specific address to return. The idea is shown in the figure below. When a query arrives, a lookup reveals the addresses associated with the name and then returns one or more of them. Often, additional policy or logic filters are used to narrow the address selection, such as service level or geo-regional coverage. The key point is that addresses are first identified by name, and policies are only applied afterwards.

![image.png](https://static001.geekbang.org/infoq/54/54f649df566191dc7b9a6d78918146e2.jpeg)

> (a) Conventional authoritative DNS

![image.png](https://static001.geekbang.org/infoq/5d/5dc1c61cb72637ca2168a7f1ac54833e.jpeg)

> (b) Addressing agility

Addressing agility is achieved by inverting this relationship. Instead of IP addresses pre-assigned to a name, our architecture begins with a policy that may (or, in our case, does not) include a name. For example, a policy can be represented by attributes such as location and account type while ignoring the name (which is what we did in our deployment). The attributes identify a pool of addresses associated with that policy. The pool itself may be dedicated to that policy, or may have elements shared with other pools and policies. Moreover, all addresses in a pool are equivalent. This means any of the addresses can be returned, even selected at random, without inspecting the DNS query name.

Now pause for a moment, because two truly notable implications fall out of every query response:

1. IP addresses can be computed and assigned at runtime, or query time.
2. The lifetime of the IP-to-name mapping is the larger of the ensuing connection lifetime and the TTL in downstream caches.

The outcome is powerful, and it means that **the binding itself is ephemeral and can be changed without regard to previous bindings, resolvers, clients, or purpose**. Scale is also no issue, and we know because we deployed it at the edge.

## IPv6, the emperor's new clothes

Before discussing the deployment, let's address the elephant in the room: IPv6. The first thing to make clear is that everything discussed in this article in the context of IPv4 applies equally to IPv6. As with the global postal system, an address is an address, whether in Canada, Cambodia, Cameroon, Chile, or China, and that includes its relatively static, inflexible nature.

Despite the equivalence, the obvious question remains: would simply switching to IPv6 satisfy all the reasons for pursuing addressing agility? Counter-intuitive as it may be, the answer is a definite, absolute no! IPv6 may mitigate address exhaustion, at least for the lifetimes of everyone alive today, but the very abundance of IPv6 prefixes and addresses makes it hard to reason about their bindings to names and resources.

The abundance of IPv6 addresses also risks inefficiency, because operators can take advantage of the bit length and large prefix sizes to embed meaning into the IP address. This is a powerful feature of IPv6, but it also means that many addresses in any prefix will go unused.

To be clear, Cloudflare is demonstrably one of the biggest advocates of IPv6, and for good reasons, not least that the abundance of addresses ensures longevity. Even so, IPv6 does not change the way addresses are bound to names and resources, whereas addressing agility ensures flexibility and responsiveness throughout their lifetime.

## A side note: agility is for everyone

One last comment on the architecture and its transferability: **addressing agility is usable, even desirable, for any service that operates authoritative DNS**. Other content-oriented service providers are obvious candidates, but so are smaller operators. Universities, enterprises, and governments are just a few examples of organizations that can operate their own authoritative services. As long as the operator can accept connections on the IP addresses that are returned, all of them are potential beneficiaries of addressing agility.

## Policy-based randomized addresses, at scale

Since June 2020 we have been working with addressing agility at the edge, on production traffic, as follows:

- More than 20 million hostnames and services;
- All data centers in Canada (a reasonable population, and multiple time zones);
- A /20 of IPv4 (4096 addresses) and a /44 of IPv6;
- From January 2021 to June 2021, a /24 of IPv4 (256 addresses);
- For every query, a random host portion is generated within the prefix.

After all, the true test of agility is at its most extreme when a random address is generated for every query that hits a server. We then decided to really put the idea to the test: in June 2021, in our Montreal data center and soon afterwards in Toronto, all 20+ million zones were mapped to a single address.

Over the course of a year, every query for a domain captured by the policy received an address selected at random: from a set of as few as 4096 addresses, then 256, and then one. Internally, we refer to the address set of one as Ao1, and we will return to it later.

## The measure of success: "nothing to see here"

Our readers may be quietly asking themselves a few questions:

- What did this "break" on the Internet?
- What effect did it have on Cloudflare's systems?
- What would I see happening, if I could?

The short answer to each of these questions is nothing. One point is very important, though: address randomization does expose weaknesses in the design of systems that rely on the Internet. Those weaknesses always arise because designers ascribe meaning to IP addresses beyond reachability. (And, if only incidentally, every one of those weaknesses is circumvented by using one address, or "Ao1".)

To better understand the nature of "nothing", let's answer the questions above starting from the bottom of the list.

## What would I see happening, if I could?

The example in the figure below illustrates the answer. From all data centers in the "rest of the world" outside our deployment, a query for a zone returns the same addresses (such is Cloudflare's global anycast system). In contrast, every query that lands in a deployment data center receives a random address. This can be seen in the successive dig commands to two different data centers below.

![image.png](https://static001.geekbang.org/infoq/18/18e9dbd4b959ef7cbea92c5ad3d2581f.jpeg)

For those wondering about the subsequent request traffic: yes, this means servers are configured to accept connection requests for any of the 20+ million domains on all addresses in the address pool.

## OK, but surely Cloudflare's surrounding systems needed modification?

No. This is a direct, transparent change to the authoritative DNS data pipeline. The routing prefixes in BGP, DDoS protection, the load balancers, the distributed cache: none of them needed to change.

There is, however, a fascinating side effect: randomization is to IP addresses what a good hash function is to a hash table, in that it maps an arbitrarily sized input evenly onto a fixed number of outputs. The effect can be seen by looking at measurements of load per IP before and after randomization, as in the figures below, with data taken from a 1% sample of requests at one data center over seven days.

![image.png](https://static001.geekbang.org/infoq/82/822700e10a1c248a9b674fa78673cacc.jpeg)

> Before addressing agility

![image.png](https://static001.geekbang.org/infoq/33/33393a1ae80d772c7077311f48329d98.jpeg)

> /20 randomization

![image.png](https://static001.geekbang.org/infoq/34/340e89ef10a4ba7000e5e832f52ddd76.jpeg)

> /24 randomization

Before randomization, for only a small portion of Cloudflare's IP space, (a) the difference between the greatest and least requests per IP (y1-axis on the left) is 3 orders of magnitude; similarly, bytes per IP (y2-axis on the right) differ by almost 6 orders of magnitude. After randomization, (b) for all domains on a single /20 that previously occupied multiple /20s, these reduce to 2 and 3 orders of magnitude, respectively. Going one step further down to a /24 in (c), randomizing 20+ million zones over 256 addresses reduces the differences in load to small constant factors.

This matters to any content service provider that might think about provisioning resources by IP address. Predicting the load generated by users a priori is hard. The graphs above are evidence that the best way forward is to give all of the addresses to all of the names.

## Surely this "breaks" something on the wider Internet?

Here, too, the answer is no! Well, perhaps more precisely: "No, randomization breaks nothing… but it can expose weaknesses in systems and their designs."

Any system that might be affected by address randomization appears to share a prerequisite: it ascribes meaning to an IP address beyond reachability. Addressing agility preserves, and even restores, the semantics of IP addresses and of the Internet's core architecture, but it will break software systems that make assumptions about what addresses mean.

Let's first look at a few examples and why they don't matter, and then follow with a small change to addressing agility that bypasses the weaknesses (by using one single IP address):

- **HTTP connection coalescing** allows a client to reuse an existing connection to request resources from different origins. Clients such as Firefox, which permit coalescing when the URI authority matches the connection, are unaffected. However, clients that require the URI host to resolve to the same IP address as the given connection will fail.
- **Services not based on TLS or HTTP** may be affected. One example is ssh, which maintains a hostname-to-IP mapping in its known_hosts. This association, while understandable, is outdated and already broken, given that many DNS records today return more than one IP address.
- **Non-SNI TLS** certificates require a dedicated IP address. Providers are forced to charge a premium because each address can support only one certificate without SNI. The bigger issue, independent of IP, is the use of TLS without SNI. We have started efforts to understand non-SNI use, in the hope of ending this unfortunate legacy.

DDoS protections that rely on destination IPs may also be hindered, initially. We would argue that addressing agility is beneficial, for two reasons. First, IP randomization distributes the attack load across all addresses in use, effectively acting as a layer-3 load balancer. Second, DoS mitigations often work by changing IP addresses, an ability that is inherent in addressing agility.

## All for one, and one for all

We started with 20+ million zones bound to tens of thousands of addresses, and served them successfully from 4096 addresses in a /20 and then from 256 addresses in a /24. This trend naturally raises the following question:

> If randomization works over n addresses, then why not randomize over 1 address?

Why not, indeed? Recall the comment above about IP randomization being equivalent to a perfect hash function in a hash table. A property of well-designed hash-based structures is that they preserve their properties for any size of the structure, even a size of 1. This reduction would be a true test of the foundations on which addressing agility is built.

So, test we did. From a /20 address set, to a /24, and then, from June 2021, to an address set of one /32, and equivalently a /128 (Ao1). It doesn't just work. It really works. Ao1 resolves the concerns that might be exposed by randomization. For example, non-TLS or non-HTTP services have a reliable IP address (or at least a non-random one, as long as the policy for the name has not changed). Also, HTTP connection coalescing falls out as if for free, and yes, we see increased levels of coalescing where Ao1 is being used.

## But why, in IPv6, where there are so many addresses?

One argument against binding to a single IPv6 address is that there is no need, because address exhaustion is unlikely. We consider this a pre-CIDR position that is, at best, benign and, at worst, irresponsible. As noted above, the number of IPv6 addresses makes reasoning about them very hard. Instead of asking why use a single IPv6 address, we should ask, "Why not?"

## Are there upstream implications? Yes, and opportunities!

Ao1 reveals an entirely different set of implications from IP randomization, and arguably gives us a window into the future of Internet routing and reachability by amplifying the effects that seemingly small actions can have.

Why? The number of possible variable-length names in the universe will always exceed the number of fixed-length addresses. This means that, **by the [pigeonhole principle](https://en.wikipedia.org/wiki/Pigeonhole_principle), single IP addresses must be shared by multiple names**, carrying different content from unrelated parties.

The possible upstream effects amplified by Ao1 are worth raising and are described below. So far, though, we have seen none of them in our evaluations, nor have they come up in communications with upstream networks.

- **Upstream routing errors are immediate and total.** If all traffic arrives on a single address (or prefix), then upstream routing errors affect all content equally. (This is the reason Cloudflare returns two addresses in non-contiguous address ranges.) Note, however, that the same is true of threat blocking.
- **Upstream DoS protections could be triggered.** It is conceivable that the concentration of requests and traffic on a single address could be perceived upstream as a DoS attack and trigger upstream protections that may exist.

In both cases, the effects are mitigated by addressing agility's ability to change addresses en masse, quickly. Prevention is also possible, but requires open communication and discourse.

One last upstream effect remains:

- **Port exhaustion in IPv4 NAT might be accelerated, and IPv6 solves it!** From the client side, the number of concurrent connections permitted to one address is bounded by the size of the transport protocol's port field, for example about 65K in TCP.

For example, in TCP on Linux this was an issue until recently. (See this [commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=90c337da1524863838658078ec34241f45d8394d) and SO_BIND_ADDRESS_NO_PORT in the [ip(7) man page](https://www.man7.org/linux/man-pages/man7/ip.7.html).) In UDP the issue remains. In QUIC, connection identifiers can prevent port exhaustion, but they have to be used. So far, though, we have yet to see any evidence that this is an issue.

Even so, and here's the best part, to the best of our knowledge this is the only risk of using one address, and it is immediately resolved by migrating to IPv6. (So, ISPs and network administrators, go forth and deploy IPv6!)

## We're just getting started!

And so we end as we began. With no limit on the number of names on any single IP address, and the ability to change the address per query, for any reason, what could you build?

![image.png](https://static001.geekbang.org/infoq/2d/2d94c00cc725bf986b0a5c06e4737c8e.jpeg)

We are, indeed, just getting started! The flexibility and future-proofing afforded by addressing agility enable us to imagine, design, and build new systems and architectures. We are planning BGP route leak detection and mitigation for anycast systems, measurement platforms, and more.

More technical detail on all of the above can be found in the [paper](https://research.cloudflare.com/publications/Fayed2021/) and in a short [talk](https://youtu.be/zg6944L-B3M?t=2137). Even with these new possibilities, challenges remain. There are many open questions, including, but not limited to, the following:

- What policies can be reasonably expressed or implemented?
- Is there an abstract syntax or grammar with which to express them?
- Can we use formal methods and verification to guard against erroneous or conflicting policies?

**About the author:**

Marwan Fayed, research lead at Cloudflare.

**Original article:**

[https://blog.cloudflare.com/addressing-agility/](https://blog.cloudflare.com/addressing-agility/)
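
The policy-first address selection and the per-IP load-spreading effect described in the article can be sketched as follows. This is an added example, not Cloudflare's code: the policy table, the data center and account labels, the documentation and benchmark prefixes, the CRC32 stand-in for a conventional per-name record, and the Zipf-like query mix are all assumptions constructed for illustration.

```python
import ipaddress
import random
import zlib
from collections import Counter

# Constructed policy table (assumption): attributes -> address pools.
# Query names never appear in it. Prefixes are documentation/benchmark ranges.
POLICY_POOLS = {
    ("yul", "free"): ("198.18.0.0/20", "2001:db8:10::/44"),
    ("yul", "pro"): ("198.51.100.0/24", "2001:db8:20::/44"),
    ("yyz", "free"): ("192.0.2.1/32", "2001:db8:30::1/128"),  # address set of one
}


def pick_address(net, rng):
    """Generate a random host portion inside the prefix; all addresses are equivalent."""
    return net[rng.randrange(net.num_addresses)]


def answer(qname, qtype, location, account_type, rng):
    """Bind a name to an address at query time. qname is deliberately never read."""
    version = {"A": 4, "AAAA": 6}[qtype]
    for cidr in POLICY_POOLS[(location, account_type)]:
        net = ipaddress.ip_network(cidr)
        if net.version == version:
            return pick_address(net, rng)
    raise LookupError(f"no IPv{version} pool for this policy")


def static_bind(qname, net):
    """Conventional contrast: the name alone fixes the address
    (CRC32 stands in for a pre-provisioned per-name record)."""
    return net[zlib.crc32(qname.encode()) % net.num_addresses]


def per_address_load(pool_cidr, names, weights, num_queries, randomized, seed=7):
    """Count queries landing on each address of the pool for a skewed query mix."""
    rng = random.Random(seed)
    net = ipaddress.ip_network(pool_cidr)
    load = Counter({addr: 0 for addr in net})
    for qname in rng.choices(names, weights=weights, k=num_queries):
        addr = pick_address(net, rng) if randomized else static_bind(qname, net)
        load[addr] += 1
    return load


def spread_ratio(load):
    """Busiest address divided by the quietest one (an idle address counts as 1)."""
    counts = list(load.values())
    return max(counts) / max(min(counts), 1)


def demo(num_names=5000, num_queries=100_000):
    """Compare name-bound and per-query random addressing on constructed traffic."""
    names = [f"site{i}.example" for i in range(num_names)]   # constructed names
    weights = [1.0 / (i + 1) for i in range(num_names)]      # Zipf-like popularity
    cases = [
        ("static /24", "198.51.100.0/24", False),
        ("random /24", "198.51.100.0/24", True),
        ("random /32", "192.0.2.1/32", True),
    ]
    return {
        label: spread_ratio(per_address_load(cidr, names, weights, num_queries, rnd))
        for label, cidr, rnd in cases
    }


if __name__ == "__main__":
    rng = random.Random()
    for name in ("a.example", "b.example"):
        print(name, answer(name, "A", "yul", "pro", rng), answer(name, "AAAA", "yul", "pro", rng))
    for label, ratio in demo().items():
        print(f"{label}: busiest/quietest = {ratio:.2f}")
```

`demo()` returns the busiest-to-quietest load ratio for each setup: binding by name leaves the pool heavily skewed, while per-query randomization over the same /24 brings the ratio down to a small constant factor.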