Recently security.debian.org has been having some problems with maxing out its connection due to an X update. This reminded me of a conversation I had at DebConf5 about the feasibility of a Debian anycast instance. This was originally under the guise of ftp.debian.org, but there's no reason it wouldn't work nicely for security.debian.org as well.

The idea is that Debian would obtain a /24 of provider-independent (PI) address space (or something unlikely to get filtered anyway; I think anything smaller wouldn't work) and their own AS. They'd then host instances of ftp.debian.org/security.debian.org around the world with ISPs that would route this AS for them. This would mean that big sponsors able to provide global routes would still be able to do so, but smaller sponsors (like Black Cat) would still be able to help out by announcing the route to their peers.

You'd need the servers involved to all be reliable push mirrors, so that they're as close to being in sync as possible. And I'm not sure how well TCP works over anycast; assuming stable routing I can't see why it'd be a problem (does the Akamai service work this way?). Certainly it seems to be quite common for major DNS servers these days. But it could end up with quite a few decent local mirrors with no work required on the part of the users to take advantage of them. Am I insane?