L. Cittadini, G. Di Battista, M. Rimondini, S. Vissicchio

Slides:

Advertisements

Similar presentations

ABSTRACT Due to the Internets sheer size, complexity, and various routing policies, it is difficult if not impossible to locate the causes of large volumes.

Advertisements

Path Splicing with Network Slicing

Technical Aspects of Peering Session 4. Overview Peering checklist/requirements Peering step by step Peering arrangements and options Exercises.

The Connectivity and Fault-Tolerance of the Internet Topology

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

Does BGP Solve the Shortest Paths Problem? Timothy G. Griffin Joint work with Bruce Shepherd and Gordon Wilfong Bell Laboratories, Lucent Technologies.

Part IV BGP Modeling. 2 BGP Is Not Guaranteed to Converge!  BGP is not guaranteed to converge to a stable routing. Policy inconsistencies can lead to.

Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira Joint work with Yaping Zhu and Jennifer Rexford (Princeton University)

1 Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

SCHOOL OF INFORMATION UNIVERSITY OF MICHIGAN si.umich.edu Searching for Stability in Interdomain Routing Rahul Sami (University of Michigan) Michael Schapira.

Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.

Inferring Autonomous System Relationships in the Internet Lixin Gao.

Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!

Distributed Route Aggregation on the Global Network (DRAGON) João Luís Sobrinho 1 Laurent Vanbever 2, Franck Le 3, Jennifer Rexford 2 1 Instituto Telecomunicações,

STABLE PATH PROBLEM Presented by: Sangeetha A. J. Based on The Stable Path Problem and Interdomain Routing Timothy G. Griffin, Bruce Shepherd, Gordon Wilfong.

BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.

Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.

1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:

1 Policy Disputes in Path-Vector Protocols A Safe Path-Vector Protocol Zacharopoulos Dimitris

CPSC 668Set 3: Leader Election in Rings1 CPSC 668 Distributed Algorithms and Systems Spring 2008 Prof. Jennifer Welch.

Tutorial 5 Safe Routing With BGP Based on: Internet.

Parallel Routing Bruce, Chiu-Wing Sham. Overview Background Routing in parallel computers Routing in hypercube network –Bit-fixing routing algorithm –Randomized.

Internet Networking Spring 2004 Tutorial 5 Safe “Peering Backup” Routing With BGP.

Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.

On the Stability of Rational, Heterogeneous Interdomain Route Selection Hao Wang Yale University Joint work with Haiyong Xie, Y. Richard Yang, Avi Silberschatz,

Interdomain Routing as Social Choice Ronny R. Dakdouk, Semih Salihoglu, Hao Wang, Haiyong Xie, Yang Richard Yang Yale University IBC ’ 06.

Interdomain Routing Establish routes between autonomous systems (ASes). Currently done with the Border Gateway Protocol (BGP). AT&T Qwest Comcast Verizon.

Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)

The Byzantine Generals Strike Again Danny Dolev. Introduction We’ll build on the LSP presentation. Prove a necessary and sufficient condition on the network.

Relating Two Formal Models of Path-Vector Routing March 15, 2005: IEEE INFOCOM, Miami, Florida Aaron D. Jaggard Tulane University Vijay.

ROUTING PROTOCOLS Rizwan Rehman. Static routing  each router manually configured with a list of destinations and the next hop to reach those destinations.

Routing of Outgoing Packets with MP-TCP draft-handley-mptcp-routing-00 Mark Handley Costin Raiciu Marcelo Bagnulo.

Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.

Developing Analytical Framework to Measure Robustness of Peer-to-Peer Networks Niloy Ganguly.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.

1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.

How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.

CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 10 Instructor: Haifeng YU.

Lecture 4: BGP Presentations Lab information H/W update.

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.

© 2002, Cisco Systems, Inc. All rights reserved..

David Wetherall Professor of Computer Science & Engineering Introduction to Computer Networks Hierarchical Routing (§5.2.6)

More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.

Pitch Patarasuk Policy Disputes in Path-Vector Protocol A Safe Path Vector Protocol The Stable Paths Problem and Interdomain routing.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Route Selection Using Policy Controls Using Multihomed BGP Networks.

CSci5221: BGP Policies1 Inter-Domain Routing: BGP, Routing Policies, etc. BGP Path Selection and Policy Routing Stable Path Problem and Policy Conflicts.

15-849: Hot Topics in Networking Policy and Networks Srinivasan Seshan 1.

Doing Don’ts: Modifying BGP Attributes within an Autonomous System Luca Cittadini, Stefano Vissicchio, Giuseppe Di Battista Università degli Studi RomaTre.

Formal verification of distance vector routing protocols.

Theory of Computational Complexity Probability and Computing Chapter Hikaru Inada Iwama and Ito lab M1.

IP – Subnetting and CIDR

An Analysis of BGP Convergence Properties

COMP 3270 Computer Networks

COS 561: Advanced Computer Networks

Hao Wang Yale University Joint work with

Routing: Distance Vector Algorithm

Inter-Domain Routing: BGP, Routing Policies, etc.

A stability-oriented approach to improving BGP convergence

Instructor: Shengyu Zhang

COS 561: Advanced Computer Networks

Dynamic Routing and OSPF

COS 561: Advanced Computer Networks

COS 561: Advanced Computer Networks

COS 461: Computer Networks

Fixing the Internet: Think Locally, Impact Globally

BGP Instability Jennifer Rexford

Stable and Practical AS Relationship Inference with ProbLink

Minimum Spanning Trees

Presentation transcript:

Wheel + Ring = Reel: the Impact of Route Filtering on the Stability of Policy Routing L. Cittadini, G. Di Battista, M. Rimondini, S. Vissicchio Roma Tre University

Background: Routing Policies What does a routing policy look like? It boils down to route filtering route ranking A simple BGP policy might look like this ip as-path access-list 1 deny _31337_ ip as-path access-list 1 permit .*$ route-map myPolicy permit 10 match as-path 1 set local-preference 120 route Filtering route Ranking

Autonomy and Expressiveness BGP provides the expressiveness to specify arbitrary rankings and filters ASes can autonomously specify their routing policies Consequence: BGP policies can [GriffinShepherdWilfong02] and do [Carlzon06, Berger01] lead to oscillations Problem assume that ASes preserve complete autonomy and filtering expressiveness how expressive can rankings be? AKA Safety Under Filtering (SUF) problem [FeamsterJohariBalakrishnan05]

Definitions and State of the Art Safety a BGP configuration is safe if it is free from oscillations a sufficient condition for safety (“no dispute wheel”) is given in [GriffinShepherdWilfong99,02] Safety under Filtering (SUF) a BGP configuration is SUF if it is safe under any combination of routing filters a necessary condition for SUF (“no dispute ring”) is given in [FeamsterJohariBalakrishnan05]

The “big picture” NO DW SUF SAFE HAS A STABLE STATE NO Dispute Ring Motivation: Fill the large gap between known necessary and sufficient conditions for stability

Our Contributions a characterization for SUF we bind SUF to a particular structure (Dispute Reel) which depends only on the policies and the network topology does not depend on protocol dynamics a proof that robustness does not imply SUF robustness is safety under any link failures filters are more dangerous than link failures! a debugging technique for multiple stable states multiple stable states imply unsafety [SamiSchapiraZohar09] given two stable states, it is possible find a DR i.e., pinpoint the trouble points in the configuration

The new “big picture” HAS A STABLE STATE NO DW SAFE NO DISPUTE REEL SUF Filthy Gadget ROBUST NO Dispute Ring Deeper understanding of the interplay between autonomy, expressiveness, and stability

The Model: SPP BGP peerings are represented by a graph the destination prefix is originated by special node 0 BGP policies are encoded in lists of paths paths that do not appear in a list have been filtered the list is ordered according to route rankings 140 10 20 210 1 2 40 410 4320 4 3 320

Wheels A Dispute Wheel is a cyclic structure of preferences the structure is made of pivot nodes each pivot has a direct route each pivot has a route via its successor each pivot prefers the route via its successor to the direct route RU Qv QU Spoke Path Rim Path U Ru W Qu V Qv Pivot Node No Dispute Wheel => SUF [GriffinShepherdWilfong99,02]

Ideal vs Real Wheels When we think about a DW, we imagine it to be clean and simple Actually, a DW in a BGP configuration could be quite complex e.g., intersections between spoke/rim paths

Rings A Dispute Ring is a DW such that each node appears only once in the wheel SUF => No Dispute Ring [FeamsterJohariBalakrishnan05] Intuition meet in the middle to characterize SUF right! too complex too simple

Wheel + Ring = Reel A Dispute Reel (DR) is a particular kind of DW and a generalization of a Dispute Ring. A DR is a DW such that Pivot vertices appear in exactly three paths Spoke and rim paths do not intersect Spoke paths form a tree only intersections among rim paths are allowed A DW that does not satisfy these conditions does not pose stability problems

Roadmap to characterization Theorem (5.1): No DR => SUF (not shown in this presentation) an oscillation implies a DW having special properties [GriffinShepherdWilfong02] such a DW is (or contains) a DR Theorem (4.1): Existence of a DR => Not SUF we first apply filters to the network then we show a routing oscillation

DR => Not SUF The proof is based on two different “types” of routing oscillations synchronous oscillations for DR having 2 pivots asynchronous oscillations for DR with >2 pivots

DRs with only 2 pivots Lemma (4.1): A DR consisting of two pivots can oscillate filter any path that does not appear in the DR synchronous oscillation U V

DRs with >2 pivots Lemma (4.3): A DR with >2 pivots can oscillate filter any path that does not appear in the DR asynchronous oscillation u x v y

Did I say “easy”? Spoke paths of DRs have a simple tree structure Rim paths, instead, can be complex Ui+2 Ui Ui+1 When a DR has arbitrarily complex rim paths, showing an oscillation is not trivial

Some gory details What if a DR with 2 pivots has intersections between rim paths? this prevents the synchronous oscillation! Lemma (4.2): if there exists a DR with 2 pivots then there is a DR with 2 pivots and no intersections between rim paths What if a DR with >2 pivots is such that the announcement of a pivot cannot reach the next one (e.g., due to routing preferences)? this prevents the asynchronous oscillation! Lemma (4.4): in this case, we can find another DR having only 2 pivots

Multiple stable states Multiple stable states (e.g., BGP wedgies) imply the presence of a DR (Theorem 4.2) as a consequence, the network is provably not SUF If we are given two stable states then we can find a DW [GriffinShepherdWilfong02] we show that this DW is actually a DR as such, it does pose stability problems that is, it is possible to pinpoint trouble points in the network (pivot nodes of the DR) just by analyzing the routing tables, no need to know the routing policies analysis takes linear time

Filters vs Cable Cuts SUF trivially implies Robustness (i.e., stability under arbitrary link faults) The converse does not hold this network (“Filthy-Gadget”) is robust but is not SUF misconfigured filters are worse than cable cuts! X 2 3 1 1XY20 10 230 20 3ZX40 30 Y Z 4 X40 XY20 4YZ10 40 Y230 Y20 YZ10 Z10 ZX40

Conclusions Step forward in BGP formal analysis Practical implication Characterization for SUF SUF bound to a structure of routing policies such a property does not depend on network dynamics Robustness does not imply SUF NOCs might be more dangerous than scissors Practical implication Easy to find trouble points given multiple stable states without knowledge of the policies Future Work How hard is finding a DR in a BGP configuration? Implications on iBGP?