Inter-Domain Routing: BGP, Routing Policies, etc. BGP Path Selection and Policy Routing Stable Path Problem and Policy Conflicts Stable BGP routing: Gao and Jennifer’s path selection guidelines Readings: Do the required readings CSci5221: BGP Policies

BGP Is Not Guaranteed to Converge! BGP is not guaranteed to converge to a stable routing. Policy inconsistencies can lead to “livelock” protocol oscillations. Goal: Design a simple, tractable and complete model of BGP modeling Example application: sufficient condition to guarantee convergence. CSci5221: BGP Policies

BGP is Solving What Problem? Underlying problem Shortest Paths Distributed means of computing a solution. X? RIP, OSPF, IS-IS BGP X can aid in the design of policy analysis algorithms and heuristics, aid in the analysis and design of BGP and extensions, help explain some BGP routing anomalies, provide a fun way of thinking about the protocol CSci5221: BGP Policies

Abstract Model of BGP A graph of nodes and edges, Each node represents an AS Each edge “connectivity” between two ASes Focus on only one prefix originated from node 0 Node 0 is thus referred as the origin For each non-zero node v, a set of permitted paths to the origin, Pv it always contains “null path”. Ranking function of permitted paths at node v Null path is always least preferred CSci5221: BGP Policies

Separate Dynamic v Static Semantics BGP policies  Stable Paths Problem Dynamic semantics: BGP  SPVP SPVP: Simple Path Vector Protocol A distributed algorithm for solving Stable Paths Problem CSci5221: BGP Policies

Ranking BGP Paths Highest local Preference Shortest AS path Length Origin: IGP < EGP < INCOMPLETE -- i.e., prefer the lower ranked origin Lowest MED value EBGP is preferred over IBGP Lowest IGP cost Tie breaking (e.g. using router id) CSci5221: BGP Policies

Stable Paths Problem 5 5 2 1 0 2 1 0 2 0 1 3 0 1 0 3 0 4 2 0 4 3 0 3 4 2 1 Ideal “Static” Version of BGP Path Selection Given set of permissible paths and ranking of paths at each node, Is there a “global” assignment of paths (Pv at each node v) such that Pv is permissible Pv is highest ranked path among paths that are consistent with those advertised/selected by neighbors If such a path assignment exists, we say SPP has a solution 2 most preferred … least preferred (not null) CSci5221: BGP Policies

A Solution to SPP Restated A solution is an assignment of permitted paths to each node such that node u’s assigned path is either the null path or is a path uwP, where wP is assigned to node w and {u,w} is an edge in the graph, each node is assigned the highest ranked path among those consistent with the paths assigned to its neighbors CSci5221: BGP Policies

A Solution to SPP 5 5 2 1 0 2 1 0 2 0 1 3 0 1 0 3 0 4 2 0 4 3 0 3 4 2 1 A solution need not represent a shortest path tree or a spanning tree CSci5221: BGP Policies

Multiple Solutions May Exist 1 2 1 2 0 1 0 2 1 0 2 0 First solution DISAGREE Second solution CSci5221: BGP Policies

Multiple Solutions Can Occur Due to Recovery: 1 0 1 2 3 0 1 0 1 2 3 0 1 1 1 2 3 primary link 2 3 0 2 1 0 2 3 0 3 1 0 2 2 backup link 3 2 1 0 3 0 3 3 3 2 1 0 3 0 Remove primary link Restore primary link CSci5221: BGP Policies

Bad Gadget: No Solution Stage 1: 1: [10] 2: [210] 3: [30] Stage 2: 1:[130] 2:[20] 3:[320] Back to stage 1 2 3 1 2 1 0 2 0 1 3 0 1 0 3 2 0 3 0 4 CSci5221: BGP Policies

Bad Gadget: No Solution 2 3 1 2 1 0 2 0 1 3 0 1 0 3 2 0 3 0 4 Stage 1: 1: [10] 2: [20] 3: [320] Stage 2: 1:[130] 2:[210] 3:[30] Back to stage 1 CSci5221: BGP Policies

Has A Solution, But Can Get Trapped: 1 2 1 2 0 1 0 2 1 0 2 0 3 4 5 6 5 3 1 0 5 6 3 1 2 0 5 3 1 2 0 6 3 1 0 6 4 3 1 2 0 6 3 1 2 0 4 3 1 0 4 5 3 1 2 0 4 3 1 2 0 3 1 0 3 1 2 0 As with DISAGREE, this part has two distinct solutions This part has a solution only when node 1 is assigned the direct path (1 0). CSci5221: BGP Policies

Has A Solution, But Can Get Trapped: 4 4 3 1 0 4 5 3 1 2 0 4 3 1 2 0 1 2 0 1 0 1 3 1 0 3 1 2 0 3 6 5 2 2 1 0 2 0 5 3 1 0 5 6 3 1 2 0 5 3 1 2 0 6 3 1 0 6 4 3 1 2 0 6 3 1 2 0 This part has a solution only when node 1 is assigned the direct path (1 0). As with DISAGREE, this part has two distinct solutions CSci5221: BGP Policies

How To Solve An SPP? Exponential complexity Just enumerate all path assignments, And check stability of each…. NP-complete 3-SAT can be reduced to SPP CSci5221: BGP Policies

SPVP Protocol SPVP: Simple Path Vector Protocol Distributed Algorithms to Solve SPP “dynamic” version of path selection Pick the best path available at any time process spvp[u] { receive P from w  { rib-in(uw) := u P if rib(u) != best(u) { rib(u) := best(u) foreach v in peers(u) { send rib(u) to v } CSci5221: BGP Policies

SPVP and SPP SPVP wanders around assignment space SPP Solvable SPVP Can Diverge must diverge must converge CSci5221: BGP Policies

A sufficient condition for sanity If an instance of SPP has an acyclic dispute digraph, then Static (SPP) solvable Dynamic (SPVP) unique solution safe (can’t diverge) predictable restoration all sub-problems uniquely solvable robust with respect to link/node failures See the optional paper [G+99] “Policy Disputed in Path Vector Protocols” by Timothy G. Griffin et al, Section 3.1 (pp.5-6) for a formal and detailed definition of dispute digraph CSci5221: BGP Policies

Dispute Digraph Given a set of permitted paths and their rankings at each AS, Dispute Digraph (DD) is constructed as follows each permitted path P is a node in dispute digraph two types of directed edges (arcs) in dispute digraph transmission arcs (denoted by a dotted arrow in DD) for two neighboring ASes u and v, if vP is permitted at v and (u,v)P is permitted at u, then we have a transmission arc vP ……> (u,v)P dispute arcs (denoted by a solid arrow in DD) for two neighboring ASes u and v, we have a dispute arc from Q P:=(u,v)R if the following conditions hold: 1) P is permitted at u, 2) Q is permitted at v; 3) (u,v)Q is not permitted at u, or ranking of (u,v)Q is lower than P at u ; 4) R is permitted at v, but is lower ranked than Q at v; CSci5221: BGP Policies

Dispute Digraph Example 2 0 1 0 2 1 4 3 1 3 0 1 0 2 1 0 2 0 4 2 0 4 3 0 3 4 2 0 3 0 4 2 0 2 1 0 CYCLE 3 4 2 0 4 3 0 1 3 0 BAD GADGET II 3 0 CSci5221: BGP Policies

Dispute Wheels u_0 At u_i, rank of Q_i is less than or equal to rank of R_iQ_(i+1) There exists a dispute wheel iff there exists cycle in the dispute digraph R_k R_0 u_k u_1 R_1 Q_0 u_2 Q_1 Q_k Q_2 Q_(I+1) Q_i u_(i+1) R_i u_i CSci5221: BGP Policies

Dispute Wheel Example 1 2 3 0 1 2 0 1 0 2 3 1 0 2 3 0 2 0 3 1 1 2 2 1 3 3 2 3 1 2 0 3 1 0 3 0 CSci5221: BGP Policies

Avoiding Divergence: A Dynamic Solution? Extend SPVP with a history attribute, A route’s history contains a path in the dispute digraph that “explains” how the route was obtained, A route history will contain a dispute cycle if and only if a policy dispute is dynamically realized. If a route’s history contains a cycle, then suppress it …. CSci5221: BGP Policies

How to Ensure No Policy Conflicts Strawman Proposal: Perform Global Policy Check Require each AS to publish its policies Detect and resolve conflicts Problems: ASes typically unwilling to reveal policies Checking for convergence is NP-complete Failures may still cause oscillations CSci5221: BGP Policies

Think Globally, Act Locally Key features of a good solution Safety: guaranteed convergence Expressiveness: allow diverse policies for each AS Autonomy: do not require revelation/coordination Backwards-compatibility: no changes to BGP Local restrictions on configuration semantics Ranking Filtering CSci5221: BGP Policies

Gao and Rexford Scheme Permit only two business arrangements Gao & Rexford, “Stable Internet Routing without Global Coordination”, IEEE/ACM ToN, 2001 Permit only two business arrangements Customer-provider Peering Constrain both filtering and ranking based on these arrangements to guarantee safety Surprising result: these arrangements correspond to today’s (common) behavior CSci5221: BGP Policies

Relationship #1: Customer-Provider Filtering Routes from customer: to everyone Routes from provider: only to customers From the customer To other destinations From other destinations To the customer providers customer advertisements traffic CSci5221: BGP Policies

Relationship #2: Peering Filtering Routes from peer: only to customers No routes from other peers or providers advertisements traffic customer peer CSci5221: BGP Policies

Rankings Prefer routes from customers over routes from peers Prefer routes from peers over routes from providers provider peer customer CSci5221: BGP Policies

Additional Assumption: Consistent AS Hierarchy Disallowed! CSci5221: BGP Policies

Safety: Proof Sketch System state: the current route at each AS Activation sequence: revisit some router’s selection based on those of neighboring ASes CSci5221: BGP Policies

Activation Sequence: Intuition Activation: emulates a message ordering Activated router has received and processed all messages corresponding to the system state “Fair” activation: all routers receive and process outstanding messages CSci5221: BGP Policies

Safety: Proof Sketch State: the current route at each AS Activation sequence: revisit some router’s selection based on those of neighboring ASes Goal: find an activation sequence that leads to a stable state Safety: satisfied if that activation sequence is contained within any “fair” activation sequence CSci5221: BGP Policies

Proof, Step 1: Customer Routes Activate ASes from customer to provider AS picks a customer route if one exists Decision of one AS cannot cause an earlier AS to change its mind An AS picks a customer route when one exists CSci5221: BGP Policies

Proof, Step 2: Peer & Provider Routes Activate remaining ASes from provider to customer Decision of one Step-2 AS cannot cause an earlier Step-2 AS to change its mind Decision of Step-2 AS cannot affect a Step-1 AS AS picks a peer or provider route when no customer route is available CSci5221: BGP Policies

Ranking and Filtering Interactions Allowing more flexibility in ranking Allow same preference for peer and customer routes Never choose a peer route over a shorter customer route … at the expense of stricter AS graph assumptions Hierarchical provider-customer relationship (as before) No private peering with (direct or indirect) providers Peering CSci5221: BGP Policies

Some problems Requires acyclic hierarchy (global condition) Cannot express many business relationships Abovenet Verio PSINet Sprint Customer Hang customers off of above net Label peering edges Question: Can we relax the constraints on filtering? What happens to rankings? CSci5221: BGP Policies