1 Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University

2 On the Agenda Motivation: Are Internet protocols incentive compatible? Interdomain routing & path vector protocols Convergence issues BGP as a game Hardness of approximation of social welfare Incentive compatibility Conclusions

3 Are Current Network Protocols Incentive Compatible? Protocols for the network have been dictated by some designer Okay for cooperative settings But what if nodes try to optimize regardless of harm to others? Example: TCP congestion control –Requires sender to transmit less when the network is congested –This is not optimal for the sender (always better off sending more)

4 Secure Network Protocols A lot of effort is going into re-designing network protocols to be secure. Routing protocols are currently known to be very susceptible to attacks. –Even inadvertent configuration errors of routers have caused global catastrophes. Designers are also concerned about incentive issues in this context. Our work highlights some connections between incentives and security of BGP.

5 Interdomain Routing Messages in the Internet are passed from one router to the other until reaching the destination. Goal of routing protocols: decide how to route packets between nodes on the net. The network is partitioned into Autonomous Systems (ASes) each owned by an economic entity. –Within ASes routing is cooperative –Between ASes inherently non-cooperative Routing preferences are complex and uncoordinated. AT&T Qwest Comcast UUNET My link to UUNET is for backup purposes only. Load-balance my outgoing traffic. Always choose shortest paths. Avoid routes through AT&T if at all possible.

6 Path Vector Protocols receive routes from neighbors choose “best” neighbor send updates to neighbors The only protocol currently used to establish routes between ASes (interdomain routing): The Border Gateway Protocol (BGP). Performed independently for every destination autonomous system in the network. The computation by each node is an infinite sequence of actions:

7 Example of BGP Execution d d d d 1d 3d 41d 23d receive routes from neighbors choose “best” neighbor send updates to neighbors

8 Theorem: In “reasonable economic settings”, BGP is almost incentive- compatible (And can be tweaked to be incentive compatible). Theorem: In these same settings it is also almost collusion proof. –To make it fully collusion proof we need a somewhat stronger assumption. Our Main Results Informally

9 BGP – Not Guaranteed to Converge Other examples may fail to converge for certain timings and succeed for others. 12 d 3 31d 3d … 23d 2d... 12d 1d … 1d 31d 2d 12d

10 Finding Stable States Previously known: It’s NP-Hard to determine if a stable state even exists. [Griffin, Wilfong] We add: Theorem: Determining the existence of a stable state requires exponential communication. In practice, BGP does converge in the Internet! Why?

11 The Gao-Rexford Framework: An economic explanation for network convergence. peer providers customers peer Neighboring pairs of ASes have one of: a customer-provider relationship a peering relationship Restrict the possible graphs and preferences: No customer-provider cycles (cannot be your own customer) Prefer to route through customers over peers, and peers over providers. Only provide transit services to customers. Guarantees convergence of BGP.

12 Dispute Wheels A Dispute Wheel [Griffin et. al.] –A sequence of nodes u i and routes R i, Q i. –u i prefers R i Q i+1 over Q i. If the network has no dispute wheels, BGP will always converge. Also guarantees convergence with node & link failures. Gao-Rexford No Dispute Wheel Robust Convergence Shortest Path

13 Modeling Path Vector Protocols as a Game The interaction is very complex. –Multi-round –Asynchronous –Partial-information Network structure, schedule, other player’s types are all unknown. No monetary transfers! –More realistic –Unlike most works on incentive-compatibility in interdomain routing.

14 Routing as a Game The source-nodes are the strategic agents Agent i has a value v i (R) for any route R The game has an infinite number of rounds Timing decided by an entity called the scheduler –Decides which nodes are activated in each round. –Delays update messages along selective links.

15 Routing as a Game (2) A node that is activated in a certain round can –Read update messages announcing routes. –Send update messages announcing routes. –Choose a neighboring node to forward traffic to. The gain of node i from the game is: –v i (R) if from some point on it has an unchanging route R. –0 otherwise. (can be defined as the maximal gained path in an oscillation as well). a node’s strategy is its choice of a routing protocol. –Executing BGP is a strategy.

16 Approximating Social Welfare Theorem: Getting an approximation to the optimal social welfare is impossible unless P=NP even in Gao-Rexford settings. (Improvement on a bound achieved by [Feigenbaum,Sami,Shenker]) Theorem: It requires exponential communication to approximate social welfare up to

17 Manipulating in The Protocol A node is said to deviate from BGP (or to manipulate BGP) if it does not follow BGP. We want nodes to comply with the alg. Otherwise, suffer a loss when they deviate Which forms of manipulation are available to nodes? –Misreporting preferences. –Reporting inconsistent information. –Announcing nonexistent routes. –Denying routes. –…–…

18 No Optimal Protocols Theorem: Any routing protocol that: 1.Guarantees convergence to a solution for any timing with any preference profile 2.Resists manipulation Must contain a (weak) dictator: A node that always gets its most preferred path. (Simple to prove using a variant of the Gibbard-Satterthwaite theorem)

19 Suppose node 1 is a weak dictator. If it wants some crazy path, it must get it. This feels like an unreasonable protocol d

20 Is BGP Incentive-Compatible? Theorem: BGP is not incentive compatible even in Gao-Rexford settings. m 1 2 d m1d m12d 2md 2d 12d 1d with manipulation m 1 2 d m1d m12d 2md 2d 12d 1d without manipulation

21 We define a property: –Route verification means that an AS can verify that a route is available to a neighboring AS. Route verification is: –Achievable via computational means (cryptographic signatures). –An important part of secure BGP implementation. Can we fix this?

22 Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is incentive-compatible in ex- post Nash equilibrium. Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is collusion-proof in ex-post Nash equilibrium. Incentive Compatibility

23 Open Questions Characterizing robust BGP convergence (“No dispute wheel” is sufficient but not necessary). Does robust BGP convergence with route verification imply incentive compatibility? Can network formation games help to explain the Internet’s commercial structure? Maintain incentive compatibility if the protocol is changed to deal with attacks and other security issues? How do congestion and load fit in?

24 Conclusions Our results help explain BGP’s resilience to manipulation in practice. –Manipulation requires extensive knowledge on network topology & preferences of ASes. –Faking routes requires manipulation of TCP/IP too. –Manipulations by coalitions require Herculean efforts, and tight coordination. We show that proposed security improvements would benefit incentives in the protocol. Work in progress: other natural asynchronous games. – “Best Reply Mechanisms” with Noam Nisam and Michael Schapira