Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal Jain and Pragya Maru

What is a Routing Logic? Protocol designers and network operators need a way to describe and reason about protocol behavior. Properties: describe behavior Rules: reason about whether a certain property holds

Practical Uses for a Routing Logic Reason about BGP’s behavior Verify that BGP configurations satisfy properties Synthesize BGP configuration automatically Design protocol extensions that fix problems

Problems Underlying BGP Poor Integrity: Denial of service and data integrity attacks Slow Convergence: Path instability results in delayed convergence. Divergence : BGP’s policy based nature can give rise to configurations that diverge Unpredictability : Due to distributed, asynchronous nature, predicting the effects of a configuration change is extremely challenging. Poor control of information flow: Routing policies may expose information that is not intended for public knowledge, such as peering and transit relationships.

How to define "correct“ behavior? Does it advertise invalid routes? Validity Does every valid path have a corresponding route? Visibility Given a set of choices, will it converge to a unique, stable answer? Safety Is that answer affected by the ordering of messages or the set of available routes? Determinism Does the protocol expose information? Information-flow control

Routing Logic Inputs Specification of how protocol behaves Specification of protocol configuration  Policy configuration  General configuration, e.g. which routers exchange routing information Current version has no notion of time

Terminology Participant : An entity that advertises or receives routing messages Routing Domain: Group of one or more participants that behave according to one administrative policy. Route: Contains two fields- Next-hop and Next-RD Destination: might refer to a host, an overlay node or a logical host Destination-set: Refers to a set of nodes that share a route. Path: A path is a sequence of participants from one participants from one participants to a destination

Hierarchical Routing Scopes Scope i next-hop is i+1 destination (destination set)

Rules: Sufficient Conditions for Each Property Validity: a route implies a corresponding valid path

Validity and Visibility in BGP Underlying IGP result in persistent forwarding loop The fundamental operation of BGP with Route Reflection can violate Validity.

Applying the logic-Validity and Visibility There exists a route reflector configuration that causes BGP to violate validity. For an arbitrary configuration of route reflectors and route reflector clients, verifying progress is NP-complete. If the route reflector configuration for an AS along the path to a destination is RR-IGP-Safe, then BGP satisfies progress. If the route reflector in an AS are configured according to RR-Reflect-All, then BGP satisfies progress. If an AS uses full mesh iBGP, then BGP satisfies progress.

Information-flow Model Consists of objects, flow policy, partial ordering of security levels Policy Peering and transit agreements Router preferences Reachability Events affecting reachability Topology Internal network topology Inter-AS connectivity Information Objects

Information Flow Lattice Noninterference Rule Objects at higher security levels should not be visible to objects at lower levels Security level of message not higher than level of recipient

Applying the logic-Information Flow Control A stateless BGP implementation can violate standard information flow policy. The BGP route history attribute violates standard information flow policy.

Safety and Determinism AS changing the choice for the best route may result in policy oscillations or lead to dispute cycles and hence this shows that BGP doesn’t satisfy safety Some router configurations results in router’s best route depending on the order in which routes arrive or other non deterministic factors, which shows that BGP doesn’t satisfy determinism

Policy Dispute or Oscillations

Properties for Safety and Determinism to hold Safety Preference :- If a participant chooses a particular route as its best route, the participant re advertises that route No route history cycles: - Non existence of a route history cycle is sufficient to guarantee safety Determinism Time Immunity:- A participant relative ranking of two routes to a destination is independent of the order in which those routes arrive. Set Immunity:- A participant’s relative ranking of two routes is independent of other routes to that destination.

The properties: not complete, but important Validity: Will packets that use this route get there? basic correctness property Visibility: Is best route chosen from all possibilities? optimal routing, robustness in failure scenarios Safety: Is there policy-induced oscillation? network stability Determinism: Can a snapshot of the network state determine the result of the "computation"? ease of debugging, traffic engineering Information-flow Control: Is my network exposing information that should be hidden? competitive aspects

Reasoning about BGP’s Behavior The routing logic rules can be used to prove theorems about these properties. Verifying that an arbitrary route reflector configuration satisfies validity. Route reflectors that re-advertise all eBGP-learned routes will satisfy validity. Certain fixes to other problems (e.g., safety) can violate information-flow policy.

Conclusion Network operators and protocol designers need a logic to reason about routing protocols like BGP The routing logic provides  A set of properties to describe protocol behavior  Rules to reason about them Set of properties is not complete, but it is an important and interesting set Promising for reasoning, verification, and design