Towards a Lightweight Model of BGP Safety. Matvey Arye, Princeton University. Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton), Pamela Zave (AT&T Research).

Presentation transcript:

Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela Zave (AT&T Research)

Why is BGP important
Internet is a network of networks – autonomous systems
BGP is the routing protocol between AS’s

AS Preferences in BGP
Each AS has a significant amount of freedom in choosing routes
Node 1 may prefer the purple path over the orange path to node D

BGP Convergence
An “Instance” is a topology and a set of AS preferences
Some instances don’t converge (called Gadgets)
  – BGP’s routing protocol can oscillate.
Finding gadgets is hard and has previously been done by hand
We use lightweight modeling to automate gadget generation and analysis

Why Lightweight Model
Formal modeling aids analysis
  – Requires rigorous definition of concepts
    Encoded in a way that is “shareable” between researchers
  – Automates analysis
Lightweight modeling is easier
  – Small model of key concepts
  – Easier to develop than machine-verified proofs
  – Push-button analysis

Stable Path Problem
Useful Model
  – Although a static formulation of BGP, it captures important properties:
    SPP that is “solvable” is a prerequisite for BGP convergence
    Although it doesn’t capture dynamic properties fully
  – Extensively studied
    Used in proofs of a lot of previous work
Our model of SPP is (almost) as compact as the original description
Automatically finding gadgets is hard in SPP

Alloy
Wanted a tool to help us generate SPP gadgets
Alloy is a declarative modeling language
  – Can test assertions on predicates
Compiles to SAT problem
  – SAT solvers are fast (on a lot of cases)
Given a set of predicates, 2 answers:
  – Satisfiable
  – Unsatisfiable & Counterexample

Explore All Small SPP Instances
Small instances are often informative
  – SPP gives each node a lot of degrees of freedom
    So properties of small instances are often interesting
    And often generalize to larger ones
  – Counterexamples to assertions really useful
Explores full search space
  – Can make generalized assertions
    Although only up to a certain size

Contributions
Created lightweight model of SPP
  – Model very compact, machine and human readable
  – Full model in the paper
Automatically generated unstable SPP gadgets
  – Bad Gadget, Disagree, many more
Classified gadgets
  – Full list of interesting gadgets under 4 source nodes
Verified new and known solvability predicates
  – “Absence of dispute wheel implies solvability”

Outline
Review of SPP and Model
Use 1: Gadget Generation
Use 2: Test Known Solvability Predicates
Discuss Future Work

SPP Topology
[Figure labels: Source Node, Destination Node (D)]

SPP Permitted Paths
[Figure labels: List of Permitted Paths: 1d 12d 13d]

Representation In Alloy
DstNode, SrcNode: Node
Path: Sequence of Nodes
  – Sequence is an ordered list
SrcNode.PermittedPaths: Sequence of Paths
  – First path in list most preferred
[Figure labels: 1d 13d 21d]

Ensure Valid Topology with Facts
Facts define correctness of construction
  – Assertions only run on correct constructions
Example: ValidNonEmptyPath
  – Sequence has at least one element
  – No node appears more than once
  – Last node is DstNode
Many more…

SPP Selection
Each node selects exactly one path
[Figure labels (permitted paths): 1d 12d 13d 21d 2d 32d 31d 3d]

SPP Solution
All nodes happy with their selection simultaneously
[Figure labels (permitted paths): 1d 12d 13d 21d 2d 32d 31d 3d]

Individual Happiness (within constraints)
Solution – Each node has selected the best of its choices.
Why? – No node can pick a better choice.
pred SelectionIsSolution[selected] {
  let choices = GetChoices[selected] |
    selected = GetBest[choices]
}

Constraint Dependencies
[Figure labels: Choices Node 1, Selection Node 1, Choices Node 2, Selection Node 2]

SPP as a Model
Each SPP instance has 0, 1, or 1+ solutions
Having exactly 1 solution is necessary but not sufficient for safety.
[Figure labels: All Instances, 1 SPP Solution, Safety]

Specify Solvability Predicate
Logically,
  Pred OneSolvable: one selection where SelectionIsSolution
  Pred MultiSolvable: some selection where SelectionIsSolution
Aside: Selection is a set
  – Quantifying over it requires 2nd order logic
  – Hard-code quantifications on a set-size basis for 1st order

No Solution (Bad Gadget)
[Figure labels (permitted paths): 12d 1d 23d 2d 31d 3d]

Two Solutions (Disagree)
[Figure labels (permitted paths): 12d 1d 21d 2d 3d]

Analysis Using the Model
We know “all instances are one solvable” is incorrect
  => We use Alloy to give us example instances where the predicate fails.
Use model to test solvability predicates
  – “absence of dispute wheel implies one solvable”

Use 1: Generating Counterexamples
Have Alloy Generate Counter Examples
  – Gadgets with no (multiple) solutions
  – Too Many ( for 4 source nodes)
Want Interesting Counterexamples

Interesting Gadget
[Figure labels (permitted paths): 12d 1d 23d 2d 31d 3d]

Uninteresting Gadget
[Figure labels (permitted paths): 12d 1d 13d 23d 2d 31d 3d]
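Added example (not from the slides and not the authors' Alloy model): a brute-force Python check of the SelectionIsSolution predicate over every selection of a small SPP instance, run on the Bad Gadget, Disagree and Uninteresting Gadget path lists shown on the slides. Grouping the slide labels by their first node, the most-preferred-first ordering, single-digit node names and all function names are assumptions of this sketch.

```python
from itertools import product

def parse(spec):
    """'12d 1d' -> [(1, 2, 'd'), (1, 'd')], most preferred first (assumed)."""
    return [tuple(int(c) if c.isdigit() else c for c in p) for p in spec.split()]

def choices(node, permitted, selected):
    """Permitted paths usable under `selected`: the direct path to d, or
    node + exactly the path its next hop currently selects."""
    return [p for p in permitted[node]
            if len(p) == 2 or selected.get(p[1]) == p[1:]]

def is_solution(permitted, selected):
    """Mirror of SelectionIsSolution: every node holds its best choice."""
    for node in permitted:
        avail = choices(node, permitted, selected)
        best = avail[0] if avail else None   # None stands for the empty path
        if selected[node] != best:
            return False
    return True

def solutions(permitted):
    """Enumerate every selection (one path or None per node) and keep solutions."""
    nodes = sorted(permitted)
    options = [permitted[n] + [None] for n in nodes]
    return [dict(zip(nodes, pick)) for pick in product(*options)
            if is_solution(permitted, dict(zip(nodes, pick)))]

def classify(permitted):
    n = len(solutions(permitted))
    return "unsolvable" if n == 0 else "one-solvable" if n == 1 else "multi-solvable"

# Instances transcribed from the slide figure labels, grouped by source node.
BAD_GADGET = {1: parse("12d 1d"), 2: parse("23d 2d"), 3: parse("31d 3d")}
DISAGREE = {1: parse("12d 1d"), 2: parse("21d 2d"), 3: parse("3d")}
UNINTERESTING = {1: parse("12d 1d 13d"), 2: parse("23d 2d"), 3: parse("31d 3d")}

if __name__ == "__main__":
    for name, inst in [("Bad Gadget", BAD_GADGET), ("Disagree", DISAGREE),
                       ("Uninteresting Gadget", UNINTERESTING)]:
        print(name, classify(inst), solutions(inst))
```

Under this reading the extra path 13d is ranked below the always-available 1d, so node 1 never selects it and the instance behaves like Bad Gadget.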

Gadget Generation
Intuitively, small gadgets are most interesting
Start small
  – Find all gadgets for size
Size++
When analyzing bigger gadgets, exclude gadgets similar to those already found

Gadget Library
pred Gadget123{ }
Predicate detects gadgets similar to the gadget found
Makes path rankings relative
Corrects for isomorphic reordering of node #s
Eliminate gadgets matching library predicates in future

Gadgets Found
[Figure panels: Unsolvable Gadgets, Multiply Solvable Gadgets]

Use 2: Evaluating Constraints
Test Known Constraints
Example: Create predicates for the dispute wheel
  – Verify “absence of a DW implies solvability”
  – Get instances that have a DW but are still solvable
Quickly explore new conditions for solvability
  – See if they are sufficient or necessary
  – Get counterexamples of how they don’t fully capture solvability

Conclusion
Created a lightweight model of BGP
Used model to generate gadgets
Used iterative elimination to get minimal set of interesting gadgets
Model could be used for quick “push button” analysis of new constraints

Future Work
Develop new solvability predicates and model existing ones
Apply the model to checking BGP router configurations for solvability
Model the dynamic SPVP

Thanks