Presentation is loading. Please wait.

Presentation is loading. Please wait.

Control Plane Resilience: The Method of Strong Detectio n Raj Kumar Vishal Misra Dan Rubenstein Allerton, 9/28/06.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Control Plane Resilience: The Method of Strong Detectio n Raj Kumar Vishal Misra Dan Rubenstein Allerton, 9/28/06."— Presentation transcript:

1 Control Plane Resilience: The Method of Strong Detectio n Raj Kumar Vishal Misra Dan Rubenstein Allerton, 9/28/06

2 Routing Protocols with Misconfigurati ons Routing Protocols in “friendly” environments are well understood, e.g., –Link State: global knowledge, centralized approach –Distance Vector (a.k.a. Bellman-Ford): known to converge (quickly), adapt to changes, etc. –BGP (Path-Vector): some problems in converging when routes change, significant literature evaluating/understanding Critical Assumption for correctness: Nodes follow the proper protocol procedure Q: What happens when nodes don’t follow the protocol like they’ re supposed to?

3 History Shows: Misbehaving nodes can be a big pro blem The infamous BGP AS 7007 Incident: Consider routes to node 8765 700751654345707469572134 AS #7007’s Distance 21342 43451 51653 69572 70741 …… 87658 … Traffic goes where it is supposed to

4 Nodes don’t always “behave” The infamous BGP AS 7007 Incident: 700751654345707469572134 AS #7007’s Distance 21341 43451 51651 69571 70741 …… 87651 … Traffic enters “black hole”

5 Theory to detect “Bad” Nodes Rules: –“Bad” nodes can cheat, “Good” nodes can attempt to detec t the bad nodes –“Good” nodes must limited to infor mation provided by the rou ting protocol Want to exchange additi onal info, modify the protocol Challenge: When can a good node det ermine something isn’t rig ht? Can I tell if my neighbors are giving me the correct information?

6 A Node’s Info: Its State A node’s state is its (only) view of the network – e.g., Distance-Vector (a.k.a. Bellman-Ford) Dest/ Neighbor ABE A0112 B107 C7138 D596 E960 F121513 G492 A B C E G F D Note our convention: (I,J) in state table reports node I’s distance to J (not local node’s distance to J through I)

7 Detection Assume: Routes have stabilized (routing protocol inactive) Q: For routing protocol P, given a good node’s state, what misconfigurations can it detect/observe with in the network? Note: A node can’t always detect a problem NXY 11 D(X,Y) = 3 NXY 13 An undetectable misconfig at node N:

8 Prior Work: “Weak” Detection Process for constructing a weak detection method: –Find a property that a node’s state should exhibit –Check the property in a node’s state –Declare misconfiguration in network if property is violate d A detection method is “Weak” if it fails to identify a misconfiguration that is det ectable using another method (on same state)

9 A Weak Detection Method: Symmetry In an undirected graph, D(X,Y) = D(Y,X) –Here, D(A,B) = 1 –But D(B,A) = 4 Using symmetry, found a misconfiguration So why is Symmetry weak? Dest/ Neighbor ABE A0112 B407 C 138 D596 E964 F121513 G492

10 Another Weak Detection Method: Triangle Inequality [DMZ’03] Triangle inequality should hold: D(X,Z) ≤ D(X,Y) + D(Y,Z) Violated here: –D(B,E) = 3 –D(B,A) = 1 –D(A,E) = 1 –D(B,E) > D(B,A) + D(A,E) Note: symmetry property not violated Dest/ Neighbor ABE A011 B103 C12138 D596 E130 Example shows why detection via symmetry is weak: failed to identify a detectable misconfiguration So why is triangle inequality weak?

11 Weakness of Triangle Inequality Suppose graph edge lengths ar e all 1 No violation of symmetry or tr iangle inequality Dest/ Neighbor AB A02 B20 C31 D33 A B C C is distance 1 from B D D is distance 3 from both A & B: nowhere to put connecting edge A and B are our neighbors Where to place edges?

12 “Strong” Detection A detection method is “strong” if it always detects detectable misconfigurations More formally, Let –μ be a method to detect misconfigurations –C = {N} be the set of valid networks (what the network might look like) –N R : the actual network (Note N R є C) –s n (N) is state of node n when the routing protocol is executed correc tly (and stabilized) within a network N є C –s’ n (N R ) be the state actually computed at node n (possibly with misconf igurations) in network N R μ is a strong detection method if one of the following holds wh enever s’ n (N R ) ≠ s n (N R ): –Detected: μ detects that s n (N R ) ≠ s’ n (N R ) –Undetectable: No method μ ’ exists that can detect s n (N R )≠s’ n (N R )

13 A High- Complexity Strong Detection Algor ithm Input: –State s’ n (N R ) of node n for the “real” but unknown network N R –Description of set of allowable networks, C = {N} Algorithm: For each N є C –Compute s n (N) –If s n (N) = s’ n (N R ) then return MISCONFIG UNDETECTABLE (N might be the va lid network) If no N є C matches, then misconfiguration detected Algorithm Complexity is Ω(C), often huge!

14 Low-Complexity Strong-Detection Q: Can Strong Detection be achieved with low comple xity? A: Sometimes: we show how to do it for Bellman- Ford (a.k.a. Distance Vector)

15 Strong Detection for D.V. Input at node n: –S’ n (N R ): a single node’s (steady stat e) state table that reports e ach neighbor’s (supposed) distance to all nodes –Set C of all allowable netw orks defined by {A xy }: A xy is the set of allowa ble lengths of edges b etween node x and y E.g., A xy = [0,3) U [4,4] U [7,100] Dest/ Neighbor ABE A0112 B407 C 138 D5912 E964 F 1513 G492 S’ n (N R )

16 Strong Detection in D.V. at a node, n Take node n’s state, s’ n (N R ) Use this state to build the canonical graph, M є C Simulate D.V. on M to generate simulated state s n (M) We will prove: –If s n (M) ≠ s’ n (N R ), then misconfiguration dete cted –Else, either there is no misconfi guration, or it is undetectable (using node n’s state) because M might be the ac tual network Dest/ Neighbor ABE A0112 B407 C 138 D5912 E964 F 1513 G492 Dest/ Neighbor ABE A0112 B407 C 138 D5912 E964 F 1513 G492 s’ n (N R ) s n (M) G A B C E F D G A B C n E F D M n

17 Creating the Canonical Graph, M for an undirected network For each pair of nodes (x,y): –Create edge (x,y) with length e xy = smallest value in A xy ≥ max m є V(n) |d(m,x) – d(m,y)| –e xy = ∞ if all values in A xy too small Consider state table on left –e CD ≥ max(|12-5|, |13-9|, |8-12|) = 7 –If A CD = [1,1] U [4,6] U [8,10], then e CD = 8 Dest/ Neighbor ABE A0112 B407 C 138 D5912 E964 F 1513 G492

18 Proving Strongness of the Canonica l Graph Method N: a network for which s n (N) = s’ n (N R ), when such a network N exists M: the canonical graph constructed by n from s’ n (N R ) f xy : length of edge (x,y) in N (when the edge exists) e xy : length of edge (x,y) in M (edges always exist) d G (x,y): shortest path distance from x to y in network G Assume: all edges have positive length (easy to extend when edges ca n also have length 0) High Level Sketch of Proof: –If N exists where s n (N) = s’ n (N R ), then s n (M) = s n (N) = s’ n (N R ) –If N does not exist, then s n (M) ≠ s’ n (N R )

19 Bounds on e xy Lemma 1: If s n (N) = s’ n (N R ) for some N є C and edge (x,y) exists in N with length f xy, then e xy ≤ f xy Proof: In N, x & y’s distances to any neighbor v must differ by at most f xy, i.e.: For each neighbor v, |d N (v,y) – d N (v,x)| ≤ f xy Hence max m є V(n) |d(m,x) – d(m,y)| ≤ f xy Recall e xy = smallest value in A xy ≥ max m є V(n) |d(m,x) – d(m,y)| Since N є C, we have f xy є A xy and so e xy ≤ f xy n x y f xy v

20 Lemma 2 : If s n (N) = s’ n (N R ) for some N є C, then d M (v,x) ≤ d N (v,x) for all neighbors v and all nodes x Proof: by contradiction. Select x with smallest d N (v,x) where d M (v,x) > d N (v,x) Let y be a preceding node on a shortest path from v to x in N: f xy is the edge connecting y to x on this path, so d N (v,y) < d N (v,x) and |d N (v,x) – d N (v,y)| = f xy d N (v,y) < d N (v,x), hence y not blue  d M (v,y) ≤ d N (v,y), so d M (v,y) ≤ d N (v,y) < d N (v,x) < d M (v,x) f xy = |d N (v,x) – d N (v,y)| < |d M (v,x) – d M (v,y)| ≤ e xy v x Distance from v in N y f xy Blue nodes t satisfy d M (v,t) > d N (v,t) n Contradicts Lemma 1 (which states e xy ≤ f xy )!! e xy x y in M:

21 Lemma 3 : If s n (N) = s’ n (N R ) for some N є C, then d M (v,x) ≥ d N (v,x) for all neighbors v and all nodes x Proof: by contradiction. Select x with smallest d M (v,x) where d M (v,x) < d N (v,x) Let y be the node preceding x on a shortest path from v to x in M where ed ge e xy connects y to x on this path: hence d M (v,y) < d M (v,x) and e xy = d M (v,x) - d M (v,y) d M (v,y) < d M (v,x), hence y not blue  d M (v,y) ≥ d N (v,y) Hence e xy = d M (v,x) - d M (v,y) < d N (v,x) - d N (v,y) = | d N (v,x) - d N (v,y) | v x Distance from v in M Blue nodes t satisfy d M (v,t) < d N (v,t) y e xy n x y in N: But e xy = max m |d N (m,x) – d N (m,y)|, and max m |d N (m,x) – d N (m,y)|≥ |d N (v,x) – d N (v,y)| !! Contradiction!

22 The Main Result Some N є C produces state s n (N) = s’ n (N R )  s n (M) = s’ n (N R ) Proof: –  Follows from Lemma 2 (d M (v,x) ≤ d N (v,x)) and Lemma 3 (d M (v,x) ≥ d N (v,x)) –  If no N є C produces state s’ n (N), since M є C, M cannot produce state = s’ n (N) In other words, only need to check if s n (M) = s’ n (N R ) Complexity: O(|V| 3 ) –Construct the canonical graph, M –Simulate Bellman-Ford –Compare State Tables

23 Extensions / Future Directions Same idea works for: –Directed graphs –Using state info from a set of trusted nodes Similar canonical graph construction works for pat h-vector variants Future Directions: –Identifying the offending node (not just its existence) –Performing Strong Detection for other routing protocols (Ad-hoc network, geographical positioning)

Download ppt "Control Plane Resilience: The Method of Strong Detectio n Raj Kumar Vishal Misra Dan Rubenstein Allerton, 9/28/06."

Similar presentations

Maximum flow Main goals of the lecture:

Maximum flow Main goals of the lecture:
Lecture 7. Network Flows We consider a network with directed edges. Every edge has a capacity. If there is an edge from i to j, there is an edge from.

Lecture 7. Network Flows We consider a network with directed edges. Every edge has a capacity. If there is an edge from i to j, there is an edge from.
C&O 355 Lecture 23 N. Harvey TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A.

C&O 355 Lecture 23 N. Harvey TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A.
15-251 Great Theoretical Ideas in Computer Science for Some.

Great Theoretical Ideas in Computer Science for Some.
Lecture 24 Coping with NPC and Unsolvable problems. When a problem is unsolvable, that's generally very bad news: it means there is no general algorithm.

Lecture 24 Coping with NPC and Unsolvable problems. When a problem is unsolvable, that's generally very bad news: it means there is no general algorithm.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
What is “Routing”? Routing algorithm that part of the network layer responsible for deciding on which output line to transmit an incoming packet Adaptive.

What is “Routing”? Routing algorithm that part of the network layer responsible for deciding on which output line to transmit an incoming packet Adaptive.
1 Discrete Structures & Algorithms Graphs and Trees: II EECE 320.

1 Discrete Structures & Algorithms Graphs and Trees: II EECE 320.
Routing - I Important concepts: link state based routing, distance vector based routing.

Routing - I Important concepts: link state based routing, distance vector based routing.
Approximation Algorithms: Combinatorial Approaches Lecture 13: March 2.

Approximation Algorithms: Combinatorial Approaches Lecture 13: March 2.
Shortest Paths Definitions Single Source Algorithms –Bellman Ford –DAG shortest path algorithm –Dijkstra All Pairs Algorithms –Using Single Source Algorithms.

Shortest Paths Definitions Single Source Algorithms –Bellman Ford –DAG shortest path algorithm –Dijkstra All Pairs Algorithms –Using Single Source Algorithms.
A general approximation technique for constrained forest problems Michael X. Goemans & David P. Williamson Presented by: Yonatan Elhanani & Yuval Cohen.

A general approximation technique for constrained forest problems Michael X. Goemans & David P. Williamson Presented by: Yonatan Elhanani & Yuval Cohen.
The max flow problem 7 11 5 -2 2 1 10 5 4 9.

The max flow problem
Network Layer Design Isues Store-and-Forward Packet Switching Services Provided to the Transport Layer The service should be independent of the router.

Network Layer Design Isues Store-and-Forward Packet Switching Services Provided to the Transport Layer The service should be independent of the router.
Dept. of Computer Science Distributed Computing Group Asymptotically Optimal Mobile Ad-Hoc Routing Fabian Kuhn Roger Wattenhofer Aaron Zollinger.

Dept. of Computer Science Distributed Computing Group Asymptotically Optimal Mobile Ad-Hoc Routing Fabian Kuhn Roger Wattenhofer Aaron Zollinger.
Shortest Paths Definitions Single Source Algorithms

Shortest Paths Definitions Single Source Algorithms
4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.

4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.
Theoretical Bounds on Control Plane Monitoring in Routing Protocols Dan Rubenstein Joint work with Raj Kumar, Vishal Misra.

Theoretical Bounds on Control Plane Monitoring in Routing Protocols Dan Rubenstein Joint work with Raj Kumar, Vishal Misra.
Strong Detection of Misconfigurations Raj Kumar Rajendran Vishal Misra Dan Rubenstein.

Strong Detection of Misconfigurations Raj Kumar Rajendran Vishal Misra Dan Rubenstein.
1 Graph Algorithms Single source shortest paths problem Dana Shapira.

1 Graph Algorithms Single source shortest paths problem Dana Shapira.

Similar presentations

Ads by Google