Download presentation
Presentation is loading. Please wait.
1
Control Plane Resilience: The Method of Strong Detectio n Raj Kumar Vishal Misra Dan Rubenstein Allerton, 9/28/06
2
Routing Protocols with Misconfigurati ons Routing Protocols in “friendly” environments are well understood, e.g., –Link State: global knowledge, centralized approach –Distance Vector (a.k.a. Bellman-Ford): known to converge (quickly), adapt to changes, etc. –BGP (Path-Vector): some problems in converging when routes change, significant literature evaluating/understanding Critical Assumption for correctness: Nodes follow the proper protocol procedure Q: What happens when nodes don’t follow the protocol like they’ re supposed to?
3
History Shows: Misbehaving nodes can be a big pro blem The infamous BGP AS 7007 Incident: Consider routes to node 8765 700751654345707469572134 AS #7007’s Distance 21342 43451 51653 69572 70741 …… 87658 … Traffic goes where it is supposed to
4
Nodes don’t always “behave” The infamous BGP AS 7007 Incident: 700751654345707469572134 AS #7007’s Distance 21341 43451 51651 69571 70741 …… 87651 … Traffic enters “black hole”
5
Theory to detect “Bad” Nodes Rules: –“Bad” nodes can cheat, “Good” nodes can attempt to detec t the bad nodes –“Good” nodes must limited to infor mation provided by the rou ting protocol Want to exchange additi onal info, modify the protocol Challenge: When can a good node det ermine something isn’t rig ht? Can I tell if my neighbors are giving me the correct information?
6
A Node’s Info: Its State A node’s state is its (only) view of the network – e.g., Distance-Vector (a.k.a. Bellman-Ford) Dest/ Neighbor ABE A0112 B107 C7138 D596 E960 F121513 G492 A B C E G F D Note our convention: (I,J) in state table reports node I’s distance to J (not local node’s distance to J through I)
7
Detection Assume: Routes have stabilized (routing protocol inactive) Q: For routing protocol P, given a good node’s state, what misconfigurations can it detect/observe with in the network? Note: A node can’t always detect a problem NXY 11 D(X,Y) = 3 NXY 13 An undetectable misconfig at node N:
8
Prior Work: “Weak” Detection Process for constructing a weak detection method: –Find a property that a node’s state should exhibit –Check the property in a node’s state –Declare misconfiguration in network if property is violate d A detection method is “Weak” if it fails to identify a misconfiguration that is det ectable using another method (on same state)
9
A Weak Detection Method: Symmetry In an undirected graph, D(X,Y) = D(Y,X) –Here, D(A,B) = 1 –But D(B,A) = 4 Using symmetry, found a misconfiguration So why is Symmetry weak? Dest/ Neighbor ABE A0112 B407 C 138 D596 E964 F121513 G492
10
Another Weak Detection Method: Triangle Inequality [DMZ’03] Triangle inequality should hold: D(X,Z) ≤ D(X,Y) + D(Y,Z) Violated here: –D(B,E) = 3 –D(B,A) = 1 –D(A,E) = 1 –D(B,E) > D(B,A) + D(A,E) Note: symmetry property not violated Dest/ Neighbor ABE A011 B103 C12138 D596 E130 Example shows why detection via symmetry is weak: failed to identify a detectable misconfiguration So why is triangle inequality weak?
11
Weakness of Triangle Inequality Suppose graph edge lengths ar e all 1 No violation of symmetry or tr iangle inequality Dest/ Neighbor AB A02 B20 C31 D33 A B C C is distance 1 from B D D is distance 3 from both A & B: nowhere to put connecting edge A and B are our neighbors Where to place edges?
12
“Strong” Detection A detection method is “strong” if it always detects detectable misconfigurations More formally, Let –μ be a method to detect misconfigurations –C = {N} be the set of valid networks (what the network might look like) –N R : the actual network (Note N R є C) –s n (N) is state of node n when the routing protocol is executed correc tly (and stabilized) within a network N є C –s’ n (N R ) be the state actually computed at node n (possibly with misconf igurations) in network N R μ is a strong detection method if one of the following holds wh enever s’ n (N R ) ≠ s n (N R ): –Detected: μ detects that s n (N R ) ≠ s’ n (N R ) –Undetectable: No method μ ’ exists that can detect s n (N R )≠s’ n (N R )
13
A High- Complexity Strong Detection Algor ithm Input: –State s’ n (N R ) of node n for the “real” but unknown network N R –Description of set of allowable networks, C = {N} Algorithm: For each N є C –Compute s n (N) –If s n (N) = s’ n (N R ) then return MISCONFIG UNDETECTABLE (N might be the va lid network) If no N є C matches, then misconfiguration detected Algorithm Complexity is Ω(C), often huge!
14
Low-Complexity Strong-Detection Q: Can Strong Detection be achieved with low comple xity? A: Sometimes: we show how to do it for Bellman- Ford (a.k.a. Distance Vector)
15
Strong Detection for D.V. Input at node n: –S’ n (N R ): a single node’s (steady stat e) state table that reports e ach neighbor’s (supposed) distance to all nodes –Set C of all allowable netw orks defined by {A xy }: A xy is the set of allowa ble lengths of edges b etween node x and y E.g., A xy = [0,3) U [4,4] U [7,100] Dest/ Neighbor ABE A0112 B407 C 138 D5912 E964 F 1513 G492 S’ n (N R )
16
Strong Detection in D.V. at a node, n Take node n’s state, s’ n (N R ) Use this state to build the canonical graph, M є C Simulate D.V. on M to generate simulated state s n (M) We will prove: –If s n (M) ≠ s’ n (N R ), then misconfiguration dete cted –Else, either there is no misconfi guration, or it is undetectable (using node n’s state) because M might be the ac tual network Dest/ Neighbor ABE A0112 B407 C 138 D5912 E964 F 1513 G492 Dest/ Neighbor ABE A0112 B407 C 138 D5912 E964 F 1513 G492 s’ n (N R ) s n (M) G A B C E F D G A B C n E F D M n
17
Creating the Canonical Graph, M for an undirected network For each pair of nodes (x,y): –Create edge (x,y) with length e xy = smallest value in A xy ≥ max m є V(n) |d(m,x) – d(m,y)| –e xy = ∞ if all values in A xy too small Consider state table on left –e CD ≥ max(|12-5|, |13-9|, |8-12|) = 7 –If A CD = [1,1] U [4,6] U [8,10], then e CD = 8 Dest/ Neighbor ABE A0112 B407 C 138 D5912 E964 F 1513 G492
18
Proving Strongness of the Canonica l Graph Method N: a network for which s n (N) = s’ n (N R ), when such a network N exists M: the canonical graph constructed by n from s’ n (N R ) f xy : length of edge (x,y) in N (when the edge exists) e xy : length of edge (x,y) in M (edges always exist) d G (x,y): shortest path distance from x to y in network G Assume: all edges have positive length (easy to extend when edges ca n also have length 0) High Level Sketch of Proof: –If N exists where s n (N) = s’ n (N R ), then s n (M) = s n (N) = s’ n (N R ) –If N does not exist, then s n (M) ≠ s’ n (N R )
19
Bounds on e xy Lemma 1: If s n (N) = s’ n (N R ) for some N є C and edge (x,y) exists in N with length f xy, then e xy ≤ f xy Proof: In N, x & y’s distances to any neighbor v must differ by at most f xy, i.e.: For each neighbor v, |d N (v,y) – d N (v,x)| ≤ f xy Hence max m є V(n) |d(m,x) – d(m,y)| ≤ f xy Recall e xy = smallest value in A xy ≥ max m є V(n) |d(m,x) – d(m,y)| Since N є C, we have f xy є A xy and so e xy ≤ f xy n x y f xy v
20
Lemma 2 : If s n (N) = s’ n (N R ) for some N є C, then d M (v,x) ≤ d N (v,x) for all neighbors v and all nodes x Proof: by contradiction. Select x with smallest d N (v,x) where d M (v,x) > d N (v,x) Let y be a preceding node on a shortest path from v to x in N: f xy is the edge connecting y to x on this path, so d N (v,y) < d N (v,x) and |d N (v,x) – d N (v,y)| = f xy d N (v,y) < d N (v,x), hence y not blue d M (v,y) ≤ d N (v,y), so d M (v,y) ≤ d N (v,y) < d N (v,x) < d M (v,x) f xy = |d N (v,x) – d N (v,y)| < |d M (v,x) – d M (v,y)| ≤ e xy v x Distance from v in N y f xy Blue nodes t satisfy d M (v,t) > d N (v,t) n Contradicts Lemma 1 (which states e xy ≤ f xy )!! e xy x y in M:
21
Lemma 3 : If s n (N) = s’ n (N R ) for some N є C, then d M (v,x) ≥ d N (v,x) for all neighbors v and all nodes x Proof: by contradiction. Select x with smallest d M (v,x) where d M (v,x) < d N (v,x) Let y be the node preceding x on a shortest path from v to x in M where ed ge e xy connects y to x on this path: hence d M (v,y) < d M (v,x) and e xy = d M (v,x) - d M (v,y) d M (v,y) < d M (v,x), hence y not blue d M (v,y) ≥ d N (v,y) Hence e xy = d M (v,x) - d M (v,y) < d N (v,x) - d N (v,y) = | d N (v,x) - d N (v,y) | v x Distance from v in M Blue nodes t satisfy d M (v,t) < d N (v,t) y e xy n x y in N: But e xy = max m |d N (m,x) – d N (m,y)|, and max m |d N (m,x) – d N (m,y)|≥ |d N (v,x) – d N (v,y)| !! Contradiction!
22
The Main Result Some N є C produces state s n (N) = s’ n (N R ) s n (M) = s’ n (N R ) Proof: – Follows from Lemma 2 (d M (v,x) ≤ d N (v,x)) and Lemma 3 (d M (v,x) ≥ d N (v,x)) – If no N є C produces state s’ n (N), since M є C, M cannot produce state = s’ n (N) In other words, only need to check if s n (M) = s’ n (N R ) Complexity: O(|V| 3 ) –Construct the canonical graph, M –Simulate Bellman-Ford –Compare State Tables
23
Extensions / Future Directions Same idea works for: –Directed graphs –Using state info from a set of trusted nodes Similar canonical graph construction works for pat h-vector variants Future Directions: –Identifying the offending node (not just its existence) –Performing Strong Detection for other routing protocols (Ad-hoc network, geographical positioning)
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.