internet inter-as routing: bgpweb.eecs.umich.edu/~sugih/courses/eecs589/f16/07-stablepath.pdfbgp...
Post on 09-Jul-2020
4 Views
Preview:
TRANSCRIPT
[GSW99]Griffin,Shepherd,andWilfong,“PolicyDisputesinPath-VectorProtocols,”Proc.ofInt’lConf.onNetworkProtocols’99,Nov.1999[GR01]GaoandRexford,“StableInternetRoutingwithoutGlobalCoordination,”IEEE/ACMTrans.onNetworking,9(6):681-692,Dec.2001[GSW02]Griffin,Shepherd,andWilfong,“TheStablePathsProblemandInterdomainRouting,”IEEE/ACMTrans.onNetworking(TON),10(2):232-243,Apr.2002
Advanced!Computer Networks
Internetinter-ASRouting:BGPBGP(BorderGatewayProtocol),released07/94,isdefactostandardforinter-ASroutingBGPprovideseachASameansto:• advertiseAddressPrefixes(APs)reachabilityinformationtoneighboringASs(witheBGP)• propagateAP-reachabilitytoallAS-internalrouters(withiBGP)• determine“good”routestoAPsbasedonreachabilityandpolicy• inter-ASroutingispolicydriven,notload-sensitive,generallynotQoS-based
BGPRoutingPolicyExample
A,B,CareprovidernetworksX,W,Yarecustomers(ofprovidernetworks)Xismulti-homed:attachedto≥2networksXdoesnotwanttoroutefromBviaXtoC�..soXwillnotadvertisetoBaroutetoC
BGPRoutingPolicyExample
AadvertisestoBthepathAWBadvertisestoXthepathBAWBdoesnotadvertisetoCthepathBAW • Bgetsno“revenue”forroutingCBAWsinceneitherWnorCareB’scustomers• BwantstoforceCtoroutetoWviaA • Bwantstorouteonlyto/fromitscustomers!
PathAttributes&BGPRoutesBGPassociatesBGPattributeswitheachAP
Twoimportantattributes:• AS_PATH:thepathvectorofASsthroughwhichtheadvertisementforaprefixpassedthrough
• NEXT_HOP:thespecificrouteratneighborAS(theremaybemultipleexitsfromcurrentAStoneighborAS)
SampleBGProutingtableentry:AP NEXT_HOP AS_PATH 198.32.163.0/24 202.232.1.8 2497 2914 3582 4600
• addressprefix198.32.163.0/24isinAS4600 • togetthere,sendtorouterataddress202.232.1.8 • thepathgoesthroughASs2497,2914,3582,inorder
BGPPolicyToolsExportpolicies:inadditiontoAS_PATH,anAScansettheseadditionalattributeswhenadvertisinganAP:• multiple-exitdiscriminator(MED):anAScantellaneighboritspreferredingresspoint• communityset(c_set):anAScantagcertainAPsasbelongingtothesamegroup,e.g.,customer,peer,back-up
Importpolicies:anASmaylearnofmorethanoneroutestosomeAPs• local_preference:anAScanspecifyitspreferredegresspointforanAP,e.g.,prefercustomeroverpeer
AT&T Sprint
Customer
Tier-2
Tier-3
Local-pref=100
Local-pref=90
BGPImplicitPoliciesImplicitimportpolicies:• setsNEXT_HOPandlocalpreference• discardssomerouteannouncements,topreventroutingloop,configurationmistakes,andattacks• discardrouteifASalreadyappearsinAS_PATH • discardrouteifAPadvertisedbycustomerisnotownedbycustomer• discardcustomeradvertisementthatcontainsotherlargeISPinitsAS_PATH
Implicitexportpolicies:• setsMEDvalues• prependsAStoAS_PATH
BGPPolicyinPlayHowanASsetstheattributesofitadvertisementsinfluencesitsneighbors’behavior
• ASprepending:artificiallyinflatetheASpathlength(byrepeatingtheASnumberinAS_PATH)toconvinceneighborstouseadifferentAS
• cold-potatorouting:AS1setsMEDinadvertisementforAPdtoprefertrafficingressclosesttod
• hot-potatorouting:AS2prefersegress(local_preference)closesttotrafficsource(ignoringtheotherAS’sMED)
d
d
d
s
AS1
AS2
BGPPolicy:Implementation
BestRouteSelection
ApplyImportPolicies
BestRouteTable
ApplyExportPolicies
Installforwardingentriesforbestroutes
ReceiveBGPUpdates
BestRoutes
TransmitBGPUpdates
ApplyPolicy=filterroutes&tweakattributes
BasedonAttributeValues
IPForwardingTable
ApplyPolicy=filterroutes&tweakattributes
Openendedprogramming,constrainedonlybyvendorconfigurationlanguage
[Rexford]
BGProuteselectioninorder:1. highestlocal_preference 2. shortestAS_PATH 3. lowestMEDvalue4. tiebreakbyNEXT_HOP
IPaddress
PolicyDisputesBGPallowspathchoicestobedictatedbypolicyinsteadofdistancemetric
EachASsetsitsownpolicy,withoutanyglobalcoordination
Problem:thereareunsafecollectionsofroutingpoliciesthatcancauseBGPtodiverge(exchangingBGProutingmessagesindefinitely)
Griffin,Shepherd,andWilfongpresentsufficientconditionsonroutingpoliciesthatguaranteeBGPsafety[GSW99]
PolicySafetyStepstoensureacollectionofpoliciesissafe:1. modelBGPasSimplePathVectorProtocol(SPVP)
2. checkfordisputecycle(or,equivalently,disputewheel)inanSPVPspecification
3. nodisputewheelmeansanSPVPspecissafe
SimplePathVectorProtocol(SPVP):• aformalsystemdesignedtocapturetheunderlyingsemanticsofBGP
• stripsawayallbuttheessentialsofBGP,leavingonly:• permittedpathstoadestination
• therankingofthosepaths
SPVPandSolvabilitySimplePathVectorProtocol(SPVP)specification:• eachnode,representinganAS,hasasetofpermittedpathstoasingledestination• andarankingfunctionthatranksitspermittedpathsbypreference
SolutionstoanSPVPspecificationareroutingtreesthatsatisfycertainstabilityconditions• staticsolvabilityofSPVPisstillNP-complete• butadynamicevaluationheuristicgrowsastablepathassignment(aroutingtree)inagreedymanner[GSW02]• thestablestatesofthedynamicevaluationaresolutionstotheSPVPspecification
Terminology
G(V, E)anetworkofnodes,V = {0, 1, 2, ..., n}Node0:theorigin,aspecialnodethatisthedestinationnodetowhichallothernodesattempttoestablishapathPermittedpath(P):apaththathasnotbeenfilteredoutbypolicyalongtheway
Rankingfunction(λi(P)):givesnodei’srankingofpermittedpathPbypolicypreference;largerλ()meanshigherpreference
TerminologyandNotationApathinG,P = vk, vk−1, ..., v1, v0,s.t.∀i > 1, {vi, vi−1} ∈ E
PQ:concatenationofPandQ,thelastnodeinPmustbethesameasthefirstnodeinQ
(u, vk)P = u, vk, vk−1, ..., v0(vkmustbethefirstnodeinP)
εP = Pε = P,εemptypath
P[vi, vj]:subpathvi, vi−1, ..., vjofsimplepathP
P v:setofpermittedpathsfromvtotheorigin
ForP1,P2∈Pv,andλv(P1)<λv(P2),thenP2issaidtobe
preferredoverP1(largerλ(),higherpreference)
SPVPForP=∪v∈VP
v,thesetofallpermittedpathstotheorigin,andΛ={λv|v ∈ V−{0}},thesetofallrankingfunctions,anSPVPspecificationisS = (G, P, Λ)RestrictionsonΛandP:• foreachv ∈ V,ε ∈ P v(it’soknottohaveapath)• foreachv ∈ V,λv(ε) = 0• Ifλv(P1)=λv(P2),thenP1=P2orP1= (v, u)P’1andP2= (v, u)P’2(P1andP2havethesamenexthop)
• ifpathP∈P v,Pisasimplepath(norepeatednodes)• ifpathP∈ P v,andnodew≠0isinP,thenP[w, 0] ∈Pw
(consistency:tailofapermittedpathmustbeapermittedpath)
StabilityandSolvabilityAroutingtreeT = (P1, P2, ..., Pn)isavectorofpathswithPi∈P
is.t.theunionofthesepathsisatreeNodeiisstablewithrespecttoTifλi((i, j)Pj)≤λ
i(Pi)whenever(i, j)Pj∈P
i,i.e.,analternatepermittedpathisnotpreferredovercurrentpathTisstableifeverynodeisstableSissolvableif∃astableT⇒TisasolutiontoS
Example1:GOODGADGET
SPVPspecification:aroutingtree/solution:nonodecouldpickamorepreferredpath
Solutiontospecification:
pathrankinghighestpreferencelowestpreference�
(1 3 0)(2 0)(3 0)
(4 3 0)
DynamicEvaluationNowconsidercollectionofpermittedpathsatallnodesatanyonetimeasastateAstateforSPVPSisavectors = (P1, P2, ..., Pn),wherePi∈P
i• sisnotalwaysatree(couldbecyclic)Indynamicevaluation, Eval(S),theSPVPmovesfromonestatetoanotherwhereeach“activated”node(anodethatmustrecomputepath):• processesallneighbors’updates• computesanychangestopreferredroutes• andsendsupdatestoitsneighbors
(1 3 0)(2 0)(3 0)
(4 3 0)
Example1
(1 0)(2 0)(3 0)
(4 3 0)
(1 3 0)(2 1 0)(3 0)
(4 3 0)
(1 3 0)(2 0)(3 0)
(4 3 0)
unstableinitialstate
nodes1and2preferhigherrankedpathsavailable
node2lostpreferredpath,acceptinglowerrankedpath:solutionstabilizes:nonodecouldpickamorepreferredpath
SPVPspecification:aroutingtree/solution:nonodecouldpickamorepreferredpath
(1 3 0)(2 0)(3 0)
(4 3 0)
Statetransitiondiagramorevaluationdigraph,
Eval(S)
stablestate
GOOD GADGETissafe
pathrankinghighestpreferencelowestpreference
�
DisputeCycle
CapturesacertaintypeofcircularpolicyinconsistencyAnSPVPspecificationwithnodisputecyclealwayshasauniquesolutionandissafe• itsdynamicevaluationwillalwaysarriveatastablestate
Example2
Hasnosolution,dynamicevaluationdiverges:
(1 0)(2 0)(3 0)
()
(1 3 0)(2 1 0)(3 0)
(4 2 0)
(1 3 0)(2 0)
(3 4 2 0)(4 3 0)
(1 0)(2 0)(3 0)
(4 2 0)
(1 3 0)(2 1 0)
(3 4 2 0)(4 2 0)
(1 0)(2 0)(3 0)
()
SPVPspecification:
{1, 2, 4} {2, 3, 4} {1, 3, 4} {1, 2, 3} {1, 2, 3, 4}
{1, 2, 4}
BAD GADGETisnotsolvable
cycle�Sdiverges
pathrankinghighestpreferencelowestpreference
�
Example3
SPVPspecification:
SameuniquesolutionasGOODGADGET:Butdynamicevaluationdiverges:
(1 3 0)(2 0)(3 0)
(4 3 0)
NAUGHTY GADGETissolvablebutnotsafe
pathrankinghighestlowest
�
DynamicEvaluation:FormallyLet:• A ⊆ V ≠ ∅bethesetofnodesthatmustupdatepaths(activatednodes),• s = (P1, ..., Pn)betheSPVPstatebeforetheupdates,and• s’ = (P’1, …, P’n)betheSPVPstateafternodesinA updatetheirpaths
Piifi∉A(i’spathdoesn’tchange),P∈P is.t.λi(P)ismaximal
s→s’denotesthistransition
P’i =
A
(1 0)(2 0)(3 0)
(4 3 0)
(1 3 0)(2 1 0)(3 0)
(4 3 0)
{1, 2}
StableState
Astatesisstableifs→sforeveryA,i.e.,nonodecouldpickabetterpaththanitscurrentpathAnupdatesequenceσisafunctions.t.σ(t) ⊆ V, foreacht ≥ 0, i.e.,σ(1) = A1, σ(2) = A2, …, σ(t) = Atσ(s0, t) = st: s0 → s1 → s2 → … → st
A
A1 A2 A3 At
ConvergenceandSafety
Sissaidtoconvergewithrespecttoσands0if∃ts.t.σ(s0, t)isstableOtherwiseitissaidtodivergewithrespecttoσands0σisfairifforeachnodeu,u∈σ(t)forinfinitelymanyt’s(σmakesprogress)Sissafeifitconvergesforeveryfairσandeveryinitialstates0
DisputeDigraphAdisputedigraphofS(DD(S))consistsofnodesandarcswhere:• eachnoderepresentsapermittedpath• anarciseitheratransmissionarcoradisputearc• transmissionarc(-->):apermittedpathatonenodeallowinganotherpermittedpathatanothernode• disputearc(→):policydisputebetweennodesthatdisallowapermittedpathatoneofthenodes
DD(GOOD GADGET):
DisputeCycle
Acycleinthedisputedigraph
0
DisputeWheelGeneralization(“long-distance”)andformalizationofdisputecycleusedtoprovesolvabilityandsafetyofSPVPspecification
DisputewheelconstructedfromasetofnodeswhereeachnodeukhastwopermittedpathsQk andRk Qk+1wherethepaththroughtheneighborispreferredovertheother λ
uk(Qk)≤λuk(Rk Qk+1)• neighborindisputewheelisnotnecessarilyneighborinactualnetwork,i.e.,thepathRcanhavelength> 1
(Non-)existenceofdisputewheelisthenusedtoprovesolvabilityandsafetyofSPVPspecification
Example
AdisputewheelofbothBADandNAUGHTYGADGETs
AnotherdisputewheelofNAUGHTYGADGET
[GSW02]
λu0 (Q0) ≤ λu0(R0Q1)
λu1(Q1) ≤ λu1(R1Q2)
λu2(Q2) ≤ λu2(R2Q0)
λu0(Q0) ≤ λu0(R0Q1)
λu1(Q1) ≤ λu1(R1Q0)
0
R1
Theorems
AspecificationShasadisputewheeliffDD(S)containsacycle
IfShasnodisputewheel,Sissolvable,i.e.,∃astableroutingtreeforS
Divergenceimpliesadisputewheel:if∃anon-trivialcycle(containsnoself-loops)intheevaluationdigraphofS, Eval(S),Scontainsadisputewheel
Theorems
Sufficientcondition:ifShasnodisputewheel, Eval(S)hasnonon-trivialcycles,andSissafe
¬(Necessarycondition):ifShasadisputewheel,Eval(S)mayormaynotcontainacycleExample:BADBACKUPhasadisputewheelthatisnotrealizableintheevaluationandissafe
BAD BACKUP
SummaryAuthorspresentsufficientconditionsonroutingpoliciesthatguaranteeBGPsafety
DisputecyclecapturesacircularsetofrelationshipsbetweenrankingfunctionsAnSPVPspecificationwithnodisputecyclealwayshasauniquesolutionandsafe• specificationwithnodisputecycleissafe• itsdynamicevaluationwillalwaysarriveatastablestate(solutiontotheSPVPspecification)
ImplicationofSPVP
Conjecture:onlySPFrouteselectionisprovablysafeSPVP:ifSisconsistentwithacoherentcostfunction,suchasSPF,thenShasnodisputewheel�SissafeHowever,Sbeingsafedoesn’trequireconsistencywithacoherentcostfunction�routeselectioncan“violate”distancemetricandremainsafe!
ApplicationofSPVPStaticevaluationofBGPisNP-hard,evenofSPVPisNP-complete[GSW99]HowdoweensureBGPconvergence?GaoandRexfordproposeasetofpolicyguidelinesthat• imposesapartialorderonthesetofroutestoeachdestination
• doesnotrequireglobalcoordination• exploitsthehierarchicalstructureoftheInternetandthecommercialrelationshipsbetweenASs• convenientlyalreadyconformstocommonpractices�whywehaven’tseenBGPdivergenceontheInternet[GR01]
ASRelationshipsCommercialrelationshipsbetweenASs:• peering:peersagreetoexchangetrafficforfree(settlementfree),usuallywhentrafficexchangeisbalanced(notmorethan1:3ratio)
• customer-provider:customerpaysforaccess• backup
AS100
AS22
AS0 AS1
AS20
peer-to-peer
provider-customer
tier-1
tier-2
backup
PeeringRelationshipPeersexchangetrafficoftheircustomers• ASexportsonlyitscustomers’APstoapeer
• ASexportsapeer’sAPsonlytoitscustomers
• Peersdon’tadvertiseAPslearnedfromotherpeersorproviders(notransit)
peerpeer
Trafficto/fromthepeeranditscustomers
d
announcements
traffic
[Rexford]customercustomer
Customer-ProviderRelationshipCustomerneedstobereachablebyeveryone• providertellsallitsneighborshowtoreachthecustomer• prefer-customeroverpeerincaseofmulti-homedcustomer
Customerneedstoreacheveryone• provideradvertisesallAPstocustomer
[Rexford]
d
d
provider
customer
customer
provider
Traffictothecustomer Trafficfromthecustomer
announcements
traffic
announcementstraffic
Valley-FreeRoutingCustomerdoesnotwanttoprovidetransitservice• customeronlyadvertisesitsownAps
• notAPsfrompeersnorotherproviders(incaseofmulti-homing)
AS100
AS22
AS0 AS1
AS20
peer-to-peer
provider-customer
tier-1
tier-2
backup
✗
✗
PolicyGuidelinesGuidelineA:Prefer-Customer• preferroutingviacustomeroverroutingviapeerorprovider
• resultsinstablepath;provebyinduction:• Phase1:activateASsincustomer-to-providerDAGinlinearorder
• Phase1isstable:• customeritselfisstable
• assumestableafterkhopstoprovider• k+1hopisstablebecauseitsoptionsarestable
• Phase2:activateprovider-to-customerDAGinlinearorder
• Phase2isstable:• firstAS(provider)isstable
• assumestableafterIhopsfromprovider
• k+1hopisstablebecauseitsoptionsarestable
PolicyGuidelinesGuidelineB:• allowroutingviacustomerorpeerwithequalpreference,butoverroutingviaprovider
• resultsinstablepathifafterclusteringpeersintoclusters,theclustersformaDAG• provebyinductionintwophasessimilartoGuidelineA,butadditionallyassumeactivationinlinearorderoftheclusterDAG
• andnotethatanASalwaysprefersacustomerroutewithashorterASpathtoapeerroute,ensuringpreferenceforthecustomer-providerDAGwithshorterroute
PolicyGuidelinesGuidelineC:• usebackuplinkonlyifthere’snocustomer,peer,orproviderlink
• requirescoordinationbetweenASs• tomarkbackuppathusingcommunityset
• setallbackuppathsthesamelocal_preferencevalue
• toensuresafety,activatebackuppathsinshortestpathfirstorder
PolicyGuidelinesASscanhavedifferentrelationshipfordifferentAPs,guidelinesapplyperdestinationAPDuringrelationshipchange(customertopeerorcustomertoprovider—unlikely),modifyprovider’spolicyconfigurationfirst
BGPRoutingPolicyLoopCurrentapproachtopreventBGPpolicyloops:• ISPsregistertheirpolicywithInternetRoutingRegistry(IRR)• Policyspecifiedinastandardlanguage• ConflictscanbecheckedProblems:• Policies/relationshipsmustberevealedandupdated• StaticcheckingforconvergenceisNP-hard• BGPmaynotconvergeunderrouter/linkfailureorpolicychanges
top related