Control Plane Resilience: The Method of Strong Detection
Raj Kumar, Vishal Misra, Dan Rubenstein
Allerton, 9/28/06
Routing Protocols with Misconfigurations
• Routing Protocols in “friendly” environments are well understood, e.g.,
– Link State: global knowledge, centralized approach
– Distance Vector (a.k.a. Bellman-Ford): known to converge (quickly), adapt to changes, etc.
– BGP (Path-Vector): some problems in converging when routes change, significant literature evaluating/understanding
• Critical Assumption for correctness: Nodes follow the proper protocol procedure
• Q: What happens when nodes don’t follow the protocol like they’re supposed to?
History Shows: Misbehaving nodes can be a big problem
• The infamous BGP AS 7007 Incident:
• Consider routes to node 8765
[Figure: AS-level graph with nodes 7007, 5165, 4345, 7074, 6957, 2134, …, 8765]
AS #    7007’s Distance
2134    2
4345    1
5165    3
6957    2
7074    1
…       …
8765    8
Traffic goes where it is supposed to
Nodes don’t always “behave”
• The infamous BGP AS 7007 Incident:
[Figure: AS-level graph with nodes 7007, 5165, 4345, 7074, 6957, 2134, …, 8765]
AS #    7007’s Distance
2134    1
4345    1
5165    1
6957    1
7074    1
…       …
8765    1
Traffic enters “black hole”
Theory to detect “Bad” Nodes
• Rules:
– “Bad” nodes can cheat, “Good” nodes can attempt to detect the bad nodes
– “Good” nodes must be limited to information provided by the routing protocol
• Want to exchange additional info, modify the protocol
• Challenge: When can a good node determine something isn’t right?
Can I tell if my neighbors are giving me the correct information?
A Node’s Info: Its State
• A node’s state is its (only) view of the network
– e.g., Distance-Vector (a.k.a. Bellman-Ford)
Dest/Neighbor   A    B    E
A               0    1    12
B               1    0    7
C               7    13   8
D               5    9    6
E               9    6    0
F               12   15   13
G               4    9    2
[Figure: network graph with nodes A, B, C, D, E, F, G]
Note our convention: (I,J) in state table reports node I’s distance to J (not local node’s distance to J through I)
Detection
• Assume: Routes have stabilized (routing protocol inactive)
• Q: For routing protocol P, given a good node’s state, what misconfigurations can it detect/observe within the network?
• Note: A node can’t always detect a problem
An undetectable misconfig at node N:
[Figure: two N-X-Y paths, one with edge lengths 1 and 1, one with edge lengths 1 and 3; D(X,Y) = 3]
Prior Work: “Weak” Detection
• Process for constructing a weak detection method:
– Find a property that a node’s state should exhibit
– Check the property in a node’s state
– Declare misconfiguration in network if property is violated
• A detection method is “Weak” if it fails to identify a misconfiguration that is detectable using another method (on same state)
A Weak Detection Method: Symmetry
• In an undirected graph, D(X,Y) = D(Y,X)
– Here, D(A,B) = 1
– But D(B,A) = 4
• Using symmetry, found a misconfiguration
• So why is Symmetry weak?
Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    6
E               9    6    4
F               12   15   13
G               4    9    2
Another Weak Detection Method: Triangle Inequality [DMZ’03]
• Triangle inequality should hold: D(X,Z) ≤ D(X,Y) + D(Y,Z)
• Violated here:
– D(B,E) = 3
– D(B,A) = 1
– D(A,E) = 1
– D(B,E) > D(B,A) + D(A,E)
• Note: symmetry property not violated
Dest/Neighbor   A    B    E
A               0    1    1
B               1    0    3
C               12   13   8
D               5    9    6
E               1    3    0
• Example shows why detection via symmetry is weak: failed to identify a detectable misconfiguration
• So why is triangle inequality weak?
Weakness of Triangle Inequality
• Suppose graph edge lengths are all 1
• No violation of symmetry or triangle inequality
Dest/Neighbor   A    B
A               0    2
B               2    0
C               3    1
D               3    3
[Figure: nodes A, B, C, D with the annotations below]
• A and B are our neighbors
• C is distance 1 from B
• D is distance 3 from both A & B: nowhere to put connecting edge
• Where to place edges?
“Strong” Detection
• A detection method is “strong” if it always detects detectable misconfigurations
• More formally, let
– μ be a method to detect misconfigurations
– C = N be the set of valid networks (what the network might look like)
– $N_R$: the actual network (Note $N_R \in C$)
– $s_n(N)$ is state of node n when the routing protocol is executed correctly (and stabilized) within a network $N \in C$
– $s'_n(N_R)$ be the state actually computed at node n (possibly with misconfigurations) in network $N_R$
• μ is a strong detection method if one of the following holds whenever $s'_n(N_R) \neq s_n(N_R)$:
– Detected: μ detects that $s_n(N_R) \neq s'_n(N_R)$
– Undetectable: No method μ’ exists that can detect $s_n(N_R) \neq s'_n(N_R)$
A High-Complexity Strong Detection Algorithm
• Input:
– State $s'_n(N_R)$ of node n for the “real” but unknown network $N_R$
– Description of set of allowable networks, C = N
• Algorithm: For each $N \in C$
– Compute $s_n(N)$
– If $s_n(N) = s'_n(N_R)$ then return MISCONFIG UNDETECTABLE (N might be the valid network)
• If no $N \in C$ matches, then misconfiguration detected
• Algorithm Complexity is Ω(C), often huge!
Low-Complexity Strong-Detection
• Q: Can Strong Detection be achieved with low complexity?
• A: Sometimes: we show how to do it for Bellman-Ford (a.k.a. Distance Vector)
Strong Detection for D.V.
• Input at node n:
– $s'_n(N_R)$: a single node’s (steady state) state table that reports each neighbor’s (supposed) distance to all nodes
– Set C of all allowable networks
• defined by $A_{xy}$: $A_{xy}$ is the set of allowable lengths of edges between node x and y
• E.g., $A_{xy} = [0,3) \cup [4,4] \cup [7,100]$
State table $s'_n(N_R)$:
Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    12
E               9    6    4
F               12   15   13
G               4    9    2
Strong Detection in D.V. at a node, n
• Take node n’s state, $s'_n(N_R)$
• Use this state to build the canonical graph, $M \in C$
• Simulate D.V. on M to generate simulated state $s_n(M)$
• We will prove:
– If $s_n(M) \neq s'_n(N_R)$, then misconfiguration detected
– Else, either there is no misconfiguration, or it is undetectable (using node n’s state) because M might be the actual network
State table $s'_n(N_R)$:
Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    12
E               9    6    4
F               12   15   13
G               4    9    2
State table $s_n(M)$:
Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    12
E               9    6    4
F               12   15   13
G               4    9    2
[Figure: two graphs over nodes A, B, C, D, E, F, G and n, one of them labeled M]
Creating the Canonical Graph, M, for an undirected network
• For each pair of nodes (x,y):
– Create edge (x,y) with length $e_{xy}$ = smallest value in $A_{xy}$ that is ≥ $\max_{m \in V(n)} |d(m,x) - d(m,y)|$
– $e_{xy} = \infty$ if all values in $A_{xy}$ too small
• Consider the state table below
– $e_{CD} \geq \max(|12-5|, |13-9|, |8-12|) = 7$
– If $A_{CD} = [1,1] \cup [4,6] \cup [8,10]$, then $e_{CD} = 8$
Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    12
E               9    6    4
F               12   15   13
G               4    9    2
Proving Strongness of the Canonical Graph Method
• N: a network for which $s_n(N) = s'_n(N_R)$, when such a network N exists
• M: the canonical graph constructed by n from $s'_n(N_R)$
• $f_{xy}$: length of edge (x,y) in N (when the edge exists)
• $e_{xy}$: length of edge (x,y) in M (edges always exist)
• $d_G(x,y)$: shortest path distance from x to y in network G
• Assume: all edges have positive length (easy to extend when edges can also have length 0)
• High Level Sketch of Proof:
– If N exists where $s_n(N) = s'_n(N_R)$, then $s_n(M) = s_n(N) = s'_n(N_R)$
– If N does not exist, then $s_n(M) \neq s'_n(N_R)$
Bounds on exy
• Lemma 1: If $s_n(N) = s'_n(N_R)$ for some $N \in C$ and edge (x,y) exists in N with length $f_{xy}$, then $e_{xy} \leq f_{xy}$
• Proof: In N, x & y’s distances to any neighbor v must differ by at most $f_{xy}$, i.e.: For each neighbor v, $|d_N(v,y) - d_N(v,x)| \leq f_{xy}$
• Hence $\max_{m \in V(n)} |d(m,x) - d(m,y)| \leq f_{xy}$
• Recall $e_{xy}$ = smallest value in $A_{xy}$ that is ≥ $\max_{m \in V(n)} |d(m,x) - d(m,y)|$
• Since $N \in C$, we have $f_{xy} \in A_{xy}$ and so $e_{xy} \leq f_{xy}$
[Figure: node n, a neighbor v, and edge (x,y) of length $f_{xy}$]
• Lemma 2: If $s_n(N) = s'_n(N_R)$ for some $N \in C$, then $d_M(v,x) \leq d_N(v,x)$ for all neighbors v and all nodes x
• Proof: by contradiction. Select x with smallest $d_N(v,x)$ where $d_M(v,x) > d_N(v,x)$
• Let y be a preceding node on a shortest path from v to x in N: $f_{xy}$ is the edge connecting y to x on this path, so $d_N(v,y) < d_N(v,x)$ and $|d_N(v,x) - d_N(v,y)| = f_{xy}$
• $d_N(v,y) < d_N(v,x)$, hence y not blue ⇒ $d_M(v,y) \leq d_N(v,y)$, so $d_M(v,y) \leq d_N(v,y) < d_N(v,x) < d_M(v,x)$
• $f_{xy} = |d_N(v,x) - d_N(v,y)| < |d_M(v,x) - d_M(v,y)| \leq e_{xy}$
• Contradicts Lemma 1 (which states $e_{xy} \leq f_{xy}$)!!
[Figure: nodes ordered by distance from v in N; blue nodes t satisfy $d_M(v,t) > d_N(v,t)$; edge (x,y) has length $f_{xy}$ in N and $e_{xy}$ in M]
• Lemma 3: If $s_n(N) = s'_n(N_R)$ for some $N \in C$, then $d_M(v,x) \geq d_N(v,x)$ for all neighbors v and all nodes x
• Proof: by contradiction. Select x with smallest $d_M(v,x)$ where $d_M(v,x) < d_N(v,x)$
• Let y be the node preceding x on a shortest path from v to x in M where edge $e_{xy}$ connects y to x on this path: hence $d_M(v,y) < d_M(v,x)$ and $e_{xy} = d_M(v,x) - d_M(v,y)$
• $d_M(v,y) < d_M(v,x)$, hence y not blue ⇒ $d_M(v,y) \geq d_N(v,y)$
• Hence $e_{xy} = d_M(v,x) - d_M(v,y) < d_N(v,x) - d_N(v,y) = |d_N(v,x) - d_N(v,y)|$
• But $e_{xy} = \max_m |d_N(m,x) - d_N(m,y)|$, and $\max_m |d_N(m,x) - d_N(m,y)| \geq |d_N(v,x) - d_N(v,y)|$ !! Contradiction!
[Figure: nodes ordered by distance from v in M; blue nodes t satisfy $d_M(v,t) < d_N(v,t)$; edge (x,y) has length $e_{xy}$ in M and is compared with the distances in N]
The Main Result
• Some $N \in C$ produces state $s_n(N) = s'_n(N_R)$ ⇔ $s_n(M) = s'_n(N_R)$
• Proof:
– Follows from Lemma 2 ($d_M(v,x) \leq d_N(v,x)$) and Lemma 3 ($d_M(v,x) \geq d_N(v,x)$)
– If no $N \in C$ produces state $s'_n(N)$, since $M \in C$, M cannot produce state = $s'_n(N)$
• In other words, only need to check if $s_n(M) = s'_n(N_R)$
• Complexity: $O(|V|^3)$
– Construct the canonical graph, M
– Simulate Bellman-Ford
– Compare State Tables
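The three steps above (construct M, simulate Bellman-Ford, compare state tables), written out in Python as an added example that is not code from the slides. It assumes each neighbor also reports its distance to n itself, that every $A_{xy}$ is a union of closed intervals, and it runs on the all-edges-length-1 table from the "Weakness of Triangle Inequality" slide with constructed "n" entries; the function names are hypothetical.

```python
import math
from itertools import combinations

def smallest_allowed(intervals, t):
    """Smallest value >= t in a union of closed intervals [lo, hi]; inf if none."""
    return min((max(lo, t) for lo, hi in intervals if hi >= t), default=math.inf)

def canonical_graph(state, allowed):
    """state[m][x] is neighbor m's reported distance to x; allowed(x, y) gives A_xy."""
    nodes = sorted(next(iter(state.values())))
    edge = {}
    for x, y in combinations(nodes, 2):
        gap = max(abs(col[x] - col[y]) for col in state.values())
        edge[x, y] = edge[y, x] = smallest_allowed(allowed(x, y), gap)
    return nodes, edge

def simulate_dv(nodes, edge):
    """Stabilized distance vector = all-pairs shortest paths (Floyd-Warshall, O(|V|^3))."""
    d = {(x, y): 0 if x == y else edge[x, y] for x in nodes for y in nodes}
    for k in nodes:
        for x in nodes:
            for y in nodes:
                d[x, y] = min(d[x, y], d[x, k] + d[k, y])
    return d

def misconfig_detected(state, allowed):
    """True if the canonical graph M cannot reproduce the reported state table."""
    nodes, edge = canonical_graph(state, allowed)
    d = simulate_dv(nodes, edge)
    return any(d[m, x] != col[x] for m, col in state.items() for x in nodes)

# Constructed sample: every edge must have length 1 (A_xy = [1,1]).
UNIT = lambda x, y: [(1, 1)]
# Columns A and B are the slide's table; the "n" entries are assumed here.
REPORTED = {"A": {"n": 1, "A": 0, "B": 2, "C": 3, "D": 3},
            "B": {"n": 1, "A": 2, "B": 0, "C": 1, "D": 3}}
# Same table without destination D: consistent with the chain A - n - B - C.
WITHOUT_D = {m: {x: v for x, v in col.items() if x != "D"}
             for m, col in REPORTED.items()}

if __name__ == "__main__":
    print(misconfig_detected(REPORTED, UNIT))
    print(misconfig_detected(WITHOUT_D, UNIT))
```

The reported table passes both the symmetry and triangle-inequality checks, yet in M node D ends up with no allowable edge, so the simulated state cannot match it.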
Extensions / Future Directions
• Same idea works for:
– Directed graphs
– Using state info from a set of trusted nodes
• Similar canonical graph construction works for path-vector variants
• Future Directions:
– Identifying the offending node (not just its existence)
– Performing Strong Detection for other routing protocols (Ad-hoc network, geographical positioning)