[GSW99]Griffin,Shepherd,andWilfong,“PolicyDisputesinPath-VectorProtocols,”Proc.ofInt’lConf.onNetworkProtocols’99,Nov.1999[GR01]GaoandRexford,“StableInternetRoutingwithoutGlobalCoordination,”IEEE/ACMTrans.onNetworking,9(6):681-692,Dec.2001[GSW02]Griffin,Shepherd,andWilfong,“TheStablePathsProblemandInterdomainRouting,”IEEE/ACMTrans.onNetworking(TON),10(2):232-243,Apr.2002

Advanced!Computer Networks

Internetinter-ASRouting:BGPBGP(BorderGatewayProtocol),released07/94,isdefactostandardforinter-ASroutingBGPprovideseachASameansto:• advertiseAddressPrefixes(APs)reachabilityinformationtoneighboringASs(witheBGP)• propagateAP-reachabilitytoallAS-internalrouters(withiBGP)• determine“good”routestoAPsbasedonreachabilityandpolicy•  inter-ASroutingispolicydriven,notload-sensitive,generallynotQoS-based

BGPRoutingPolicyExample

A,B,CareprovidernetworksX,W,Yarecustomers(ofprovidernetworks)Xismulti-homed:attachedto≥2networksXdoesnotwanttoroutefromBviaXtoC�..soXwillnotadvertisetoBaroutetoC

BGPRoutingPolicyExample

AadvertisestoBthepathAWBadvertisestoXthepathBAWBdoesnotadvertisetoCthepathBAW • Bgetsno“revenue”forroutingCBAWsinceneitherWnorCareB’scustomers• BwantstoforceCtoroutetoWviaA • Bwantstorouteonlyto/fromitscustomers!

PathAttributes&BGPRoutesBGPassociatesBGPattributeswitheachAP

Twoimportantattributes:•  AS_PATH:thepathvectorofASsthroughwhichtheadvertisementforaprefixpassedthrough

•  NEXT_HOP:thespecificrouteratneighborAS(theremaybemultipleexitsfromcurrentAStoneighborAS)

SampleBGProutingtableentry:AP NEXT_HOP AS_PATH 198.32.163.0/24 202.232.1.8 2497 2914 3582 4600

• addressprefix198.32.163.0/24isinAS4600 • togetthere,sendtorouterataddress202.232.1.8 • thepathgoesthroughASs2497,2914,3582,inorder

BGPPolicyToolsExportpolicies:inadditiontoAS_PATH,anAScansettheseadditionalattributeswhenadvertisinganAP:• multiple-exitdiscriminator(MED):anAScantellaneighboritspreferredingresspoint• communityset(c_set):anAScantagcertainAPsasbelongingtothesamegroup,e.g.,customer,peer,back-up

Importpolicies:anASmaylearnofmorethanoneroutestosomeAPs•  local_preference:anAScanspecifyitspreferredegresspointforanAP,e.g.,prefercustomeroverpeer

AT&T Sprint

Customer

Tier-2

Tier-3

Local-pref=100

Local-pref=90

BGPImplicitPoliciesImplicitimportpolicies:• setsNEXT_HOPandlocalpreference• discardssomerouteannouncements,topreventroutingloop,configurationmistakes,andattacks•  discardrouteifASalreadyappearsinAS_PATH •  discardrouteifAPadvertisedbycustomerisnotownedbycustomer•  discardcustomeradvertisementthatcontainsotherlargeISPinitsAS_PATH

Implicitexportpolicies:•  setsMEDvalues• prependsAStoAS_PATH

BGPPolicyinPlayHowanASsetstheattributesofitadvertisementsinfluencesitsneighbors’behavior

• ASprepending:artificiallyinflatetheASpathlength(byrepeatingtheASnumberinAS_PATH)toconvinceneighborstouseadifferentAS

• cold-potatorouting:AS1setsMEDinadvertisementforAPdtoprefertrafficingressclosesttod

• hot-potatorouting:AS2prefersegress(local_preference)closesttotrafficsource(ignoringtheotherAS’sMED)

d

d

d

s

AS1

AS2

BGPPolicy:Implementation

BestRouteSelection

ApplyImportPolicies

BestRouteTable

ApplyExportPolicies

Installforwardingentriesforbestroutes

ReceiveBGPUpdates

BestRoutes

TransmitBGPUpdates

ApplyPolicy=filterroutes&tweakattributes

BasedonAttributeValues

IPForwardingTable

ApplyPolicy=filterroutes&tweakattributes

Openendedprogramming,constrainedonlybyvendorconfigurationlanguage

[Rexford]

BGProuteselectioninorder:1.  highestlocal_preference 2.  shortestAS_PATH 3.  lowestMEDvalue4.  tiebreakbyNEXT_HOP

IPaddress

PolicyDisputesBGPallowspathchoicestobedictatedbypolicyinsteadofdistancemetric

EachASsetsitsownpolicy,withoutanyglobalcoordination

Problem:thereareunsafecollectionsofroutingpoliciesthatcancauseBGPtodiverge(exchangingBGProutingmessagesindefinitely)

Griffin,Shepherd,andWilfongpresentsufficientconditionsonroutingpoliciesthatguaranteeBGPsafety[GSW99]

PolicySafetyStepstoensureacollectionofpoliciesissafe:1. modelBGPasSimplePathVectorProtocol(SPVP)

2. checkfordisputecycle(or,equivalently,disputewheel)inanSPVPspecification

3. nodisputewheelmeansanSPVPspecissafe

SimplePathVectorProtocol(SPVP):• aformalsystemdesignedtocapturetheunderlyingsemanticsofBGP

• stripsawayallbuttheessentialsofBGP,leavingonly:•  permittedpathstoadestination

•  therankingofthosepaths

SPVPandSolvabilitySimplePathVectorProtocol(SPVP)specification:• eachnode,representinganAS,hasasetofpermittedpathstoasingledestination• andarankingfunctionthatranksitspermittedpathsbypreference

SolutionstoanSPVPspecificationareroutingtreesthatsatisfycertainstabilityconditions• staticsolvabilityofSPVPisstillNP-complete• butadynamicevaluationheuristicgrowsastablepathassignment(aroutingtree)inagreedymanner[GSW02]• thestablestatesofthedynamicevaluationaresolutionstotheSPVPspecification

Terminology

G(V, E)anetworkofnodes,V = {0, 1, 2, ..., n}Node0:theorigin,aspecialnodethatisthedestinationnodetowhichallothernodesattempttoestablishapathPermittedpath(P):apaththathasnotbeenfilteredoutbypolicyalongtheway

Rankingfunction(λi(P)):givesnodei’srankingofpermittedpathPbypolicypreference;largerλ()meanshigherpreference

TerminologyandNotationApathinG,P = vk, vk−1, ..., v1, v0,s.t.∀i > 1, {vi, vi−1} ∈ E

PQ:concatenationofPandQ,thelastnodeinPmustbethesameasthefirstnodeinQ

(u, vk)P = u, vk, vk−1, ..., v0(vkmustbethefirstnodeinP)

εP = Pε = P,εemptypath

P[vi, vj]:subpathvi, vi−1, ..., vjofsimplepathP

P v:setofpermittedpathsfromvtotheorigin

ForP1,P2∈Pv,andλv(P1)<λv(P2),thenP2issaidtobe

preferredoverP1(largerλ(),higherpreference)

SPVPForP=∪v∈VP

v,thesetofallpermittedpathstotheorigin,andΛ={λv|v ∈ V−{0}},thesetofallrankingfunctions,anSPVPspecificationisS = (G, P, Λ)RestrictionsonΛandP:• foreachv ∈ V,ε ∈ P v(it’soknottohaveapath)• foreachv ∈ V,λv(ε) = 0• Ifλv(P1)=λv(P2),thenP1=P2orP1= (v, u)P’1andP2= (v, u)P’2(P1andP2havethesamenexthop)

• ifpathP∈P v,Pisasimplepath(norepeatednodes)• ifpathP∈ P v,andnodew≠0isinP,thenP[w, 0] ∈Pw

(consistency:tailofapermittedpathmustbeapermittedpath)

StabilityandSolvabilityAroutingtreeT = (P1, P2, ..., Pn)isavectorofpathswithPi∈P

is.t.theunionofthesepathsisatreeNodeiisstablewithrespecttoTifλi((i, j)Pj)≤λ

i(Pi)whenever(i, j)Pj∈P

i,i.e.,analternatepermittedpathisnotpreferredovercurrentpathTisstableifeverynodeisstableSissolvableif∃astableT⇒TisasolutiontoS

Example1:GOODGADGET

SPVPspecification:aroutingtree/solution:nonodecouldpickamorepreferredpath

Solutiontospecification:

pathrankinghighestpreferencelowestpreference�

(1 3 0)(2 0)(3 0)

(4 3 0)

DynamicEvaluationNowconsidercollectionofpermittedpathsatallnodesatanyonetimeasastateAstateforSPVPSisavectors = (P1, P2, ..., Pn),wherePi∈P

i• sisnotalwaysatree(couldbecyclic)Indynamicevaluation, Eval(S),theSPVPmovesfromonestatetoanotherwhereeach“activated”node(anodethatmustrecomputepath):• processesallneighbors’updates• computesanychangestopreferredroutes• andsendsupdatestoitsneighbors

(1 3 0)(2 0)(3 0)

(4 3 0)

Example1

(1 0)(2 0)(3 0)

(4 3 0)

(1 3 0)(2 1 0)(3 0)

(4 3 0)

(1 3 0)(2 0)(3 0)

(4 3 0)

unstableinitialstate

nodes1and2preferhigherrankedpathsavailable

node2lostpreferredpath,acceptinglowerrankedpath:solutionstabilizes:nonodecouldpickamorepreferredpath

SPVPspecification:aroutingtree/solution:nonodecouldpickamorepreferredpath

(1 3 0)(2 0)(3 0)

(4 3 0)

Statetransitiondiagramorevaluationdigraph,

Eval(S)

stablestate

GOOD GADGETissafe

pathrankinghighestpreferencelowestpreference

�

DisputeCycle

CapturesacertaintypeofcircularpolicyinconsistencyAnSPVPspecificationwithnodisputecyclealwayshasauniquesolutionandissafe• itsdynamicevaluationwillalwaysarriveatastablestate

Example2

Hasnosolution,dynamicevaluationdiverges:

(1 0)(2 0)(3 0)

()

(1 3 0)(2 1 0)(3 0)

(4 2 0)

(1 3 0)(2 0)

(3 4 2 0)(4 3 0)

(1 0)(2 0)(3 0)

(4 2 0)

(1 3 0)(2 1 0)

(3 4 2 0)(4 2 0)

(1 0)(2 0)(3 0)

()

SPVPspecification:

{1, 2, 4} {2, 3, 4} {1, 3, 4} {1, 2, 3} {1, 2, 3, 4}

{1, 2, 4}

BAD GADGETisnotsolvable

cycle�Sdiverges

pathrankinghighestpreferencelowestpreference

�

Example3

SPVPspecification:

SameuniquesolutionasGOODGADGET:Butdynamicevaluationdiverges:

(1 3 0)(2 0)(3 0)

(4 3 0)

NAUGHTY GADGETissolvablebutnotsafe

pathrankinghighestlowest

�

DynamicEvaluation:FormallyLet:• A ⊆ V ≠ ∅bethesetofnodesthatmustupdatepaths(activatednodes),• s = (P1, ..., Pn)betheSPVPstatebeforetheupdates,and• s’ = (P’1, …, P’n)betheSPVPstateafternodesinA updatetheirpaths

Piifi∉A(i’spathdoesn’tchange),P∈P is.t.λi(P)ismaximal

s→s’denotesthistransition

P’i =

A

(1 0)(2 0)(3 0)

(4 3 0)

(1 3 0)(2 1 0)(3 0)

(4 3 0)

{1, 2}

StableState

Astatesisstableifs→sforeveryA,i.e.,nonodecouldpickabetterpaththanitscurrentpathAnupdatesequenceσisafunctions.t.σ(t) ⊆ V, foreacht ≥ 0, i.e.,σ(1) = A1, σ(2) = A2, …, σ(t) = Atσ(s0, t) = st: s0 → s1 → s2 → … → st

A

A1 A2 A3 At

ConvergenceandSafety

Sissaidtoconvergewithrespecttoσands0if∃ts.t.σ(s0, t)isstableOtherwiseitissaidtodivergewithrespecttoσands0σisfairifforeachnodeu,u∈σ(t)forinfinitelymanyt’s(σmakesprogress)Sissafeifitconvergesforeveryfairσandeveryinitialstates0

DisputeDigraphAdisputedigraphofS(DD(S))consistsofnodesandarcswhere:• eachnoderepresentsapermittedpath• anarciseitheratransmissionarcoradisputearc• transmissionarc(-->):apermittedpathatonenodeallowinganotherpermittedpathatanothernode• disputearc(→):policydisputebetweennodesthatdisallowapermittedpathatoneofthenodes

DD(GOOD GADGET):

DisputeCycle

Acycleinthedisputedigraph

0

DisputeWheelGeneralization(“long-distance”)andformalizationofdisputecycleusedtoprovesolvabilityandsafetyofSPVPspecification

DisputewheelconstructedfromasetofnodeswhereeachnodeukhastwopermittedpathsQk andRk Qk+1wherethepaththroughtheneighborispreferredovertheother λ

uk(Qk)≤λuk(Rk Qk+1)• neighborindisputewheelisnotnecessarilyneighborinactualnetwork,i.e.,thepathRcanhavelength> 1

(Non-)existenceofdisputewheelisthenusedtoprovesolvabilityandsafetyofSPVPspecification

Example

AdisputewheelofbothBADandNAUGHTYGADGETs

AnotherdisputewheelofNAUGHTYGADGET

[GSW02]

λu0 (Q0) ≤ λu0(R0Q1)

λu1(Q1) ≤ λu1(R1Q2)

λu2(Q2) ≤ λu2(R2Q0)

λu0(Q0) ≤ λu0(R0Q1)

λu1(Q1) ≤ λu1(R1Q0)

0

R1

Theorems

AspecificationShasadisputewheeliffDD(S)containsacycle

IfShasnodisputewheel,Sissolvable,i.e.,∃astableroutingtreeforS

Divergenceimpliesadisputewheel:if∃anon-trivialcycle(containsnoself-loops)intheevaluationdigraphofS, Eval(S),Scontainsadisputewheel

Theorems

Sufficientcondition:ifShasnodisputewheel, Eval(S)hasnonon-trivialcycles,andSissafe

¬(Necessarycondition):ifShasadisputewheel,Eval(S)mayormaynotcontainacycleExample:BADBACKUPhasadisputewheelthatisnotrealizableintheevaluationandissafe

BAD BACKUP

SummaryAuthorspresentsufficientconditionsonroutingpoliciesthatguaranteeBGPsafety

DisputecyclecapturesacircularsetofrelationshipsbetweenrankingfunctionsAnSPVPspecificationwithnodisputecyclealwayshasauniquesolutionandsafe• specificationwithnodisputecycleissafe• itsdynamicevaluationwillalwaysarriveatastablestate(solutiontotheSPVPspecification)

ImplicationofSPVP

Conjecture:onlySPFrouteselectionisprovablysafeSPVP:ifSisconsistentwithacoherentcostfunction,suchasSPF,thenShasnodisputewheel�SissafeHowever,Sbeingsafedoesn’trequireconsistencywithacoherentcostfunction�routeselectioncan“violate”distancemetricandremainsafe!

ApplicationofSPVPStaticevaluationofBGPisNP-hard,evenofSPVPisNP-complete[GSW99]HowdoweensureBGPconvergence?GaoandRexfordproposeasetofpolicyguidelinesthat• imposesapartialorderonthesetofroutestoeachdestination

• doesnotrequireglobalcoordination• exploitsthehierarchicalstructureoftheInternetandthecommercialrelationshipsbetweenASs• convenientlyalreadyconformstocommonpractices�whywehaven’tseenBGPdivergenceontheInternet[GR01]

ASRelationshipsCommercialrelationshipsbetweenASs:• peering:peersagreetoexchangetrafficforfree(settlementfree),usuallywhentrafficexchangeisbalanced(notmorethan1:3ratio)

• customer-provider:customerpaysforaccess• backup

AS100

AS22

AS0 AS1

AS20

peer-to-peer

provider-customer

tier-1

tier-2

backup

PeeringRelationshipPeersexchangetrafficoftheircustomers• ASexportsonlyitscustomers’APstoapeer

• ASexportsapeer’sAPsonlytoitscustomers

• Peersdon’tadvertiseAPslearnedfromotherpeersorproviders(notransit)

peerpeer

Trafficto/fromthepeeranditscustomers

d

announcements

traffic

[Rexford]customercustomer

Customer-ProviderRelationshipCustomerneedstobereachablebyeveryone• providertellsallitsneighborshowtoreachthecustomer• prefer-customeroverpeerincaseofmulti-homedcustomer

Customerneedstoreacheveryone• provideradvertisesallAPstocustomer

[Rexford]

d

d

provider

customer

customer

provider

Traffictothecustomer Trafficfromthecustomer

announcements

traffic

announcementstraffic

Valley-FreeRoutingCustomerdoesnotwanttoprovidetransitservice•  customeronlyadvertisesitsownAps

•  notAPsfrompeersnorotherproviders(incaseofmulti-homing)

AS100

AS22

AS0 AS1

AS20

peer-to-peer

provider-customer

tier-1

tier-2

backup

✗

✗

PolicyGuidelinesGuidelineA:Prefer-Customer• preferroutingviacustomeroverroutingviapeerorprovider

•  resultsinstablepath;provebyinduction:•  Phase1:activateASsincustomer-to-providerDAGinlinearorder

•  Phase1isstable:•  customeritselfisstable

•  assumestableafterkhopstoprovider•  k+1hopisstablebecauseitsoptionsarestable

•  Phase2:activateprovider-to-customerDAGinlinearorder

•  Phase2isstable:•  firstAS(provider)isstable

•  assumestableafterIhopsfromprovider

•  k+1hopisstablebecauseitsoptionsarestable

PolicyGuidelinesGuidelineB:• allowroutingviacustomerorpeerwithequalpreference,butoverroutingviaprovider

•  resultsinstablepathifafterclusteringpeersintoclusters,theclustersformaDAG•  provebyinductionintwophasessimilartoGuidelineA,butadditionallyassumeactivationinlinearorderoftheclusterDAG

•  andnotethatanASalwaysprefersacustomerroutewithashorterASpathtoapeerroute,ensuringpreferenceforthecustomer-providerDAGwithshorterroute

PolicyGuidelinesGuidelineC:• usebackuplinkonlyifthere’snocustomer,peer,orproviderlink

•  requirescoordinationbetweenASs•  tomarkbackuppathusingcommunityset

• setallbackuppathsthesamelocal_preferencevalue

•  toensuresafety,activatebackuppathsinshortestpathfirstorder

PolicyGuidelinesASscanhavedifferentrelationshipfordifferentAPs,guidelinesapplyperdestinationAPDuringrelationshipchange(customertopeerorcustomertoprovider—unlikely),modifyprovider’spolicyconfigurationfirst

BGPRoutingPolicyLoopCurrentapproachtopreventBGPpolicyloops:• ISPsregistertheirpolicywithInternetRoutingRegistry(IRR)• Policyspecifiedinastandardlanguage• ConflictscanbecheckedProblems:• Policies/relationshipsmustberevealedandupdated• StaticcheckingforconvergenceisNP-hard• BGPmaynotconvergeunderrouter/linkfailureorpolicychanges