Results 11 - 20 of 262
Consensus Routing: The Internet as a Distributed System
Cited by 45 (5 self)
Internet routing protocols (BGP, OSPF, RIP) have traditionally favored responsiveness over consistency. A router applies a received update immediately to its forwarding table before propagating the update to other routers, including those that potentially depend upon the outcome of the update. Responsiveness comes at the cost of routing loops and blackholes—a router A thinks its route to a destination is via B but B disagrees. By favoring responsiveness (a liveness property) over consistency (a safety property), Internet routing has lost both. Worse, protocol behavior is complex and unpredictable, which makes them vulnerable to misconfiguration or abuse and stifles innovation in the long term. Our position is that consistent state in a distributed system makes its behavior more predictable and securable. To this end, we present consensus routing, a consistency-first approach that cleanly separates safety and liveness using two logically distinct modes of packet delivery: a stable mode where a route is adopted only after all dependent routers have agreed upon it, and a transient mode that heuristically forwards the small fraction of packets that encounter failed links. Somewhat surprisingly, we find that consensus routing improves overall availability when used in conjunction with existing transient mode heuristics such as backup paths, deflections, or detouring, while ensuring that the bulk of the traffic traverses the stable mode in a provably consistent and predictable manner. Experiments on the Internet’s AS-level topology show that consensus routing eliminates nearly all transient disconnectivity in BGP.
Rationality and Traffic Attraction: Incentives for Honest Path Announcements in BGP
, 2008
Cited by 43 (7 self)
We study situations in which autonomous systems (ASes) may have incentives to send BGP announcements differing from the AS-level paths that packets traverse in the data plane. Prior work on this issue assumed that ASes seek only to obtain the best possible outgoing path for their traffic. In reality, other factors can influence a rational AS’s behavior. Here we consider a more natural model, in which an AS is also interested in attracting incoming traffic (e.g., because other ASes pay it to carry their traffic). We ask what combinations of BGP enhancements and restrictions on routing policies can ensure that ASes have no incentive to lie about their data-plane paths. We find that protocols like S-BGP alone are insufficient, but that S-BGP does suffice if coupled with additional (quite unrealistic) restrictions on routing policies. Our game-theoretic analysis illustrates the high cost of ensuring that the ASes honestly announce data-plane paths in their BGP path announcements.
Incentive-compatible interdomain routing (Extended Abstract)
- PROC. OF THE 7TH CONFERENCE ON ELECTRONIC COMMERCE (EC’06)
, 2006
Cited by 40 (13 self)
The routing of traffic between Internet domains, or Autonomous Systems (ASes), a task known as interdomain routing, is currently handled by the Border Gateway Protocol (BGP) [17]. Using BGP, autonomous systems can apply semantically rich routing policies to choose interdomain routes in a distributed fashion. This expressiveness in routing-policy choice supports domains’ autonomy in network operations and in business decisions, but it comes at a price: The interaction of locally defined routing policies can lead to unexpected global anomalies, including route oscillations or overall protocol divergence (see, e.g., [20]). Networking researchers have addressed this problem by devising constraints on policies that guarantee BGP convergence without unduly limiting expressiveness and autonomy (see, e.g., [7, 8]). In addition to taking this engineering or “protocol-design” approach, researchers have approached interdomain routing from an economic or “mechanism-design” point of view. It is known that lowest-cost-path (LCP) routing can be implemented in a truthful, BGP-compatible manner [3] but that several other natural classes of routing policies cannot [2, 5]. In this paper, we present a natural class of interdomain-routing policies that is more realistic than LCP routing and admits incentive-compatible, BGP-compatible implementation. We also present several positive steps toward a general theory of incentive-compatible interdomain routing.
Analysis of the MED Oscillation Problem in BGP
, 2002
Cited by 39 (1 self)
The Multi Exit Discriminator (MED) attribute of the Border Gateway Protocol (BGP) is widely used to implement “cold potato routing” between autonomous systems. However, the use of MED in practice has led to BGP persistent oscillation. The MED oscillation problem has been described with example configurations and complicated, step-by-step evaluation of dynamic route computations performed at multiple routers. Our work presents the first rigorous analysis of the MED oscillation problem. We employ the Stable Paths Problem (SPP) formalism that allows a static analysis of the interaction of routing policies. We give a formal definition of MED Induced Routing Anomalies (MIRA) and show that, in general, they can span multiple autonomous systems. However, if we assume that the BGP configurations between ASes follows a common model based on customer/provider and peer/peer relationships, then we show that the scope of any MIRA is always contained within a single autonomous system. Contrary to widely held assumptions, we show that a MIRA can occur even in a fully meshed IBGP configuration. We also show that a stable BGP routing may actually violate the stated semantics of the MED attribute.
How secure are secure interdomain routing protocols
- SIGCOMM Comput. Commun. Rev
Cited by 37 (10 self)
In response to high-profile Internet outages, BGP security variants have been proposed to prevent the propagation of bogus routing information. To inform discussions of which of these variants should be deployed in the Internet, we quantify the ability of the main protocols (origin authentication, soBGP, S-BGP, and data-plane verification) to blunt traffic-attraction attacks; i.e., an attacker that deliberately attracts traffic to drop, tamper, or eavesdrop on packets. Intuition suggests that an attacker can maximize the amount of traffic he attracts by widely announcing a short path that is not flagged as bogus by the secure protocol. Through simulations on an empirically-determined AS-level topology, we show that this strategy is surprisingly effective, even when the network uses an advanced security solution like S-BGP or data-plane verification. Worse yet, we show that these results underestimate the severity of attacks. We prove that finding the most damaging strategy is NP-hard, and show how counterintuitive strategies, like announcing longer paths, announcing to fewer neighbors, or triggering BGP loop-detection, can be used to attract even more traffic than the strategy above. These counterintuitive examples are not merely hypothetical; we searched the empirical AS topology to identify specific ASes that can launch them. Finally, we find that a clever export policy can often attract almost as much traffic as a bogus path announcement. Thus, our work implies that mechanisms that police export policies (e.g., defensive filtering) are crucial, even if S-BGP is fully deployed.
Designing networks with good equilibria
- In SODA ’08
, 2007
Cited by 34 (4 self)
In a network with selfish users, designing and deploying a protocol determines the rules of the game by which end users interact with each other and with the network. We study the problem of designing a protocol to optimize the equilibrium behavior of the induced network game. We consider network cost-sharing games, where the set of Nash equilibria depends fundamentally on the choice of an edge cost-sharing protocol. Previous research focused on the Shapley protocol, in which the cost of each edge is shared equally among its users. We systematically study the design of optimal cost-sharing protocols for undirected and directed graphs, single-sink and multicommodity networks, different classes of cost-sharing methods, and different measures of the inefficiency of equilibria. One of our main technical tools is a complete characterization of the uniform cost-sharing protocols—protocols that are designed without foreknowledge of or assumptions on the network in which they will be deployed. We use this characterization result to identify the optimal uniform protocol in several scenarios: for example, the Shapley protocol is optimal in directed graphs, while the optimal protocol in undirected graphs, a simple priority scheme, has exponentially smaller worst-case price of anarchy than the Shapley protocol. We also provide several matching upper and lower bounds on the best-possible performance of non-uniform cost-sharing protocols.
The complexity of game dynamics: BGP oscillations, sink equilibria, and beyond
- In SODA ’08: Proceedings of the nineteenth annual ACM-SIAM symposium on Discrete algorithms
, 2008
Cited by 34 (4 self)
We settle the complexity of a well-known problem in networking by establishing that it is PSPACE-complete to tell whether a system of path preferences in the BGP protocol [25] can lead to oscillatory behavior; one key insight is that the BGP oscillation question is in fact one about Nash dynamics. We show that the concept of sink equilibria proposed recently in [11] is also PSPACE-complete to analyze and approximate for graphical games. Finally, we propose a new equilibrium concept inspired by game dynamics, unit recall equilibria, which we show to be close to universal (exists with high probability in a random game) and algorithmically promising. We also give a relaxation thereof, called componentwise unit recall equilibria, which we show to be both tractable and universal (guaranteed to exist in every game).
Some foundational problems in Interdomain routing
- In HotNets, 2004. (Cited on
, 2004
Cited by 32 (3 self)
The substantial complexity of interdomain routing in the Internet comes from the need to support flexible policies while scaling to a large number of Autonomous Systems. Despite impressive progress in characterizing the various ills of the Border Gateway Protocol (BGP), many problems remain unsolved, and the behavior of the routing system is still poorly understood. This paper argues that we must understand interdomain routing in terms of: (1) intrinsic properties and design tradeoffs of policy-based routing, independent of the specific routing protocol and (2) properties that relate to artifacts in today’s protocol. We pose open questions for the research community that, if answered, should help us understand why BGP’s many problems are so difficult to fix. Understanding the fundamental properties of interdomain routing will help us decide how to make progress, be it making backward-compatible modifications to BGP or designing a radically different protocol.
Let the Market Drive Deployment: A Strategy for Transitioning to BGP Security.
, 2011
Cited by 32 (6 self)
With a cryptographic root-of-trust for Internet routing (RPKI [18]) on the horizon, we can finally start planning the deployment of one of the secure interdomain routing protocols proposed over a decade ago (Secure BGP [24], secure origin BGP [43]). However, if experience with IPv6 is any indicator, this will be no easy task. Security concerns alone seem unlikely to provide sufficient local incentive to drive the deployment process forward. Worse yet, the security benefits provided by the S*BGP protocols do not even kick in until a large number of ASes have deployed them. Instead, we appeal to ISPs’ interest in increasing revenue-generating traffic. We propose a strategy that governments and industry groups can use to harness ISPs’ local business objectives and drive global S*BGP deployment. We evaluate our deployment strategy using theoretical analysis and large-scale simulations on empirical data. Our results give evidence that the market dynamics created by our proposal can transition the majority of the Internet to S*BGP.
Network-wide prediction of BGP routes
- In IEEE/ACM Trans. Networking
, 2007
Cited by 27 (7 self)
This paper presents provably correct algorithms for computing the outcome of the BGP route-selection process for each router in a network, without simulating the complex details of BGP message passing. The algorithms require only static inputs that can be easily obtained from the routers: the BGP routes learned from neighboring domains, the import policies configured on the BGP sessions, and the internal topology. Solving the problem would be easy if the route-selection process were deterministic and every router received all candidate BGP routes. However, two important features of BGP—the Multiple Exit Discriminator (MED) attribute and route reflectors—violate these properties. After presenting a simple route-prediction algorithm for networks that do not use these features, we present algorithms that capture the effects of the MED attribute and route reflectors in isolation. Then, we explain why the interaction between these two features precludes efficient route prediction. These two features also create difficulties for the operation of BGP itself, leading us to suggest improvements to BGP that achieve the same goals as MED and route reflection without introducing the negative side effects. Index Terms—Networks, protocols, routing.