Towards a Logic for Wide-Area Internet Routing

1
Towards a Logic forWide-Area Internet Routing

• Nick Feamster and Hari Balakrishnan
• M.I.T. Computer Science and Artificial
  Intelligence Laboratory

Kunal Jain and Pragya Maru
2
What is a Routing Logic?

• Protocol designers and network operators need a
  way to describe and reason about protocol
  behavior.
• Properties describe behavior
• Rules reason about whether a certain property
  holds

3
Practical Uses for a Routing Logic

• Reason about BGPs behavior
• Verify that BGP configurations satisfy properties
• Synthesize BGP configuration automatically
• Design protocol extensions that fix problems

4
Problems Underlying BGP

• Poor Integrity Denial of service and data
  integrity attacks
• Slow Convergence Path instability results in
  delayed convergence.
• Divergence BGPs policy based nature can give
  rise to configurations that diverge
• Unpredictability Due to distributed,
  asynchronous nature, predicting the effects of a
  configuration change is extremely challenging.
• Poor control of information flow Routing
  policies may expose information that is not
  intended for public knowledge, such as peering
  and transit relationships.

5
How to define "correctbehavior?

• Does it advertise invalid routes?
• Validity
• Does every valid path have a corresponding
  route?
• Visibility
• Given a set of choices, will it converge to
  a unique , stable answer?
• Safety
• Is that answer affected by the ordering of
  messages or the set of available routes?
• Determinism
• Does the protocol expose information?
• Information-flow control

6
Routing Logic Inputs

• Specification of how protocol behaves
• Specification of protocol configuration
• Policy configuration
• General configuration, e.g. which routers
  exchange routing information
• Current version has no notion of time

7
Terminology

• Participant An entity that advertises or
  receives routing messages
• Routing Domain Group of one or more participants
  that behave according to one administrative
  policy.
• Route Contains two fields- Next-hop and Next-RD
• Destination might refer to a host , an overlay
  node or a logical host
• Destination-set Refers to a set of nodes that
  share a route.
• Path A path is a sequence of participants from
  one participants from one participants to a
  destination

8
Hierarchical Routing Scopes
Scope i next-hop is i1 destination
(destination set)
9
Rules Sufficient Conditions for Each Property

• Validity a route implies a corresponding valid
  path

10
Validity and Visibility in BGP
The fundamental operation of BGP with Route
Reflection can violate Validity.
Underlying IGP result in persistent forwarding
loop
11
Applying the logic-Validity and Visibility

• There exists a route reflector configuration
  that causes BGP to violate validity.
• For an arbitrary configuration of route
  reflectors and route reflector clients, verifying
  progress is NP-complete.
• If the route reflector configuration for an AS
  along the path to a destination is RR-IGP-Safe,
  then BGP satisfies progress.
• If the route reflector in an AS are configured
  according to RR-Reflect-All, then BGP satisfies
  progress.
• If an AS uses full mesh iBGP, then BGP satisfies
  progress.

12
Information-flow Model

• Consists of objects, flow policy, partial
  ordering of security levels

Information Objects

• Policy
• Peering and transit agreements
• Router preferences
• Reachability
• Events affecting reachability
• Topology
• Internal network topology
• Inter-AS connectivity

13
Information Flow Lattice
Noninterference Rule
Objects at higher security levels should not be
visible to objects at lower levels Security level
of message not higher than level of recipient
14
Applying the logic-Information Flow Control

• A stateless BGP implementation can violate
  standard information flow policy.
• The BGP route history attribute violates standard
  information flow policy.

15
Safety and Determinism

• AS changing the choice for the best route may
  result in policy oscillations or lead to dispute
  cycles and hence this shows that BGP doesnt
  satisfy safety
• Some router configurations results in routers
  best route depending on the order in which routes
  arrive or other non deterministic factors, which
  shows that BGP doesnt satisfy determinism

16
Policy Dispute or Oscillations
17
Properties for Safety and Determinism to hold

• Safety
• Preference - If a participant chooses a
  particular route as its best route , the
  participant re advertises that route
• No route history cycles - Non existence of a
  route history cycle is sufficient to guarantee
  safety
• Determinism
• Time Immunity- A participant relative ranking of
  two routes to a destination is independent of the
  order in which those routes arrive.
• Set Immunity- A participants relative ranking
  of two routes is independent of other routes to
  that destination.

18
The properties not complete, but important

• Validity Will packets that use this route get
  there?
• basic correctness property
• Visibility Is best route chosen from all
  possibilities?
• optimal routing, robustness in failure
  scenarios
• Safety Is there policy-induced oscillation?
• network stability
• Determinism Can a snapshot of the network state
  determine the result of the "computation"?
• ease of debugging, traffic engineering
• Information-flow Control Is my network exposing
  information that should be hidden?
• competitive aspects

19
Reasoning about BGPs Behavior

• The routing logic rules can be used to prove
  theorems about these properties.
• Verifying that an arbitrary route reflector
  configuration satisfies validity.
• Route reflectors that re-advertise all
  eBGP-learned routes will satisfy validity.
• Certain fixes to other problems (e.g., safety)
  can violate information-flow policy.

20
Conclusion

• Network operators and protocol designers need a
  logic to reason about routing protocols like BGP
• The routing logic provides
• A set of properties to describe protocol
  behavior
• Rules to reason about them
• Set of properties is not complete, but it is an
  important and interesting set
• Promising for reasoning, verification, and design