Foundations of InterDomain Routing

1
Foundations ofInter-Domain Routing

• Vijay Ramachandran
• Yale University
• vijayr_at_cs.yale.edu
• http//www.cs.yale.edu/vijayr

2
Overview

• My work develops a theoretical framework for the
  design and analysis of path-vector protocols
  primarily used for Internet inter-domain routing.
• The framework can be used to understand the
  interactions of local routing policies and their
  effects on protocol behavior.
• It can also be used to understand the design
  space of path-vector protocols and inherent
  trade-offs among desirable protocol properties.

3
Background Internet Routing
4
BGP Route Processing
IP Forwarding Table
Install forwarding entries for best routes
Routing Table
Apply Import Policies
Best Route Selection
Apply Export Policies
Apply Policy filter routes tweak attributes
Apply Policy filter routes tweak attributes
Transmit BGP updates
Based on attribute values
Receive BGP updates
Storageof routes
Open-ended programming constrain
ed only by vendor configuration language
5
BGP Route-Selection Procedure

• Highest local preference
• Shortest AS-path length
• For each AS next-hop, lowest MED value
• eBGP routes over iBGP routes
• Shortest iBGP distance to egress point

6
Motivation (1)

• Given certain policy inputs, BGP will oscillate
  or converge nondeterministically. VGE 00, GSW
  02, MGWR 02, Cisco 01
• These anomalies are difficult for operatorsto
  debug because the problems traverse autonomously
  administered networks.
• New features are often implemented without
  testing resulting worst-case scenarios.

7
Motivation (2)

• The BGP specification contains no guidance on how
  to provide good routing policies.
• Policies are unconstrained.
• Can policies be constrained to guarantee
  convergence, and how can those constraintsbe
  described?
• What is lost, if anything?
• Formal models allow rigorous analysis and design
  at different levels of abstraction.

8
Protocol-Divergence Example
120
20
120
210
1
2
10
20
10
210
10
20
Prefer sendingtraffic throughneighbor 1
Prefer sendingtraffic throughneighbor 2
0
0
0
9
Related WorkFormally Modeling Policy Semantics

• GSW 02 introduced the Stable Paths Problem
  (SPP) as the underlying theoretical problem that
  BGP is trying to solve.
• SPP is NP-hard solvability ? convergence.

An SPP instance is a graph in which each node
represents one AS and has a policy in the form of
a linear preference ordering on paths.
10
SPP Results GSW 02
DISAGREE (multiple solutions)
Dispute Wheel
No dispute wheel impliesrobust convergence.
BAD GADGET (no solution)
11
Related WorkLocal and Global Constraints

• GR 01 showed that Hierarchical BGP (HBGP) is
  robust.
• Neighbors are divided into three classes
  customers, providers, and peers.
• Preference and scoping rules apply to routes
  learned from different types of neighbors.
• No customer/provider cycles.
• GGR 01 added an attribute to HBGP to allow
  safe back-up routing.

Localconstraint
Globalconstraint
12
The Design Space of Path-Vector Protocols GJR
03

• Robustness Does the protocol predictably
  converge, even after node and link failures?
• Expressiveness What routing policies are
  permitted?
• Autonomy What degree of independence do
  operators have in local-policy configuration?
• Policy Opaqueness Can local route settings be
  kept private?
• Transparency How directly does the protocol
  apply local-policy transformations to route data?
• Global Constraint What network assumptions are
  needed?

13
Path-Vector Policy Systems GJR 03

• Formal model of path-vector routing

( PV , PL , K )
Path-Vector System The underlying
message-exchange system for route information.
Whatis exchanged and how?
Global Constraint What assumptions about the
network must be true to achieve robustness?
Policy Language How can policies be
described?PL acts as a local constraint on the
expressiveness of policies.
Question What role do these components play in
achieving protocol-design goals?
14
Linear Best-Route Selection Model

• Ignore iBGP and MED-attribute values.
• Assume that the route-selection procedure, at
  each node, for each destination
• maps each route to a rank in some totally ordered
  set based on its attribute values and
• chooses as best the path with minimal rank.
• Rank is influenced by local policy, but the
  ranking criteria are the same at each node.

15
Robustness Condition GJR03, Sob. 03

• Conjecture No path-vector policy system can
  exactly capture all robust configurations.
• Theorem A protocol in which a paths rank
  monotonically increases as it is extended
  (imported by a neighbor) is robust.This is the
  broadest-known sufficient condition for
  robustness, equivalent to dispute-wheel freeness
  on SPP instances.

16
Trade-Offs in Implementation GJR03

• Theorem. A globally unconstrained PVPS
  expressive enough to capture all increasing
  configurations either does not support autonomy
  of neighbor ranking or is not transparent, or
  both.
• Theorem. A transparent, robust PVPS that
  supports autonomy of neighbor ranking and is at
  least as expressive as shortest paths must have a
  non-trivial global constraint.

17
Class-Based Systems JR 04

• The PVPS framework can be used to generalizethe
  HBGP constraints from GR 01, GGR 01.
• A class-based PVPS is described by
• A set of classes (types of neighbor assignments,
  e.g., customer/provider/peer) and consistency
  relationships
• Class relative-preference and scoping rules
• These systems are transparent and have some
  autonomy of neighbor ranking they requirea
  nontrivial global constraint.

18
Relative Preference and Scope
Relative Preference If class i is to be
preferred over class j, then node v should prefer
routes from node w over those from node x.
Scope If class i routes cannot be exported to a
class-k neighbor, then node u will only learn
about the path uvxQ.
19
Class-Based Robustness JR 04

• From the class description alone, we can
  construct a global constraint involving a check
  on pairs of class assignments.
• Networks obeying this constraint are robust.
• Networks violating this constraint allow nodes to
  write policies that induce routing anomalies.
• We give two types of enforcement algorithms
• a centralized algorithm that detects a set of
  nodes whose class assignments permit a
  policy-induced anomaly and
• a distributed algorithm that detects whether two
  specific nodes class assignments could induce an
  anomaly.

20
Nonlinear Route-Selection Model

• Recent work generalizes the PVPS framework to
  include protocols that do not assume linear
  route-selection procedures.
• This permits modeling the MED attribute and both
  iBGP and eBGP sessions.
• Because previous convergence constraints depend
  on a notion of rank, these do not applyin the
  generalized case.
• Relies on generalized SPP GW 02.

21
Generalized SPP GW 02

• Recall BGP selection
• lowest MED value from paths to the same AS then
• shortest IGP distance.
• IGP distances are shown near intra-domain links.
• MED values are shown in parentheses near
  inter-domain links.
• This example oscillates.

MED-EVIL (no solution)
22
Independent Route Ranking
MED-EVIL (condensed)
23
Generalized Path Relations
24
Generalized Dispute Digraphs

• Given a GSPP instance, form its generalized
  dispute digraph
• nodes are paths
• edges correspond to the four relations.
• Theorem. If a GSPP is not robust, this graph
  contains a cycle.

MED-EVIL Dispute Digraph
25
Proof Method
Cycle in MED-EVIL protocol-selection states.

• Given a protocol oscillation, choose a path whose
  first node is the last oscillating node on the
  path.
• Follow the oscillation until the selection
  changes this change occurred because of a linear
  or nonlinear selection. This corresponds to some
  relation between two paths repeat with the
  related path. Choose a subpath to find the
  last oscillating node.
• Because the oscillation is finite, we must
  re-visit a path.We have just traced a cycle in
  the dispute digraph.

26
Summary

• The PVPS framework allows for a study of
  path-vector-protocol designmost importantly, a
  rigorous way to prove
• what balance of local and global constraints
  areneeded for robustness and
• what else is lost when these constraints are
  implemented.
• The framework has provided concrete and
  reasonable guidelines for class-based systems.
• The framework has been extended to include
  protocols with IRR-violating selection procedures.

27
Open Questions

• Analogous local constraints for the generalized
  case
• Real, deployable policy-configuration languages
• More examples of exact trade-offs between local
  and global constraints (to date, only class-based
  systems give this)
• Full characterization of robust systems?