520 likes | 687 Views
Pitch Patarasuk. Policy Disputes in Path-Vector Protocol A Safe Path Vector Protocol The Stable Paths Problem and Interdomain routing. Safety in BGP. BGP is the only interdomain routing protocol in the internet A routing protocol is safe when it is guaranteed to converge
E N D
Pitch Patarasuk • Policy Disputes in Path-Vector Protocol • A Safe Path Vector Protocol • The Stable Paths Problem and Interdomain routing
Safety in BGP • BGP is the only interdomain routing protocol in the internet • A routing protocol is safe when it is guaranteed to converge • RIP and OSPF protocols are safe • Use shortest-path algorithm • BGP is not safe
Safety in BGP (Cont.) • BGP does not use pure shortest-path algorithm • BGP allow policy concerns to override distance metric • Each AS decides its own policy with little knowledge of of other ASs’ policies
How to make BGP safe? • Policy • Static • ASs do not share their policies • The problem is NP-complete • Heuristic • Dynamic • Paths that are potentially create problem will be deleted
Outline • SPP (stable path problem) • SPVP (simple path vector protocol) • SPVP1 • SPVP2 • SPVP3 • Dispute Digraph • Dispute Wheel
Stable Path Problem (SPP) • Simplify BGP solvability problem to a problem of “whether every node has a stable route to one destination node” • Destination node == node 0 • (x) = path assignment from node x to node 0 • = path assignment of every node to node 0 • = ((1), (2), (3), ……………….) • When does not change • Stable state • Converge • is the solution to this problem • is a stable path assignment of this problem
Stable Path Problem (Cont.) • When keep changing • Diverge ** NOTE ** • Even if there is a solution, the problem can still be diverge (cannot find a solution) • Even if a problem converge, some nodes may not have a route to node 0 • = (10, , 310, 40)
SPP – permitted path permitted path(1) = ( 1 0, 1 3 0) permitted path(2) = ( 2 0, 2 1 0) permitted path(3) = (3 0) permitted path(4) = (4 3 0, 4 2 0)
SPP – path assignment = ( 1 3 0, 2 0, 3 0, 4 3 0) 1 = 1 3 0 2 = 2 0 3 = 3 0 4 = 4 3 0
How to check whether a path assignment is stable? = (10, 20, 30, 430) = (130, 20, 30, 430) = (10, 210, 30, 430) = (130, 210, 30, 430) = (10, 20, 30, 420) = (130, 20, 30, 420) = (10, 210, 30, 420) = (130, 210, 30, 420)
How to check whether a path assignment is stable? (Cont.) • = (10, 20, 30, 430) • = (130, 20, 30, 430) • = (10, 210, 30, 430) • = (130, 210, 30, 430) • = (10, 20, 30, 420) • = (130, 20, 30, 420) • = (10, 210, 30, 420) • = (130, 210, 30, 420) • Node i is stable if rank (i,j)P(j) < rank P(i) whenever (i,j)P(j) is a permitted path at i • ** note that (2 1)(1 0) == (2 1 0) **
How to check whether a path assignment is stable? (Cont.) • Choice( , u) is a union of • (u 0) if u is connected to 0 and (u 0) is a permitted path at u • (u v) (v) when u is connected to v and (u v) (v) is a permitted path at u let = (1 0, 2 0, 3 0, 4 3 0) Choices( ,1) = (1 0, 1 3 0) Choices( , 2) = (2 0, 2 10) Choices( , 3) = (3 0) Choices( , 4) = (4 3 0, 4 2 0)
How to check whether a path assignment is stable? (Cont.) • Let W is a subset of permitted path at u, Best(W, u) = P W with a maximum ranking • The path assignment at node u, (u), is stable if (u) = best(choices(, u), u) • The path assignment is stable if (u) is stable at every node u.
Example: Good Gadget • There is only one solution (stable path assignment) for this problem • = ( 1 3 0, 2 0, 3 0, 4 3 0)
Example: Good Gadget (Cont.) = ( 1 3 0, 2 0, 3 0, 4 3 0) • Choices(, 1) = (1 0, 1 3 0) Best (Choices(, 1), 1) = 1 3 0 = (1) => stable • Choices(, 2) = (2 0) Best (Choices(, 2), 2) = 2 0 = (2) => stable • Choices(, 3) = (3 0) Best (Choices(, 3), 3) = 3 0 = (3) => stable • Choices(, 4) = (4 3 0, 4 2 0) Best (Choices(, 4), 4) = 4 3 0 = (4) => stable ** = ( 1 3 0, 2 0, 3 0, 4 3 0) is stable **
Unstable path assignment example #1 Stable: = ( 1 3 0, 2 0, 3 0, 4 3 0) • Choices(, 1) = (1 0, 1 3 0) Best (Choices(, 1), 1) = 1 3 0 != (1) => unstable • Choices(, 2) = (2 0, 2 1 0) Best (Choices(, 2), 2) = 2 1 0 != (2) => unstable • (3), (4) are stable • = ( 1 0, 2 1 0, 3 0, 4 3 0) are not stable Unstable: = ( 1 0, 2 1 0, 3 0, 4 3 0)
Simple path vector protocol (SPVP) • SPVP1 • Basic • Not safe • SPVP2 • Contains path history • Can detect protocol oscillation due to policy conflict • Still not safe • SPVP3 • Extends SPVP2 to make it safe by suppressing paths that can make the protocol diverge
SPVP1 • Let rib(u) = (u) for each node u • Each node u send rib(u) to its neighbor • When each node receives rib(w) from its neighbor w, called rib-in(u<=w), it computes best(u) • If best(u) != rib(u), it replace rib(u) with best(u), and sends new rib(u) to all its neighbor • When no node sends new rib(u) to its neighbor, the protocol is in a stable state, the problem is converge • If there will never be a stable state, the problem is diverge
Algorithm for SPVP1 • Rib(u) = path from u to node 0 • Rib-in(u <= w) = rib(w) received from the neighbor w • Best(u) = computed new path from u to 0 from all Rib-ins(u <=w)
Example: Good Gadget • = (130, 210, 30, 430) • = (130, 20, 30, 430) • = (130, 20, 30, 420) • is stable => problem is converge
Example2: Bad Gadget (no solution) ** Step 0 and 9 are the same ** one round of oscillation
Example3: Naughty Gadget • Has a solution • (130,20,30,420) • Diverge • Cannot go to (130,20,30,420) state with SPVP protocol
Protocol Oscillation • Assume node u abandons path p1 and adopts path p2, we say that • Node u went down from p1 if p2 has lower rank than p1 • Node u went up to p2 if p2 has higher rank than p1 • Look at node 2 from step 6 backward: node 2 adopts (2 0) because it went down from (2 1 0) because node 1 went up to (1 3 0) because node 3 went down from (3 4 2 0) because node 4 went down from (4 2 0) because node 2 went up to (2 1 0) • ** there is a cycle between went up and down to/from path 210 **
SPVP2 • Each node has path history • Each node send path history to its neighbor • Policy based oscillation can be detected • But do nothing => still not safe • The sentence “node 2 adopts (2 0) because it went down from (2 1 0) because node 1 went up to (1 3 0) because node 3 went down from (3 4 2 0) because node 4 went down from (4 2 0) because node 2 went up to (2 1 0)”can be translated to (- 2 1 0) (+ 1 3 0) (- 3 4 20) (- 4 2 0) (+ 2 1 0)
SPVP3: A safe path vector protocol • B(u) = bad paths at node u • Choices(u) now exclude every path in B(u) • In step 6, node 2 has a cycle in its history of path (2 0), it add path (2 0) to B(2) and adopts empty path • The solution of this problem is ( 1 3 0, , 3 0, 4 3 0) • The protocol converge, there is no oscillation, but node 2 cannot get to node 0
Dispute Digraph • There are 2 types of arc in dispute digraph • Transmission arc • Dispute arcs
Transmission arc • P = = => (u v)P when • u and v are peers • P is permitted at v • (u v)P is permitted at u • (1 0) = = => (2 1 0) • (2 0) = = => (4 2 0) • (3 0) = = => (1 3 0) • (3 0) = = => (4 3 0) • (4 2 0) = = => (3 4 2 0) ** node 1 adopts path (10) which allow node 2 to permit path (2 1 0) **
Dispute arc Q ===> (u v)P when • (u v)P is a permitted path at u • Q and P are permitted path at v • Path (u v)Q is not permitted at u, or path Q has lower rank than P at node u • Path Q has higher rank than P at node v • Node v could increase the rank of its best path by abandon path P and adopt path Q, however, this will force node u to abandon path (u v)P
Dispute arc • (1 3 0) ===> (2 1 0) • (2 1 0) ===> (4 2 0) • (3 4 2 0) ===> (1 3 0) • (3 4 2 0) ===> (4 3 0) • (4 3 0) ===> (3 4 2 0)
Dispute digraph: good gadget • Acyclic (no loop) • Converge, unique solution, safe, robust
Dispute digraph: naughty gadget • 2 loops • (430=>3420=>430) • (3420=>130=>210=>420=>3420)
Dispute digraph: bad gadget • 1 loop • (3420=>130=>210=>420=>3420)
Loops in dispute digraph • Acyclic (no loop) • good • Contains loops (dispute cycles) • Potentially bad
Dispute Wheel • An alternative representation structure of a dispute cycle • A specification S has a dispute wheel if and only if the dispute digraph DD(S) contains a cycle • Dispute cycles are built from local relationships between peers • Dispute wheels are based on long-distance relationships
Dispute Wheel (Cont.) • A dispute wheel of size k is • A sequence of nodes U = U0…Uk-1 • A sequence of paths Q = Q0….Qk-1 • A sequence of paths R = R0….Rk-1 • Such that for each 0 <= i <= k-1 • Ri is a path from ui to ui+1 • Qi is a permitted path at Ui • RiQi+1 is a permitted path at Ui • Rank Qi < RiQi+1 at Ui
U0 U2 R2=21 Q0=10 Q2=20 R0=13 Q1=30 R1=342 U1 Dispute wheel of size 3: bad gadget At U0: rank (Q0 == 10) < (R0Q1 ==1330 == 130) At U1: rank (Q1 == 30) < (R1Q2 ==34220 == 3420) At U2: rank (Q2 == 20) < (R2Q3 ==2110 == 210)
Properties of dispute wheel • No dispute wheel implies solvability • No dispute wheel implies a unique solution • No dispute wheel implies safety • No dispute wheel implies robustness ** No dispute wheel == no dispute cycle in DD(S) **
Two trees imply a dispute wheel 120 10 210 20 • Disagree • Has 2 solutions (2 trees) • Contains a dispute wheel Disagree solutions
Disagree problem ** May or may not converge **
An algorithm to find a stable path assignment • Start from a problem of size 0, then 1, 2 ,….,k-1, where k is a number of nodes • Grow an assignment in a greedy manner • i is a stable path assignment of size i • Vi V where every node in (u) is in Vi, 0 Vi • = (130, 210, 30, 430), (0)=0 • V1 = {0,3} • u V-V1 = {1,2,4}
Direct path to V1 • Node 1: 130 • Node 2: 20 • Node 4: 430 • 2 = (130,20,30,430) • V2 = {0,3,1} • V3 = {0,3,1,2} • V4 = {0,3,1,2,4} • = (130,20,30,430) • If this algorithm cannot find a solution, there must exists a dispute wheel
Stable path problem VS Shortest path problem • Routing protocol based on shortest path is always safe • Routing protocol can be safe even if it does not use the shortest path • BGP: Good gadget
Routing protocol based on cost function • Not all path are permitted • May not be safe • Safe if there is no negative cost cycle Naughty gadget (unsafe) • A cycle 1342 has a negative cost of -16
Routing protocol based on cost function (Cont.) • The protocol can also be safe even if there exists a negative cost cycle ** A+B+C < 0 ** ** no dispute cycle safe **
Assumptions in these works • Ignore all issues relating to internal BGP • There is at most one link between any two ASs • Ignore address aggregation
Conclusions • Shortest path is safe, BGP is not • There are 3 ways to make routing protocol safe • Policy • Static • Dynamic • Static • Dispute digraph • Dispute cycle • Dispute wheel • No dispute wheel == no dispute cycle • No dispute wheel == safe, robust