240 likes | 249 Views
This study explores the incentive compatibility of current network protocols, focusing on interdomain routing games, convergence issues in BGP, and the intersection of incentives and security in network design. Key findings include the near-incentive compatibility of BGP in reasonable economic settings and strategies for ensuring network convergence. The research delves into complex routing preferences, network security challenges, and protocol redesign for enhanced security and stability. The analysis illustrates the interplay between economic incentives and network protocol design, shedding light on crucial considerations for a secure and efficient interdomain routing environment.
E N D
Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University
On the Agenda • Motivation: Are Internet protocols incentive compatible? • Interdomain routing & path vector protocols • Convergence issues • BGP as a game • Hardness of approximation of social welfare • Incentive compatibility • Conclusions
Are Current Network Protocols Incentive Compatible? • Protocols for the network have been dictated by some designer • Okay for cooperative settings • But what if nodes try to optimize regardless of harm to others? • Example: TCP congestion control • Requires sender to transmit less when the network is congested • This is not optimal for the sender (always better off sending more)
Secure Network Protocols • A lot of effort is going into re-designing network protocols to be secure. • Routing protocols are currently known to be very susceptible to attacks. • Even inadvertent configuration errors of routers have caused global catastrophes. • Designers are also concerned about incentive issues in this context. • Our work highlights some connections between incentives and security of BGP.
UUNET AT&T Comcast Qwest Interdomain Routing • Messages in the Internet are passed from one router to the other until reaching the destination. • Goal of routing protocols: decide how to route packets between nodes on the net. • The network is partitioned into Autonomous Systems (ASes) each owned by an economic entity. • Within ASes routing is cooperative • Between ASes inherently non-cooperative • Routing preferences are complex and uncoordinated. Always chooseshortest paths. Load-balance myoutgoing traffic. Avoid routes through AT&T if at all possible. My link to UUNET is forbackup purposes only.
receive routes from neighbors send updatesto neighbors choose“best” neighbor Path Vector Protocols • The only protocol currently used to establish routes between ASes (interdomain routing): The Border Gateway Protocol (BGP). • Performed independently for every destination autonomous system in the network. • The computation by each node is an infinite sequence of actions:
Example of BGP Execution 5 4 41d 41d 23d 23d 2 23d 1d 1 23d 3d 3 1d 3d d d d d receive routes from neighbors send updatesto neighbors choose“best” neighbor
Our Main Results Informally • Theorem: In “reasonable economic settings”, BGP is almost incentive-compatible (And can be tweaked to be incentive compatible). • Theorem: In these same settings it is also almost collusion proof. • To make it fully collusion proof we need a somewhat stronger assumption.
BGP – Not Guaranteed to Converge 1 2 • Other examples may fail to converge for certain timings and succeed for others. 2d 23d 2d ... 12d 1d … 1d 12d d 31d 3d … 31d 3
Finding Stable States • Previously known: It’s NP-Hard to determine if a stable state even exists. [Griffin, Wilfong] We add: • Theorem: Determining the existence of a stable state requires exponential communication. • In practice, BGP does converge in the Internet! Why?
The Gao-Rexford Framework: An economic explanation for network convergence. Neighboring pairs of ASes have one of: • a customer-provider relationship • a peering relationship Restrict the possible graphs and preferences: • No customer-provider cycles (cannot be your own customer) • Prefer to route through customers over peers, and peers over providers. • Only provide transit services to customers. Guarantees convergence of BGP. peer providers peer customers
Dispute Wheels • A Dispute Wheel [Griffin et. al.] • A sequence of nodes ui and routes Ri, Qi. • ui prefers RiQi+1 over Qi. • If the network has no dispute wheels, BGP will always converge. • Also guarantees convergence with node & link failures. Gao-Rexford No Dispute Wheel Robust Convergence Shortest Path
Modeling Path Vector Protocols as a Game • The interaction is very complex. • Multi-round • Asynchronous • Partial-information • Network structure, schedule, other player’s types are all unknown. • No monetary transfers! • More realistic • Unlike most works on incentive-compatibility in interdomain routing.
Routing as a Game • The source-nodes are the strategic agents • Agent i has a value vi(R) for any route R • The game has an infinite number of rounds • Timing decided by an entity called the scheduler • Decides which nodes are activated in each round. • Delays update messages along selective links.
Routing as a Game (2) • A node that is activated in a certain round can • Read update messages announcing routes. • Send update messages announcing routes. • Choose a neighboring node to forward traffic to. • The gain of node i from the game is: • vi(R) if from some point on it has an unchanging route R. • 0 otherwise. (can be defined as the maximal gained path in an oscillation as well). • a node’s strategy is its choice of a routing protocol. • Executing BGP is a strategy.
Approximating Social Welfare • Theorem: Getting an approximation to the optimal social welfare is impossible unless P=NP even in Gao-Rexford settings.(Improvement on a bound achieved by [Feigenbaum,Sami,Shenker]) • Theorem: It requires exponential communication to approximate social welfare up to
Manipulating in The Protocol • A node is said to deviate from BGP (or to manipulate BGP) if it does not follow BGP. • We want nodes to comply with the alg. Otherwise, suffer a loss when they deviate • Which forms of manipulation are available to nodes? • Misreporting preferences. • Reporting inconsistent information. • Announcing nonexistent routes. • Denying routes. • …
No Optimal Protocols • Theorem: Any routing protocol that: • Guarantees convergence to a solution for any timing with any preference profile • Resists manipulation Must contain a (weak) dictator: A node that always gets its most preferred path. (Simple to prove using a variant of the Gibbard-Satterthwaite theorem)
Suppose node 1 is a weak dictator. • If it wants some crazy path, it must get it. • This feels like an unreasonable protocol. 5 4 6 3 2 7 1 d
m1d m12d m1d m12d 1 1 m m 12d 1d 12d 1d d d 2 2 2md 2d 2md 2d with manipulation without manipulation Is BGP Incentive-Compatible? • Theorem: BGP is not incentive compatible even in Gao-Rexford settings.
Can we fix this? • We define a property: • Route verification means that an AS can verify that a route is available to a neighboring AS. • Route verification is: • Achievable via computational means (cryptographic signatures). • An important part of secure BGP implementation.
Incentive Compatibility • Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is incentive-compatible in ex-post Nash equilibrium. • Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is collusion-proof in ex-post Nash equilibrium.
Open Questions • Characterizing robust BGP convergence (“No dispute wheel” is sufficient but not necessary). • Does robust BGP convergence with route verification imply incentive compatibility? • Can network formation games help to explain the Internet’s commercial structure? • Maintain incentive compatibility if the protocol is changed to deal with attacks and other security issues? • How do congestion and load fit in?
Conclusions • Our results help explain BGP’s resilience to manipulation in practice. • Manipulation requires extensive knowledge on network topology & preferences of ASes. • Faking routes requires manipulation of TCP/IP too. • Manipulations by coalitions require Herculean efforts, and tight coordination. • We show that proposed security improvements would benefit incentives in the protocol. • Work in progress: other natural asynchronous games. • “Best Reply Mechanisms” with Noam Nisam and Michael Schapira