1 / 36

The Strategic Justification for BGP

The Strategic Justification for BGP. Hagay Levin, Michael Schapira, Aviv Zohar. On the agenda. Introduction BGP Gao-Rexford Dispute Wheels A game theory perspective on routing Results: No perfect routing algorithms.

rayya
Download Presentation

The Strategic Justification for BGP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Strategic Justification for BGP Hagay Levin, Michael Schapira, Aviv Zohar

  2. On the agenda • Introduction • BGP • Gao-Rexford • Dispute Wheels • A game theory perspective on routing • Results: • No perfect routing algorithms. • In reasonable economic settings, BGP is incentive compatible in ex-post Nash. • BGP and colluding agents.

  3. The Internet • The Internet is composed of Autonomous Systems (ASes). Each AS is a network owned by an economic entity. • ASes are interconnected. • There are many protocols that may be chosen to handle routing inside ASes. • Only one protocol is used for inter-domain routing: The Border Gateway Protocol (BGP) • We will think of each AS as a single node in the network graph.

  4. Next-Hop Routing in the Internet • Done independently for each destination. • Every packet carries with it the target address. • Given a destination, a router along the way only selects the next-hop in the route. • This is all maintained in a large routing table • Can be implemented in Hardware • The routing protocol needs to select this next hop.

  5. BGP • Nodes in the network have preferences over routes. • (We assume they have some valuation) • Can only choose between routes they are offered by neighbors. • Preferences are complex: • Microsoft don’t want to route through the competition. • Google wants a minimal number of hops • The CIA never wants to route through Russia.

  6. BGP • BGP is a very simple algorithm: • A node considers the route offered by each of its neighbors. • It selects the most attractive one as its next hop. • Then announces the new route to all its neighbors. • The algorithm is initiated when the destination announces its presence to its neighbors and ripples through the network. Routes are selected based on knowledge of the entire path.

  7. BGP • BGP converges when: • All nodes know the current path of their neighbors • No one wants to change their next hop. • BGP is asynchronous. • Messages can be delayed along some links. • Some nodes may be slower than others.

  8. The Appeal of BGP • Myopic decisions. • Local actions. • Very little to maintain for each destination (huge number of destinations in the net). • Recovers from node and link failures. • No knowledge assumptions about the net. • Allows the nodes to make decisions based on the full path. • The exact policy is up to the node itself!

  9. Problem • BGP does not always converge. • Sometimes there is more than one stable routing tree, sometimes there are none! • May depend on the asynchronous timing. • Example (Naughty Gadget): 12d > 1d 21d > 2d 1 2 d

  10. Gao-Rexford • Route oscillations are due to preference structure and network topology. • These are not arbitrary: • The Internet is shaped by economic forces. • ASes sign routing contracts to decide who provides connectivity to whom. • Gao & Rexford Modeled the economic relationships between ASes. • Customers, Providers, and Peers.

  11. The Gao-Rexford Constraints Model only two types of connections: • Customer to Provider • Peer to Peer 2 1 4 3 5

  12. The Gao-Rexford Constraints • No customer-provider cycles. • You cannot be your own customer indirectly • Prefer to route through customers over peers over providers. • Provide transit services only to customers. • Do not reveal to a provider/peer routes through other providers/peers. Topology 2 1 Preferences 4 3 5 Strategy

  13. The Gao-Rexford Constraints • If all three Gao-Rexford constraints hold, BGP is guaranteed to converge, for any timing. • Deleting edges and nodes maintains the constraints. • Gao & Rexford were mostly interested in convergence. • How do we force nodes to play by the rules? (Constraint 3)

  14. Dispute Wheels [Griffin, Shepherd & Wilfong] • A condition on Topology + Preferences. • A set of nodes ui and paths R,Q. • ui prefersRiQi+1 Over Qi

  15. Dispute Wheels • A generalization of convergence conditions for BGP. • No Dispute Wheels implies: • BGP converges for all timings. • A unique stable state. • Griffin-Gao-Rexford later show that:The GR constraints imply no dispute wheel. • Graphs with metric-like preferences also have no dispute wheels.

  16. So far… Gao-Rexford 1+2+3 No Dispute Wheel Convergence Metric Preferences

  17. A Game-Theory Perspective • Why should nodes follow the protocol? • Routing is after all a game. Nodes can play strategically. • The Game is: • Temporal (and maybe infinite) • Asynchronous (who plays when? Which messages are delayed?) • With partial information • Nodes only see their own neighbors. • Learn things during the run.

  18. A Negative Result • Fix a graph G • Fix a routing alg. A (the “best” alg. you have for G). • If for all preference expressed by nodes over paths in G the algorithm A • assigns a the same routing tree deterministicallyin any asynchronous timing, • is incentive compatible, • has at least 3 possible outcomes Then A is dictatorial. Meaning some node in G always gets its most preferred route.

  19. Negative Result. For example: if node 1 is the Dictator in this graph It may choose any path it wants to d, Thereby forcing many others along the way. 5 4 6 3 2 7 1 d

  20. Remarks • Alg. A may also be centralized. • The manipulation implied is easy – only lie about your preferences. • Graph G and Deterministic alg. A together are actually a social choice function. • From here, proof is by reduction from Gibbard Satterthwaite. • Conclusion: if we want non-manipulability, we can’t expect reasonable algorithms that always converge.

  21. Another Negative result • BGP ‘as is’ is not incentive compatible even in Gao-Rexford settings. Honest Graph Manipulated Graph

  22. The Manipulator • The lie is possible because the manipulator invents an edge in the Graph. • The manipulator has a very large bag of tricks. • can drop messages, • send inconsistent ones, • lie about routes, • etc.

  23. Path Verification • We can fix our counter example by adding path verification. • A node will know if the routes it is promised are available to its neighbor. • Can be done with cryptographic signatures. • Note: An available route might not be used in practice! • The manipulator can report one available path but send packets along another.

  24. Our Main Result Convergence Gao-Rexford 1+2+3 No Dispute Wheel + Path Verification + Path Verification Incentive Compatibility

  25. The Right Solution Concept • Dominant strategy would be best but is very rare. • The regular Nash Eq. is an unreasonable eq. • You do not know the exact strategy of others, only their general protocol (BGP) • Don’t know preferences of others. • Don’t know the network structure • Ex-Post Nash much better: • Given the fact that everyone is using BGP, BGP is the best response(for all preferences, net structures, timings etc.)

  26. Proof Sketch. • We take a graph that has no dispute wheel. • It converges to some routing tree T. • We will assume that BGP with route verification is not incentive compatible. • Show a sequence of nodes that forms a dispute wheel, and thereby reach a contradiction. • This is only a sketch! (I’m ignoring lots of messy details and subcases)

  27. Assume: Manipulator m Manages to benefit from manipulation Mm >m Tm • The path Mm could not be an available option in T. • Otherwise m would choose it. m Mm Tm d

  28. There must exist a node ‘1’ along Mm that has M1≠T1 • We choose ‘1’ to be the lowest node on Mm with this property. • All nodes below it route the same in both trees. • Meaning M1 is an available option in T. This implies: T1 >1 M1 • T1 cannot be an available option in M (or it would be chosen) m Mm 1 Tm M1 d T1

  29. There must exist a node ‘2’ along T1 that has M2≠T2 • We choose ‘2’ to be the lowest node on T1 with this property. • All nodes below it route the same in both trees. • Meaning T2 is an available option in M. This implies: M2 >2 T2 • M2 cannot be an available option in T (or it would be chosen) m Mm 1 Tm M1 d T1 T2 2 M2

  30. So there must exist nodes 4,5,6… that are chosen in the same manner. • Eventually some node appears twice. • (Let’s assume it’s the manipulator) • We have a dispute Wheel! m Mm Tk k 1 Tm Mk M1 d T1 T4 T2 M3 4 2 T3 M2 3

  31. So where did we need route verification? • Maybe the wheel has an odd number of nodes. • The last node is above the manipulator on an M path. • It may believe in a false path. • Still, Mm >m Tm >m Lm m Mm Mk k 1 Tm Lm Tk M1 d T1 T4 T2 M3 4 2 T3 M2 3

  32. A stronger result • With a slightly stronger route verification assumption (That is not possible to implement with digital signatures) and in graphs with no dispute wheel, BGP is collusion proof in ex-post Nash. • Against any size of a defecting coalition. Clusters of manipulator nodes are the reason we need the stronger assumption here.

  33. Final Result • The 3rd Gao Rexford constraint speaks about the strategy of each node (Do not advertise a peer/provider to some other peer/provider) • Modify the strategy to ignore routes to • BGP` + gao rexford 1,2 is also converging, and incentive compatible. • We replace the 3rd constraint with the rationality assumption and equilibrium.

  34. Conclusion • A very small modification of BGP makes it incentive compatible in ex-post Nash to all kinds of manipulations. • In fact, even without the modification, it is very hard to manipulate • You have to fool TCP/IP, traceroute, have lots of knowledge on the graph and prefernces. • Manipulation by a coalition also requires Herculean efforts, and amazing coordination.

  35. Open Questions • Convergence -> Incentive compatibility? • Better Conditions for BGP convergence? • Network Formation Theory to explain structure?

  36. Thank You!

More Related