1 / 23

Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein

Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein. Allerton, 9/28/06. Routing Protocols with Misconfigurations. Routing Protocols in “friendly” environments are well understood, e.g., Link State: global knowledge, centralized approach

russell-ryan
Download Presentation

Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Control Plane Resilience: The Method of Strong Detection Raj Kumar Vishal Misra Dan Rubenstein Allerton, 9/28/06

  2. Routing Protocols with Misconfigurations • Routing Protocols in “friendly” environments are well understood, e.g., • Link State: global knowledge, centralized approach • Distance Vector (a.k.a. Bellman-Ford): known to converge (quickly), adapt to changes, etc. • BGP (Path-Vector): some problems in converging when routes change, significant literature evaluating/understanding • Critical Assumption for correctness: Nodes follow the proper protocol procedure • Q: What happens when nodes don’t follow the protocol like they’re supposed to?

  3. 8765 7007 7074 6957 5165 2134 4345 History Shows: Misbehaving nodes can be a big problem • The infamous BGP AS 7007 Incident: • Consider routes to node 8765 … Traffic goes where it is supposed to

  4. 8765 7007 7074 6957 5165 2134 4345 Nodes don’t always “behave” • The infamous BGP AS 7007 Incident: … Traffic enters “black hole”

  5. Can I tell if my neighbors are giving me the correct information? Theory to detect “Bad” Nodes • Rules: • “Bad” nodes can cheat, “Good” nodes can attempt to detect the bad nodes • “Good” nodes must limited to information provided by the routing protocol • Want to exchange additional info, modify the protocol • Challenge: When can a good node determine something isn’t right?

  6. A B D E A Node’s Info: Its State • A node’s state is its (only) view of the network • e.g., Distance-Vector (a.k.a. Bellman-Ford) C F G Note our convention: (I,J) in state table reports node I’s distance to J (not local node’s distance to J through I)

  7. N X Y N X Y 1 3 Detection • Assume: Routes have stabilized (routing protocol inactive) • Q: For routing protocol P, given a good node’s state, what misconfigurations can it detect/observe within the network? • Note: A node can’t always detect a problem D(X,Y) = 3 1 1 An undetectable misconfig at node N:

  8. Prior Work: “Weak” Detection • Process for constructing a weak detection method: • Find a property that a node’s state should exhibit • Check the property in a node’s state • Declare misconfiguration in network if property is violated • A detection method is “Weak” if it fails to identify a misconfiguration that is detectable using another method (on same state)

  9. A Weak Detection Method: Symmetry • In an undirected graph, D(X,Y) = D(Y,X) • Here, D(A,B) = 1 • But D(B,A) = 4 • Using symmetry, found a misconfiguration • So why is Symmetry weak?

  10. Another Weak Detection Method: Triangle Inequality [DMZ’03] • Triangle inequality should hold: D(X,Z) ≤ D(X,Y) + D(Y,Z) • Violated here: • D(B,E) = 3 • D(B,A) = 1 • D(A,E) = 1 • D(B,E) > D(B,A) + D(A,E) • Note: symmetry property not violated • Example shows why detection via symmetry is weak: failed to identify a detectable misconfiguration • So why is triangle inequality weak?

  11. D Weakness of Triangle Inequality A • Suppose graph edge lengths are all 1 • No violation of symmetry or triangle inequality C B Where to place edges? A and B are our neighbors C is distance 1 from B D is distance 3 from both A & B: nowhere to put connecting edge

  12. “Strong” Detection • A detection method is “strong” if it always detects detectable misconfigurations • More formally, Let • μ be a method to detect misconfigurations • C = {N} be the set of valid networks (what the network might look like) • NR: the actual network (Note NRє C) • sn(N) is state of node n when the routing protocol is executed correctly (and stabilized) within a network N є C • s’n(NR) be the state actually computed at node n (possibly with misconfigurations) in network NR • μ is a strong detection method if one of the following holds whenever s’n(NR) ≠ sn(NR): • Detected: μ detects that sn(NR) ≠ s’n(NR) • Undetectable: No method μ’ exists that can detect sn(NR)≠s’n(NR)

  13. A High-Complexity Strong Detection Algorithm • Input: • State s’n(NR) of node n for the “real” but unknown network NR • Description of set of allowable networks, C = {N} • Algorithm: For each N є C • Compute sn(N) • If sn(N) = s’n(NR) then return MISCONFIG UNDETECTABLE (N might be the valid network) • If no N є C matches, then misconfiguration detected Algorithm Complexity is Ω(C), often huge!

  14. Low-Complexity Strong-Detection • Q: Can Strong Detection be achieved with low complexity? • A: Sometimes: we show how to do it for Bellman-Ford (a.k.a. Distance Vector)

  15. Strong Detection for D.V. • Input at node n: • S’n(NR): a single node’s (steady state) state table that reports each neighbor’s (supposed) distance to all nodes • Set C of all allowable networks • defined by {Axy}: Axy is the set of allowable lengths of edges between node x and y • E.g., Axy = [0,3) U [4,4] U [7,100] S’n(NR)

  16. D F G A B C n G E B C n E F D A M Strong Detection in D.V. at a node, n • Take node n’s state, s’n(NR) • Use this state to build the canonical graph, M є C • Simulate D.V. on M to generate simulated state sn(M) • We will prove: • If sn(M) ≠ s’n(NR), then misconfiguration detected • Else, either there is no misconfiguration, or it is undetectable (using node n’s state) because M might be the actual network s’n (NR) sn(M)

  17. Creating the Canonical Graph, M for an undirected network • For each pair of nodes (x,y): • Create edge (x,y) with length exy = smallest value in Axy ≥ maxm є V(n) |d(m,x) – d(m,y)| • exy = ∞ if all values in Axy too small • Consider state table on left • eCD ≥ max(|12-5|, |13-9|, |8-12|) = 7 • If ACD = [1,1] U [4,6] U [8,10], then eCD = 8

  18. Proving Strongness of the Canonical Graph Method • N: a network for which sn(N) = s’n(NR), when such a network N exists • M: the canonical graph constructed by n from s’n(NR) • fxy: length of edge (x,y) in N (when the edge exists) • exy: length of edge (x,y) in M (edges always exist) • dG(x,y): shortest path distance from x to y in network G • Assume: all edges have positive length (easy to extend when edges can also have length 0) • High Level Sketch of Proof: • If N exists where sn(N) = s’n(NR), then sn(M) = sn(N) = s’n(NR) • If N does not exist, then sn(M) ≠ s’n(NR)

  19. n v Bounds on exy • Lemma 1: If sn(N) = s’n(NR) for some N є C and edge (x,y) exists in N with length fxy, then exy ≤ fxy • Proof: In N, x & y’s distances to any neighbor v must differ by at most fxy, i.e.: For each neighbor v, |dN(v,y) – dN(v,x)| ≤ fxy • Hence maxm є V(n) |d(m,x) – d(m,y)| ≤ fxy • Recall exy = smallest value in Axy ≥ maxm є V(n) |d(m,x) – d(m,y)| • Since N є C, we have fxy є Axy and so exy ≤ fxy y x fxy

  20. in M: exy y y x fxy • Lemma 2: If sn(N) = s’n(NR) for some N є C, then dM(v,x) ≤ dN(v,x) for all neighbors v and all nodes x • Proof: by contradiction. Select x with smallest dN(v,x) where dM(v,x) > dN(v,x) • Let y be a preceding node on a shortest path from v to x in N: fxy is the edge connecting y to x on this path, so dN(v,y) < dN(v,x) and |dN(v,x) – dN(v,y)| = fxy • dN(v,y) < dN(v,x), hence y not blue dM(v,y) ≤ dN(v,y), so dM(v,y) ≤ dN(v,y) < dN(v,x) < dM(v,x) • fxy = |dN(v,x) – dN(v,y)| < |dM(v,x) – dM(v,y)| ≤ exy Blue nodes t satisfydM(v,t) > dN(v,t) v x n Distance from v in N Contradicts Lemma 1 (which states exy ≤ fxy)!!

  21. in N: v y y exy x Blue nodes t satisfydM(v,t) < dN(v,t) • Lemma 3: If sn(N) = s’n(NR) for some N є C, then dM(v,x) ≥ dN(v,x) for all neighbors v and all nodes x • Proof: by contradiction. Select x with smallest dM(v,x) where dM(v,x) < dN(v,x) • Let y be the node preceding x on a shortest path from v to x in M where edge exy connects y to x on this path: hence dM(v,y) < dM(v,x) and exy = dM(v,x) - dM(v,y) • dM(v,y) < dM(v,x), hence y not blue dM(v,y) ≥ dN(v,y) • Hence exy = dM(v,x) - dM(v,y) < dN(v,x) - dN(v,y) = | dN(v,x) - dN(v,y) | x n Distance from v in M But exy = maxm |dN(m,x) – dN(m,y)|, and maxm |dN(m,x) – dN(m,y)|≥ |dN(v,x) – dN(v,y)| !! Contradiction!

  22. The Main Result • Some N є C produces state sn(N) = s’n(NR)  sn(M) = s’n(NR) • Proof: •  Follows from Lemma 2 (dM(v,x) ≤ dN(v,x))and Lemma 3(dM(v,x) ≥ dN(v,x)) •  If no N є C produces state s’n(N), since M є C, M cannot produce state = s’n(N) • In other words, only need to check if sn(M) = s’n(NR) • Complexity: O(|V|3) • Construct the canonical graph, M • Simulate Bellman-Ford • Compare State Tables

  23. Extensions / Future Directions • Same idea works for: • Directed graphs • Using state info from a set of trusted nodes • Similar canonical graph construction works for path-vector variants • Future Directions: • Identifying the offending node (not just its existence) • Performing Strong Detection for other routing protocols (Ad-hoc network, geographical positioning)

More Related