Towards a Logic forWide-Area Internet Routing

Nick Feamster and Hari Balakrishnan

M.I.T. Computer Science and Artificial Intelligence Laboratory

Kunal Jain and Pragya Maru

What is a Routing Logic?

• Protocol designers and network operators need a way to describe and reason about protocol behavior.

• Properties: describe behavior

• Rules: reason about whether a certain property holds

Practical Uses for a Routing Logic

• Reason about BGP’s behavior

• Verify that BGP configurations satisfy properties

• Synthesize BGP configuration automatically

• Design protocol extensions that fix problems

Problems Underlying BGP

• Poor Integrity: Denial of service and data integrity attacks

• Slow Convergence: Path instability results in delayed convergence.

• Divergence : BGP’s policy based nature can give rise to configurations that diverge

• Unpredictability : Due to distributed, asynchronous nature, predicting the effects of a configuration change is extremely challenging.

• Poor control of information flow: Routing policies may expose information that is not intended for public knowledge, such as peering and transit relationships.

How to define "correct“behavior? Does it advertise invalid routes?

• Validity

Does every valid path have a corresponding route?

• Visibility

Given a set of choices, will it converge to a unique , stable answer?

• Safety

Is that answer affected by the ordering of messages or the set of available routes?

• Determinism

Does the protocol expose information?

• Information-flow control

Routing Logic Inputs

• Specification of how protocol behaves

• Specification of protocol configuration Policy configuration General configuration, e.g. which routers

exchange routing information

• Current version has no notion of time

Terminology

• Participant : An entity that advertises or receives routing messages

• Routing Domain: Group of one or more participants that behave according to one administrative policy.

• Route: Contains two fields- Next-hop and Next-RD

• Destination: might refer to a host , an overlay node or a logical host

• Destination-set: Refers to a set of nodes that share a route.

• Path: A path is a sequence of participants from one participants from one participants to a destination

Hierarchical Routing Scopes

Scope i next-hop is i+1 destination (destination set)

Rules: Sufficient Conditions for Each Property

Validity: a route implies a corresponding valid path

Validity and Visibility in BGP

Underlying IGP result in persistent forwarding loop

The fundamental operation of BGP with Route Reflection can violate Validity.

Applying the logic-Validity and Visibility

• There exists a route reflector configuration that causes BGP to violate validity.

• For an arbitrary configuration of route reflectors and route reflector clients, verifying progress is NP-complete.

• If the route reflector configuration for an AS along the path to a destination is RR-IGP-Safe, then BGP satisfies progress.

• If the route reflector in an AS are configured according to RR-Reflect-All, then BGP satisfies progress.

• If an AS uses full mesh iBGP, then BGP satisfies progress.

Information-flow Model

•Consists of objects, flow policy, partial ordering of security levels

•PolicyPeering and transit agreementsRouter preferences

•ReachabilityEvents affecting reachability

•TopologyInternal network topologyInter-AS connectivity

Information Objects

Information Flow Lattice

Noninterference Rule

Objects at higher security levels should not be visible to objects at lower levelsSecurity level of message not higher than level of recipient

Applying the logic-Information Flow Control

• A stateless BGP implementation can violate standard information flow policy.

• The BGP route history attribute violates standard information flow policy.

Safety and Determinism

• AS changing the choice for the best route may result in policy oscillations or lead to dispute cycles and hence this shows that BGP doesn’t satisfy safety

• Some router configurations results in router’s best route depending on the order in which routes arrive or other non deterministic factors, which shows that BGP doesn’t satisfy determinism

Policy Dispute or Oscillations

Properties for Safety and Determinism to holdSafety

• Preference :- If a participant chooses a particular route as its best route , the participant re advertises that route

• No route history cycles: - Non existence of a route history cycle is sufficient to guarantee safety

Determinism

• Time Immunity:- A participant relative ranking of two routes to a destination is independent of the order in which those routes arrive.

• Set Immunity:- A participant’s relative ranking of two routes is independent of other routes to that destination.

The properties: not complete, but important• Validity: Will packets that use this route get there?

basic correctness property

• Visibility: Is best route chosen from all possibilities?

optimal routing, robustness in failure scenarios

• Safety: Is there policy-induced oscillation?

network stability

• Determinism: Can a snapshot of the network state determine the result of the "computation"?

ease of debugging, traffic engineering

• Information-flow Control: Is my network exposing information that should be hidden?

competitive aspects

Reasoning about BGP’s Behavior

The routing logic rules can be used to prove theorems about these properties.

• Verifying that an arbitrary route reflector configuration satisfies validity.

• Route reflectors that re-advertise all eBGP-learned routes will satisfy validity.

• Certain fixes to other problems (e.g., safety) can violate information-flow policy.

Conclusion

• Network operators and protocol designers need a logic to reason about routing protocols like BGP

• The routing logic provides A set of properties to describe protocol behavior

Rules to reason about them

• Set of properties is not complete, but it is an important and interesting set

• Promising for reasoning, verification, and design