 Policy Disputes in Path-Vector Protocol
 A Safe Path Vector Protocol
 The Stable Paths Problem and Interdomain routing
Pitch Patarasuk
Safety in BGP
 BGP is the only interdomain routing protocol in the
internet
 A routing protocol is safe when it is guaranteed to
converge
 RIP and OSPF protocols are safe
 Use shortest-path algorithm
 BGP is not safe
2
Safety in BGP (Cont.)
 BGP does not use pure shortest-path algorithm
 BGP allow policy concerns to override distance
metric
 Each AS decides its own policy with little knowledge
of of other ASs’ policies
3
How to make BGP safe?
 Policy
 Static


ASs do not share their policies
The problem is NP-complete

Heuristic
 Dynamic

Paths that are potentially create problem will be
deleted
4
Outline
 SPP (stable path problem)
 SPVP (simple path vector protocol)

SPVP1
 SPVP2
 SPVP3
 Dispute Digraph
 Dispute Wheel
5
Stable Path Problem (SPP)
 Simplify BGP solvability problem to a problem of





“whether every node has a stable route to one
destination node”
Destination node == node 0
(x) = path assignment from node x to node 0
 = path assignment of every node to node 0
 = ((1), (2), (3), ……………….)
When  does not change




Stable state
Converge
 is the solution to this problem
 is a stable path assignment of this problem
6
Stable Path Problem (Cont.)
 When  keep changing

Diverge
** NOTE **
 Even if there is a solution, the problem can still be
diverge (cannot find a solution)
 Even if a problem converge, some nodes may not
have a route to node 0
  = (10, , 310, 40)
7
SPP – permitted path
permitted path(1) = ( 1 0, 1 3 0)
permitted path(2) = ( 2 0, 2 1 0)
permitted path(3) = (3 0)
permitted path(4) = (4 3 0, 4 2 0)
8
SPP – path rank
9
SPP – path assignment
 = ( 1 3 0, 2 0, 3 0, 4 3 0)
1 = 1 3 0
2 = 2 0
3 = 3 0
4 = 4 3 0
10
How to check whether a path assignment
is stable?
 = (10, 20, 30, 430)
 = (130, 20, 30, 430)
 = (10, 210, 30, 430)
 = (130, 210, 30, 430)
 = (10, 20, 30, 420)
 = (130, 20, 30, 420)
 = (10, 210, 30, 420)
 = (130, 210, 30, 420)
11
How to check whether a path assignment
is stable? (Cont.)
 = (10, 20, 30, 430)
 = (130, 20, 30, 430)
 = (10, 210, 30, 430)
= (130, 210, 30, 430)
 = (10, 20, 30, 420)
 = (130, 20, 30, 420)
 = (10, 210, 30, 420)
 = (130, 210, 30, 420)
 Node i is stable if rank (i,j)P(j) < rank P(i) whenever (i,j)P(j) is a
permitted path at i
 ** note that (2 1)(1 0) == (2 1 0) **
12
How to check whether a path assignment
is stable? (Cont.)
 Choice( , u) is a union of


(u 0) if u is connected to 0 and (u 0) is a permitted
path at u
(u v) (v) when u is connected to v and (u v) (v)
is a permitted path at u
let  = (1 0, 2 0, 3 0, 4 3 0)
Choices( ,1) = (1 0, 1 3 0)
Choices( , 2) = (2 0, 2 10)
Choices( , 3) = (3 0)
Choices( , 4) = (4 3 0, 4 2 0)
13
How to check whether a path assignment
is stable? (Cont.)
 Let W is a subset of permitted path at u,
Best(W, u) = P  W with a maximum ranking
 The path assignment at node u, (u), is stable if (u)
= best(choices(, u), u)
 The path assignment  is stable if (u) is stable at
every node u.
14
Example: Good Gadget
 There is only one solution (stable path assignment)
for this problem
  = ( 1 3 0, 2 0, 3 0, 4 3 0)
15
Example: Good Gadget (Cont.)
 = ( 1 3 0, 2 0, 3 0, 4 3 0)
 Choices(, 1) = (1 0, 1 3 0)
Best (Choices(, 1), 1) = 1 3 0 = (1) => stable
 Choices(, 2) = (2 0)
Best (Choices(, 2), 2) = 2 0 = (2) => stable
 Choices(, 3) = (3 0)
Best (Choices(, 3), 3) = 3 0 = (3) => stable
 Choices(, 4) = (4 3 0, 4 2 0)
Best (Choices(, 4), 4) = 4 3 0 = (4) => stable
**  = ( 1 3 0, 2 0, 3 0, 4 3 0) is stable **
16
Unstable path assignment example #1
Stable:  = ( 1 3 0, 2 0, 3 0, 4 3
0)
Unstable:  = ( 1 0, 2 1 0, 3 0, 4 3 0)
 Choices(, 1) = (1 0, 1 3 0)
Best (Choices(, 1), 1) = 1 3 0 != (1) => unstable
 Choices(, 2) = (2 0, 2 1 0)
Best (Choices(, 2), 2) = 2 1 0 != (2) => unstable
 (3), (4) are stable
  = ( 1 0, 2 1 0, 3 0, 4 3 0) are not stable
17
Simple path vector protocol (SPVP)
 SPVP1
 Basic
 Not safe
 SPVP2
 Contains path history
 Can detect protocol oscillation due to policy
conflict
 Still not safe
 SPVP3
 Extends SPVP2 to make it safe by suppressing
paths that can make the protocol diverge
18
SPVP1
 Let rib(u) =  (u) for each node u
 Each node u send rib(u) to its neighbor
 When each node receives rib(w) from its neighbor w,
called rib-in(u<=w), it computes best(u)
 If best(u) != rib(u), it replace rib(u) with best(u), and
sends new rib(u) to all its neighbor
 When no node sends new rib(u) to its neighbor, the
protocol is in a stable state, the problem is converge
 If there will never be a stable state, the problem is
diverge
19
Algorithm for SPVP1
 Rib(u) = path from u to node 0
 Rib-in(u <= w) = rib(w) received from the neighbor w
 Best(u) = computed new path from u to 0 from all Rib-
ins(u <=w)
20
Example: Good Gadget
  = (130, 210, 30, 430)
  = (130, 20, 30, 430)
  = (130, 20, 30, 420)
  is stable => problem is converge
21
Example2: Bad Gadget (no solution)
** Step 0 and 9 are the same
** one round of oscillation
22
Example3:
Naughty Gadget
 Has a solution
 (130,20,30,420)
 Diverge
 Cannot go to (130,20,30,420)
state with SPVP protocol
23
Protocol Oscillation

Assume node u abandons
path p1 and adopts path p2,
we say that

Node u went down from p1 if
p2 has lower rank than p1
 Node u went up to p2 if p2
has higher rank than p1

Look at node 2 from step 6
backward:
node 2 adopts (2 0) because it
went down from (2 1 0)
because node 1 went up to (1
3 0) because node 3 went
down from (3 4 2 0) because
node 4 went down from (4 2 0)
because node 2 went up to (2
1 0)
 ** there is a cycle between
went up and down to/from
path 210 **
24
SPVP2
 Each node has path history
 Each node send path history to its neighbor
 Policy based oscillation can be detected

But do nothing => still not safe
 The sentence “node 2 adopts (2 0) because it went
down from (2 1 0) because node 1 went up to (1 3 0)
because node 3 went down from (3 4 2 0) because
node 4 went down from (4 2 0) because node 2 went
up to (2 1 0)” can be translated to
(- 2 1 0) (+ 1 3 0) (- 3 4 20) (- 4 2 0) (+ 2 1 0)
25
SPVP2 Example: bad gadget
26
SPVP2 Example: bad gadget
(Cont.)
27
SPVP2: algorithm
28
SPVP3: A safe path vector protocol
 B(u) = bad paths at node u
 Choices(u) now exclude every path in B(u)
 In step 6, node 2 has a cycle in its history of path (2
0), it add path (2 0) to B(2) and adopts empty path
 The solution of this problem is ( 1 3 0, , 3 0, 4 3 0)
 The protocol converge, there is no oscillation, but
node 2 cannot get to node 0
29
Dispute Digraph
 There are 2 types of arc in dispute digraph


Transmission arc
Dispute arcs
30
Transmission arc
 P = = => (u v)P when






u and v are peers
 P is permitted at v
 (u v)P is permitted at u
(1 0) = = => (2 1 0)
(2 0) = = => (4 2 0)
(3 0) = = => (1 3 0)
(3 0) = = => (4 3 0)
(4 2 0) = = => (3 4 2 0)
** node 1 adopts path (10) which allow node 2 to permit path
(2 1 0) **
31
Dispute arc
Q ===> (u v)P when




(u v)P is a permitted path at u
Q and P are permitted path at
v
Path (u v)Q is not permitted at
u, or path Q has lower rank
than P at node u
Path Q has higher rank than P
at node v
 Node v could increase the rank of its best path by
abandon path P and adopt path Q, however, this will
force node u to abandon path (u v)P
32
Dispute arc
 (1 3 0) ===> (2 1 0)
 (2 1 0) ===> (4 2 0)
 (3 4 2 0) ===> (1 3 0)
 (3 4 2 0) ===> (4 3 0)
 (4 3 0) ===> (3 4 2 0)
33
Dispute digraph: good gadget
 Acyclic (no loop)
 Converge, unique solution, safe, robust
34
Dispute digraph: naughty
gadget
 2 loops
 (430=>3420=>430)
 (3420=>130=>210=>420=>3420)
35
Dispute digraph: bad gadget
 1 loop
 (3420=>130=>210=>420=>3420)
36
Loops in dispute digraph
 Acyclic (no loop)
 good
 Contains loops (dispute cycles)
 Potentially
bad
37
Dispute Wheel
 An alternative representation structure of a dispute
cycle
 A specification S has a dispute wheel if and only if the
dispute digraph DD(S) contains a cycle
 Dispute cycles are built from local relationships
between peers
 Dispute wheels are based on long-distance
relationships
38
Dispute Wheel (Cont.)
 A dispute wheel of size k is
 A sequence of nodes U = U0…Uk-1
 A sequence of paths Q = Q0….Qk-1
 A sequence of paths R = R0….Rk-1
 Such that for each 0 <= i <= k-1
 Ri is a path from ui to ui+1
 Qi is a permitted path at Ui
 RiQi+1 is a permitted path at Ui
 Rank Qi < RiQi+1 at Ui
39
Dispute wheel of size 3: bad gadget
U0
U2
R2=21
Q0=10
Q2=20
R0=13
Q1=30
R1=342
U1
At U0: rank (Q0 == 10) < (R0Q1 == 1330 == 130)
At U1: rank (Q1 == 30) < (R1Q2 == 34220 == 3420)
At U2: rank (Q2 == 20) < (R2Q3 == 2110 == 210)
40
Properties of dispute wheel
 No dispute wheel implies solvability
 No dispute wheel implies a unique solution
 No dispute wheel implies safety
 No dispute wheel implies robustness
** No dispute wheel == no dispute cycle in DD(S) **
41
Two trees imply a dispute wheel
120
10
210
20
Disagree
solutions
 Disagree


Has 2 solutions (2 trees)
Contains a dispute wheel
42
Disagree problem
** May or may not converge **
43
An algorithm to find a stable path assignment
 Start from a problem of size 0, then 1, 2 ,….,k-1,






where k is a number of nodes
Grow an assignment in a greedy manner
i is a stable path assignment of size i
Vi  V where every node in (u) is in Vi, 0  Vi
 = (130, 210, 30, 430), (0)=0
V1 = {0,3}
u  V-V1 = {1,2,4}
44
 Direct path to V1
 Node 1: 130
 Node 2: 20
 Node 4: 430
 2 = (130,20,30,430)
 V2 = {0,3,1}
 V3 = {0,3,1,2}
 V4 = {0,3,1,2,4}
  = (130,20,30,430)
 If this algorithm cannot find a solution, there must
exists a dispute wheel
45
Stable path problem VS Shortest path problem
 Routing protocol based on shortest path is always
safe
 Routing protocol can be safe even if it does not use
the shortest path

BGP: Good gadget
46
Routing protocol based on cost function
 Not all path are permitted
 May not be safe
 Safe if there is no negative cost cycle
Naughty gadget (unsafe)
 A cycle 1342 has a negative cost of -16
47
Routing protocol based on cost function (Cont.)
 The protocol can also be safe even if there exists a
negative cost cycle
** A+B+C < 0 **
** no dispute cycle  safe ** 48
Assumptions in these works
 Ignore all issues relating to internal BGP
 There is at most one link between any two ASs
 Ignore address aggregation
49
Conclusions
 Shortest path is safe, BGP is not
 There are 3 ways to make routing protocol safe
 Policy
 Static
 Dynamic
 Static
 Dispute digraph




Dispute cycle
Dispute wheel
No dispute wheel == no dispute cycle
No dispute wheel == safe, robust
50
Conclusions (Cont.)
 Dynamic
 SPP (simple path problem)



simplify the problem
route to one destination
SPVP (simple path vector protocol)



SPVP1: Like what is used in BGP, unsafe
SPVP2: Can detect oscillation caused by policy conflict
SPVP3: Get rid of bad path  safe , however, some nodes may
not have a route to a destination
 Routing based on cost function without a negative
cost cycle is safe
51
Questions?
52