Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan

M.I.T. Computer Science and Artificial Intelligence
Laboratory
Kunal Jain and Pragya Maru
What is a Routing Logic?
• Protocol designers and network operators need
a way to describe and reason about protocol
behavior.
• Properties: describe behavior
• Rules: reason about whether a certain
property holds
Practical Uses for a Routing Logic
• Reason about BGP’s behavior
• Verify that BGP configurations satisfy
properties
• Synthesize BGP configuration automatically
• Design protocol extensions that fix
problems
Problems Underlying BGP
• Poor Integrity: Denial of service and data integrity
attacks
• Slow Convergence: Path instability results in delayed
convergence.
• Divergence: BGP's policy-based nature can give rise
to configurations that diverge.
• Unpredictability: Due to BGP's distributed, asynchronous
nature, predicting the effects of a configuration change
is extremely challenging.
• Poor control of information flow: Routing policies may
expose information that is not intended for public
knowledge, such as peering and transit relationships.
How to define "correct"
behavior?
• Validity: Does it advertise invalid routes?
• Visibility: Does every valid path have a corresponding route?
• Safety: Given a set of choices, will it converge to a unique, stable answer?
• Determinism: Is that answer affected by the ordering of messages or the set of
available routes?
• Information-flow control: Does the protocol expose information?
Routing Logic Inputs
• Specification of how protocol behaves
• Specification of protocol configuration
  - Policy configuration
  - General configuration, e.g. which routers
    exchange routing information
• Current version has no notion of time
Terminology
• Participant : An entity that advertises or receives routing
messages
• Routing Domain: Group of one or more participants that
behave according to one administrative policy.
• Route: Contains two fields: Next-hop and Next-RD
• Destination: Might refer to a host, an overlay node or a
logical host
• Destination-set: Refers to a set of nodes that share a
route.
• Path: A path is a sequence of participants from one
participant to a destination
Hierarchical Routing Scopes
The next-hop of a route at scope i is a destination (destination-set) at scope i+1
Rules: Sufficient Conditions for
Each Property
Validity: a route implies a corresponding valid
path
Validity and Visibility in BGP
The fundamental operation of BGP with Route Reflection can
violate Validity.
The underlying IGP can result in a persistent forwarding loop.
Applying the logic: Validity and
Visibility
• There exists a route reflector configuration that causes
BGP to violate validity.
• For an arbitrary configuration of route reflectors and route
reflector clients, verifying progress is NP-complete.
• If the route reflector configuration for an AS along the
path to a destination is RR-IGP-Safe, then BGP satisfies
progress.
• If the route reflectors in an AS are configured according to
RR-Reflect-All, then BGP satisfies progress.
• If an AS uses full mesh iBGP, then BGP satisfies
progress.
Information-flow Model
• Consists of objects, flow policy, partial ordering of security
levels
Information Objects
• Policy
  - Peering and transit agreements
  - Router preferences
• Reachability
  - Events affecting reachability
• Topology
  - Internal network topology
  - Inter-AS connectivity
Information Flow Lattice
Noninterference Rule
Objects at higher security levels should not be visible to objects at
lower levels
Security level of message not higher than level of recipient
Applying the logic: Information Flow
Control
• A stateless BGP implementation can violate
standard information flow policy.
• The BGP route history attribute violates
standard information flow policy.
Safety and Determinism
• An AS changing its choice of best route may result in policy
oscillations or lead to dispute cycles, which shows that
BGP doesn't satisfy safety.
• Some router configurations result in a router's best route
depending on the order in which routes arrive or on other
non-deterministic factors, which shows that BGP doesn't satisfy
determinism.
Policy Dispute or Oscillations
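A brute-force check of the safety question ("will it converge to a unique, stable answer?") on small policy configurations, as an added example that is not from the original slides or the paper. The three configurations, the node numbering and the function names are constructed for illustration; node 0 is the destination and each node lists its permitted paths in order of preference.

```python
# Added example: constructed policy configurations; node 0 is the destination.
from itertools import product

def best_available(node, prefs, state):
    """Highest-ranked permitted path whose next hop currently uses the rest of that path."""
    for path in prefs[node]:
        tail = path[1:]
        if tail == (0,) or state.get(tail[0]) == tail:  # direct, or next hop agrees
            return path
    return None

def stable_states(prefs):
    """Every assignment of one path per node in which no node wants to switch."""
    nodes = sorted(prefs)
    found = []
    for choice in product(*(prefs[n] + [None] for n in nodes)):
        state = dict(zip(nodes, choice))
        if all(best_available(n, prefs, state) == state[n] for n in nodes):
            found.append(state)
    return found

def safety_verdict(prefs):
    count = len(stable_states(prefs))
    if count == 0:
        return "no stable state: cannot converge"
    if count > 1:
        return "several stable states: outcome not unique"
    return "one stable state (necessary for safety, not sufficient)"

# Each node prefers the path through its neighbour over its direct path.
THREE_WAY_DISPUTE = {1: [(1, 3, 0), (1, 0)], 2: [(2, 1, 0), (2, 0)], 3: [(3, 2, 0), (3, 0)]}
TWO_WAY_DISPUTE = {1: [(1, 2, 0), (1, 0)], 2: [(2, 1, 0), (2, 0)]}
# Same as the three-way case, except node 3 prefers its direct path.
NO_DISPUTE = {1: [(1, 3, 0), (1, 0)], 2: [(2, 1, 0), (2, 0)], 3: [(3, 0), (3, 2, 0)]}

if __name__ == "__main__":
    for name, prefs in [("three-way", THREE_WAY_DISPUTE),
                        ("two-way", TWO_WAY_DISPUTE),
                        ("no dispute", NO_DISPUTE)]:
        print(name, "->", safety_verdict(prefs), stable_states(prefs))
```

The enumeration is exponential in the number of nodes, so it only suits configurations of this size.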
Properties for Safety and
Determinism to hold
Safety
• Preference: If a participant chooses a particular route as its
best route, the participant re-advertises that route.
• No route history cycles: Non-existence of a route history cycle
is sufficient to guarantee safety.
Determinism
• Time Immunity: A participant's relative ranking of two routes to a
destination is independent of the order in which those routes
arrive.
• Set Immunity: A participant's relative ranking of two routes is
independent of other routes to that destination.
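A test harness for the two determinism conditions above, as an added example that is not from the original slides or the paper. The routes, AS numbers and both selection functions are constructed. The set-dependent case uses BGP's MED rule (MED is compared only between routes from the same neighbor AS), which the slides do not name, and the order-dependent case breaks ties by arrival order.

```python
# Added example: routes, AS numbers and selection functions are constructed.
from collections import namedtuple
from itertools import combinations, permutations

Route = namedtuple("Route", "name neighbor_as med igp_cost")

def select_med(routes):
    """Drop routes beaten on MED by a route from the same neighbor AS, then lowest IGP cost."""
    lowest = {}
    for r in routes:
        lowest[r.neighbor_as] = min(r.med, lowest.get(r.neighbor_as, r.med))
    survivors = [r for r in routes if r.med == lowest[r.neighbor_as]]
    return min(survivors, key=lambda r: (r.igp_cost, r.name))

def select_oldest(routes):
    """Lowest IGP cost; on a tie, min() keeps the earliest-arrived route."""
    return min(routes, key=lambda r: r.igp_cost)

def time_immunity_violations(select, routes):
    """Route sets whose winner changes with arrival order: (set, possible winners)."""
    found = []
    for k in range(2, len(routes) + 1):
        for subset in combinations(routes, k):
            winners = {select(list(order)).name for order in permutations(subset)}
            if len(winners) > 1:
                found.append((tuple(r.name for r in subset), tuple(sorted(winners))))
    return found

def set_immunity_violations(select, routes):
    """(a, b, extra): a beats b head to head, yet b wins once `extra` is also present."""
    found = []
    for a, b in permutations(routes, 2):
        if select([a, b]) != a:
            continue
        others = [r for r in routes if r not in (a, b)]
        for k in range(1, len(others) + 1):
            for extra in combinations(others, k):
                if select([a, b, *extra]) == b:
                    found.append((a.name, b.name, tuple(r.name for r in extra)))
    return found

A = Route("A", 64512, 10, 10)
B = Route("B", 64512, 5, 20)   # same neighbor AS as A, lower MED
C = Route("C", 64513, 0, 15)
D = Route("D", 64514, 0, 10)   # same IGP cost as A

if __name__ == "__main__":
    print(set_immunity_violations(select_med, [A, B, C]))
    print(time_immunity_violations(select_oldest, [A, C, D]))
```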
The properties: not complete,
but important
• Validity: Will packets that use this route get there?
  - basic correctness property
• Visibility: Is best route chosen from all possibilities?
  - optimal routing, robustness in failure scenarios
• Safety: Is there policy-induced oscillation?
  - network stability
• Determinism: Can a snapshot of the network state determine the
result of the "computation"?
  - ease of debugging, traffic engineering
• Information-flow Control: Is my network exposing information that
should be hidden?
  - competitive aspects
Reasoning about BGP’s Behavior
The routing logic rules can be used to prove theorems
about these properties.
• Verifying that an arbitrary route reflector configuration
satisfies validity.
• Route reflectors that re-advertise all eBGP-learned routes
will satisfy validity.
• Certain fixes to other problems (e.g., safety) can violate
information-flow policy.
Conclusion
• Network operators and protocol designers need a
logic to reason about routing protocols like BGP
• The routing logic provides
  - A set of properties to describe protocol behavior
  - Rules to reason about them
• Set of properties is not complete, but it is an
important and interesting set
• Promising for reasoning, verification, and design