Slides - Interdomain Routing and Games

advertisement
Interdomain Routing and Games
Hagay Levin, Michael Schapira and Aviv Zohar
The Hebrew University
1
On the Agenda
• Motivation: Are Internet protocols incentive compatible?
• Interdomain routing & path vector protocols
• Convergence issues
• BGP as a game
• Hardness of approximation of social welfare
• Incentive compatibility
• Conclusions
2
Are Current Network Protocols
Incentive Compatible?
• Protocols for the network have been
dictated by some designer
• Okay for cooperative settings
• But what if nodes try to optimize
regardless of harm to others?
• Example: TCP congestion control
– Requires sender to transmit less when the
network is congested
– This is not optimal for the sender (always
better off sending more)
3
Secure Network Protocols
• A lot of effort is going into re-designing network
protocols to be secure.
• Routing protocols are currently known to be very
susceptible to attacks.
– Even inadvertent configuration errors of routers have
caused global catastrophes.
• Designers are also concerned about incentive
issues in this context.
• Our work highlights some connections between
incentives and security of BGP.
4
Interdomain Routing
• Messages in the Internet are passed from one router
to the other until reaching the destination.
• Goal of routing protocols: decide how to route packets
between nodes on the net.
• The network is partitioned into Autonomous Systems
(ASes) each owned by an economic entity.
– Within ASes routing is cooperative
– Between ASes inherently non-cooperative
• Routing preferences are complex and uncoordinated.
Always choose
shortest paths.
Load-balance my
outgoing traffic.
UUNET
AT&T
My link to UUNET is for
backup purposes only.
Comcast
Qwest
Avoid routes
through AT&T if
at all possible.
5
Path Vector Protocols
• The only protocol currently used to establish
routes between ASes (interdomain routing):
The Border Gateway Protocol (BGP).
• Performed independently for every destination
autonomous system in the network.
• The computation by each node is an infinite
sequence of actions:
receive
routes from
neighbors
choose
“best”
neighbor
send
updates
to neighbors
6
Example of BGP Execution
5
4 41d
41d
23d
1d
1
1d
23d
2 23d
23d
3d
3d
3
d d d
d
receive
routes from
neighbors
choose
“best”
neighbor
send
updates
to neighbors
7
Our Main Results Informally
• Theorem: In “reasonable economic
settings”, BGP is almost incentivecompatible (And can be tweaked to be
incentive compatible).
• Theorem: In these same settings it is
also almost collusion proof.
– To make it fully collusion proof we need a
somewhat stronger assumption.
8
BGP – Not Guaranteed to Converge
1
12d
1d
…
2d
2
23d
2d
...
12d
1d
d
31d
3
31d
3d
…
• Other examples may fail to converge for
certain timings and succeed for others.
9
Finding Stable States
• Previously known: It’s NP-Hard to determine
if a stable state even exists. [Griffin, Wilfong]
We add:
• Theorem: Determining the existence of a
stable state requires exponential
communication.
• In practice, BGP does converge in the Internet!
Why?
10
The Gao-Rexford Framework: An economic
explanation for network convergence.
Neighboring pairs of ASes have one of:
• a customer-provider relationship
• a peering relationship
peer
providers
peer
customers
Restrict the possible graphs and preferences:
• No customer-provider cycles (cannot be your own customer)
• Prefer to route through customers over peers, and peers
over providers.
• Only provide transit services to customers.
Guarantees convergence of BGP.
11
Dispute Wheels
• A Dispute Wheel [Griffin et. al.]
– A sequence of nodes ui and routes
Ri, Qi.
– ui prefers RiQi+1 over Qi.
• If the network has no
dispute wheels, BGP will always
converge.
• Also guarantees convergence
with node & link failures.
Gao-Rexford
Shortest Path
No Dispute
Wheel
Robust
Convergence
12
Modeling Path Vector Protocols as
a Game
• The interaction is very complex.
– Multi-round
– Asynchronous
– Partial-information
• Network structure, schedule, other player’s types are all unknown.
• No monetary transfers!
– More realistic
– Unlike most works on incentive-compatibility in interdomain
routing.
13
Routing as a Game
• The source-nodes are the strategic agents
• Agent i has a value vi(R) for any route R
• The game has an infinite number of rounds
• Timing decided by an entity called the scheduler
– Decides which nodes are activated in each round.
– Delays update messages along selective links.
14
Routing as a Game (2)
• A node that is activated in a certain round can
– Read update messages announcing routes.
– Send update messages announcing routes.
– Choose a neighboring node to forward traffic to.
• The gain of node i from the game is:
– vi(R) if from some point on it has an unchanging route
R.
– 0 otherwise. (can be defined as the maximal gained
path in an oscillation as well).
• a node’s strategy is its choice of a routing
protocol.
– Executing BGP is a strategy.
15
Approximating Social Welfare

1 / 2 
O
n
• Theorem: Getting an

approximation to the optimal social welfare is
impossible unless P=NP even in Gao-Rexford
settings.
(Improvement on a bound achieved by
[Feigenbaum,Sami,Shenker])
• Theorem: It requires exponential communication
1
to approximate social welfare up to O n
 
16
Manipulating in The Protocol
• A node is said to deviate from BGP (or to
manipulate BGP) if it does not follow BGP.
• We want nodes to comply with the alg.
Otherwise, suffer a loss when they deviate
• Which forms of manipulation are available to
nodes?
–
–
–
–
–
Misreporting preferences.
Reporting inconsistent information.
Announcing nonexistent routes.
Denying routes.
…
17
No Optimal Protocols
•
Theorem: Any routing protocol that:
1. Guarantees convergence to a solution for
any timing with any preference profile
2. Resists manipulation
Must contain a (weak) dictator: A node
that always gets its most preferred path.
(Simple to prove using a variant of the
Gibbard-Satterthwaite theorem)
18
• Suppose node 1 is a weak
dictator.
• If it wants some crazy
6
path, it must get it.
• This feels like an
unreasonable protocol.
5
4
3
7
2
1
d
19
Is BGP Incentive-Compatible?
• Theorem: BGP is not incentive compatible
even in Gao-Rexford settings.
m1d
m12d
12d
1d
1
m
m1d
m12d
12d
1d
1
m
d
d
2md
2d
2
without
manipulation
2md
2d
2
with
manipulation
20
Can we fix this?
• We define a property:
– Route verification means that an AS can verify
that a route is available to a neighboring AS.
• Route verification is:
– Achievable via computational means
(cryptographic signatures).
– An important part of secure BGP
implementation.
21
Incentive Compatibility
• Theorem: If the “No Dispute Wheel”
condition holds, then BGP with route
verification is incentive-compatible in expost Nash equilibrium.
• Theorem: If the “No Dispute Wheel”
condition holds, then BGP with route
verification is collusion-proof in ex-post
Nash equilibrium.
22
Open Questions
• Characterizing robust BGP convergence (“No
dispute wheel” is sufficient but not necessary).
• Does robust BGP convergence with route
verification imply incentive compatibility?
• Can network formation games help to explain the
Internet’s commercial structure?
• Maintain incentive compatibility if the protocol is
changed to deal with attacks and other security
issues?
• How do congestion and load fit in?
23
Conclusions
• Our results help explain BGP’s resilience to
manipulation in practice.
– Manipulation requires extensive knowledge on
network topology & preferences of ASes.
– Faking routes requires manipulation of TCP/IP too.
– Manipulations by coalitions require Herculean efforts,
and tight coordination.
• We show that proposed security improvements
would benefit incentives in the protocol.
• Work in progress: other natural asynchronous
games.
– “Best Reply Mechanisms” with Noam Nisam and
Michael Schapira
24
Download