The Strategic Justification for BGP
Hagay Levin, Michael Schapira, Aviv Zohar

On the agenda
• Introduction
  – BGP
  – Gao-Rexford
  – Dispute Wheels
• A game theory perspective on routing
• Results:
  – No perfect routing algorithms.
  – In reasonable economic settings, BGP is incentive compatible in ex-post Nash.
  – BGP and colluding agents.

The Internet
• The Internet is composed of Autonomous Systems (ASes). Each AS is a network owned by an economic entity.
• ASes are interconnected.
• There are many protocols that may be chosen to handle routing inside ASes.
• Only one protocol is used for inter-domain routing: the Border Gateway Protocol (BGP).
• We will think of each AS as a single node in the network graph.

Next-Hop Routing in the Internet
• Done independently for each destination.
• Every packet carries with it the target address.
• Given a destination, a router along the way only selects the next hop in the route.
  – This is all maintained in a large routing table.
  – Can be implemented in hardware.
• The routing protocol needs to select this next hop.

BGP
• Nodes in the network have preferences over routes.
  – (We assume they have some valuation.)
• Can only choose between routes they are offered by neighbors.
• Preferences are complex:
  – Microsoft doesn’t want to route through the competition.
  – Google wants a minimal number of hops.
  – The CIA never wants to route through Russia.

BGP
• BGP is a very simple algorithm:
  – A node considers the route offered by each of its neighbors.
  – It selects the most attractive one as its next hop.
  – Then announces the new route to all its neighbors.
  – The algorithm is initiated when the destination announces its presence to its neighbors and ripples through the network.
Routes are selected based on knowledge of the entire path.

BGP
• BGP converges when:
  – All nodes know the current path of their neighbors.
  – No one wants to change their next hop.
• BGP is asynchronous.
  – Messages can be delayed along some links.
  – Some nodes may be slower than others.

The Appeal of BGP
• Myopic decisions.
• Local actions.
• Very little to maintain for each destination (huge number of destinations in the net).
• Recovers from node and link failures.
• No knowledge assumptions about the net.
• Allows the nodes to make decisions based on the full path.
  – The exact policy is up to the node itself!

Problem
• BGP does not always converge.
• Sometimes there is more than one stable routing tree, sometimes there are none!
• May depend on the asynchronous timing.
• Example (Naughty Gadget):
  12d > 1d
  21d > 2d
  [Figure: nodes 1, 2 and destination d]

Gao-Rexford
• Route oscillations are due to preference structure and network topology.
• These are not arbitrary:
  – The Internet is shaped by economic forces.
  – ASes sign routing contracts to decide who provides connectivity to whom.
• Gao & Rexford modeled the economic relationships between ASes.
  – Customers, Providers, and Peers.

The Gao-Rexford Constraints
Model only two types of connections:
• Customer to Provider
• Peer to Peer
[Figure: example graph with nodes 1, 2, 3, 4, 5]

The Gao-Rexford Constraints
1. No customer-provider cycles. (Topology)
  – You cannot be your own customer indirectly.
2. Prefer to route through customers over peers over providers. (Preferences)
3. Provide transit services only to customers. (Strategy)
  – Do not reveal to a provider/peer routes through other providers/peers.
[Figure: example graph with nodes 1, 2, 3, 4, 5]

The Gao-Rexford Constraints
• If all three Gao-Rexford constraints hold, BGP is guaranteed to converge, for any timing.
• Deleting edges and nodes maintains the constraints.
• Gao & Rexford were mostly interested in convergence.
  – How do we force nodes to play by the rules? (Constraint 3)

Dispute Wheels [Griffin, Shepherd & Wilfong]
• A condition on Topology + Preferences.
• A set of nodes $u_i$ and paths $R$, $Q$.
• $u_i$ prefers $R_i Q_{i+1}$ over $Q_i$.

Dispute Wheels
• A generalization of convergence conditions for BGP.
• No Dispute Wheels implies:
  – BGP converges for all timings.
  – A unique stable state.
• Griffin-Gao-Rexford later show that the GR constraints imply no dispute wheel.
• Graphs with metric-like preferences also have no dispute wheels.

So far…
[Diagram: Gao-Rexford 1+2+3 and Metric Preferences each imply No Dispute Wheel, which implies Convergence]

A Game-Theory Perspective
• Why should nodes follow the protocol?
• Routing is after all a game. Nodes can play strategically.
• The game is:
  – Temporal (and maybe infinite)
  – Asynchronous (who plays when? Which messages are delayed?)
  – With partial information
    • Nodes only see their own neighbors.
    • Learn things during the run.

A Negative Result
• Fix a graph G.
• Fix a routing alg. A (the “best” alg. you have for G).
• If for all preferences expressed by nodes over paths in G the algorithm A
  – assigns the same routing tree deterministically in any asynchronous timing,
  – is incentive compatible,
  – has at least 3 possible outcomes,
  then A is dictatorial, meaning some node in G always gets its most preferred route.

Negative Result
For example: if node 1 is the dictator in this graph, it may choose any path it wants to d, thereby forcing many others along the way.
[Figure: graph with nodes 1, 2, 3, 4, 5, 6, 7 and destination d]

Remarks
• Alg. A may also be centralized.
• The manipulation implied is easy – only lie about your preferences.
• Graph G and deterministic alg. A together are actually a social choice function.
  – From here, proof is by reduction from Gibbard-Satterthwaite.
• Conclusion: if we want non-manipulability, we can’t expect reasonable algorithms that always converge.

Another Negative Result
• BGP ‘as is’ is not incentive compatible even in Gao-Rexford settings.
[Figures: Honest Graph; Manipulated Graph]

The Manipulator
• The lie is possible because the manipulator invents an edge in the graph.
• The manipulator has a very large bag of tricks:
  – can drop messages,
  – send inconsistent ones,
  – lie about routes,
  – etc.

Path Verification
• We can fix our counterexample by adding path verification.
• A node will know if the routes it is promised are available to its neighbor.
  – Can be done with cryptographic signatures.
• Note: An available route might not be used in practice!
  – The manipulator can report one available path but send packets along another.

Our Main Result
[Diagram labels: Gao-Rexford 1+2+3 + Path Verification; No Dispute Wheel + Path Verification; Convergence; Incentive Compatibility]

The Right Solution Concept
• Dominant strategy would be best but is very rare.
• The regular Nash Eq. is an unreasonable eq.
  – You do not know the exact strategy of others, only their general protocol (BGP).
  – Don’t know preferences of others.
  – Don’t know the network structure.
• Ex-Post Nash much better:
  – Given the fact that everyone is using BGP, BGP is the best response (for all preferences, net structures, timings etc.)

Proof Sketch
• We take a graph that has no dispute wheel.
• It converges to some routing tree T.
• We will assume that BGP with route verification is not incentive compatible.
• Show a sequence of nodes that forms a dispute wheel, and thereby reach a contradiction.
• This is only a sketch! (I’m ignoring lots of messy details and subcases.)

• Assume: manipulator m manages to benefit from manipulation: $M_m >_m T_m$
• The path $M_m$ could not be an available option in T.
  – Otherwise m would choose it.
[Figure: node m, paths $T_m$ and $M_m$, destination d]

• There must exist a node ‘1’ along $M_m$ that has $M_1 \neq T_1$.
• We choose ‘1’ to be the lowest node on $M_m$ with this property.
• All nodes below it route the same in both trees.
• Meaning $M_1$ is an available option in T. This implies: $T_1 >_1 M_1$
• $T_1$ cannot be an available option in M (or it would be chosen).
[Figure: nodes m and 1, paths $M_m$, $T_m$, $M_1$, $T_1$, destination d]

• There must exist a node ‘2’ along $T_1$ that has $M_2 \neq T_2$.
• We choose ‘2’ to be the lowest node on $T_1$ with this property.
• All nodes below it route the same in both trees.
• Meaning $T_2$ is an available option in M. This implies: $M_2 >_2 T_2$
• $M_2$ cannot be an available option in T (or it would be chosen).
[Figure: nodes m, 1 and 2, paths $M_m$, $T_m$, $M_1$, $T_1$, $M_2$, $T_2$, destination d]

• So there must exist nodes 4,5,6… that are chosen in the same manner.
• Eventually some node appears twice.
• (Let’s assume it’s the manipulator.)
• We have a dispute wheel!
[Figure: the wheel through nodes m, 1, 2, 3, 4, k around destination d, with paths $M_m$, $T_m$, $M_1$, $T_1$, $M_2$, $T_2$, $M_3$, $T_3$, $T_4$, $M_k$]

• So where did we need route verification?
• Maybe the wheel has an odd number of nodes.
• The last node is above the manipulator on an M path.
• It may believe in a false path.
• Still, $M_m >_m T_m >_m L_m$
[Figure: the wheel with nodes m, 1, 2, 3, 4, k, destination d, and the additional path $L_m$]

A Stronger Result
• With a slightly stronger route verification assumption (that is not possible to implement with digital signatures) and in graphs with no dispute wheel, BGP is collusion proof in ex-post Nash.
• Against any size of a defecting coalition.
Clusters of manipulator nodes are the reason we need the stronger assumption here.

Final Result
• The 3rd Gao-Rexford constraint speaks about the strategy of each node (do not advertise a peer/provider to some other peer/provider).
• Modify the strategy to ignore routes to
• BGP` + Gao-Rexford 1,2 is also converging, and incentive compatible.
• We replace the 3rd constraint with the rationality assumption and equilibrium.

Conclusion
• A very small modification of BGP makes it incentive compatible in ex-post Nash to all kinds of manipulations.
• In fact, even without the modification, it is very hard to manipulate.
  – You have to fool TCP/IP, traceroute, have lots of knowledge about the graph and preferences.
• Manipulation by a coalition also requires Herculean efforts, and amazing coordination.

Open Questions
• Convergence -> Incentive compatibility?
• Better conditions for BGP convergence?
• Network Formation Theory to explain structure?

Thank You!
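
The Naughty Gadget from the Problem slide, run under the BGP update rule described in the BGP slides. This is an added example, not part of the original slides; the function names and activation schedules are assumptions chosen for illustration. It shows the two stable routing trees and the oscillation that appears when both nodes always update at the same time.

```python
# Added example: BGP best-response dynamics on the "Naughty Gadget".
DEST = "d"
NEIGHBOURS = {"1": ["d", "2"], "2": ["d", "1"]}
# Ranked preferences from the slide, best first: 12d > 1d and 21d > 2d.
PREFS = {"1": [("1", "2", "d"), ("1", "d")],
         "2": [("2", "1", "d"), ("2", "d")]}

def best_route(node, state):
    """Most preferred route the node can build from its neighbours' current routes."""
    offers = []
    for nb in NEIGHBOURS[node]:
        via = (DEST,) if nb == DEST else state[nb]
        if via and node not in via:        # reject paths that loop through us
            offers.append((node,) + via)
    ranked = [r for r in PREFS[node] if r in offers]
    return ranked[0] if ranked else None

def is_stable(state):
    """Converged: no node wants to change its route."""
    return all(best_route(n, state) == state[n] for n in state)

def run(schedule, max_rounds=20):
    """schedule is a list of node groups (hypothetical timing model): nodes in
    one group update simultaneously, seeing the routes held before that step."""
    state = {n: None for n in NEIGHBOURS}
    seen = set()
    for _ in range(max_rounds):
        for group in schedule:
            snapshot = dict(state)
            for n in group:
                state[n] = best_route(n, snapshot)
        if is_stable(state):
            return "stable", state
        key = tuple(sorted(state.items()))
        if key in seen:                    # same unstable state again: a cycle
            return "oscillates", state
        seen.add(key)
    return "undecided", state

if __name__ == "__main__":
    for label, sched in [("1 then 2", [["1"], ["2"]]),
                         ("2 then 1", [["2"], ["1"]]),
                         ("simultaneous", [["1", "2"]])]:
        print(label, run(sched))
```

Whichever node updates first is stuck with its direct route while the other gets its preferred one, so the timing alone picks the stable tree.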