Title: Interdomain Routing and Games
1. Interdomain Routing and Games
- Hagay Levin, Michael Schapira and Aviv Zohar
- The Hebrew University
2. On the Agenda
- Motivation: Are Internet protocols incentive compatible?
- Interdomain routing: path vector protocols
- Convergence issues
- BGP as a game
- Hardness of approximation of social welfare
- Incentive compatibility
- Conclusions
3. Are Current Network Protocols Incentive Compatible?
- Protocols for the network have been dictated by some designer
- Okay for cooperative settings
- But what if nodes try to optimize regardless of harm to others?
- Example: TCP congestion control
- Requires sender to transmit less when the network is congested
- This is not optimal for the sender (always better off sending more)
4. Secure Network Protocols
- A lot of effort is going into re-designing network protocols to be secure.
- Routing protocols are currently known to be very susceptible to attacks.
- Even inadvertent configuration errors of routers have caused global catastrophes.
- Designers are also concerned about incentive issues in this context.
- Our work highlights some connections between incentives and security of BGP.
5. Interdomain Routing
- Messages in the Internet are passed from one router to the other until reaching the destination.
- Goal of routing protocols: decide how to route packets between nodes on the net.
- The network is partitioned into Autonomous Systems (ASes), each owned by an economic entity.
- Within ASes: routing is cooperative
- Between ASes: inherently non-cooperative
- Routing preferences are complex and uncoordinated.
[Figure: ASes stating their routing policies: "Always choose shortest paths."; "Load-balance my outgoing traffic."; "Avoid routes through AT&T if at all possible."; "My link to UUNET is for backup purposes only."]
6. Path Vector Protocols
- The only protocol currently used to establish routes between ASes (interdomain routing): the Border Gateway Protocol (BGP).
- Performed independently for every destination autonomous system in the network.
- The computation by each node is an infinite sequence of actions
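7. Example of BGP Execution
[Figure: BGP execution on an example network with nodes 1-5 and destination d; nodes announce routes such as 1d, 3d, 23d and 41d to their neighbors. Each node repeats three actions: receive routes from neighbors, choose best neighbor, send updates to neighbors.]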
8. Our Main Results, Informally
- Theorem: In reasonable economic settings, BGP is almost incentive-compatible (and can be tweaked to be incentive compatible).
- Theorem: In these same settings it is also almost collusion proof.
- To make it fully collusion proof we need a somewhat stronger assumption.
9. BGP Not Guaranteed to Converge
[Figure: nodes 1, 2, 3 and destination d, with route lists: node 1: 12d, 1d; node 2: 23d, 2d, ...; node 3: 31d, 3d.]
- Other examples may fail to converge for certain timings and succeed for others.
10. Finding Stable States
- Previously known: It's NP-hard to determine if a stable state even exists. [Griffin, Wilfong]
- We add:
- Theorem: Determining the existence of a stable state requires exponential communication.
- In practice, BGP does converge in the Internet! Why?
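An added example (not from the original slides) that runs best-reply dynamics on the three-node instance of slide 9 and brute-forces its stable states. The preference lists are read off that slide's figure labels (12d over 1d, 23d over 2d, 31d over 3d); the periodic scheduler and instant delivery of updates are assumptions of this sketch.

```python
from itertools import product

# Ranked permitted routes per node, most preferred first; every route ends at "d".
# Read off slide 9's figure labels (an assumption of this example).
SLIDE9 = {
    1: [(1, 2, "d"), (1, "d")],
    2: [(2, 3, "d"), (2, "d")],
    3: [(3, 1, "d"), (3, "d")],
}
# Same topology, but each node ranks its direct (shortest) route first.
SHORTEST = {n: list(reversed(routes)) for n, routes in SLIDE9.items()}

def best_reply(node, prefs, state):
    """Most preferred route whose next hop currently uses the matching suffix."""
    for route in prefs[node]:
        if route[1] == "d" or state.get(route[1]) == route[1:]:
            return route
    return None

def is_stable(prefs, state):
    return all(best_reply(n, prefs, state) == state[n] for n in prefs)

def stable_states(prefs):
    """Brute force: every assignment in which each node already plays its best reply."""
    nodes = sorted(prefs)
    found = []
    for combo in product(*(prefs[n] + [None] for n in nodes)):
        state = dict(zip(nodes, combo))
        if is_stable(prefs, state):
            found.append(state)
    return found

def run(prefs, schedule, max_steps=60):
    """Activate one node per step following a periodic schedule (hypothetical scheduler)."""
    state = {n: None for n in prefs}
    seen = set()
    for step in range(max_steps):
        pos = step % len(schedule)
        node = schedule[pos]
        state[node] = best_reply(node, prefs, state)
        if is_stable(prefs, state):
            return "converged", dict(state)
        key = (pos, tuple(sorted(state.items())))
        if key in seen:  # same schedule position and same state: the run cycles forever
            return "oscillates", dict(state)
        seen.add(key)
    return "undecided", dict(state)

if __name__ == "__main__":
    for name, prefs in (("slide 9 instance", SLIDE9), ("shortest path", SHORTEST)):
        print(name, run(prefs, [1, 2, 3])[0], "stable states:", len(stable_states(prefs)))
```

The brute-force search is exponential in the number of nodes, which is fine for three nodes and consistent with the hardness results stated on slide 10.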
11. The Gao-Rexford Framework: An economic explanation for network convergence.
- Neighboring pairs of ASes have one of:
- a customer-provider relationship
- a peering relationship
- Restrict the possible graphs and preferences:
- No customer-provider cycles (cannot be your own customer)
- Prefer to route through customers over peers, and peers over providers.
- Only provide transit services to customers.
- Guarantees convergence of BGP.
[Figure: an AS and its neighbors, labeled providers, peers and customers.]
12. Dispute Wheels
- A Dispute Wheel [Griffin et al.]
- A sequence of nodes u_i and routes R_i, Q_i.
- u_i prefers R_i Q_{i+1} over Q_i.
- If the network has no dispute wheels, BGP will always converge.
- Also guarantees convergence with node and link failures.
[Figure: the conditions Shortest Path, Gao-Rexford, No Dispute Wheel and Robust Convergence.]
13. Modeling Path Vector Protocols as a Game
- The interaction is very complex.
- Multi-round
- Asynchronous
- Partial-information
- Network structure, schedule, other players' types are all unknown.
- No monetary transfers!
- More realistic
- Unlike most works on incentive-compatibility in interdomain routing.
14. Routing as a Game
- The source-nodes are the strategic agents
- Agent i has a value v_i(R) for any route R
- The game has an infinite number of rounds
- Timing decided by an entity called the scheduler
- Decides which nodes are activated in each round.
- Delays update messages along selective links.
15. Routing as a Game (2)
- A node that is activated in a certain round can:
- Read update messages announcing routes.
- Send update messages announcing routes.
- Choose a neighboring node to forward traffic to.
- The gain of node i from the game is:
- v_i(R) if from some point on it has an unchanging route R.
- 0 otherwise. (Can be defined as the maximal gained path in an oscillation as well.)
- A node's strategy is its choice of a routing protocol.
- Executing BGP is a strategy.
16. Approximating Social Welfare
- Theorem: Getting an approximation to the optimal social welfare is impossible unless P = NP, even in Gao-Rexford settings. (Improvement on a bound achieved by Feigenbaum, Sami, Shenker)
- Theorem: It requires exponential communication to approximate social welfare up to
17. Manipulating in the Protocol
- A node is said to deviate from BGP (or to manipulate BGP) if it does not follow BGP.
- We want nodes to comply with the algorithm, or otherwise suffer a loss when they deviate.
- Which forms of manipulation are available to nodes?
- Misreporting preferences.
- Reporting inconsistent information.
- Announcing nonexistent routes.
- Denying routes.
18. No Optimal Protocols
- Theorem: Any routing protocol that
- Guarantees convergence to a solution for any timing with any preference profile
- Resists manipulation
- Must contain a (weak) dictator: a node that always gets its most preferred path.
- (Simple to prove using a variant of the Gibbard-Satterthwaite theorem)
19.
- Suppose node 1 is a weak dictator.
- If it wants some crazy path, it must get it.
- This feels like an unreasonable protocol.
[Figure: network with nodes 1-7 and destination d.]
20. Is BGP Incentive-Compatible?
- Theorem: BGP is not incentive compatible even in Gao-Rexford settings.
21. Can we fix this?
- We define a property:
- Route verification means that an AS can verify that a route is available to a neighboring AS.
- Route verification is:
- Achievable via computational means (cryptographic signatures).
- An important part of secure BGP implementation.
22. Incentive Compatibility
- Theorem: If the No Dispute Wheel condition holds, then BGP with route verification is incentive-compatible in ex-post Nash equilibrium.
- Theorem: If the No Dispute Wheel condition holds, then BGP with route verification is collusion-proof in ex-post Nash equilibrium.
23. Open Questions
- Characterizing robust BGP convergence (No dispute wheel is sufficient but not necessary).
- Does robust BGP convergence with route verification imply incentive compatibility?
- Can network formation games help to explain the Internet's commercial structure?
- Maintain incentive compatibility if the protocol is changed to deal with attacks and other security issues?
- How do congestion and load fit in?
24. Conclusions
- Our results help explain BGP's resilience to manipulation in practice.
- Manipulation requires extensive knowledge on network topology and preferences of ASes.
- Faking routes requires manipulation of TCP/IP too.
- Manipulations by coalitions require Herculean efforts, and tight coordination.
- We show that proposed security improvements would benefit incentives in the protocol.
- Work in progress: other natural asynchronous games.
- Best Reply Mechanisms, with Noam Nisan and Michael Schapira