Interdomain Routing and Games

1
Interdomain Routing and Games

• Hagay Levin, Michael Schapira and Aviv Zohar
• The Hebrew University

2
On the Agenda

• Motivation Are Internet protocols incentive
  compatible?
• Interdomain routing path vector protocols
• Convergence issues
• BGP as a game
• Hardness of approximation of social welfare
• Incentive compatibility
• Conclusions

3
Are Current Network Protocols Incentive
Compatible?

• Protocols for the network have been dictated by
  some designer
• Okay for cooperative settings
• But what if nodes try to optimize regardless of
  harm to others?
• Example TCP congestion control
• Requires sender to transmit less when the network
  is congested
• This is not optimal for the sender (always better
  off sending more)

4
Secure Network Protocols

• A lot of effort is going into re-designing
  network protocols to be secure.
• Routing protocols are currently known to be very
  susceptible to attacks.
• Even inadvertent configuration errors of routers
  have caused global catastrophes.
• Designers are also concerned about incentive
  issues in this context.
• Our work highlights some connections between
  incentives and security of BGP.

5
Interdomain Routing

• Messages in the Internet are passed from one
  router to the other until reaching the
  destination.
• Goal of routing protocols decide how to route
  packets between nodes on the net.
• The network is partitioned into Autonomous
  Systems (ASes) each owned by an economic entity.
• Within ASes routing is cooperative
• Between ASes inherently non-cooperative
• Routing preferences are complex and uncoordinated.

Always chooseshortest paths.
Load-balance myoutgoing traffic.
Avoid routes through ATT if at all possible.
My link to UUNET is forbackup purposes only.
6
Path Vector Protocols

• The only protocol currently used to establish
  routes between ASes (interdomain routing) The
  Border Gateway Protocol (BGP).
• Performed independently for every destination
  autonomous system in the network.
• The computation by each node is an infinite
  sequence of actions

7
Example of BGP Execution
5
4
41d
41d
23d
23d
2
23d
1d
1
3d
23d
3
1d
3d
d
d
d
d
receive routes from neighbors
choosebest neighbor
send updatesto neighbors
8
Our Main Results Informally

• Theorem In reasonable economic settings, BGP
  is almost incentive-compatible (And can be
  tweaked to be incentive compatible).
• Theorem In these same settings it is also almost
  collusion proof.
• To make it fully collusion proof we need a
  somewhat stronger assumption.

9
BGP Not Guaranteed to Converge
1
2
2d
23d 2d ...
12d 1d
1d
12d
d
31d 3d
31d
3

• Other examples may fail to converge for certain
  timings and succeed for others.

10
Finding Stable States

• Previously known Its NP-Hard to determine if a
  stable state even exists. Griffin, Wilfong
• We add
• Theorem Determining the existence of a stable
  state requires exponential communication.
• In practice, BGP does converge in the Internet!
  Why?

11
The Gao-Rexford Framework An economic
explanation for network convergence.

• Neighboring pairs of ASes have one of
• a customer-provider relationship
• a peering relationship
• Restrict the possible graphs and preferences
• No customer-provider cycles (cannot be your own
  customer)
• Prefer to route through customers over peers, and
  peers over providers.
• Only provide transit services to customers.
• Guarantees convergence of BGP.

peer
providers
peer
customers
12
Dispute Wheels

• A Dispute Wheel Griffin et. al.
• A sequence of nodes ui and routes Ri, Qi.
• ui prefers RiQi1 over Qi.
• If the network has no dispute wheels, BGP will
  always converge.
• Also guarantees convergence with node link
  failures.

Gao-Rexford
No Dispute Wheel
Robust Convergence
Shortest Path
13
Modeling Path Vector Protocols as a Game

• The interaction is very complex.
• Multi-round
• Asynchronous
• Partial-information
• Network structure, schedule, other players types
  are all unknown.
• No monetary transfers!
• More realistic
• Unlike most works on incentive-compatibility in
  interdomain routing.

14
Routing as a Game

• The source-nodes are the strategic agents
• Agent i has a value vi(R) for any route R
• The game has an infinite number of rounds
• Timing decided by an entity called the scheduler
• Decides which nodes are activated in each round.
• Delays update messages along selective links.

15
Routing as a Game (2)

• A node that is activated in a certain round can
• Read update messages announcing routes.
• Send update messages announcing routes.
• Choose a neighboring node to forward traffic to.
• The gain of node i from the game is
• vi(R) if from some point on it has an unchanging
  route R.
• 0 otherwise. (can be defined as the maximal
  gained path in an oscillation as well).
• a nodes strategy is its choice of a routing
  protocol.
• Executing BGP is a strategy.

16
Approximating Social Welfare

• Theorem Getting an approximation to the optimal
  social welfare is impossible unless PNP even in
  Gao-Rexford settings.(Improvement on a bound
  achieved by Feigenbaum,Sami,Shenker)
• Theorem It requires exponential communication to
  approximate social welfare up to

17
Manipulating in The Protocol

• A node is said to deviate from BGP (or to
  manipulate BGP) if it does not follow BGP.
• We want nodes to comply with the alg. Otherwise,
  suffer a loss when they deviate
• Which forms of manipulation are available to
  nodes?
• Misreporting preferences.
• Reporting inconsistent information.
• Announcing nonexistent routes.
• Denying routes.

18
No Optimal Protocols

• Theorem Any routing protocol that
• Guarantees convergence to a solution for any
  timing with any preference profile
• Resists manipulation
• Must contain a (weak) dictator A node that
  always gets its most preferred path.
• (Simple to prove using a variant of the
  Gibbard-Satterthwaite theorem)

19

• Suppose node 1 is a weak dictator.
• If it wants some crazy path, it must get it.
• This feels like an unreasonable protocol.

5
4
3
6
2
1
7
d
20
Is BGP Incentive-Compatible?

• Theorem BGP is not incentive compatible even in
  Gao-Rexford settings.

21
Can we fix this?

• We define a property
• Route verification means that an AS can verify
  that a route is available to a neighboring AS.
• Route verification is
• Achievable via computational means (cryptographic
  signatures).
• An important part of secure BGP implementation.

22
Incentive Compatibility

• Theorem If the No Dispute Wheel condition
  holds, then BGP with route verification is
  incentive-compatible in ex-post Nash equilibrium.
• Theorem If the No Dispute Wheel condition
  holds, then BGP with route verification is
  collusion-proof in ex-post Nash equilibrium.

23
Open Questions

• Characterizing robust BGP convergence (No
  dispute wheel is sufficient but not necessary).
• Does robust BGP convergence with route
  verification imply incentive compatibility?
• Can network formation games help to explain the
  Internets commercial structure?
• Maintain incentive compatibility if the protocol
  is changed to deal with attacks and other
  security issues?
• How do congestion and load fit in?

24
Conclusions

• Our results help explain BGPs resilience to
  manipulation in practice.
• Manipulation requires extensive knowledge on
  network topology preferences of ASes.
• Faking routes requires manipulation of TCP/IP
  too.
• Manipulations by coalitions require Herculean
  efforts, and tight coordination.
• We show that proposed security improvements would
  benefit incentives in the protocol.
• Work in progress other natural asynchronous
  games.
• Best Reply Mechanisms with Noam Nisam and
  Michael Schapira