Inherently Safe Backup Routing with BGP

1
Inherently Safe Backup Routing with BGP

• Lixin Gao (U. Mass Amherst)
• Timothy Griffin (ATT Research)
• Jennifer Rexford (ATT Research)

2
The Problem

• Properties of BGP routing in the Internet
• Connected graph does not imply hosts can
  communicate
• Conflicting BGP policies can cause routing
  divergence

?
destination
source
?
3
Conflicting Solutions

• Avoiding route divergence
• BGP policies based on commercial relationships
• Customer-provider and peer-peer relationships
• Prevents route divergence (SIGMETRICS00)
• Improving reachability
• Introducing additional paths for use under
  failure
• Homing to multiple service providers (common
  practice)
• Backup peering relationships (discussed in RFC
  1998)
• Tension
• Backup paths necessary to improve reachability
• Backup paths may introduce route divergence

4
Outline

• Background
• Border Gateway Protocol (BGP)
• BGP route divergence example
• Commercial relationships between ASes
• Backup routing
• Multi-homed backup and peer-peer backup
• Assigning an avoidance level to routes
• Local guidelines for ranking routes
• Conclusion

5
Interdomain Routing (Between ASes)

• ASes exchange info about who they can reach
• Local policies for path selection (which to use?)
  
• Local policies for route propagation (who to
  tell?)
• Policies configured by the ASs network operator

I can reach 12.34.158.0/24 via AS 1
I can reach 12.34.158.0/24
1
2
3
12.34.158.5
Client (12.34.158.5)
6
Border Gateway Protocol

• Exchanging route advertisements
• Pair of routers speak BGP over a TCP connection
• Advertise best route for a prefix to neighboring
  ASes
• Withdraw a route when it is no longer available
• Processing route advertisements
• Import policies (manipulate incoming
  advertisements)
• Decision process (select best route to given
  prefix)
• Export policies (manipulate outgoing
  advertisement)
• No guarantee of convergence or reachability

7
Route Divergence Bad Gadget (SIGCOMM99)
(1 3 0) (1 0)
ASes 1, 2, and 3 prefer the route via the
clockwise neighbor over direct route
1
AS 1 wants to change to (1 3 0)
(0)
0
d
(2 1 0) (2 0)
(3 2 0) (3 0)
2
3
Do route divergence problems actually happen in
practice?
8
Customer-Provider Relationship

• Customer pays provider for access to the Internet
• AS exports customers routes to all neighbors
• AS exports providers routes only to its customers

Traffic to the customer
Traffic from the customer
d
provider
advertisements
provider
traffic
customer
d
customer
9
Peer-Peer Relationship

• Peers exchange traffic between their customers
• Free of charge (assumption of even traffic load)
• AS exports a peers routes only to its customers

Traffic to/from the peer and its customers
advertisements
peer
peer
traffic
d
10
Avoiding Route Divergence (SIGMETRICS00)

• Export policies based on commercial relationships
• Peer routes are not exported to other
  peers/providers
• Provider routes are not exported to other
  peers/providers
• Import policies based on commercial relationship
• Prefer customer routes over peer/provider routes
• Hierarchical customer-provider relationships
• If u is a customer of v and v is a customer of w
• then, w is not a customer of u
• Then, route divergence is provably not a problem

11
Multi-Homed Backup

• Allow an AS to have a backup provider
• Assign lowest preference for backup route
• Backup route selected when primary fails

failure
12
Peer-Peer Backup

• Allow two ASes to provide backup service
• Liberal export policies for backup relationship
• Assign lowest preference to backup routes

provider
backup path violates normal export rules
backup path
failure
peer
13
Backup Paths Have Global Significance

• Once a backup path, always a backup path
• If P at AS v is a backup path, so is (u v)P at AS
  u

u
v
failure
(u v)P
P
peer
14
Avoidance Levels

• Each path has avoidance level (e.g., integer
  weight)
• Avoidance level cannot decrease as it is
  advertised
• Avoidance level K(P) cannot exceed K((u v)P)

u
primary provider
backup provider
(u v)P
v
failure
P
15
Mandatory Increase in Avoidance Level (Steps)
v
w
P
(w u v)P
(w u v)P
u
v
w
u
P
(w u v)P
u
v
w
P
K((w u v)P) must be greater than K((u v)P)
16
Ranking Between Paths

• Lower ranking for backup paths
• Prefer primary paths over backup paths
• Prefer path P with a smaller avoidance level K(P)
• Higher ranking for customer routes
• Ranking between paths with same avoidance level
• Prefer path via customer over path via peer or
  provider
• Inherent safety
• Guaranteed to prevent route divergence (proof in
  paper)
• Result holds under any failures and policy
  changes

17
Conclusions

• Realization in BGP
• New BGP attribute and change in decision process,
  or
• Community attribute to convey avoidance level
  (and configuration rules for assigning local
  preference)
• Properties of our solution
• Backup paths available under link and router
  failure
• Guaranteed safety under all failure scenarios
• Local configuration of BGP policies in each AS
• Policies consistent with AS commercial
  relationships