Pitch Patarasuk

1
Pitch Patarasuk

• Policy Disputes in Path-Vector Protocol
• A Safe Path Vector Protocol
• The Stable Paths Problem and Interdomain routing

2
Safety in BGP

• BGP is the only interdomain routing protocol in
  the internet
• A routing protocol is safe when it is guaranteed
  to converge
• RIP and OSPF protocols are safe
• Use shortest-path algorithm
• BGP is not safe

3
Safety in BGP (Cont.)

• BGP does not use pure shortest-path algorithm
• BGP allow policy concerns to override distance
  metric
• Each AS decides its own policy with little
  knowledge of of other ASs policies

4
How to make BGP safe?

• Policy
• Static
• ASs do not share their policies
• The problem is NP-complete
• Heuristic
• Dynamic
• Paths that are potentially create problem will be
  deleted

5
Outline

• SPP (stable path problem)
• SPVP (simple path vector protocol)
• SPVP1
• SPVP2
• SPVP3
• Dispute Digraph
• Dispute Wheel

6
Stable Path Problem (SPP)

• Simplify BGP solvability problem to a problem of
  whether every node has a stable route to one
  destination node
• Destination node node 0
• ?(x) path assignment from node x to node 0
• ? path assignment of every node to node 0
• ? (?(1), ?(2), ?(3), .)
• When ? does not change
• Stable state
• Converge
• ? is the solution to this problem
• ? is a stable path assignment of this problem

7
Stable Path Problem (Cont.)

• When ? keep changing
• Diverge
• NOTE
• Even if there is a solution, the problem can
  still be diverge (cannot find a solution)
• Even if a problem converge, some nodes may not
  have a route to node 0
• ? (10, ?, 310, 40)

8
SPP permitted path

• permitted path(1) ( 1 0, 1 3 0)
• permitted path(2) ( 2 0, 2 1 0)
• permitted path(3) (3 0)
• permitted path(4) (4 3 0, 4 2 0)

9
SPP path rank
10
SPP path assignment

• ? ( 1 3 0, 2 0, 3 0, 4 3 0)
• ?1 1 3 0
• ?2 2 0
• ?3 3 0
• ?4 4 3 0

11
How to check whether a path assignment is stable?
? (10, 20, 30, 430) ? (130, 20, 30, 430) ?
(10, 210, 30, 430) ? (130, 210, 30, 430)
? (10, 20, 30, 420) ? (130, 20, 30, 420) ?
(10, 210, 30, 420) ? (130, 210, 30, 420)
12
How to check whether a path assignment is stable?
(Cont.)

• ? (10, 20, 30, 430)
• ? (130, 20, 30, 430)
• ? (10, 210, 30, 430)
• (130, 210, 30, 430)
• ? (10, 20, 30, 420)
• ? (130, 20, 30, 420)
• ? (10, 210, 30, 420)
• ? (130, 210, 30, 420)

• Node i is stable if rank (i,j)P(j) lt rank P(i)
  whenever (i,j)P(j) is a permitted path at i
• note that (2 1)(1 0) (2 1 0)

13
How to check whether a path assignment is stable?
(Cont.)

• Choice(? , u) is a union of
• (u 0) if u is connected to 0 and (u 0) is a
  permitted path at u
• (u v) ?(v) when u is connected to v and (u v)
  ?(v) is a permitted path at u

let ? (1 0, 2 0, 3 0, 4 3 0) Choices(? ,1) (1
0, 1 3 0) Choices(? , 2) (2 0, 2 10) Choices(?
, 3) (3 0) Choices(? , 4) (4 3 0, 4 2 0)
14
How to check whether a path assignment is stable?
(Cont.)

• Let W is a subset of permitted path at u,
• Best(W, u) P ? W with a maximum ranking
• The path assignment at node u, ?(u), is stable if
  ?(u) best(choices(?, u), u)
• The path assignment ? is stable if ?(u) is stable
  at every node u.

15
Example Good Gadget

• There is only one solution (stable path
  assignment) for this problem
• ? ( 1 3 0, 2 0, 3 0, 4 3 0)

16
Example Good Gadget (Cont.)
? ( 1 3 0, 2 0, 3 0, 4 3 0)

• Choices(?, 1) (1 0, 1 3 0)
• Best (Choices(?, 1), 1) 1 3 0 ?(1) gt stable
• Choices(?, 2) (2 0)
• Best (Choices(?, 2), 2) 2 0 ?(2) gt stable
• Choices(?, 3) (3 0)
• Best (Choices(?, 3), 3) 3 0 ?(3) gt stable
• Choices(?, 4) (4 3 0, 4 2 0)
• Best (Choices(?, 4), 4) 4 3 0 ?(4) gt stable
• ? ( 1 3 0, 2 0, 3 0, 4 3 0) is stable

17
Unstable path assignment example 1
Stable ? ( 1 3 0, 2 0, 3 0, 4 3 0)
Unstable ? ( 1 0, 2 1 0, 3 0, 4 3 0)

• Choices(?, 1) (1 0, 1 3 0)
• Best (Choices(?, 1), 1) 1 3 0 ! ?(1) gt
  unstable
• Choices(?, 2) (2 0, 2 1 0)
• Best (Choices(?, 2), 2) 2 1 0 ! ?(2) gt
  unstable
• ?(3), ?(4) are stable
• ? ( 1 0, 2 1 0, 3 0, 4 3 0) are not stable

18
Simple path vector protocol (SPVP)

• SPVP1
• Basic
• Not safe
• SPVP2
• Contains path history
• Can detect protocol oscillation due to policy
  conflict
• Still not safe
• SPVP3
• Extends SPVP2 to make it safe by suppressing
  paths that can make the protocol diverge

19
SPVP1

• Let rib(u) ? (u) for each node u
• Each node u send rib(u) to its neighbor
• When each node receives rib(w) from its neighbor
  w, called rib-in(ultw), it computes best(u)
• If best(u) ! rib(u), it replace rib(u) with
  best(u), and sends new rib(u) to all its neighbor
• When no node sends new rib(u) to its neighbor,
  the protocol is in a stable state, the problem is
  converge
• If there will never be a stable state, the
  problem is diverge

20
Algorithm for SPVP1

• Rib(u) path from u to node 0
• Rib-in(u lt w) rib(w) received from the
  neighbor w
• Best(u) computed new path from u to 0 from all
  Rib-ins(u ltw)

21
Example Good Gadget

• ? (130, 210, 30, 430)
• ? (130, 20, 30, 430)
• ? (130, 20, 30, 420)
• ? is stable gt problem is converge

22
Example2 Bad Gadget (no solution)
Step 0 and 9 are the same one round of
oscillation
23
Example3 Naughty Gadget

• Has a solution
• (130,20,30,420)
• Diverge
• Cannot go to (130,20,30,420) state with SPVP
  protocol

24
Protocol Oscillation

• Assume node u abandons path p1 and adopts path
  p2, we say that
• Node u went down from p1 if p2 has lower rank
  than p1
• Node u went up to p2 if p2 has higher rank than
  p1
• Look at node 2 from step 6 backward
• node 2 adopts (2 0) because it went down from (2
  1 0) because node 1 went up to (1 3 0) because
  node 3 went down from (3 4 2 0) because node 4
  went down from (4 2 0) because node 2 went up to
  (2 1 0)
• there is a cycle between went up and down
  to/from path 210

25
SPVP2

• Each node has path history
• Each node send path history to its neighbor
• Policy based oscillation can be detected
• But do nothing gt still not safe
• The sentence node 2 adopts (2 0) because it went
  down from (2 1 0) because node 1 went up to (1 3
  0) because node 3 went down from (3 4 2 0)
  because node 4 went down from (4 2 0) because
  node 2 went up to (2 1 0) can be translated to
• (- 2 1 0) ( 1 3 0) (- 3 4 20) (- 4 2 0) ( 2 1 0)

26
SPVP2 Example bad gadget
27
SPVP2 Example bad gadget (Cont.)
28
SPVP2 algorithm
29
SPVP3 A safe path vector protocol

• B(u) bad paths at node u
• Choices(u) now exclude every path in B(u)

• In step 6, node 2 has a cycle in its history of
  path (2 0), it add path (2 0) to B(2) and adopts
  empty path
• The solution of this problem is ( 1 3 0, ?, 3 0,
  4 3 0)
• The protocol converge, there is no oscillation,
  but node 2 cannot get to node 0

30
Dispute Digraph

• There are 2 types of arc in dispute digraph
• Transmission arc
• Dispute arcs

31
Transmission arc

• P gt (u v)P when
• u and v are peers
• P is permitted at v
• (u v)P is permitted at u

• (1 0) gt (2 1 0)
• (2 0) gt (4 2 0)
• (3 0) gt (1 3 0)
• (3 0) gt (4 3 0)
• (4 2 0) gt (3 4 2 0)

node 1 adopts path (10) which allow node 2 to
permit path (2 1 0)
32
Dispute arc

• Q gt (u v)P when
• (u v)P is a permitted path at u
• Q and P are permitted path at v
• Path (u v)Q is not permitted at u, or path Q has
  lower rank than P at node u
• Path Q has higher rank than P at node v

• Node v could increase the rank of its best path
  by abandon path P and adopt path Q, however, this
  will force node u to abandon path (u v)P

33
Dispute arc

• (1 3 0) gt (2 1 0)
• (2 1 0) gt (4 2 0)
• (3 4 2 0) gt (1 3 0)
• (3 4 2 0) gt (4 3 0)
• (4 3 0) gt (3 4 2 0)

34
Dispute digraph good gadget

• Acyclic (no loop)
• Converge, unique solution, safe, robust

35
Dispute digraph naughty gadget

• 2 loops
• (430gt3420gt430)
• (3420gt130gt210gt420gt3420)

36
Dispute digraph bad gadget

• 1 loop
• (3420gt130gt210gt420gt3420)

37
Loops in dispute digraph

• Acyclic (no loop)
• good
• Contains loops (dispute cycles)
• Potentially bad

38
Dispute Wheel

• An alternative representation structure of a
  dispute cycle
• A specification S has a dispute wheel if and only
  if the dispute digraph DD(S) contains a cycle
• Dispute cycles are built from local relationships
  between peers
• Dispute wheels are based on long-distance
  relationships

39
Dispute Wheel (Cont.)

• A dispute wheel of size k is
• A sequence of nodes U U0Uk-1
• A sequence of paths Q Q0.Qk-1
• A sequence of paths R R0.Rk-1
• Such that for each 0 lt i lt k-1
• Ri is a path from ui to ui1
• Qi is a permitted path at Ui
• RiQi1 is a permitted path at Ui
• Rank Qi lt RiQi1 at Ui

40
Dispute wheel of size 3 bad gadget
At U0 rank (Q0 10) lt (R0Q1 1330 130) At
U1 rank (Q1 30) lt (R1Q2 34220 3420) At
U2 rank (Q2 20) lt (R2Q3 2110 210)
41
Properties of dispute wheel

• No dispute wheel implies solvability
• No dispute wheel implies a unique solution
• No dispute wheel implies safety
• No dispute wheel implies robustness
• No dispute wheel no dispute cycle in
  DD(S)

42
Two trees imply a dispute wheel
120 10
210 20
Disagree
solutions

• Disagree
• Has 2 solutions (2 trees)
• Contains a dispute wheel

43
Disagree problem
May or may not converge
44
An algorithm to find a stable path assignment

• Start from a problem of size 0, then 1, 2
  ,.,k-1, where k is a number of nodes
• Grow an assignment in a greedy manner
• ?i is a stable path assignment of size i
• Vi ? V where every node in ?(u) is in Vi, 0 ? Vi
• ? (130, 210, 30, 430), ?(0)0
• V1 0,3
• u ? V-V1 1,2,4

45

• Direct path to V1
• Node 1 130
• Node 2 20
• Node 4 430
• ?2 (130,20,30,430)
• V2 0,3,1
• V3 0,3,1,2
• V4 0,3,1,2,4
• ? (130,20,30,430)

• If this algorithm cannot find a solution, there
  must exists a dispute wheel

46
Stable path problem VS Shortest path problem

• Routing protocol based on shortest path is always
  safe
• Routing protocol can be safe even if it does not
  use the shortest path
• BGP Good gadget

47
Routing protocol based on cost function

• Not all path are permitted
• May not be safe
• Safe if there is no negative cost cycle

Naughty gadget (unsafe)

• A cycle 1342 has a negative cost of -16

48
Routing protocol based on cost function (Cont.)

• The protocol can also be safe even if there
  exists a negative cost cycle

ABC lt 0 no dispute cycle ? safe

49
Assumptions in these works

• Ignore all issues relating to internal BGP
• There is at most one link between any two ASs
• Ignore address aggregation

50
Conclusions

• Shortest path is safe, BGP is not
• There are 3 ways to make routing protocol safe
• Policy
• Static
• Dynamic
• Static
• Dispute digraph
• Dispute cycle
• Dispute wheel
• No dispute wheel no dispute cycle
• No dispute wheel safe, robust

51
Conclusions (Cont.)

• Dynamic
• SPP (simple path problem)
• simplify the problem
• route to one destination
• SPVP (simple path vector protocol)
• SPVP1 Like what is used in BGP, unsafe
• SPVP2 Can detect oscillation caused by policy
  conflict
• SPVP3 Get rid of bad path ? safe , however, some
  nodes may not have a route to a destination
• Routing based on cost function without a negative
  cost cycle is safe

52
Questions?