Path-Vector Policy Systems

1
Path-Vector Policy Systems

• Vijay RamachandranOfficial Graduate Student
  TalkSeptember 30, 2003Advisor Joan Feigenbaum

2
Overview

• Routing with BGP is determined using semantically
  rich routing policies.
• Expressiveness can lead to unpredictable global
  routing anomalies.
• Design principles for policies and policy
  languages can ameliorate this problem.
• This work gives a framework for the design of
  path-vector protocols and policy languages.

3
Outline

• Motivation
• Dimensions of the Design Space
• Path-Vector Policy Systems
• Trade-offs in the Design Space
• An Application
• Open Problems

4
Dynamics of Path-Vector Routing
5
BGP Route Processing
IP Forwarding Table
Install forwarding entries for best routes
Best Route Selection
Apply Import Policies
Best Route Table
Apply Export Policies
Apply Policy filter routes tweak attributes
Apply Policy filter routes tweak attributes
Receive BGP updates
Transmit BGP updates
Based on attribute values
Storageof routes
Open-ended programming constrain
ed only by vendor configuration language
6
Consequences

• Use of hacks to encode information, e.g.,
  AS-path padding
• Complex policies usingcommunity values

7
Examples of Anomalies

• Route pinning backup routes carry traffic even
  when primary link is active
• Protocol divergenceK. Varadhan, R. Govindan, and
  D. Estrin. Persistent Route Oscillations in
  Inter-Domain Routing. Computer Networks 32,
  2000.
• Troubles from cold-potato routingD. McPherson,
  V. Gill, D. Walton, and A. Retana. BGP
  Persistent Route Oscillation Condition.
  Manuscript, 2002.Cisco Field Note. Endless BGP
  Convergence Problem in Cisco IOS Software
  Releases. October 2001.

8
The Problem

• Local configuration can coax the protocol to
  execute complex routing decisions.
• Increased incidence of routing anomaliescomes
  with richer policy expressiveness.
• Lack of design principles for policy languages

9
Outline

• Motivation
• Dimensions of the Design Space
• Path-Vector Policy Systems
• Trade-offs in the Design Space
• An Application
• Open Problems

10
Expressiveness

• Desire Maximal expressiveness without
  sacrificing other design goals
• Measure How many routing configurations can be
  expressed? Use SPP as a semantic domain.

2 3 12 3 4 12 12 5 12 3 4 5 1
3 2 5 13 4 5 13 4 13 1
2
3
Griffin, Shepherd, and Wilfong. The Stable
Paths Problem and Interdomain Routing. IEEE/ACM
TON 10(2), 2002.
1
4 5 14 3 2 5 14 3 14 1
5
4
5 15 2 1
11
Robustness

• Definition Unique solvability for any
  configuration, even after link and node failures
• Primary constraint on expressiveness

Deleting edge1, 5 results ina
configurationwith no predictable solution.
2 3 12 3 4 12 12 5 12 3 4 5 1
3 2 5 13 4 5 13 4 13 1
2
3
1
4 5 14 3 2 5 14 3 14 1
5
4
5 15 2 1
12
Other Design-Space Dimensions

• Transparency Can policy writers understand the
  effects of their policies?
• Policy Opaqueness Can routing-policy details
  remain private?
• Autonomy What degree of independence do policy
  writers have in configuration?
• Global Constraint What global conditions must be
  checked?

13
A Slice of the Design SpaceRobust and
Transparent Systems
14
Outline

• Motivation
• Dimensions of the Design Space
• Path-Vector Policy Systems
• Trade-offs in the Design Space
• An Application
• Open Problems

15
Path-Vector Policy Systems

• Formal model of path-vector routing

( PV , PL , K )
Path-Vector System The underlying
message-exchange system for route information.
What is exchanged and how?
Global Constraint What assumptions about the
network must be true to achieve robustness?
Policy Language How can policies be described?
PL acts as a local constraint on the
expressiveness of policies.
Question What role do these components play in
achieving our design goals?
16
Path-Vector-System Components (1)

• Path Descriptors The data structure for
  routesthe attributes in a route record used to
  advertise routes and calculate best routes
• Example 1 (Lowest-Cost Paths)
• Example 2 (Simplified BGP)

Destination
Path Cost
AS Path (Vector)
Destination
Local Preference
AS Path (Vector)
Next Hop
Color
17
Path-Vector-System Components (2)

• Ranking Function (?) A description of how
  attribute values influence best-route choice
• Example 1 (Lowest-Cost Paths)
• Example 2 (Simplified BGP)

?(d, c, P) cLower cost More preferred
Destination
AS Path (Vector)
Path Cost ?N
Destination
Color
Local Preference
AS Path (Vector)
Next Hop
Prefer larger local pref, then shorter path
length, then smaller next-hop value
18
Path-Vector-System Components (3)

• Local Constraints A description of legal import
  and export policies
• Example 1 (Lowest-Cost Paths)Routers can only
  increment path-cost value bya non-negative
  integer.
• Example 2 (Simplified BGP)Routers can only set
  local-preference (to any integer) and color
  values.

Destination
AS Path (Vector)
Path Cost ?N
Destination
Color
Local Preference
AS Path (Vector)
Next Hop
19
Path-Vector-System Components (4)

• Policy-Application Functions How routers should
  apply policies
• Example 1 (Lowest-Cost Paths)Apply path-cost
  increment as specified add to AS path on export
  check for loops on import.
• Example 2 (Simplified BGP)Set color as
  specified. Set AS path and hop and hide pref on
  export check for loops and set pref on import.

Destination
Path Cost ?N
AS Path (Vector)
Destination
Color
Local Preference
AS Path (Vector)
Next Hop
20
Policy Languages

• High-level language to write routing policies
• Probably involves compilation to low-level
  transformations on path descriptors
• Generated policies should satisfy path-vector
  systems local constraints

if r.color Red then r.local-pref
50 else if first(r.as-path) AS5 then
r.local-pref 25 r.color
Blue else r.local-pref 100
Example (Simplified BGP)
21
Definition of Transparency

• Policy application along an arc
• F(a, b)(X) tin(a, b, f in(a, b), tout(b, a, f
  out(b, a), X)
• can be written
• F(a, b)(X) Fin(a, b, T(Fout(b, a,
  X)))

22
Autonomy (Informal)

• General Autonomy How many ways can a node
  partition neighbors into preference classes?
• Autonomy of Neighbor Ranking Can anode always
  prefer routes through one set of neighbors over
  routes through another set of neighbors?

23
Outline

• Motivation
• Dimensions of the Design Space
• Path-Vector Policy Systems
• Trade-offs in the Design Space
• An Application
• Open Problems

24
Example 1 Properties
Destination
Path Cost ?N
AS Path (Vector)

• Shortest Paths
• Expressiveness low
• Robust yes
• Transparent yes
• Aut. Nbr. Ranking no
• Opaque no

25
Example 2 Properties
Destination
Color
Local Preference
AS Path (Vector)
Next Hop

• Simplified BGP
• Expressiveness high
• Robust no
• Transparent yes
• Aut. Nbr. Ranking yes
• Opaque yes

26
A Natural Robust Class

• Conjecture 1. No path-vector policy system can
  exactly capture all robust configurations.
• Theorem 5 6. A path-vector policy systemin
  which a paths absolute rank monotonically
  increases as it is exchanged among routersis
  robust. Example Lowest-cost paths
• (This is the broadest-known sufficient condition
  for robustness.)

27
Increasing What is Lost? (1)

• 1. Filter out routes whose absolute rank does not
  increase on import/export.
• X Transparency

u decreases local preference value for P
P.pref 75
P.pref 25
u
u
P
P
s
d
s
d
uP.pref 50vQ.pref 25
uP.pref 50vQ.pref 25
Q
Q
v
v
Q.pref 50
Q.pref 50
28
Increasing What is Lost? (2)

• 2. Have routers share all rank-determining
  attributes and constrain legal policies to those
  that increase absolute rank.
• X Autonomy and Policy Opaqueness

u decreases local preference value for P, so s
must adjust
P.pref 75
P.pref 25
u
u
P
P
s
d
s
d
uP.pref 50vQ.pref 25
uP.pref 20vQ.pref 15
Q
Q
v
v
Q.pref 50
Q.pref 50
29
Increasing What is Lost? (3)

• 3. Impose some global mechanism to check that
  paths are partially ordered with respect to the
  ranking function.
• i.e., for any configuration, check that all
  realizable path descriptors have increased
  absolute rank on import / export
• X In general, tractability of Global Constraint

30
Summary of Trade-offs

• Theorem 7. A path-vector policy
  system(without global constraint) expressive
  enough to capture all increasing configurations
  either does not support autonomy of neighbor
  ranking or is not transparent, or both.
• Theorem 8. A transparent, robust path-vector
  policy system that supports autonomy of neighbor
  ranking and is at least as expressive as shortest
  paths must have a non-trivial global constraint.

31
Outline

• Motivation
• Dimensions of the Design Space
• Path-Vector Policy Systems
• Trade-offs in the Design Space
• An Application
• Open Problems

32
Class-Based Systems (1)

• Assign each neighbor to a class
• Classes have preference and scope rules
• Prefer routes through neighbors of certain
  classes
• Conditions for sharing routes with neighbors

• Example (HBGP)
• Classes are peer, provider, and customer.
• Classes are preferred in the standard order.

33
Class-Based Systems (2)
Relative Preference If class i is to be
preferred over class j, then node v should prefer
routes from node w over those from node x.
Scope If class i routes cannot be exported to a
class-k neighbor, then node u will only learn
about the path uvxQ.
34
Class-Based Systems (3)

• Use a BGP-like path-vector system with level and
  local-preference attributes.
• Use policy languages that allow classification of
  neighbors, assignment of local preference, and
  adjustment of level.
• What global constraint is needed?
• Theorem 9. Constraint class consistency
  check that certain cycles do not existExample
  (HBGP) no customer-provider cycles

35
Outline

• Motivation
• Dimensions of the Design Space
• Path-Vector Policy Systems
• Trade-offs in the Design Space
• An Application
• Open Problems

36
Open Problems

• Conjecture 1, or necessary condition for
  robustness
• Further study of class-based systems in
  particular, tighten robustness check
• Enforcement mechanisms for global constraints
• Expressiveness of systems under
  poynomial-time-checkable global constraints
• Policy language development
• Non-deterministic systems and their dynamics
• Security issues and study of the forwarding
  plane