An online distributed algorithm for inferring policy routing configurations

We present an online distributed algorithm, the Causation Logging Algorithm (CLA), in which Autonomous Systems (ASes) in the Internet individually report route oscillations/flaps they experience to a central Internet Routing Registry (IRR). The IRR aggregates these reports and may observe what we call causation chains where each node on the chain caused a route flap at the next node along the chain. A chain may also have a causation cycle. The type of an observed causation chain/cycle allows the IRR to infer the underlying policy routing configuration (i.e. the system of economic relationships and constraints on route/path preferences). Our algorithm is based on a formal policy routing model that captures the propagation dynamics of route flaps under arbitrary changes in topology or path preferences. We derive invariant properties of causation chains/cycles for ASes which conform to economic relationships based on the popular Gao-Rexford model. The Gao-Rexford model is known to be safe in the sense that the system always converges to a stable set of paths under static conditions. Our CLA algorithm recovers the type/property of an observed causation chain of an underlying system and determines whether it conforms to the safe economic Gao-Rexford model. Causes for nonconformity can be diagnosed by comparing the properties of the causation chains with those predicted from different variants of the Gao-Rexford model

A randomized solution to BGP divergence

The Border Gateway Protocol (BGP) is an interdomain routing protocol that allows each Autonomous System (AS) to define its own routing policies independently and use them to select the best routes. By means of policies, ASes are able to prevent some traffic from accessing their resources, or direct their traffic to a preferred route. However, this flexibility comes at the expense of a possibility of divergence behavior because of mutually conflicting policies. Since BGP is not guaranteed to converge even in the absence of network topology changes, it is not safe. In this paper, we propose a randomized approach to providing safety in BGP. The proposed algorithm dynamically detects policy conflicts, and tries to eliminate the conflict by changing the local preference of the paths involved. Both the detection and elimination of policy conflicts are performed locally, i.e. by using only local information. Randomization is introduced to prevent synchronous updates of the local preferences of the paths involved in the same conflict.National Science Foundation (ANI-0095988, EIA-0202067, ITR ANI-0205294); Sprint Labs; Motorola Lab

The Strategic Justification for BGP

The Internet consists of many administrative domains, or \emph{Autonomous Systems} (ASes), each owned by an economic entity (Microsoft, AT\&T, The Hebrew University, etc.). The task of ensuring interconnectivity between ASes, known as \emph{interdomain routing}, is currently handled by the \emph{Border Gateway Protocol} (BGP). ASes are self-interested and might be willing to manipulate BGP for their benefit. In this paper we present the strategic justification for using BGP for interdomain routing in today's Internet: We show that, in the realistic Gao-Rexford setting, BGP is immune to almost all forms of rational manipulation by ASes, and can easily be made immune to all such manipulations. The Gao-Rexford setting is said to accurately depict the current commercial relations between ASes in the Internet. Formally, we prove that a slight modification of BGP is incentive-compatible in \emph{ex-post Nash equilibrium}. Moreover, we show that, if a certain reasonable condition holds, then this slightly modified BGP is also \emph{collusion-proof} in ex-post Nash -- i.e., immune to rational manipulations even by \emph{coalitions} of \emph{any} size. Unlike previous works on achieving incentive-compatibility in interdomain routing, our results \emph{do not require any monetary transfer between ASes} (as is the case in practice). We also strengthen the Gao-Rexford constraints by proving that one of the three constraints can actually be enforced by the rationality of ASes if the two other constraints hold.Networks; Ex post Nash; Routing; rational manipulation; Border Gateway Protocol; Dispute Wheel

An Adaptive Policy Management Approach to BGP Convergence

The Border Gateway Protocol (BGP) is the current inter-domain routing protocol used to exchange reachability information between Autonomous Systems (ASes) in the Internet. BGP supports policy-based routing which allows each AS to independently adopt a set of local policies that specify which routes it accepts and advertises from/to other networks, as well as which route it prefers when more than one route becomes available. However, independently chosen local policies may cause global conflicts, which result in protocol divergence. In this paper, we propose a new algorithm, called Adaptive Policy Management Scheme (APMS), to resolve policy conflicts in a distributed manner. Akin to distributed feedback control systems, each AS independently classifies the state of the network as either conflict-free or potentially-conflicting by observing its local history only (namely, route flaps). Based on the degree of measured conflicts (policy conflict-avoidance vs. -control mode), each AS dynamically adjusts its own path preferences—increasing its preference for observably stable paths over flapping paths. APMS also includes a mechanism to distinguish route flaps due to topology changes, so as not to confuse them with those due to policy conflicts. A correctness and convergence analysis of APMS based on the substability property of chosen paths is presented. Implementation in the SSF network simulator is performed, and simulation results for different performance metrics are presented. The metrics capture the dynamic performance (in terms of instantaneous throughput, delay, routing load, etc.) of APMS and other competing solutions, thus exposing the often neglected aspects of performance.National Science Foundation (ANI-0095988, EIA-0202067, ITR ANI-0205294

Safe Inter-domain Routing under Diverse Commercial Agreements

Commercial agreements drive the routing policies used in today\u27s Internet. The two most extensively studied commercial agreements are transit and peering; however, they are only two of many diverse and continuously evolving commercial agreements that ISPs enter into. So far, the only known practical safe and robust routing policy is Gao and Rexford\u27s policy guideline, which is applicable to transit and peering agreements only. It is, therefore, of importance to identify routing policies that are safe and robust and at the same time capable of accommodating the diverse commercial agreements existing in the Internet. In particular, this paper investigates the extent to which routing policies can be devised to accommodate complex mutual transit agreements. We propose a series of policy guidelines that allow mutual transit agreements with progressively broader semantics to be established. Those policy guidelines guarantee routing safety and robustness as long as the AS graph satisfies a corresponding set of precise topological constraints. An experimental evaluation of the proposed policy guidelines demonstrates the benefits they would likely afford in terms of routing reliability, if adopted in the current Internet

Interdomain routing and games

We present a game-theoretic model that captures many of the intricacies of \emph{interdomain routing} in today's Internet. In this model, the strategic agents are source nodes located on a network, who aim to send traffic to a unique destination node. The interaction between the agents is dynamic and complex -- asynchronous, sequential, and based on partial information. Best-reply dynamics in this model capture crucial aspects of the only interdomain routing protocol de facto, namely the Border Gateway Protocol (BGP). We study complexity and incentive-related issues in this model. Our main results are showing that in realistic and well-studied settings, BGP is incentive-compatible. I.e., not only does myopic behaviour of all players \emph{converge} to a ``stable'' routing outcome, but no player has motivation to unilaterally deviate from the protocol. Moreover, we show that even \emph{coalitions} of players of \emph{any} size cannot improve their routing outcomes by collaborating. Unlike the vast majority of works in mechanism design, our results do not require any monetary transfers (to or by the agents).Interdomain Routing; Network Games; BGP protocol;

Preventing Attacks on BGP Policies: One Bit is Enough

The Internet is comprised of many autonomous systems (AS) managed by independent entities that use the Border Gateway Protocol (BGP) to route their traffic. Although it is the de facto standard for establishing paths across the Internet, BGP is not a secure protocol and the Internet infrastructure often experiences attacks, such as prefix hijacking and attribute mangling, incurring great costs to ASes that experience them. Various solutions have been proposed in response to these attacks, such as Secure BGP, but they do not address traffic attraction attacks that stem from export policy violations. In these attacks, malicious ASes can introduce paths that are legitimate from the protocol standpoint and yet malicious to the users of that protocol. Although these attacks have been studied before, no solution has yet been proposed. In this paper, we thoroughly characterize this set of attacks and propose a very lightweight and effective scheme to address them. Our scheme requires no manual configuration. We show that even if only a small fraction of ASes deploy our scheme, the amount of possible attacks reduces by on order of magnitude