The Scope of the IBGP Routing Anomaly Problem

Correctness problems in the iBGP routing, the de-facto standard to spread global routing information in Autonomous Systems, are a well-known issue. Configurations may route cost-suboptimal, inconsistent, or even behave non-convergent and -deterministic. However, even if a lot of studies have shown many exemplary problematic configurations, the exact scope of the problem is largely unknown: Up to now, it is not clear which problems may appear under which iBGP architectures. The exact scope of the iBGP correctness problem is of high theoretical and practical interest. Knowledge on the resistance of specific architecture schemes against certain anomaly classes and the reasons may help to improve other iBGP schemes. Knowledge on the specific problems of the different schemes helps to identify the right scheme for an AS and develop workarounds

The Strategic Justification for BGP

The Internet consists of many administrative domains, or \emph{Autonomous Systems} (ASes), each owned by an economic entity (Microsoft, AT\&T, The Hebrew University, etc.). The task of ensuring interconnectivity between ASes, known as \emph{interdomain routing}, is currently handled by the \emph{Border Gateway Protocol} (BGP). ASes are self-interested and might be willing to manipulate BGP for their benefit. In this paper we present the strategic justification for using BGP for interdomain routing in today's Internet: We show that, in the realistic Gao-Rexford setting, BGP is immune to almost all forms of rational manipulation by ASes, and can easily be made immune to all such manipulations. The Gao-Rexford setting is said to accurately depict the current commercial relations between ASes in the Internet. Formally, we prove that a slight modification of BGP is incentive-compatible in \emph{ex-post Nash equilibrium}. Moreover, we show that, if a certain reasonable condition holds, then this slightly modified BGP is also \emph{collusion-proof} in ex-post Nash -- i.e., immune to rational manipulations even by \emph{coalitions} of \emph{any} size. Unlike previous works on achieving incentive-compatibility in interdomain routing, our results \emph{do not require any monetary transfer between ASes} (as is the case in practice). We also strengthen the Gao-Rexford constraints by proving that one of the three constraints can actually be enforced by the rationality of ASes if the two other constraints hold.Networks; Ex post Nash; Routing; rational manipulation; Border Gateway Protocol; Dispute Wheel

Automated Formal Analysis of Internet Routing Configurations

Today\u27s Internet interdomain routing protocol, the Border Gateway Protocol (BGP), is increasingly complicated and fragile due to policy misconfigurations by individual autonomous systems (ASes). To create provably correct networks, the past twenty years have witnessed, among many other efforts, advances in formal network modeling, system verification and testing, and point solutions for network management by formal reasoning. On the conceptual side, the formal models usually abstract away low-level details, specifying what are the correct functionalities but not how to achieve them. On the practical side, system verification of existing networked systems is generally hard, and system testing or simulation provide limited formal guarantees. This is known as a long standing challenge in network practice --- formal reasoning is decoupled from actual implementation. This thesis seeks to bridge formal reasoning and actual network implementation in the setting of the Border Gateway Protocol (BGP), by developing the Formally Verifiable Routing (FVR) toolkit that combines formal methods and programming language techniques. Starting from the formal model, FVR automates verification of routing models and the synthesis of faithful implementations that carries the correctness property. Conversely, starting from large real-world BGP systems with arbitrary policy configurations, automates the analysis of Internet routing configurations, and also includes a novel network reduction technique that scales up existing techniques for automated analysis. By developing the above formal theories and tools, this thesis aims to help network operators to create and manage BGP systems with correctness guarantee

An algebraic perspective on the convergence of vector-based routing protocols

This thesis studies the properties of vector-based routing protocols whose underlying algebras are strictly increasing. Strict increasingness has previously been shown to be both a sufficient and a necessary condition for the convergence of path-vector protocols. One of the key contributions of this thesis is to link vector-based routing to a much larger family of asynchronous iterative algorithms. This unlocks a significant body of existing theory, and allows asynchronous protocols to be proved correct by purely synchronous reasoning. As well as applying it to routing protocols, this thesis advances the asynchronous theory in two ways. Firstly it shows that the existing conditions required for convergence may be relaxed. Secondly it proposes the first model for ``dynamic'' asynchronous processes in which both the problem being solved and the set of participants change over time. The thesis' attention then turns to models of routing problems, and presents a new algebraic structure that is simpler and more expressive than the state of the art. In particular this structure is capable of modelling routing problems that underlie both distance-vector and path-vector protocols. Consequently these two families of vector-based protocols may be unified for the first time. The new structure is also capable of modelling protocols that use path-dependent conditional policy. Next the work above is used to construct a model of an abstract vector-based protocol. This is then used in the first proof of correctness for strictly increasing distance-vector protocols and a new proof of correctness for strictly increasing path-vector protocols. The latter is an improvement over previous results as it i) proves that convergence is deterministic ii) does not assume reliable communication between nodes and iii) applies to path-vector protocols with path-dependent conditional policy. The long standing question of the worst-case rate of convergence for a strictly increasing path-vector protocol is then answered by lowering the previous upper bound of $O(n!)$ to a new tight bound of~$\Theta(n^2)$. Finally all of the work has been formalised in the proof assistant Agda. Not only does this significantly increase users' confidence in the validity of the results, the resulting Agda library may also be used to verify the correctness of protocol implementations. To illustrate this, a formal proof of correctness is described for a path-vector protocol which contains many of the features of the Border Gateway Protocol including: local preferences, communities, an expressive conditional policy language and path inflation.EPSRC Doctoral Training gran

Multipath policy routing in packet switched networks

Dissertação apresentada para obtenção do Grau de Mestre em Engenharia Electrotécnica e de Computadores, pela Universidade Nova de Lisboa, Faculdade de Ciências e TecnologiaNowadays, the continuous operations of large networks, under multiple ownerships, are of tremendous importance and as a result, routing protocols have gained numerous extensions and accumulated complexity. Policy-based routing can be of signi cance for common networks when the cost of transporting a bit is no longer the biggest pressure point. The best path problem is a generalization of the shortest path problem that suits policy based routing. This means that preferences for the paths depend on semantically rich characteristics, in which two di erent paths may have the same preference. However, current policy-based routing models cannot take full advantage of the multiplicity of connections to a given destination and are single path in nature. Therefore multipath can bring several advantages in policy based routing. Designing multipath routing protocols based on policies seem to be a problem of interest. To model routing problems, algebraic structures and graph theory are used. Through variants of classical methods of linear algebra routing problems can be solved. The objective of this dissertation is to devise a multipath policy-based routing protocol using a simple destination-based hop-by-hop protocol with independent forwarding decisions. Networks featuring these characteristics can be more resilient to failures, provide better tra c distribution and maintain a simple forwarding paradigm. The dissertation concludes with the trade-o 's between the exibility of the proposed solution, the amount of multiple paths that can be used simultaneously and the network restrictions that must be applied

Certainty Closure: Reliable Constraint Reasoning with Incomplete or Erroneous Data

Constraint Programming (CP) has proved an effective paradigm to model and solve difficult combinatorial satisfaction and optimisation problems from disparate domains. Many such problems arising from the commercial world are permeated by data uncertainty. Existing CP approaches that accommodate uncertainty are less suited to uncertainty arising due to incomplete and erroneous data, because they do not build reliable models and solutions guaranteed to address the user's genuine problem as she perceives it. Other fields such as reliable computation offer combinations of models and associated methods to handle these types of uncertain data, but lack an expressive framework characterising the resolution methodology independently of the model. We present a unifying framework that extends the CP formalism in both model and solutions, to tackle ill-defined combinatorial problems with incomplete or erroneous data. The certainty closure framework brings together modelling and solving methodologies from different fields into the CP paradigm to provide reliable and efficient approches for uncertain constraint problems. We demonstrate the applicability of the framework on a case study in network diagnosis. We define resolution forms that give generic templates, and their associated operational semantics, to derive practical solution methods for reliable solutions.Comment: Revised versio

The Strategic Justification for BGP

The Internet consists of many administrative domains, or \emph{Autonomous Systems} (ASes), each owned by an economic entity (Microsoft, AT\&T, The Hebrew University, etc.). The task of ensuring interconnectivity between ASes, known as \emph{interdomain routing}, is currently handled by the \emph{Border Gateway Protocol} (BGP). ASes are self-interested and might be willing to manipulate BGP for their benefit. In this paper we present the strategic justification for using BGP for interdomain routing in today's Internet: We show that, in the realistic Gao-Rexford setting, BGP is immune to almost all forms of rational manipulation by ASes, and can easily be made immune to all such manipulations. The Gao-Rexford setting is said to accurately depict the current commercial relations between ASes in the Internet. Formally, we prove that a slight modification of BGP is incentive-compatible in \emph{ex-post Nash equilibrium}. Moreover, we show that, if a certain reasonable condition holds, then this slightly modified BGP is also \emph{collusion-proof} in ex-post Nash -- i.e., immune to rational manipulations even by \emph{coalitions} of \emph{any} size. Unlike previous works on achieving incentive-compatibility in interdomain routing, our results \emph{do not require any monetary transfer between ASes} (as is the case in practice). We also strengthen the Gao-Rexford constraints by proving that one of the three constraints can actually be enforced by the rationality of ASes if the two other constraints hold

The Strategic Justification for BGP

The Internet consists of many administrative domains, or \emph{Autonomous Systems} (ASes), each owned by an economic entity (Microsoft, AT\&T, The Hebrew University, etc.). The task of ensuring interconnectivity between ASes, known as \emph{interdomain routing}, is currently handled by the \emph{Border Gateway Protocol} (BGP). ASes are self-interested and might be willing to manipulate BGP for their benefit. In this paper we present the strategic justification for using BGP for interdomain routing in today's Internet: We show that, in the realistic Gao-Rexford setting, BGP is immune to almost all forms of rational manipulation by ASes, and can easily be made immune to all such manipulations. The Gao-Rexford setting is said to accurately depict the current commercial relations between ASes in the Internet. Formally, we prove that a slight modification of BGP is incentive-compatible in \emph{ex-post Nash equilibrium}. Moreover, we show that, if a certain reasonable condition holds, then this slightly modified BGP is also \emph{collusion-proof} in ex-post Nash -- i.e., immune to rational manipulations even by \emph{coalitions} of \emph{any} size. Unlike previous works on achieving incentive-compatibility in interdomain routing, our results \emph{do not require any monetary transfer between ASes} (as is the case in practice). We also strengthen the Gao-Rexford constraints by proving that one of the three constraints can actually be enforced by the rationality of ASes if the two other constraints hold

An Overlay Architecture for Personalized Object Access and Sharing in a Peer-to-Peer Environment

Due to its exponential growth and decentralized nature, the Internet has evolved into a chaotic repository, making it difficult for users to discover and access resources of interest to them. As a result, users have to deal with the problem of information overload. The Semantic Web's emergence provides Internet users with the ability to associate explicit, self-described semantics with resources. This ability will facilitate in turn the development of ontology-based resource discovery tools to help users retrieve information in an efficient manner. However, it is widely believed that the Semantic Web of the future will be a complex web of smaller ontologies, mostly created by various groups of web users who share a similar interest, referred to as a Community of Interest. This thesis proposes a solution to the information overload problem using a user driven framework, referred to as a Personalized Web, that allows individual users to organize themselves into Communities of Interests based on ontologies agreed upon by all community members. Within this framework, users can define and augment their personalized views of the Internet by associating specific properties and attributes to resources and defining constraint-functions and rules that govern the interpretation of the semantics associated with the resources. Such views can then be used to capture the user's interests and integrate these views into a user-defined Personalized Web. As a proof of concept, a Personalized Web architecture that employs ontology-based semantics and a structured Peer-to-Peer overlay network to provide a foundation of semantically-based resource indexing and advertising is developed. In order to investigate mechanisms that support the resource advertising and retrieval of the Personalized Web architecture, three agent-driven advertising and retrieval schemes, the Aggressive scheme, the Crawler-based scheme, and the Minimum-Cover-Rule scheme, were implemented and evaluated in both stable and churn environments. In addition to the development of a Personalized Web architecture that deals with typical web resources, this thesis used a case study to explore the potential of the Personalized Web architecture to support future web service workflow applications. The results of this investigation demonstrated that the architecture can support the automation of service discovery, negotiation, and invocation, allowing service consumers to actualize a personalized web service workflow. Further investigation will be required to improve the performance of the automation and allow it to be performed in a secure and robust manner. In order to support the next generation Internet, further exploration will be needed for the development of a Personalized Web that includes ubiquitous and pervasive resources