The Strategic Justification for BGP

The Internet consists of many administrative domains, or \emph{Autonomous Systems} (ASes), each owned by an economic entity (Microsoft, AT\&T, The Hebrew University, etc.). The task of ensuring interconnectivity between ASes, known as \emph{interdomain routing}, is currently handled by the \emph{Border Gateway Protocol} (BGP). ASes are self-interested and might be willing to manipulate BGP for their benefit. In this paper we present the strategic justification for using BGP for interdomain routing in today's Internet: We show that, in the realistic Gao-Rexford setting, BGP is immune to almost all forms of rational manipulation by ASes, and can easily be made immune to all such manipulations. The Gao-Rexford setting is said to accurately depict the current commercial relations between ASes in the Internet. Formally, we prove that a slight modification of BGP is incentive-compatible in \emph{ex-post Nash equilibrium}. Moreover, we show that, if a certain reasonable condition holds, then this slightly modified BGP is also \emph{collusion-proof} in ex-post Nash -- i.e., immune to rational manipulations even by \emph{coalitions} of \emph{any} size. Unlike previous works on achieving incentive-compatibility in interdomain routing, our results \emph{do not require any monetary transfer between ASes} (as is the case in practice). We also strengthen the Gao-Rexford constraints by proving that one of the three constraints can actually be enforced by the rationality of ASes if the two other constraints hold.Networks; Ex post Nash; Routing; rational manipulation; Border Gateway Protocol; Dispute Wheel

Interdomain routing and games

We present a game-theoretic model that captures many of the intricacies of \emph{interdomain routing} in today's Internet. In this model, the strategic agents are source nodes located on a network, who aim to send traffic to a unique destination node. The interaction between the agents is dynamic and complex -- asynchronous, sequential, and based on partial information. Best-reply dynamics in this model capture crucial aspects of the only interdomain routing protocol de facto, namely the Border Gateway Protocol (BGP). We study complexity and incentive-related issues in this model. Our main results are showing that in realistic and well-studied settings, BGP is incentive-compatible. I.e., not only does myopic behaviour of all players \emph{converge} to a ``stable'' routing outcome, but no player has motivation to unilaterally deviate from the protocol. Moreover, we show that even \emph{coalitions} of players of \emph{any} size cannot improve their routing outcomes by collaborating. Unlike the vast majority of works in mechanism design, our results do not require any monetary transfers (to or by the agents).Interdomain Routing; Network Games; BGP protocol;

The Strategic Justification for BGP

The Internet consists of many administrative domains, or \emph{Autonomous Systems} (ASes), each owned by an economic entity (Microsoft, AT\&T, The Hebrew University, etc.). The task of ensuring interconnectivity between ASes, known as \emph{interdomain routing}, is currently handled by the \emph{Border Gateway Protocol} (BGP). ASes are self-interested and might be willing to manipulate BGP for their benefit. In this paper we present the strategic justification for using BGP for interdomain routing in today's Internet: We show that, in the realistic Gao-Rexford setting, BGP is immune to almost all forms of rational manipulation by ASes, and can easily be made immune to all such manipulations. The Gao-Rexford setting is said to accurately depict the current commercial relations between ASes in the Internet. Formally, we prove that a slight modification of BGP is incentive-compatible in \emph{ex-post Nash equilibrium}. Moreover, we show that, if a certain reasonable condition holds, then this slightly modified BGP is also \emph{collusion-proof} in ex-post Nash -- i.e., immune to rational manipulations even by \emph{coalitions} of \emph{any} size. Unlike previous works on achieving incentive-compatibility in interdomain routing, our results \emph{do not require any monetary transfer between ASes} (as is the case in practice). We also strengthen the Gao-Rexford constraints by proving that one of the three constraints can actually be enforced by the rationality of ASes if the two other constraints hold

Restorable Shortest Path Tiebreaking for Edge-Faulty Graphs

The restoration lemma by Afek, Bremler-Barr, Kaplan, Cohen, and Merritt [Dist. Comp. '02] proves that, in an undirected unweighted graph, any replacement shortest path avoiding a failing edge can be expressed as the concatenation of two original shortest paths. However, the lemma is tiebreaking-sensitive: if one selects a particular canonical shortest path for each node pair, it is no longer guaranteed that one can build replacement paths by concatenating two selected shortest paths. They left as an open problem whether a method of shortest path tiebreaking with this desirable property is generally possible. We settle this question affirmatively with the first general construction of restorable tiebreaking schemes. We then show applications to various problems in fault-tolerant network design. These include a faster algorithm for subset replacement paths, more efficient fault-tolerant (exact) distance labeling schemes, fault-tolerant subset distance preservers and $+4$ additive spanners with improved sparsity, and fast distributed algorithms that construct these objects. For example, an almost immediate corollary of our restorable tiebreaking scheme is the first nontrivial distributed construction of sparse fault-tolerant distance preservers resilient to three faults

The Strategic Justification for BGP

The Internet consists of many administrative domains, or \emph{Autonomous Systems} (ASes), each owned by an economic entity (Microsoft, AT\&T, The Hebrew University, etc.). The task of ensuring interconnectivity between ASes, known as \emph{interdomain routing}, is currently handled by the \emph{Border Gateway Protocol} (BGP). ASes are self-interested and might be willing to manipulate BGP for their benefit. In this paper we present the strategic justification for using BGP for interdomain routing in today's Internet: We show that, in the realistic Gao-Rexford setting, BGP is immune to almost all forms of rational manipulation by ASes, and can easily be made immune to all such manipulations. The Gao-Rexford setting is said to accurately depict the current commercial relations between ASes in the Internet. Formally, we prove that a slight modification of BGP is incentive-compatible in \emph{ex-post Nash equilibrium}. Moreover, we show that, if a certain reasonable condition holds, then this slightly modified BGP is also \emph{collusion-proof} in ex-post Nash -- i.e., immune to rational manipulations even by \emph{coalitions} of \emph{any} size. Unlike previous works on achieving incentive-compatibility in interdomain routing, our results \emph{do not require any monetary transfer between ASes} (as is the case in practice). We also strengthen the Gao-Rexford constraints by proving that one of the three constraints can actually be enforced by the rationality of ASes if the two other constraints hold

System Dynamics Modeling and Simulation of Enterprise Computer Security

To support decision-making, training, and understanding complex trends in enterprise computer security, we have built an executable model representing the major components of an organization's computer security, including its machines, users, administrators, countermeasures, and attacks. We use "if-then" rules to express behaviors, incorporating the notions of "archetypes", i.e. frequently-observed patterns of system behavior, and "system dynamics", a discipline which views system behavior in terms of stocks and feedback loops. This thesis describes the model, and then discusses several archetypal behaviors and their results, namely: Symptomatic Fixes (or "Shifting the Burden"), Escalation, and Escalation combined with Limits to Growth. Simulation is used to display these behaviors quantitatively, and to show the effects of possible solutions. We conclude by discussing how such results can be useful for practical computer security, and how this model can both feed off other security research and fuel it

Approximation algorithms for distributed and selfish agents

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Mathematics, 2005.Includes bibliographical references (p. 157-165).Many real-world systems involve distributed and selfish agents who optimize their own objective function. In these systems, we need to design efficient mechanisms so that system-wide objective is optimized despite agents acting in their own self interest. In this thesis, we develop approximation algorithms and decentralized mechanisms for various combinatorial optimization problems in such systems. First, we investigate the distributed caching and a general set of assignment problems. We develop an almost tight LP-based ... approximation algorithm and a local search ... approximation algorithm for these problems. We also design efficient decentralized mechanisms for these problems and study the convergence of the corresponding games. In the following chapters, we study the speed of convergence to high quality solutions on (random) best-response paths of players. First, we study the average social value on best response paths in basic-utility, market sharing, and cut games. Then, we introduce the sink equilibrium as a new equilibrium concept. We argue that, unlike Nash equilibria, the selfish behavior of players converges to sink equilibria and all strategic games have a sink equilibrium. To illustrate the use of this new concept, we study the social value of sink equilibria in weighted selfish routing (or weighted congestion) games and valid-utility (or submodular-utility) games. In these games, we bound the average social value on random best-response paths for sink equilibria.. Finally, we study cross-monotonic cost sharings and group-strategyproof mechanisms.(cont.) We study the limitations imposed by the cross-monotonicity property on cost-sharing schemes for several combinatorial optimization games including set cover and metric facility location. We develop a novel technique based on the probabilistic method for proving upper bounds on the budget-balance factor of cross-monotonic cost sharing schemes, deriving tight or nearly-tight bounds for these games. At the end, we extend some of these results to group-strategyproof mechanisms.by Vahab S. Mirrokni.Ph.D

Subjective-cost policy routing

Abstract. We study a model of interdomain routing in which autonomous systems’ (ASes’) routing policies are based on subjective cost assessments of alternative routes. The routes are constrained by the requirement that all routes to a given destination must be confluent. We show that it is NP-hard to determine whether there is a set of stable routes. We also show that it is NP-hard to find a set of confluent routes that minimizes the total subjective cost; it is hard even to approximate minimum cost closely. These hardness results hold even for very restricted classes of subjective costs. We then consider a model in which the subjective costs are based on the relative importance ASes place on a small number of objective cost measures. We show that a small number of confluent routing trees is sufficient for each AS to have a route that nearly minimizes its subjective cost. We show that this scheme is trivially strategyproof and that it can be computed easily with a distributed algorithm that does not require major changes to the Border Gateway Protocol. Furthermore, we prove a lower bound on the number of trees required to contain a (1 + ɛ)-approximately optimal route for each node and show that our scheme is nearly optimal in this respect.