Towards a Logic for Wide-Area Internet Routing - PowerPoint PPT Presentation

Slides: 29
Provided by: scie76
Learn more at: https://www.cs.rice.edu

Transcript and Presenter's Notes


1
Towards a Logic for Wide-Area Internet Routing
  • Nick Feamster
  • Hari Balakrishnan

2
Introduction
  • Internet routing is a massive distributed
    computing task
  • BGP4 is exceedingly complex
  • Complexity arises due to wide variety of goals
    that must be met
  • Complicated interactions and unintended side
    effects

3
Introduction (contd.)
  • Propose routing logic: a set of rules
  • Logic used to determine satisfaction of desired
    properties
  • Demonstrate how this logic can be used to analyze
    and aid implementation

4
Motivation
  • Complexity of BGP
  • Fast convergence to correct loop-free paths
  • Resilience to congestion
  • Avoid packet loss and failures
  • Connecting autonomous and mutually distrusting
    domains

5
Motivation (contd.)
  • Complexity stems from dynamic behavior during
    operation
  • Vast possibilities for configuration
  • Prior work highlights many undesirable properties

6
Motivation (contd.)
  • Poor Integrity
      • DoS, integrity attacks, misconfiguration
  • Slow Convergence
      • Path instability, delayed convergence
      • Congestion scenario not well-understood

7
Motivation (contd.)
  • Unpredictability
      • BGP is distributed and asynchronous
      • Predicting effects of configuration change
        challenging
  • Poor control of information flow
      • BGP implementation may expose information not
        intended to be public knowledge

8
Motivation (contd.)
  • Specific modifications have unintended side
    effects
  • Need for something that reasons about the
    correctness of the protocol
  • Classify protocols in terms of desired properties

9
Desired Properties
  • Validity
      • Existence of route implies existence of path
  • Visibility
      • Existence of path implies existence of route
  • Safety/Stability
      • No participant should change its route in
        response to other routes

10
Desired Properties (contd.)
  • Determinism
      • Protocol should arrive at same predictable set of
        routes
  • Information-flow Control
      • Should not expose more information than necessary

11
Routing Logic Inputs
  • Specification of how protocol behaves
  • Specification of protocol configuration
      • Policy configuration
      • General configuration, e.g. which routers
        exchange routing information
  • Current version has no notion of time

12
Hierarchical Routing Scopes
  • Organize routing domains into hierarchical levels
    called scopes
  • Protocol in scope i forwards packets via scope
    i next-hop in that path
  • Scope i routing uses scope i-1 path to reach
    scope i next hop

13
Routing Domains are Organized Hierarchically

14
Validity Rules
  • Reachability
      • Route transports packets to intended destinations
  • Policy conformance
      • Conform to peering and transit agreements
  • Progress
      • Next-hop specified reduces total distance to the
        destination
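
A minimal sketch of the reachability part of these rules, added here as an illustration and not taken from the presentation or the authors' tool: a route at one scope counts as valid only if hop-by-hop forwarding at the underlying scope (for example, an IGP beneath BGP) actually reaches the route's next hop. The router names, tables and the function names `lower_scope_path` and `check_validity` are assumptions made for the example.

```python
# Simplified model (an assumption, not the authors' formal rules): a scope-i
# route names a next hop, and it is valid only if hop-by-hop forwarding at
# scope i-1 actually delivers packets to that next hop.

def lower_scope_path(igp, src, target):
    """Follow scope i-1 forwarding tables from src to target.

    igp[router][target] is the neighbour that router forwards to.
    Returns (path, reason); path is None when no usable path exists.
    """
    path, seen = [src], {src}
    node = src
    while node != target:
        nxt = igp.get(node, {}).get(target)
        if nxt is None:
            return None, f"no scope i-1 route at {node}"
        if nxt in seen:
            return None, f"forwarding loop at {nxt}"
        path.append(nxt)
        seen.add(nxt)
        node = nxt
    return path, "ok"


def check_validity(routes, igp):
    """routes[router][prefix] = scope-i next hop. Returns the violations."""
    violations = []
    for router, table in sorted(routes.items()):
        for prefix, next_hop in sorted(table.items()):
            path, reason = lower_scope_path(igp, router, next_hop)
            if path is None:
                violations.append((router, prefix, next_hop, reason))
    return violations


# Constructed sample: three routers in one AS; R3 is the border router.
IGP = {
    "R1": {"R3": "R2"},
    "R2": {"R3": "R1"},   # misconfigured: points back at R1, forming a loop
    "R3": {},
}
ROUTES = {
    "R1": {"203.0.113.0/24": "R3"},
    "R3": {"203.0.113.0/24": "R3"},   # border router: next hop is itself
}
```

With the constructed tables, R1 holds a route whose next hop R3 is never reached, so a route exists without a path.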

15
The Validity Rule

16
Underlying IGP can result in forwarding loops

17
Information Flow Control
  • Consists of objects, flow policy, partial
    ordering of security levels
  • Policy defined in terms of partial ordering
    expressed as a lattice
  • Flow model specifies
      • Process causing information flow
      • How flow should be controlled between parties

18
An example information flow lattice

19
Information Objects
  • Policy
      • Peering and transit agreements
      • Router preferences
  • Reachability
      • Events affecting reachability
  • Topology
      • Internal network topology
      • Inter-AS connectivity

20
Noninterference Rule
  • Objects at higher security levels should not be
    visible to objects at lower levels
  • Security level of message not higher than level
    of recipient
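
The noninterference rule can be checked mechanically once the lattice is written down. The following is an added example, not code from the presentation: the four level names, the AS numbers and the object labels are constructed for illustration (the deck's own lattice figure is not in the transcript), and a message's level is taken to be the least upper bound of the objects it carries.

```python
from itertools import product

# Constructed lattice (the slide's own lattice figure is not in the transcript):
# each pair (a, b) means information at level a may flow to level b.
COVERS = [("public", "peer"), ("public", "customer"),
          ("peer", "internal"), ("customer", "internal")]
LEVELS = sorted({x for pair in COVERS for x in pair})


def build_leq(covers, levels):
    """Reflexive-transitive closure of the cover relation (the partial order)."""
    leq = {(a, a) for a in levels} | set(covers)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(leq), repeat=2):
            if b == c and (a, d) not in leq:
                leq.add((a, d))
                changed = True
    return leq


LEQ = build_leq(COVERS, LEVELS)


def join(levels_in):
    """Least upper bound of the given levels: the level of a combined message."""
    uppers = [u for u in LEVELS if all((l, u) in LEQ for l in levels_in)]
    return next(u for u in uppers if all((u, v) in LEQ for v in uppers))


def violations(flows, object_level, recipient_level):
    """Noninterference: a message's level must not exceed its recipient's."""
    bad = []
    for recipient, objects in flows:
        msg = join([object_level[o] for o in objects])
        if (msg, recipient_level[recipient]) not in LEQ:
            bad.append((recipient, msg, recipient_level[recipient]))
    return bad


# Constructed sample: what one AS's announcements reveal to each neighbour.
OBJECT_LEVEL = {"reachability": "public", "peering_agreement": "peer",
                "customer_prefs": "customer", "internal_topology": "internal"}
RECIPIENT_LEVEL = {"AS65001": "peer", "AS65002": "customer", "AS65003": "public"}
FLOWS = [("AS65001", ["reachability", "peering_agreement"]),
         ("AS65002", ["reachability", "internal_topology"]),
         ("AS65001", ["peering_agreement", "customer_prefs"]),
         ("AS65003", ["reachability"])]
```

The third flow is the interesting case: "peer" and "customer" are incomparable, so a message carrying both rises to "internal" and violates the rule even though each object alone would be acceptable to some neighbour.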

21
BGP implementations can result in information flow policy violations

22
Potential Applications
  • Static analysis of existing network configuration
  • Providing framework for design of high-level
    policy specification
  • Aid designers of new protocols

23
Configuration Analysis
  • Tool verifies properties of legacy router
    configuration
  • Such tool under development
  • Used to check whether configuration satisfies
    specified information flow policy

24
Configuration Synthesis
  • Get rid of low-level configuration languages
  • Remove complexity, frequent misconfiguration
  • Synthesize low-level configuration by translating
    high-level specification

25
Protocol Design
  • Implement set of protocol abstractions
  • Relate to routing logic, determine satisfaction
    of properties
  • Less susceptible to violating wide-area routing
    properties

26
Related Work
  • Inspired by use of BAN logic for authentication
    protocol analysis
  • Application of BAN logic to Taos Operating system
  • Builds on BGP anomalies noted by various previous
    work

27
Conclusions
  • Presented a routing logic
  • Proving properties about protocol aspects
  • Formally describe how fundamental properties of
    BGP lead to violations
  • Evaluate future proposed modifications to BGP
  • Help design new protocols

28
From 10,000 feet
  • Does not aim to fix all problems in BGP
  • Places importance on formalizing the current
    approach to understanding things
  • Is a tool to analyze effects of modifications to
    implementations
  • Approach extendable to other complex protocols