
Towards a Logic for Wide-Area Internet Routing


Presentation Transcript


  1. Towards a Logic for Wide-Area Internet Routing
     Nick Feamster, Hari Balakrishnan

  2. Introduction
     • Internet routing is a massive distributed computing task
     • BGP4 is exceedingly complex
     • Complexity arises from the wide variety of goals that must be met
     • Complicated interactions and unintended side effects

  3. Introduction (contd.)
     • Propose routing logic – a set of rules
     • Logic used to determine satisfaction of desired properties
     • Demonstrate how this logic can be used to analyze and aid implementation

  4. Motivation
     • Complexity of BGP
     • Fast convergence to correct loop-free paths
     • Resilience to congestion
     • Avoid packet loss and failures
     • Connecting autonomous and mutually distrusting domains

  5. Motivation (contd.)
     • Complexity stems from dynamic behavior during operation
     • Vast possibilities for configuration
     • Prior work highlights many undesirable properties

  6. Motivation (contd.)
     • Poor Integrity
        ◦ DoS, integrity attacks, misconfiguration
     • Slow Convergence
        ◦ Path instability, delayed convergence
        ◦ Congestion scenario not well-understood

  7. Motivation (contd.)
     • Unpredictability
        ◦ BGP is distributed and asynchronous
        ◦ Predicting the effects of a configuration change is challenging
     • Poor control of information flow
        ◦ BGP implementation may expose information not intended to be public knowledge

  8. Motivation (contd.)
     • Specific modifications have unintended side effects
     • Need for something that reasons about the ‘correctness’ of the protocol
     • Classify protocols in terms of desired properties

  9. Desired Properties
     • Validity
        ◦ Existence of route implies existence of path
     • Visibility
        ◦ Existence of path implies existence of route
     • Safety/Stability
        ◦ No participant should change its route in response to other routes

  10. Desired Properties (contd.)
     • Determinism
        ◦ Protocol should arrive at the same predictable set of routes
     • Information-flow Control
        ◦ Should not expose more information than necessary

  11. Routing Logic Inputs
     • Specification of how protocol behaves
     • Specification of protocol configuration
        ◦ Policy configuration
        ◦ General configuration, e.g. which routers exchange routing information
     • Current version has no notion of time

  12. Hierarchical Routing Scopes
     • Organize routing domains into hierarchical levels called scopes
     • Protocol in scope ‘i’ forwards packets via the scope ‘i’ next hop in that path
     • Scope ‘i’ routing uses the scope ‘i+1’ path to reach the scope ‘i’ next hop

  13. Routing Domains are Organized Hierarchically

  14. Validity Rules
     • Reachability
        ◦ Route transports packets to intended destinations
     • Policy conformance
        ◦ Conform to peering and transit agreements
     • Progress
        ◦ The specified next hop reduces the total distance to the destination

  15. The Validity Rule

  16. Underlying IGP can result in forwarding loops

  17. Information Flow Control
     • Consists of objects, flow policy, partial ordering of security levels
     • Policy defined in terms of partial ordering expressed as a lattice
     • Flow model specifies
        ◦ Process causing information flow
        ◦ How flow should be controlled between parties

  18. An example information flow lattice

  19. Information Objects
     • Policy
        ◦ Peering and transit agreements
        ◦ Router preferences
     • Reachability
        ◦ Events affecting reachability
     • Topology
        ◦ Internal network topology
        ◦ Inter-AS connectivity

  20. Noninterference Rule
     • Objects at higher security levels should not be visible to objects at lower levels
     • Security level of a message must not be higher than the level of its recipient

  21. BGP implementations can result in information flow policy violations

  22. Potential Applications
     • Static analysis of existing network configuration
     • Providing framework for design of high-level policy specification
     • Aid designers of new protocols

  23. Configuration Analysis
     • Tool verifies properties of legacy router configuration
     • Such a tool is under development
     • Used to check whether a configuration satisfies a specified information flow policy

  24. Configuration Synthesis
     • Get rid of low-level configuration languages
     • Remove complexity, frequent misconfiguration
     • Synthesize low-level configuration by translating high-level specification

  25. Protocol Design
     • Implement set of protocol abstractions
     • Relate to routing logic, determine satisfaction of properties
     • Less susceptible to violating wide-area routing properties

  26. Related Work
     • Inspired by use of BAN logic for authentication protocol analysis
     • Application of BAN logic to the Taos operating system
     • Builds on BGP anomalies noted in various previous work

  27. Conclusions
     • Presented a routing logic
     • Proving properties about protocol aspects
     • Formally describe how fundamental properties of BGP lead to violations
     • Evaluate future proposed modifications to BGP
     • Help design new protocols

  28. From 10,000 feet …
     • Does not aim to fix all problems in BGP
     • Stresses the importance of formalizing the current approach to understanding things
     • Is a tool to analyze effects of modifications to implementations
     • Approach extendable to other complex protocols
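
The validity property of slides 9 and 14 to 16 (a route must be backed by a path, and each next hop must make progress toward the destination) can be checked statically over forwarding state. The following is an added example, not code from the presentation or its authors; the topology, table names and verdict strings are constructed for illustration.

```python
import heapq

INF = float("inf")

def distances(links, dst):
    """Shortest-path cost from every router to dst (Dijkstra, undirected links)."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {dst: 0}, [(0, dst)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, INF):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist

def check_route(links, next_hop, src, dst):
    """Classify src's route to dst as 'valid', 'no-progress', 'no-path' or 'loop'."""
    dist, node, seen, verdict = distances(links, dst), src, set(), "valid"
    while node != dst:
        if node in seen:
            return "loop"                  # forwarding loop: packets never arrive
        seen.add(node)
        hop = next_hop.get(node)
        if hop is None or not ((node, hop) in links or (hop, node) in links):
            return "no-path"               # a route exists but no path backs it
        if dist.get(hop, INF) >= dist.get(node, INF):
            verdict = "no-progress"        # hop does not reduce distance to dst
        node = hop
    return verdict

def audit(links, tables, dst):
    """Verdict per router for each named forwarding table."""
    return {name: {r: check_route(links, nh, r, dst) for r in nh}
            for name, nh in tables.items()}

# Constructed topology (link -> cost) and forwarding tables (router -> next hop toward D).
LINKS = {("A", "B"): 1, ("B", "C"): 1, ("C", "D"): 1, ("A", "C"): 3}
TABLES = {
    "consistent": {"A": "B", "B": "C", "C": "D"},
    "looping":    {"A": "B", "B": "A", "C": "D"},   # A and B point at each other
    "detour":     {"A": "C", "B": "A", "C": "D"},   # B moves away from D first
    "stale":      {"A": "D", "B": "C", "C": "D"},   # A's next hop has no link
}

if __name__ == "__main__":
    for name, verdicts in audit(LINKS, TABLES, "D").items():
        print(name, verdicts)
```

The "detour" table still delivers packets, so it passes a pure reachability test and is caught only by the progress rule.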
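
The noninterference rule of slides 17 to 21 reduces to an order check on a lattice: a message is as sensitive as the join of the objects it reveals, and it may flow only to a recipient whose level is at or above that join. The following is an added example, not code from the presentation or its authors; the lattice, the labelling of information objects and the neighbour names are assumptions, since the lattice on slide 18 is not reproduced in this transcript.

```python
from functools import reduce
from itertools import product

# Constructed lattice as a covers relation (lower, higher); an assumption for
# illustration, not the lattice shown on slide 18.
COVERS = {("public", "peer"), ("public", "customer"),
          ("peer", "internal"), ("customer", "internal")}
# Hypothetical labelling of the information objects listed on slide 19.
OBJECT_LEVEL = {"reachability": "public", "peering-agreement": "peer",
                "customer-preference": "customer", "internal-topology": "internal"}

def order(covers):
    """Return (levels, leq): leq is the reflexive-transitive closure of covers."""
    levels = {x for pair in covers for x in pair}
    leq = {(x, x) for x in levels} | set(covers)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(leq), repeat=2):
            if b == c and (a, d) not in leq:
                leq.add((a, d))
                changed = True
    return levels, leq

def join(levels, leq, a, b):
    """Least upper bound of a and b: the upper bound below all other upper bounds."""
    uppers = [u for u in levels if (a, u) in leq and (b, u) in leq]
    return next(u for u in uppers if all((u, v) in leq for v in uppers))

def violations(covers, messages, recipient_level):
    """List (recipient, message_level) where message level is not <= recipient level."""
    levels, leq = order(covers)
    found = []
    for recipient, objects in messages:
        labels = [OBJECT_LEVEL[o] for o in objects]
        level = reduce(lambda x, y: join(levels, leq, x, y), labels)
        if (level, recipient_level[recipient]) not in leq:
            found.append((recipient, level))
    return found

# Constructed neighbours (private-use AS numbers) and the objects each message reveals.
RECIPIENT_LEVEL = {"AS64512": "peer", "AS64513": "customer"}
MESSAGES = [
    ("AS64512", ["reachability", "peering-agreement"]),         # peer <= peer
    ("AS64513", ["reachability", "peering-agreement"]),         # peer vs customer
    ("AS64512", ["peering-agreement", "customer-preference"]),  # join is internal
    ("AS64513", ["reachability"]),                              # public <= customer
]

if __name__ == "__main__":
    print(violations(COVERS, MESSAGES, RECIPIENT_LEVEL))
```

Because "peer" and "customer" are incomparable, the second message is a violation even though neither level is above the other, which is the case a simple numeric sensitivity ranking would miss.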
