Towards a Logic for Wide-Area Internet Routing
Presentation Transcript

  1. Towards a Logic for Wide-Area Internet Routing
     Nick Feamster, Hari Balakrishnan

  2. Introduction
     • Internet routing is a massive distributed computing task
     • BGP4 is exceedingly complex
     • Complexity arises due to wide variety of goals that must be met
     • Complicated interactions and unintended side effects

  3. Introduction (contd.)
     • Propose routing logic – a set of rules
     • Logic used to determine satisfaction of desired properties
     • Demonstrate how this logic can be used to analyze and aid implementation

  4. Motivation
     • Complexity of BGP
     • Fast convergence to correct loop-free paths
     • Resilience to congestion
     • Avoid packet loss and failures
     • Connecting autonomous and mutually distrusting domains

  5. Motivation (contd.)
     • Complexity stems from dynamic behavior during operation
     • Vast possibilities for configuration
     • Prior work highlights many undesirable properties

  6. Motivation (contd.)
     • Poor Integrity
         • DoS, integrity attacks, misconfiguration
     • Slow Convergence
         • Path instability, delayed convergence
         • Congestion scenario not well-understood

  7. Motivation (contd.)
     • Unpredictability
         • BGP is distributed and asynchronous
         • Predicting effects of configuration change is challenging
     • Poor control of information flow
         • BGP implementation may expose information not intended to be public knowledge

  8. Motivation (contd.)
     • Specific modifications have unintended side effects
     • Need for something that reasons about the ‘correctness’ of the protocol
     • Classify protocols in terms of desired properties

  9. Desired Properties
     • Validity
         • Existence of route implies existence of path
     • Visibility
         • Existence of path implies existence of route
     • Safety/Stability
         • No participant should change its route in response to other routes

  10. Desired Properties (contd.)
     • Determinism
         • Protocol should arrive at same predictable set of routes
     • Information-flow Control
         • Should not expose more information than necessary

  11. Routing Logic Inputs
     • Specification of how protocol behaves
     • Specification of protocol configuration
         • Policy configuration
         • General configuration, e.g. which routers exchange routing information
     • Current version has no notion of time

  12. Hierarchical Routing Scopes
     • Organize routing domains into hierarchical levels called scopes
     • Protocol in scope ‘i’ forwards packets via scope ‘i’ next-hop in that path
     • Scope ‘i’ routing uses scope ‘i+1’ path to reach scope ‘i’ next hop

  13. Routing Domains are Organized Hierarchically

  14. Validity Rules
     • Reachability
         • Route transports packets to intended destinations
     • Policy conformance
         • Conform to peering and transit agreements
     • Progress
         • Next-hop specified reduces total distance to the destination

  15. The Validity Rule

  16. Underlying IGP can result in forwarding loops
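
One way the interaction between scopes on slides 12 to 16 can break validity, as an added example (not code from the presentation or its authors). The four-router topology, the router names and the egress choices are constructed; the IGP is modelled as plain shortest-path BFS.

```python
from collections import deque

# Constructed four-router AS: E1 and E2 are egress routers, A and B are internal.
LINKS = {"E1": ["A"], "A": ["E1", "B"], "B": ["A", "E2"], "E2": ["B"]}

def igp_next_hop(src, dst, links=LINKS):
    """Scope i+1 (IGP): first hop on a shortest path from src to dst, or None."""
    parent, queue = {dst: None}, deque([dst])
    while queue:                      # BFS outward from dst; parent[x] points toward dst
        node = queue.popleft()
        for nbr in links[node]:
            if nbr not in parent:
                parent[nbr] = node
                queue.append(nbr)
    return parent.get(src)

def trace(src, egress_choice, links=LINKS):
    """Scope i (BGP): each router on the way forwards toward its *own* chosen egress."""
    path, node = [src], src
    while egress_choice[node] != node:   # an egress hands the packet to the next AS
        nxt = igp_next_hop(node, egress_choice[node], links)
        if nxt is None:
            return "blackhole", path     # route exists but no path: validity fails
        path.append(nxt)
        if path.count(nxt) > 1:
            return "loop", path          # no progress toward the destination
        node = nxt
    return "delivered", path

def validity_violations(egress_choice, links=LINKS):
    """Routers that hold a route for which forwarding does not reach an egress."""
    results = {r: trace(r, egress_choice, links) for r in egress_choice}
    return {r: res for r, res in results.items() if res[0] != "delivered"}

# Every router uses its nearest egress: scope-i and scope-(i+1) choices agree.
CONSISTENT = {"E1": "E1", "E2": "E2", "A": "E1", "B": "E2"}
# A and B each prefer the far egress, so each IGP path crosses the other router.
CROSSED = {"E1": "E1", "E2": "E2", "A": "E2", "B": "E1"}

if __name__ == "__main__":
    print(validity_violations(CONSISTENT))
    print(validity_violations(CROSSED))
```

Each router's route looks valid in isolation; the loop only appears when the scope ‘i’ choice of one router is combined with the scope ‘i+1’ path through another.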

  17. Information Flow Control
     • Consists of objects, flow policy, partial ordering of security levels
     • Policy defined in terms of partial ordering expressed as a lattice
     • Flow model specifies
         • Process causing information flow
         • How flow should be controlled between parties

  18. An example information flow lattice

  19. Information Objects
     • Policy
         • Peering and transit agreements
         • Router preferences
     • Reachability
         • Events affecting reachability
     • Topology
         • Internal network topology
         • Inter-AS connectivity

  20. Noninterference Rule
     • Objects at higher security levels should not be visible to objects at lower levels
     • Security level of message not higher than level of recipient

  21. BGP implementations can result in information flow policy violations
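
A check of the noninterference rule from slides 17 to 21, added here as an illustration (not code from the presentation or its authors). The diamond lattice, the mapping of BGP attributes to security levels and the sample UPDATE are assumptions made for the example.

```python
# Assumed lattice: public < peer < internal and public < customer < internal.
# "peer" and "customer" are incomparable, so this is a partial order, not a ranking.
COVERS = {"public": {"peer", "customer"}, "peer": {"internal"},
          "customer": {"internal"}, "internal": set()}

def leq(a, b):
    """True if level a is at or below level b in the lattice."""
    return a == b or any(leq(c, b) for c in COVERS[a])

def join(levels):
    """Least upper bound of a set of levels."""
    uppers = [u for u in COVERS if all(leq(l, u) for l in levels)]
    return next(u for u in uppers if all(leq(u, v) for v in uppers))

# Assumed classification of UPDATE attributes by the information object they reveal.
ATTR_LEVEL = {
    "prefix": "public",       # reachability
    "as_path": "public",      # topology: inter-AS connectivity
    "med": "peer",            # topology: derived from internal IGP cost
    "community": "internal",  # policy: tags encoding peering/transit agreements
}

def message_level(update):
    """A message is as sensitive as the join of everything it carries."""
    return join({ATTR_LEVEL[attr] for attr in update})

def noninterference_ok(update, recipient_level):
    """Slide 20: security level of message not higher than level of recipient."""
    return leq(message_level(update), recipient_level)

def sanitize(update, recipient_level):
    """Flow control: keep only attributes the recipient's level dominates."""
    return {a: v for a, v in update.items() if leq(ATTR_LEVEL[a], recipient_level)}

# Constructed UPDATE using documentation prefix and documentation AS numbers.
UPDATE = {"prefix": "192.0.2.0/24", "as_path": [64496, 64497],
          "med": 20, "community": "64496:100"}

if __name__ == "__main__":
    for level in ("customer", "peer", "internal"):
        print(level, noninterference_ok(UPDATE, level), sorted(sanitize(UPDATE, level)))
```

Because the levels are only partially ordered, a customer session is not cleared for the peer-level MED even though neither level is "below" the other.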

  22. Potential Applications
     • Static analysis of existing network configuration
     • Providing framework for design of high-level policy specification
     • Aid designers of new protocols

  23. Configuration Analysis
     • Tool verifies properties of legacy router configuration
     • Such tool under development
     • Used to check whether configuration satisfies specified information flow policy

  24. Configuration Synthesis
     • Get rid of low-level configuration languages
     • Remove complexity, frequent misconfiguration
     • Synthesize low-level configuration by translating high-level specification

  25. Protocol Design
     • Implement set of protocol abstractions
     • Relate to routing logic, determine satisfaction of properties
     • Less susceptible to violating wide-area routing properties

  26. Related Work
     • Inspired by use of BAN logic for authentication protocol analysis
     • Application of BAN logic to Taos operating system
     • Builds on BGP anomalies noted by various previous work

  27. Conclusions
     • Presented a routing logic
     • Proving properties about protocol aspects
     • Formally describe how fundamental properties of BGP lead to violations
     • Evaluate future proposed modifications to BGP
     • Help design new protocols

  28. From 10,000 feet …
     • Does not aim to fix all problems in BGP
     • Stresses the importance of formalizing the current approach to understanding things
     • Is a tool to analyze effects of modifications to implementations
     • Approach extendable to other complex protocols