theoretical bounds on control plane monitoring in routing protocols dan rubenstein joint work with...

Post on 21-Dec-2015


Theoretical Bounds on Control Plane Monitoring in Routing Protocols

Dan Rubenstein

Joint work with Raj Kumar, Vishal Misra

Routing Protocols with Misconfigurations

• Routing Protocols in “friendly” environments are well understood, e.g.,

– Link State: global knowledge, centralized approach

– Distance Vector (a.k.a. Bellman-Ford): known to converge (quickly), adapt to changes, etc.

– BGP (Path-Vector): some problems in converging when routes change, significant literature evaluating/understanding

• Critical Assumption for correctness: Nodes follow the proper protocol procedure

• Q: What happens when nodes don’t follow the protocol like they’re supposed to?

History Shows: Misbehaving nodes can be a big problem

• The infamous BGP AS 7007 Incident (& Pakistan YouTube):

• Consider routes to node 8765 (all edges length 1)

[Figure: network of ASes 7007, 5165, 4345, 7074, 6957, 2134 and 8765]

AS #    7007’s Distance
2134    2
4345    1
5165    3
6957    2
7074    1
…       …
8765    8

Traffic goes where it is supposed to

Nodes don’t always “behave”

• The infamous BGP AS 7007 Incident:

[Figure: network of ASes 7007, 5165, 4345, 7074, 6957, 2134 and 8765]

AS #    7007’s Distance
2134    1
4345    1
5165    1
6957    1
7074    1
…       …
8765    1

Traffic enters “black hole”

The Future of Distributed Routing Protocols

• Controlled environments (e.g., Intra-domain Internet) have moved away from distributed routing protocols toward “link-state”

• But other future networks are expected to rely on distributed routing solutions:

– Ad hoc networks

– Sensor networks

– DTNs

– Mesh networks

• Our formal approach: start by understanding the self-monitoring capabilities of well-known distributed routing protocols

A Theory to detect “Bad” Nodes

• Rules:

– “Bad” nodes misinform, “Good” nodes can attempt to detect the bad nodes

– “Good” nodes are limited to information provided by the routing protocol

• Want to exchange additional info, modify the protocol

• Challenge: When can a good node determine something isn’t right?

Can I tell if my neighbors are giving me the correct information?

A Node’s Info: Its State

• A node’s state is its (only) view of the network

– e.g., Distance-Vector (a.k.a. Bellman-Ford)

Dest/Neighbor   A    B    E
A               0    1    12
B               1    0    7
C               7    13   8
D               5    9    6
E               9    6    0
F               12   15   13
G               4    9    2

[Figure: network with nodes A, B, C, D, E, F and G]

Note our convention: (I,J) in state table reports node I’s distance to J (not local node’s distance to J through I)

Detection

• Assume: Routes have stabilized (routing protocol inactive)

• Q: For routing protocol P, given a good node’s state, what misconfigurations can it detect/observe within the network?

• Note: A node can’t always detect a problem

An undetectable misconfig at node N:

[Figure: chain N – X – Y with edge lengths 1 and 1, annotated D(X,Y) = 3; chain N – X – Y with edge lengths 1 and 3]

Prior Work

• Some work verifying the data plane:

– [MCMS’05]: addresses subversion of forwarding process (routers don’t forward packets as specified in control plane)

• Some work modifying protocols to explicitly facilitate detection of misbehaving nodes:

– [SRKSS’04]: Listen & Whisper

– [HPS’05]: Secure BGP

• [LSP’82]: Byzantine Generals’ Problem: determine who in a group is lying

Prior Work: “Weak” Detection

• Process for constructing a weak detection method:

– Find a property that a node’s state should exhibit

– Check the property in a node’s state

– Declare misconfiguration in network if property is violated

• A detection method is “Weak” if it fails to identify a misconfiguration that is detectable using another method (on same state)

A Weak Detection Method: Symmetry

• In an undirected graph, D(X,Y) = D(Y,X)

– Here, D(A,B) = 1

– But D(B,A) = 4

• Using Symmetry, found a misconfiguration

• So why is Symmetry weak?

Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    6
E               9    6    4
F               12   15   13
G               4    9    2

Another Weak Detection Method: Triangle Inequality [DMZ’03]

• Triangle inequality should hold:

D(X,Z) ≤ D(X,Y) + D(Y,Z)

• Violated here:

– D(B,E) = 3

– D(B,A) = 1

– D(A,E) = 1

– D(B,E) > D(B,A) + D(A,E)

• Note: symmetry property not violated

Dest/Neighbor   A    B    E
A               0    1    1
B               1    0    3
C               12   13   8
D               5    9    6
E               1    3    0

• Example shows why detection via symmetry is weak: failed to identify a detectable misconfiguration

• So why is triangle inequality weak?

Weakness of Triangle Inequality

• Suppose graph edge lengths are all 1

• No violation of symmetry or triangle inequality

Dest/Neighbor   A    B
A               0    2
B               2    0
C               3    1
D               3    3

[Figure: attempted placement of nodes A, B, C and D]

C is distance 1 from B

D is distance 3 from both A & B: nowhere to put connecting edge

A and B are our neighbors

Where to place edges?

“Strong” Detection

• A detection method is “strong” if it always detects detectable misconfigurations

• More formally, let

– $\mu$ be a method to detect misconfigurations

– $C = \{N\}$ be the set of valid networks (what the network might look like)

– $N_R$ be the actual network (note $N_R \in C$)

– $s_n(N)$ be the state of node $n$ when the routing protocol is executed correctly (and stabilized) within a network $N \in C$

– $s'_n(N_R)$ be the state actually computed at node $n$ (possibly with misconfigurations) in network $N_R$

• Node $n$ knows $s'_n(N_R)$, $C$, and given $N \in C$, can compute $s_n(N)$

• Node $n$ does not know $N_R$ or $s_n(N_R)$

• $\mu$ is a strong detection method if one of the following holds whenever $s'_n(N_R) \neq s_n(N_R)$ ($n$’s state affected by misconfiguration):

– Detected: $\mu$ detects that $s_n(N_R) \neq s'_n(N_R)$

– Undetectable: No method $\mu'$ exists that can detect $s_n(N_R) \neq s'_n(N_R)$

A High-Complexity Strong Detection Algorithm

• Input:

– State $s'_n(N_R)$ of node $n$ for the “real” but unknown network $N_R$

– Description of set of allowable networks, $C = \{N\}$

• Algorithm: For each $N \in C$

– Compute $s_n(N)$ ($n$ simulates protocol on $N$)

– If $s_n(N) = s'_n(N_R)$ then return MISCONFIG UNDETECTABLE ($N$ might be the valid network)

• If no $N \in C$ matches, then MISCONFIG DETECTED

Algorithm Complexity is ~C, often huge or infinite!

Low-Complexity Strong-Detection

• Q: Can Strong Detection be achieved with low complexity?

• A: Sometimes: we show how to do it for Bellman-Ford (a.k.a. Distance Vector) and variants of Path Vector (simplified BGP)

Strong Detection for D.V.

• Input at node n:

– $s'_n(N_R)$: a single node’s (steady state) state table that reports each neighbor’s (supposed) distance to all nodes

– Set $C$ of all allowable networks

• defined by $\{A_{xy}\}$: $A_{xy}$ is the set of allowable lengths of edges between node $x$ and $y$

• $A_{xy}$ can be any union of intervals that are closed from below

• e.g., $A_{xy} = [0,3) \cup [4,4] \cup [7,100]$

• Other more common examples:

– Axy = [0,]

– Axy = [1] U []

State table $s'_n(N_R)$:

Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    12
E               9    6    4
F               12   15   13
G               4    9    2

Strong Detection in D.V. at a node, n

• Take node $n$’s state, $s'_n(N_R)$

• Use this state to build the canonical graph, $G \in C$

• Simulate D.V. on $G$ to generate simulated state $s_n(G)$

• We will prove:

– If $s_n(G) \neq s'_n(N_R)$, then misconfiguration detected

– Else, either there is no misconfiguration, or it is undetectable (using node $n$’s state) because $G$ might be the actual network

State table $s'_n(N_R)$:

Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    12
E               9    6    4
F               12   15   13
G               4    9    2

State table $s_n(G)$:

Dest/Neighbor   A    B    E
A               0    1    12
B               4    0    7
C               12   13   8
D               5    9    12
E               9    6    4
F               12   15   13
G               4    9    2

[Figure: two network drawings over nodes n, A, B, C, D, E, F and G, one labelled G]

Creating the Canonical Graph, G for an undirected network

• For each pair of nodes (x,y):

– Create edge $(x,y)$ with length $e_{xy}$ = smallest value in $A_{xy}$ that is $\ge \max_{m \in V(n)} |d(m,x) - d(m,y)|$

– $e_{xy} = \infty$ if all values in $A_{xy}$ too small

• Consider state table on left

– $e_{CD} \ge \max(|12-5|, |13-9|, |8-12|) = 7$

– If $A_{CD} = [1,1] \cup [4,6] \cup [8,10]$, then $e_{CD} = 8$

Dest/Neighbor   A    B    E
A               0    2    12
B               2    0    7
C               12   13   8
D               5    9    12
E               9    6    4
F               12   15   13
G               4    9    2

Proving Strongness of the Canonical Graph Method

• $N$: a network for which $s_n(N) = s'_n(N_R)$, when such a network $N$ exists

• $G$: the canonical graph constructed by $n$ from $s'_n(N_R)$

• $f_{xy}$: length of edge $(x,y)$ in $N$ (when the edge exists)

• $e_{xy}$: length of edge $(x,y)$ in $G$ (edges always exist)

• $d_H(x,y)$: shortest path distance from $x$ to $y$ in a network $H$

• Assume: all edges have positive length (easy to extend when edges can also have length 0)

• High Level Sketch of Proof:

– If $N$ exists where $s_n(N) = s'_n(N_R)$, then $s_n(G) = s_n(N) = s'_n(N_R)$

– If $N$ does not exist, then $s_n(G) \neq s'_n(N_R)$

Bounds on $e_{xy}$

• Lemma 1: If $s_n(N) = s'_n(N_R)$ for some $N \in C$ and edge $(x,y)$ exists in $N$ with length $f_{xy}$, then $e_{xy} \le f_{xy}$ (Canonical Graph Edges Never Longer)

• Proof: In $N$, $x$ & $y$’s distances to any neighbor $v$ must differ by at most $f_{xy}$, i.e.: for each neighbor $v$, $|d_N(v,y) - d_N(v,x)| \le f_{xy}$

• Hence $\max_{m \in V(n)} |d(m,x) - d(m,y)| \le f_{xy}$

• Recall $e_{xy}$ = smallest value in $A_{xy}$ that is $\ge \max_{m \in V(n)} |d(m,x) - d(m,y)|$

• Since $N \in C$, we have $f_{xy} \in A_{xy}$ and so $e_{xy} \le f_{xy}$

[Figure: nodes n, v, x and y, with edge (x,y) of length $f_{xy}$]

Shortest Path P from v to x in N

• Lemma 2: If $s_n(N) = s'_n(N_R)$ for some $N \in C$, then $d_N(v,x) \ge d_G(v,x)$ for all neighbors $v$ and all nodes $x$ (Canonical Graph Shortest Paths are never longer)

• Proof:

• Choose any neighbor $v$ to any node $x$, and choose any shortest path $P$ from $v$ to $x$ in $N$

• By Lemma 1, each edge $(a,b) \in N$ satisfies $e_{ab} \le f_{ab}$

• The path $P$ through the same set of nodes can’t be longer in $G$ than in $N$

• So there is a shortest path in $G$ from $v$ to $x$ no longer than the path in $N$

[Figure: nodes n, v and x]

Path P from v to x in G

• Lemma 3: If $s_n(N) = s'_n(N_R)$ for some $N \in C$, then $d_G(v,x) \ge d_N(v,x)$ for all neighbors $v$ and all nodes $x$ (Canonical Graph Paths never shorter)

• Proof: by contradiction. Select $x$ with smallest $d_G(v,x)$ where $d_G(v,x) < d_N(v,x)$

• Let $y$ be the node preceding $x$ on a shortest path from $v$ to $x$ in $G$ where edge $e_{xy}$ connects $y$ to $x$ on this path

• hence $d_G(v,y) < d_G(v,x)$ and $e_{xy} = d_G(v,x) - d_G(v,y)$ (equality because $e_{xy}$ is on $x$’s shortest path through $y$)

• $d_G(v,y) < d_G(v,x)$, hence $y$ not blue $\Rightarrow d_G(v,y) \ge d_N(v,y)$

• Hence $e_{xy} = d_G(v,x) - d_G(v,y) < d_N(v,x) - d_N(v,y) = |d_N(v,x) - d_N(v,y)|$

[Figure: nodes n, v, y and x placed by distance from v in G, with edge $e_{xy}$ joining y to x; blue nodes $t$ satisfy $d_G(v,t) < d_N(v,t)$]

x, y in N:

But $e_{xy}$ constructed $= \max_m |d_N(m,x) - d_N(m,y)|$, and $\max_m |d_N(m,x) - d_N(m,y)| \ge |d_N(v,x) - d_N(v,y)|$ !!

$e_{xy} < |d_N(v,x) - d_N(v,y)|$ contradicts $e_{xy} \ge |d_N(v,x) - d_N(v,y)|$

The Main Result

• Some $N \in C$ produces state $s_n(N) = s'_n(N_R)$ $\Leftrightarrow$ $s_n(G) = s'_n(N_R)$

• Proof:

Follows from Lemma 2 ($d_G(v,x) \le d_N(v,x)$) and Lemma 3 ($d_G(v,x) \ge d_N(v,x)$)

If no $N \in C$ produces state $s'_n(N_R)$, since $G \in C$, $G$ cannot produce state $= s'_n(N_R)$

• In other words, only need to check if $s_n(G) = s'_n(N_R)$

• Complexity: $O(|V|^3)$

– Construct the canonical graph, G

– Simulate Bellman-Ford

– Compare State Tables
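The three steps above, written out as an added Python example (not code from the slides or the Sigmetrics’07 paper), next to the symmetry and triangle-inequality checks from the earlier slides. It assumes every $A_{xy}$ is a union of closed intervals and adds a row for the monitor n itself (each neighbor's distance to n, taken as 1); all function names and the sample table are constructed.

```python
import math
from itertools import combinations

def smallest_allowed(intervals, t):
    """Smallest value >= t in a union of closed intervals (inf if none)."""
    return min((max(lo, t) for lo, hi in intervals if hi >= t), default=math.inf)

def canonical_graph(state, allowed):
    """state[v][x] is neighbor v's reported distance to x; returns e[x][y]."""
    nodes = sorted(next(iter(state.values())))
    e = {x: {y: 0 if x == y else math.inf for y in nodes} for x in nodes}
    for x, y in combinations(nodes, 2):
        gap = max(abs(d[x] - d[y]) for d in state.values())
        e[x][y] = e[y][x] = smallest_allowed(allowed(x, y), gap)
    return e

def shortest_paths(e):
    """Floyd-Warshall: the distances a stabilized distance vector run reaches."""
    d = {x: dict(row) for x, row in e.items()}
    for k in d:
        for i in d:
            for j in d:
                d[i][j] = min(d[i][j], d[i][k] + d[k][j])
    return d

def strong_detect(state, allowed):
    """Entries (neighbor, dest, reported, simulated) where s_n(G) != s'_n(N_R)."""
    d = shortest_paths(canonical_graph(state, allowed))
    return [(v, x, rep, d[v][x]) for v, row in state.items()
            for x, rep in row.items() if rep != d[v][x]]

def symmetry_ok(state):      # weak check: D(X,Y) = D(Y,X) between neighbors
    return all(state[v][w] == state[w][v] for v in state for w in state)

def triangle_ok(state):      # weak check: D(X,Z) <= D(X,Y) + D(Y,Z)
    return all(state[v][x] <= state[v][w] + state[w][x]
               for v in state for w in state for x in state[v])

def unit_edges(x, y):        # assumed A_xy: an edge has length 1 or is absent
    return [(1, 1)]

# Constructed input: the "Weakness of Triangle Inequality" table, plus an
# assumed row "n" (each neighbor's distance to the monitor is its link, 1).
LIE = {"A": {"n": 1, "A": 0, "B": 2, "C": 3, "D": 3},
       "B": {"n": 1, "A": 2, "B": 0, "C": 1, "D": 3}}

if __name__ == "__main__":
    print(symmetry_ok(LIE), triangle_ok(LIE))   # both weak checks pass
    print(strong_detect(LIE, unit_edges))       # D is unreachable in G
```

An empty list from `strong_detect` means the state is either correct or the misconfiguration is undetectable from this node's table.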

Simulation Results

Simulation 1

• How big does an error have to be before it is detected?

• Define Detection Threshold: max % change liar can make in distance report w/o getting caught.

• As function of monitor-liar distance for single and multiple errors

• Used topologies generated via BRITE

[Figure: Distance Vector Detectability. x-axis: Distance from Monitor to Liar (hops), 0 to 120; y-axis: Detection Threshold (% change), -100 to 100; series: Understatement to Single Node, Overstatement to Single Node, Understatement to All Nodes, Overstatement to All Nodes]

Detection is clearly function of distance

[Figure: monitor, liar and lied-about nodes, with labels a, b, x and D(a,b) = y]

Simulation Results cont’d

[Figure: Distance Vector Detection Sensitivity. x-axis: Distance from Monitor to Liar (% max distance), 0 to 120; y-axis: Detection Threshold (% change), -100 to 100; series: Monitor-Liar, Liar-Lied About and Monitor-Lied About, each for understatement and overstatement]

Simulation 2

• How do distances affect detection?

– Monitor-Liar

– Liar–Lied About

– Monitor–Lied About

Monitor-Liar distance most correlated with detection

[Figure: monitor, liar and lied-about nodes, with labels a, b, x and D(a,b) = y]

Path Vector Protocols (e.g., BGP)

• Node state contains information about entire path to destination.

We consider 2 variants:

– V1: Each hop + link weight per hop given

– V2: Each hop + total path length given

• Strong Detection Result:

– V1: trivial to either find conflict, else state itself is feasible construction

– V2: State can be viewed as linear program:

• Path $P_i$ formed by edges $(x_{i1}, x_{i2}, \ldots, x_{ik})$ has length $y_i$

• Equation in linear program: $x_{i1} + x_{i2} + \cdots + x_{ik} = y_i$

• Strong Detection approach: determine existence of solution to linear program

– Solution exists $\Rightarrow$ cannot detect

– No solution exists $\Rightarrow$ misconfiguration
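An added example, not from the slides: the V2 test as a phase-I simplex over exact fractions, deciding whether the path equations have a solution. It assumes link lengths only need to be non-negative; the function name, the link labels and both sample states are constructed.

```python
from fractions import Fraction

def path_state_feasible(paths):
    """paths: [(links_on_path, reported_total)]. True if some assignment of
    non-negative link lengths makes every path sum to its reported total."""
    links = sorted({l for hops, _ in paths for l in hops})
    n, m = len(links), len(paths)
    T = []                                    # phase-I simplex tableau
    for i, (hops, total) in enumerate(paths):
        if total < 0:
            return False
        row = [Fraction(0)] * (n + m + 1)
        for l in hops:
            row[links.index(l)] += 1          # coefficient of link l in path i
        row[n + i] = Fraction(1)              # artificial variable of row i
        row[-1] = Fraction(total)
        T.append(row)
    basis = [n + i for i in range(m)]
    while True:
        art = [i for i in range(m) if basis[i] >= n]
        # Bland's rule: first link column that lowers the sum of artificials
        enter = next((j for j in range(n)
                      if sum(T[i][j] for i in art) > 0), None)
        if enter is None:                     # optimum reached
            return all(T[i][-1] == 0 for i in art)
        rows = [i for i in range(m) if T[i][enter] > 0]
        leave = min(rows, key=lambda i: (T[i][-1] / T[i][enter], basis[i]))
        piv = T[leave][enter]
        T[leave] = [v / piv for v in T[leave]]
        for i in range(m):
            if i != leave and T[i][enter] != 0:
                f = T[i][enter]
                T[i] = [a - f * b for a, b in zip(T[i], T[leave])]
        basis[leave] = enter

# Constructed V2 states for a monitor n: (links on the path, total length).
CONSISTENT = [(["n-A"], 1), (["n-A", "A-B"], 3), (["n-A", "A-B", "B-C"], 5)]
SHRINKING = [(["n-A"], 4), (["n-A", "A-B"], 3)]   # longer path, shorter total

if __name__ == "__main__":
    print(path_state_feasible(CONSISTENT))   # solution exists: cannot detect
    print(path_state_feasible(SHRINKING))    # no solution: misconfiguration
```

`SHRINKING` satisfies the equalities only with a negative length for link A-B, so a check that ignored the sign constraint would accept it.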

Extensions / Future Directions

• Same idea works for:

– Directed graphs

– Using state info from a set of trusted nodes

• Future Directions:

– Identifying the offending node (not just its existence)

– Performing Strong Detection for other routing protocols (Ad-hoc network, geographical positioning)

• See our paper in Sigmetrics’07
