the strategic justification for bgp hagay levin, michael schapira, aviv zohar
Post on 21-Dec-2015
216 views
TRANSCRIPT
The Strategic Justification for BGP
Hagay Levin, Michael Schapira, Aviv Zohar
On the agenda
• Introduction– BGP– Gao-Rexford– Dispute Wheels
• A game theory perspective on routing• Results:
– No perfect routing algorithms.– In reasonable economic settings, BGP is
incentive compatible in ex-post Nash.– BGP and colluding agents.
The Internet
• The Internet is composed of Autonomous Systems (ASes). Each AS is a network owned by an economic entity.
• ASes are interconnected.• There are many protocols that may be chosen
to handle routing inside ASes.• Only one protocol is used for inter-domain
routing: The Border Gateway Protocol (BGP)• We will think of each AS as a single node in
the network graph.
Next-Hop Routing in the Internet
• Done independently for each destination.
• Every packet carries with it the target address.
• Given a destination, a router along the way only selects the next-hop in the route.– This is all maintained in a large routing table– Can be implemented in Hardware
• The routing protocol needs to select this next hop.
BGP• Nodes in the network have preferences over
routes.– (We assume they have some valuation)
• Can only choose between routes they are offered by neighbors.
• Preferences are complex:– Microsoft don’t want to route through the
competition.– Google wants a minimal number of hops– The CIA never wants to route through Russia.
BGP
• BGP is a very simple algorithm:– A node considers the route offered by each of its
neighbors.– It selects the most attractive one as its next hop.– Then announces the new route to all its
neighbors.– The algorithm is initiated when the destination
announces its presence to its neighbors and ripples through the network.
Routes are selected based on knowledge of the entire path.
BGP
• BGP converges when:– All nodes know the current path of their neighbors– No one wants to change their next hop.
• BGP is asynchronous. – Messages can be delayed along some links.– Some nodes may be slower than others.
The Appeal of BGP
• Myopic decisions.
• Local actions.
• Very little to maintain for each destination (huge number of destinations in the net).
• Recovers from node and link failures.
• No knowledge assumptions about the net.
• Allows the nodes to make decisions based on the full path.– The exact policy is up to the node itself!
Problem
• BGP does not always converge.
• Sometimes there is more than one stable routing tree, sometimes there are none!
• May depend on the asynchronous timing.
• Example (Naughty Gadget):
1 2
d
12d > 1d 21d > 2d
Gao-Rexford
• Route oscillations are due to preference structure and network topology.
• These are not arbitrary:– The Internet is shaped by economic forces.– ASes sign routing contracts to decide who
provides connectivity to whom.
• Gao & Rexford Modeled the economic relationships between ASes.– Customers, Providers, and Peers.
The Gao-Rexford Constraints
Model only two types of connections:
• Customer to Provider
• Peer to Peer
2 1
4
5
3
The Gao-Rexford Constraints
1. No customer-provider cycles.– You cannot be your own
customer indirectly
2. Prefer to route through customers over peers over providers.
3. Provide transit services only to customers.
– Do not reveal to a provider/peer routes through other providers/peers.
Topology
Preferences
Strategy
2 1
4
5
3
The Gao-Rexford Constraints
• If all three Gao-Rexford constraints hold, BGP is guaranteed to converge, for any timing.
• Deleting edges and nodes maintains the constraints.
• Gao & Rexford were mostly interested in convergence. – How do we force nodes to play by the rules?
(Constraint 3)
Dispute Wheels
[Griffin, Shepherd & Wilfong]
• A condition on Topology + Preferences.
• A set of nodes ui and paths R,Q.
• ui prefersRiQi+1 Over Qi
Dispute Wheels
• A generalization of convergence conditions for BGP.
• No Dispute Wheels implies: – BGP converges for all timings.– A unique stable state.
• Griffin-Gao-Rexford later show that:The GR constraints imply no dispute wheel.
• Graphs with metric-like preferences also have no dispute wheels.
So far…
Gao-Rexford1+2+3
No Dispute Wheel Convergence
Metric Preferences
A Game-Theory Perspective
• Why should nodes follow the protocol?
• Routing is after all a game. Nodes can play strategically.
• The Game is:– Temporal (and maybe infinite)– Asynchronous (who plays when? Which
messages are delayed?)– With partial information
• Nodes only see their own neighbors.• Learn things during the run.
A Negative Result
• Fix a graph G• Fix a routing alg. A (the “best” alg. you have for G).• If for all preference expressed by nodes over paths
in G the algorithm A– assigns a the same routing tree deterministically
in any asynchronous timing, – is incentive compatible,– has at least 3 possible outcomes
Then A is dictatorial.
Meaning some node in G always gets its most preferred route.
5 4
36 2
17
d
Negative Result.
For example:
if node 1 is the
Dictator in this graph
It may choose any path it
wants to d,
Thereby forcing many others
along the way.
Remarks
• Alg. A may also be centralized.• The manipulation implied is easy – only lie
about your preferences.• Graph G and Deterministic alg. A together are
actually a social choice function.– From here, proof is by reduction from Gibbard
Satterthwaite.
• Conclusion: if we want non-manipulability, we can’t expect reasonable algorithms that always converge.
Another Negative result
• BGP ‘as is’ is not incentive compatible even in Gao-Rexford settings.
Honest Graph Manipulated Graph
The Manipulator
• The lie is possible because the manipulator invents an edge in the Graph.
• The manipulator has a very large bag of tricks.– can drop messages, – send inconsistent ones, – lie about routes, – etc.
Path Verification
• We can fix our counter example by adding path verification.
• A node will know if the routes it is promised are available to its neighbor.– Can be done with cryptographic signatures.
• Note: An available route might not be used in practice! – The manipulator can report one available path but
send packets along another.
+Path Verification
+Path Verification
Our Main Result
Gao-Rexford1+2+3
No Dispute Wheel
Convergence
Incentive Compatibility
The Right Solution Concept
• Dominant strategy would be best but is very rare.
• The regular Nash Eq. is an unreasonable eq.– You do not know the exact strategy of others, only
their general protocol (BGP)– Don’t know preferences of others.– Don’t know the network structure
• Ex-Post Nash much better:– Given the fact that everyone is using BGP, BGP is
the best response(for all preferences, net structures, timings etc.)
Proof Sketch.
• We take a graph that has no dispute wheel.
• It converges to some routing tree T.
• We will assume that BGP with route verification is not incentive compatible.
• Show a sequence of nodes that forms a dispute wheel, and thereby reach a contradiction.
• This is only a sketch! (I’m ignoring lots of messy details and subcases)
•Assume:
Manipulator m
Manages to benefit from manipulation
Mm >m Tm
• The path Mm could not be an available option in T.
– Otherwise m would choose it.
d
m
Tm
Mm
• There must exist a node ‘1’ along Mm that has M1≠T1
• We choose ‘1’ to be the lowest node on Mm with this property.
• All nodes below it route the same in both trees.
• Meaning M1 is an available option in T. This implies:
T1 >1 M1
• T1 cannot be an available option in M (or it would be chosen)
d
m
1Tm
Mm
M1
T1
• There must exist a node ‘2’ along T1 that has M2≠T2
• We choose ‘2’ to be the lowest node on T1 with this property.
• All nodes below it route the same in both trees.
• Meaning T2 is an available option in M. This implies:
M2 >2 T2
• M2 cannot be an available option in T (or it would be chosen)
d
m
1
2
Tm
Mm
M1
T1
T2
M2
• So there must exist nodes 4,5,6… that are chosen in the same manner.
• Eventually some node appears twice.
• (Let’s assume it’s the manipulator)
• We have a dispute Wheel!
d
m
1
2
3
4
k Tm
Mm
M1
T1
T2
M2
M3
T3
T4
Mk
Tk
• So where did we need route verification?
• Maybe the wheel has an odd number of nodes.
• The last node is above the manipulator on an M path.
• It may believe in a false path.
• Still,
Mm >m Tm >m Lm
d
m
1
2
3
4
k Tm
Mm
M1
T1
T2
M2
M3
T3
T4
Tk
Mk
Lm
A stronger result
• With a slightly stronger route verification assumption (That is not possible to implement with digital signatures) and in graphs with no dispute wheel, BGP is collusion proof in ex-post Nash.
• Against any size of a defecting coalition.
Clusters of manipulator nodes are the reason we need the stronger assumption here.
Final Result
• The 3rd Gao Rexford constraint speaks about the strategy of each node
(Do not advertise a peer/provider to some other peer/provider)
• Modify the strategy to ignore routes to
• BGP` + gao rexford 1,2 is also converging, and incentive compatible.
• We replace the 3rd constraint with the rationality assumption and equilibrium.
Conclusion
• A very small modification of BGP makes it incentive compatible in ex-post Nash to all kinds of manipulations.
• In fact, even without the modification, it is very hard to manipulate – You have to fool TCP/IP, traceroute, have lots of
knowledge on the graph and prefernces.
• Manipulation by a coalition also requires Herculean efforts, and amazing coordination.
Open Questions
• Convergence -> Incentive compatibility?
• Better Conditions for BGP convergence?
• Network Formation Theory to explain structure?
Thank You!