interdomain routing and games michael schapira joint work with hagay levin and aviv zohar...
Post on 20-Jan-2016
215 Views
Preview:
TRANSCRIPT
Interdomain Routing and Games
Michael Schapira
Joint work with Hagay Levin
and Aviv Zohar
האוניברסיטה העברית בירושליםהאוניברסיטה העברית בירושליםThe Hebrew University of JerusalemThe Hebrew University of Jerusalem
The Agenda
• An introduction to interdomain routing (a networking approach).
• A Distributed Algorithmic Mechanism Design (DAMD) perspective (an economic approach).
• Our Results:– A formulation of interdomain routing as a game.– Realistic settings in which BGP is immune to rational
manipulations.– …
An Introduction to An Introduction to Interdomain RoutingInterdomain Routing
(A Networking Approach)(A Networking Approach)
Interdomain Routing
Establish routes between Autonomous Systems (ASes).
Currently done only by the Border Gateway Protocol (BGP).
AT&T
Qwest
Comcast
UUNET
Why is Interdomain Routing Hard?
• Route choices are based on local policies.
• Expressiveness: Policies are complex.
• Autonomy: Policies are uncoordinated
AT&T
Qwest
Comcast
UUNET
My link to UUNET is forbackup purposes only.
Load-balance myoutgoing traffic.
Always chooseshortest paths.
Avoid routes through AT&T ifat all possible.
Interdomain Routing
• Routes to every destination AS are computed independently.
• There is an AS graph G=<N,L>. – N consists of n source nodes 1,…,n and
a destination node d.
– L represents physical links between ASes.
Interdomain Routing
receive routes from neighbours
choose“best”
neighbour
send updatesto neighbours
• Every source-node i is defined by a valuation function vi that assigns a non-negative value to each (simple) route from i to d.
• The computation performed by a single node is an infinite sequence of stages:
Interdomain Routing
• The route assignment reached by BGP forms a confluent routing tree rooted in d.– Routes are consistent (route choices depend
on neighbours’ choices).– Routes are loop-free (nodes announce full
routes).
• The final route assignment is stable.– Every node prefers its assigned route over
any other available route.
Example of Stability
1 2
d
Prefer routes
through 2
Prefer routes through 1
2, I’m available
1, my routeis 2d
1, I’m available
Assumptions on the Network
• The network is asynchronous.– Nodes can be activated in different timings.
– Update messages can be arbitrarily delayed along selective links.
• Network malfunctions are possible.– Link and node failures.
BGPPros:
• Nodes need have no a-priori knowledge about the network topology or about other nodes.
• The protocol is adaptive to changes in network topology (link and node failures).
• ….
Cons:
• The lack of global coordination might result in persistent route oscillations (protocol divergence).
Example of Instability: Oscillation
1 2
d
BGP might oscillateforever between
1d, 2dand
12d, 21d
Prefer routes
through 2
Prefer routes through 1
1, 2, I’m thedestination
1, my routeis 2d
2, my routeis 1d
The Hardness of Stability
• Theorem: Determining whether a ``stable solution’’ exists is NP-Hard. [Griffin-Wilfong]
• Theorem: Determining whether a ``stable solution’’ exists requires exponential communication between the source-nodes.– Independent of the P-NP assumption.– Communication complexity is linear in the “size” of the local preferences
of nodes.
• Networking researchers seek constraints that guarantee BGP stability (for any timing, even in the presence of network malfunctions). [Balakrishnan, Feamster, Gao, Griffin, Jaggard, Johari, Ramachandran, Rexford, Shepherd, Sobrinho, Wilfong, …]
• A realistic and well known set of such constraints are the Gao-Rexford constraints.– The Internet is formed by economic forces.– ASes sign long-term contracts that determine who
provides connectivity to whom.
Guaranteeing Robust Convergence
Gao-Rexford FrameworkNeighboring pairs of ASes have one of:
– a customer-provider relationship(One node is purchasing connectivity fromthe other node.)
– a peering relationship(Nodes have offered to carry each other’stransit traffic, often to shortcut a longer route.)
peerproviders
customers
peer
Dispute Wheels
• If BGP oscillates, the valuation functions and the topology of the network induce a structure called a Dispute Wheel. [Griffin-Shepherd-Wilfong]
• The absence of a Dispute Wheel ensures robust BGP convergence.
• The Gao-Rexford constraints are a special case of “No Dispute Wheel”. [Gao-Griffin-Rexford]
Dispute Wheels
• A Dispute Wheel: – A sequence of nodes ui and routes Ri, Qi.
– ui prefers RiQi+1 over Qi.
Example of a Dispute Wheel
1 2
d
Prefer routes
through 2
Prefer routes through 1
2
1
d
A DAMD PerspectiveA DAMD Perspective
(An Economic Approach)(An Economic Approach)
Do Nodes Always Adhere to the Protocol?
• BGP was designed to guarantee connectivity between trusted and obedient parties.
• The commercial Internet: ASes are owned by economic and often competing entities.– Might deviate from BGP if it suits their interests.
Two Research Agendas
• Security research – Malicious nodes.
– Cyptographic modifications of BGP (S-BGP)
• Distributed Algorithmic Mechanism Design [Feigenbaum-Papadimitriou-Shenker]
– Rational nodes.– Seeks realistic conditions for which BGP is
incentive-compatible. [Feigenbaum-Papadimitriou-Sami-Shenker]
Our ResultsOur Results
Our Main Results• A novel game-theoretic model of interdomain
routing.
• A surprising connection between the two research agendas (security and DAMD).
• Theorem: (bad news): BGP is not incentive-compatible even if No Dispute Wheel holds.
• Theorem: (good news): Cryptographic modifications of BGP (e.g., S-BGP) are incentive-compatible if No Dispute Wheel holds (no monetary transfers).
Interdomain RoutingInterdomain RoutingGamesGames
A Static Game
• The source-nodes are the strategic agents (their valuation functions define their types).
• Each source-node chooses an outgoing edge.– Choices are simultaneous.
• A node’s payoff is:– vi(R) if the route R from i to d is induced by the
nodes’ choices.– 0 otherwise.
A Static Game
• A pure Nash equilibrium is a set of nodes’ choices from which no node wishes to unilaterally deviate.
• Pure Nash equilibria = stable routing outcomes
1 2
d
Prefer routes
through 2
Prefer routes
through 1
The Convergence Game
• The game consists of an infinite number of rounds.
• A node that is activated in a certain round can perform the following actions:– Read update messages announcing routes.
– Send update messages announcing routes.
– Choose a neighbouring node to forward traffic to.
The Convergence Game
• There exists an adversarial entity called the scheduler that is in charge of: – Deciding which nodes are activated in each round.– Delaying update messages along selective links.– Removing links and nodes from the AS graph.
• Informally, a node’s strategy is its choice of a routing protocol.– Executing BGP is a strategy.
The Convergence Game
• A route is said to be stable if from some round onwards every node on the route forwards traffic to the next-hop node on that route.
• The payoff of node i from the game is:– vi(R) if there is a route R from i to d which is
stable.
– 0 otherwise.
BGP and Incentives
• A node is said to deviate from BGP (or to manipulate BGP) if it does not follow BGP.
• What forms of manipulation are available to nodes?– Misreporting preferences.– Reporting inconsistent information.– Announcing nonexistent routes. – Denying routes.– …
BGP and Incentives
Two possible incentive-related requirements from BGP:
• Incentive-compatibility: No unilateral deviation from BGP by an AS can strictly improve the routing outcome of that AS.
• Collusion-proofness: No deviation from BGP by coalitions of ASes of any size can strictly improve the routing outcome of even a single AS in the coalition without strictly harming another [Feigenbaum-S-
Shenker].
About the Convergence Game
• The game is complex.– Multi-round.– Asynchronous.– Partial-information
• No monetary transfers!– Very rare in mechanism design.– Unlike most works on incentive-compatibility and
interdomain routing– More realistic.
Known Results
. . .
. . . .
d
k i
IFvk(R1) > vk(R2)
R2
R1
THENvi((i,k)R1) > vi((i,k)R2)
Valuations are policy consistentiff, for all routes R1 and R2
(analogous toisotonicity [Sob.03])
Known results
• Policy consistency is known to hold for interesting special cases:– Shortest-path routing.– Next-hop policies.
• Theorem: If No Dispute Wheel and Policy Consistency hold, then BGP is incentive-compatible, and even collusion-proof. [Feigenbaum-Ramachandran-S, Feigenbaum-S-Shenker]
Known results
• A Problem: Policy Consistency is unrealistic.– Too strong.
• Can it be removed?
Realistic Settings in which Realistic Settings in which BGP is Incentive-Compatible BGP is Incentive-Compatible
and Collusion-Proofand Collusion-Proof
Is BGP Incentive-Compatible?
• Theorem: BGP is not incentive compatible even in Gao-Rexford settings.
m 1
2
d
m1dm12d
2md2d
12d1d
with manipulation
m 1
2
d
m1dm12d
2md2d
12d1d
without manipulation
• We define the following property:
–Route verification means that an AS can verify that a route announced by a neighbouring AS is available.
• Route verification can be achieved via security tools (S-BGP etc.).–Not an assumption on the nodes!
Can we fix this?
• Many forms of manipulation are still available:– Misreporting preferences over available
routes.– Reporting inconsistent information.– Denying routes.– …
Does this solve the problem?
• Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is incentive-compatible.
• Theorem: If the “No Dispute Wheel” condition holds, then BGP with strong route verification is collusion-proof.
Our Main Results
Dispute Wheels – A Reminder
• A Dispute Wheel: – A sequence of nodes ui and routes Ri, Qi.
– ui prefers RiQi+1 over Qi.
The Gao-Rexford constraintsare a special case of
the “No Dispute Wheel”condition.
• Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is incentive-compatible.
• Proof (sketch): – By contradiction. – Assume that the “No Dispute Wheel”
condition holds, and that BGP is not incentive-compatible.
– We present sequences of nodes and routes that form a dispute wheel.
BGP with Route Verification
Proof Sketch
d
s
Ts
Ms
• Let s be the manipulator.
• Let T be the routing tree reached if all nodes follow the protocol.
• Let M be the the routing tree reached after s rationally manipulates BGP.
• vs(Ms) > vs(Ts)
Proof Sketch
d
s
1Ts
Ms
M1
T1
• There must exist a node i on Ms such that Mi≠Ti
• Let 1 be the node closest to d on Ms with this property.
• For each node i that is closer to d on Ms it holds that Mi=Ti.
• This implies: v1(T1) > v1(M1)
Proof Sketch
d
s
1
2
Ts
Ms
M1
T1
T2
M2
• Similarly, Let 2 be the node i closest to d on T1 such that Mi≠Ti.
• This implies: v2(M2) > v2(T2)
Proof Sketch
d
s
1
2
3
4
Ts
Ms
M1
T1
T2
M2
M3
T3
T4
k
Mk
Tk
• We choose 3,4,5,… in asimilar manner.
• Eventually some nodewill appear twice (assume that this nodeis s).
• We have a dispute wheel!
• Why do we need route verification?
• The manipulator can lie about its route.
• For instance, k might believe that s’s route in M is Ls.
• Still,
vs(Ms) > vs(Ts) > vs(Ls)
d
s
1
2
3
4
k Ts
Ms
M1
T1
T2
M2
M3
T3
T4
Tk
Mk
Ls
Proof Sketch
• Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is collusion-proof.
• A Problem: Is route verification achievable even in the presence many manipulators?
BGP with Route Verification
• Corollary: If No Dispute Wheel holds, then BGP is Pareto optimal.
• Pareto optimality means that BGP’s outcome is such that there is no other outcome that is:– Strictly preferred by one node.
– Weakly preferred by all other nodes.
BGP is Socially Just
• The total social welfare of a routing outcome is the sum of values nodes assign to their routes = ∑i vi(Pi).
• No Dispute Wheel and Policy Consistency guarantee BGP convergence to a social-welfare maximizing solution. [Feigenbaum-Ramachandran-S]
What About Social-Welfare?
Approximating Social Welfare
• Theorem: Obtaining an approximation to the optimal social welfare is impossible unless P=NP, even in Gao-Rexford settings.(Improvement on a bound achieved by [Feigenbaum,Sami,Shenker])
• Theorem: Exponential communication is required in order to achieve an approximation of to the social welfare.
2/1nO
1nO
Conclusions
• The main results:– Bad news: BGP is not incentive-compatible
even if No Dispute Wheel holds.
– Good news: A modification of BGP (route verification) is incentive-compatible.
• Helps explain BGP’s relative resilience to manipulations in practice.
Conclusions
• Our results should motivate research on guaranteeing route verification in the Internet.
• Where’s the justice?– Bad news: Social-welfare optimization
might be hopeless.
– Good news: BGP is Pareto optimal.
Follow Up Works
• “Best-reply mechanisms” (with Noam Nisan and Aviv Zohar)– Extensions to more general game-theoretic
settings.
• Work in progress (with Rahul Sami and Aviv Zohar)– More on BGP convergence and selfishness.
• Characterizing robust BGP convergence (“No dispute wheel” is sufficient but not necessary).
• Does robust BGP convergence with route verification imply incentive compatibility?
• Can network formation games help explain the Internet’s commercial structure?
Open Questions
• Generalize the model to allow other forms of “attacks” [Butler-Farley-McDaniel-Rexford]
Open Questions
Thank YouThank You
top related