foundations of inter-domain routing ph.d. dissertation defense vijay ramachandran dissertation...
TRANSCRIPT
Foundations ofInter-Domain RoutingPh.D. Dissertation DefenseVijay RamachandranDissertation Director: Joan Feigenbaum
Committee Members: Jim Aspnes, Paul Hudak,Tim Griffin (University of Cambridge)
V. Ramachandran — Ph.D. Dissertation Defense 2April 20, 2005
Overview This dissertation develops a theoretical
framework for the design and analysis of path-vector protocols primarily used for Internet inter-domain routing.
The framework can be used to understand the interactions of local routing policies and their effects on protocol behavior.
It can also be used to understand the design space of path-vector protocols and inherent trade-offs among desirable protocol properties.
V. Ramachandran — Ph.D. Dissertation Defense 4April 20, 2005
Apply Policy =filter routes & tweak attributes
BGP Route Processing
Routing Table
Apply Import Policies
Best Route Selection
Apply Export Policies
Install forwardingentries for best
routes
ReceiveBGPupdates
Storageof routes
TransmitBGP updates
Based onattributevalues
IP Forwarding Table
Apply Policy =filter routes & tweak attributes Open-ended programming:
constrained only by vendor configuration language
V. Ramachandran — Ph.D. Dissertation Defense 5April 20, 2005
BGP Route-Selection Procedure1. Highest local preference2. Shortest AS-path length3. For each AS next-hop, lowest MED
value4. eBGP routes over iBGP routes5. Shortest iBGP distance to egress
point
V. Ramachandran — Ph.D. Dissertation Defense 6April 20, 2005
Motivation (1) Given certain policy inputs, BGP will oscillate
or converge nondeterministically.[VGE ’00, GSW ’02, MGWR ’02, Cisco ’01]
These anomalies are difficult for operatorsto debug because the problems traverse autonomously administered networks.
New features are often implemented without testing resulting worst-case scenarios.
V. Ramachandran — Ph.D. Dissertation Defense 7April 20, 2005
Motivation (2) The BGP specification contains no
guidance on how to provide “good” routing policies.
Policies are unconstrained.Can policies be constrained to guarantee
convergence, and how can those constraintsbe described?
What is lost, if anything? Formal models allow rigorous analysis and
design at different levels of abstraction.
V. Ramachandran — Ph.D. Dissertation Defense 8April 20, 2005
Prefer sendingtraffic throughneighbor 2
Prefer sendingtraffic throughneighbor 1
Protocol-Divergence Example
0
1 2
0
20
0
10
20120
10 21010 20
120 210
V. Ramachandran — Ph.D. Dissertation Defense 9April 20, 2005
Related Work:Formally Modeling Policy Semantics [GSW ’02] introduced the Stable Paths
Problem (SPP) as the underlying theoretical problem that BGP is trying to solve.
SPP is NP-hard; solvability convergence.
An SPP instance is a graph in which each node represents one AS and has a policy in
the form of a linear preference ordering on
paths.
V. Ramachandran — Ph.D. Dissertation Defense 10April 20, 2005
SPP Results [GSW ’02]
DISAGREE (multiple solutions)
BAD GADGET (no solution)
Dispute Wheel
No dispute wheel impliesrobust convergence.
V. Ramachandran — Ph.D. Dissertation Defense 11April 20, 2005
Related Work:Local and Global Constraints [GR ’01] showed that Hierarchical
BGP (HBGP) is robust.Neighbors are divided into three classes:
customers, providers, and peers.Preference and scoping rules apply to
routes learned from different types of neighbors.
No customer/provider cycles. [GGR ’01] added an attribute to HBGP
to allow safe back-up routing.
Localconstrai
nt
Globalconstrai
nt
V. Ramachandran — Ph.D. Dissertation Defense 12April 20, 2005
The Design Space of Path-Vector Protocols [GJR ’03] Robustness: Does the protocol predictably converge,
even after node and link failures?
Expressiveness: What routing policies are permitted?
Autonomy: What degree of independence do operators have in local-policy configuration?
Policy Opaqueness: Can local route settings be kept private?
Transparency: How directly does the protocol apply local-policy transformations to route data?
Global Constraint: What network assumptions are needed?
V. Ramachandran — Ph.D. Dissertation Defense 13April 20, 2005
Three Levels of Abstraction [JR ’05]
Path-Vector Algebras [Sob. ’03]A description of the most important criteria involved in determiningbest routes. Does not include implementation details, e.g., a routeadvertisement is considered an atomic action.
Path-Vector Policy Systems (PVPS) [GJR ’03]A combination of message-passing system (protocol), policy language,and global constraint. The underlying path-vector system modelsimport & export policies, path selection, and route data structures.
Instances of the Stable Paths Problem (SPP) [GSW ’02]A routing configuration, indicating the preference order of permittedpaths on a given network. Solutions are consistent assignments;unique solutions give predictable convergence to a stable assignment.
Sets ofProtocols
Protocols
Networks
V. Ramachandran — Ph.D. Dissertation Defense 14April 20, 2005
Path-Vector Policy Systems [GJR ’03]
( PV , PL , K )
Policy Language:
How can policies be described?PL acts as a local constraint on the expressiveness of policies.
Policy Language:
How can policies be described?PL acts as a local constraint on the expressiveness of policies.
Path-Vector System:
The underlying message-exchange system for route information. Whatis exchanged and how?
Path-Vector System:
The underlying message-exchange system for route information. Whatis exchanged and how?
Global Constraint:
What assumptions about the network must be true to achieve robustness?
Global Constraint:
What assumptions about the network must be true to achieve robustness?
Question:
What role do these components play in achieving protocol design goals?
Question:
What role do these components play in achieving protocol design goals?
Formal model of path-vector routing:
V. Ramachandran — Ph.D. Dissertation Defense 15April 20, 2005
Linear Best-Route Selection Model Ignore iBGP and MED-attribute values. Assume that the route-selection procedure,
at each node, for each destination:1. maps each route to a rank in some totally
ordered set based on its attribute values; and2. chooses as best the path with minimal rank.
Rank is influenced by local policy, but the ranking criteria are the same at each node.
V. Ramachandran — Ph.D. Dissertation Defense 16April 20, 2005
Robustness Condition[GJR ’03, Sob. ’03]Conjecture: No path-vector policy system
can exactly capture all robust configurations.
Theorem: A protocol in which a path’s rank monotonically increases as it is extended (imported by a neighbor) is robust.
This is the broadest-known sufficient condition for robustness, equivalent to dispute-wheel freeness on SPP instances.
V. Ramachandran — Ph.D. Dissertation Defense 17April 20, 2005
Trade-Offs in Implementation[GJR ’03]Theorem. A globally unconstrained PVPS
expressive enough to capture all increasing configurations either does not support autonomy of neighbor ranking or is not transparent, or both.
Theorem. A transparent, robust PVPS that supports autonomy of neighbor ranking and is at least as expressive as shortest paths must have a non-trivial global constraint.
V. Ramachandran — Ph.D. Dissertation Defense 18April 20, 2005
Algebras and PVPSes (1) [JR ’05]
Protocolsusinglength
Protocolsusing localpreference
Both,primarily
length
Both,primarilyloc. pref.
Robust protocols
ShortestPaths
Shortest Paths withpreference tie-breaking
Monotone preferences with length tie-breaking
Strictly monotonepreferences
BGP
Monotone(or arbitrary)preferences
For both,some
network instances
are convergent
V. Ramachandran — Ph.D. Dissertation Defense 19April 20, 2005
Algebras and PVPSes (2) [JR ’05] The expressiveness of an algebra or PVPS
is the set of SPP equivalence classes permitted as legal routing configurations.
Given an algebra, we can construct a canonical PVPS that is exactly as expressive.
Given a PVPS, we can construct a canonical algebra that describes the same rank criteria.
V. Ramachandran — Ph.D. Dissertation Defense 20April 20, 2005
Class-Based Systems [JR’ 04] The PVPS framework can be used to generalize
the HBGP constraints from [GR’ 01, GGR’ 01]. A class-based PVPS is described by:
A set of classes (types of neighbor assignments, e.g., customer/provider/peer) and consistency relationships
Class relative-preference and scoping rules These systems are transparent and have
“some” autonomy of neighbor ranking; they requirea nontrivial global constraint.
V. Ramachandran — Ph.D. Dissertation Defense 21April 20, 2005
Relative Preference and Scope
Relative Preference:
If class i is to be preferred over class j, then node v should prefer routes from node w over those from node x.
Relative Preference:
If class i is to be preferred over class j, then node v should prefer routes from node w over those from node x.
Scope:
If class i routes cannot be exported to a class-k neighbor, then node u will only learn about the path uvxQ.
Scope:
If class i routes cannot be exported to a class-k neighbor, then node u will only learn about the path uvxQ.
V. Ramachandran — Ph.D. Dissertation Defense 22April 20, 2005
Class-Based Robustness [JR’ 04] From the class description alone, we can
construct a global constraint involving a check on pairs of class assignments. Networks obeying this constraint are robust. Networks violating this constraint allow nodes to
write policies that induce routing anomalies. We give two types of enforcement algorithms:
a centralized algorithm that detects a set of nodes whose class assignments permit a policy-induced anomaly; and
a distributed algorithm that detects whether two specific nodes’ class assignments could induce an anomaly.
V. Ramachandran — Ph.D. Dissertation Defense 23April 20, 2005
Nonlinear Route-Selection Model Recent work generalizes the PVPS
framework to include protocols that do not assume linear route-selection procedures.This permits modeling the MED attribute and
both iBGP and eBGP sessions.Because previous convergence constraints
depend on a notion of rank, these do not applyin the generalized case.
Relies on generalized SPP [GW ’02].
V. Ramachandran — Ph.D. Dissertation Defense 24April 20, 2005
Generalized SPP [GW ’02] Recall BGP selection:
lowest MED value from paths to the same AS; then
shortest IGP distance. IGP distances are shown
near intra-domain links. MED values are shown
in parentheses near inter-domain links.
This example oscillates.MED-EVIL (no solution)
V. Ramachandran — Ph.D. Dissertation Defense 25April 20, 2005
Independent Route Ranking
MED-EVIL (condensed)
V. Ramachandran — Ph.D. Dissertation Defense 27April 20, 2005
Generalized Dispute Digraphs Given a GSPP
instance, form its generalized dispute digraph: nodes are paths; edges correspond to
the four relations. Theorem. If a GSPP
is not robust, this graph contains a cycle.
MED-EVIL Dispute Digraph
V. Ramachandran — Ph.D. Dissertation Defense 28April 20, 2005
Proof Method
Given a protocol oscillation, choose a path whose first node is the last oscillating node on the path.
Follow the oscillation until the selection changes; this change occurred because of a linear or nonlinear selection. This corresponds to some relation between two paths; repeat with the ‘related’ path. Choose a subpath to find the last oscillating node.
Because the oscillation is finite, we must re-visit a path.We have just traced a cycle in the dispute digraph.
Cycle in MED-EVIL protocol-selection states.
V. Ramachandran — Ph.D. Dissertation Defense 29April 20, 2005
Protocol-Design Applications Multiple-Path Broadcast
[B+ ’02] and [MC ’04] propose changing BGP to broadcast additional routes to avoid MED-induced oscillations.
We can prove the effect of this behavior using ourformal model.
Improvement: Detect an IRR violation on-the-fly and request the needed route.
“Compare-all-MEDs” and “Set AS-distinct local preferences” [MGWR ’02] can be proven correct.
V. Ramachandran — Ph.D. Dissertation Defense 30April 20, 2005
Summary The PVPS framework allows for a study of
path-vector-protocol design—most importantly, a rigorous way to prove: what balance of local and global constraints are
needed for robustness; and what else is lost when these constraints are
implemented. The framework has provided concrete and
reasonable guidelines for class-based systems. The framework has been extended to include
protocols with IRR-violating selection procedures.
V. Ramachandran — Ph.D. Dissertation Defense 31April 20, 2005
Open Questions Analogous local constraints for the
generalized case Real, deployable policy-configuration
languages More examples of exact trade-offs
between local and global constraints (to date, only class-based systems give this)
Full characterization of robust systems?