Towards a Lightweight Model of BGP Safety

Matvey Arye, Princeton University

Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton), Pamela Zave (AT&T Research)


Post on 22-Feb-2016


Why is BGP important

• Internet is a network of networks – autonomous systems

• BGP is the routing protocol between ASes

AS Preferences in BGP

• Each AS has a significant amount of freedom in choosing routes

• Node 1 may prefer the purple path over the orange path to node D

[Figure: topology of nodes 1, 2, 3 and D, with a purple and an orange path from node 1 to D]

BGP Convergence

• An “Instance” is a topology and a set of AS preferences

• Some instances don’t converge (called Gadgets)
  – BGP’s routing protocol can oscillate.

• Finding gadgets is hard and has previously been done by hand

• We use lightweight modeling to automate gadget generation and analysis

Why Lightweight Model

• Formal modeling aids analysis
  – Requires rigorous definition of concepts
    • Encoded in a way that is “shareable” between researchers
  – Automates analysis

• Lightweight modeling is easier
  – Small model of key concepts
  – Easier to develop than machine-verified proofs
  – Push-button analysis

Stable Path Problem

• Useful Model
  – Although a static formulation of BGP, it captures important properties:
    • An SPP that is “solvable” is a prerequisite for BGP convergence
    • Although it doesn’t capture dynamic properties fully
  – Extensively Studied
    • Used in proofs of a lot of previous work

• Our model of SPP is (almost) as compact as the original description

• Automatically finding gadgets is hard in SPP

Alloy

• Wanted a tool to help us generate SPP gadgets

• Alloy is a declarative modeling language
  – Can test assertions on predicates

• Compiles to SAT problem
  – SAT solvers are fast (on a lot of cases)

• Given a set of predicates, 2 answers:
  – Satisfiable
  – Unsatisfiable & Counterexample

Explore All Small SPP Instances

• Small instances are often informative
  – SPP gives each node a lot of degrees of freedom
    • So properties of small instances are often interesting
    • And often generalize to larger ones
  – Counterexamples to assertions really useful

• Explores full search space
  – Can make generalized assertions
    • Although only up to a certain size

Contributions

• Created lightweight model of SPP
  – Model very compact, machine and human readable
  – Full model in the paper

• Automatically generated unstable SPP gadgets
  – Bad Gadget, Disagree, many more

• Classified gadgets
  – Full list of interesting gadgets under 4 source nodes

• Verified new and known solvability predicates
  – “Absence of dispute wheel implies solvability”


Outline

• Review of SPP and Model

• Use 1: Gadget Generation

• Use 2: Test Known Solvability Predicates

• Discuss Future Work

SPP Topology

[Figure: topology with source nodes 1, 2, 3 and destination node D]

SPP Permitted Paths

[Figure: topology with nodes 1, 2, 3 and D]

List of permitted paths for node 1: 1d, 12d, 13d

Representation In Alloy

• DstNode, SrcNode: Node

• Path: Sequence of Nodes
  – Sequence is an ordered list

• SrcNode.PermittedPaths: Sequence of Paths
  – First path in list most preferred

[Figure: example with nodes 1 and D and paths 1d, 13d, 21d]

Ensure Valid Topology with Facts

• Facts define correctness of construction
  – Assertions only run on correct constructions

• Example: ValidNonEmptyPath
  – Sequence has at least one element
  – No node appears more than once
  – Last node is DstNode

• Many more…

SPP Selection

[Figure: topology with nodes 1, 2, 3 and D]

Permitted paths:
Node 1: 1d, 12d, 13d
Node 2: 21d, 2d
Node 3: 32d, 31d, 3d

Each node selects exactly one path

SPP Solution

[Figure: topology with nodes 1, 2, 3 and D]

Permitted paths:
Node 1: 1d, 12d, 13d
Node 2: 21d, 2d
Node 3: 32d, 31d, 3d

All nodes happy with their selection simultaneously

Individual Happiness (within constraints)

• Solution
  – Each node has selected the best of its choices.

• Why?
  – No node can pick a better choice.

pred SelectionIsSolution[selected] {
    let choices = GetChoices[selected] |
        selected = GetBest[choices]
}

Constraint Dependencies

[Figure: dependency diagram with boxes Choices Node 1, Selection Node 2, Selection Node 1, Choices Node 2]

SPP as a Model

• Each SPP instance has 0, 1, or 1+ solutions

• Having exactly 1 solution is necessary but not sufficient for safety.

[Figure: diagram with regions labeled All Instances, 1 SPP Solution, Safety]

Specify Solvability Predicate

Logically,
pred OneSolvable: one selection where SelectionIsSolution
pred MultiSolvable: some selection where SelectionIsSolution

Aside:
• Selection is a set
  – Quantifying over it requires 2nd order logic
  – Hard-code quantifications on a set-size basis for 1st order

No Solution (Bad Gadget)

[Figure: topology with nodes 1, 2, 3 and D]

Permitted paths:
Node 1: 12d, 1d
Node 2: 23d, 2d
Node 3: 31d, 3d

Two Solutions (Disagree)

[Figure: topology with nodes 1, 2, 3 and D]

Permitted paths: 12d, 1d; 21d, 2d; 3d
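The solution check from the SelectionIsSolution slide, run by brute force over three instances shown on the slides, as an added Python example (not the authors' Alloy model). Paths are strings such as "12d", the function names are hypothetical, and the grouping of each slide's path labels by node (including node 3 of Disagree having only 3d) is this example's reading of the slides.

```python
from itertools import product

DST = "d"  # destination node; every path ends here

# Ranked permitted paths per source node, most preferred first (constructed
# from the path labels on the SPP Solution, Bad Gadget and Disagree slides).
GOOD = {"1": ["1d", "12d", "13d"], "2": ["21d", "2d"], "3": ["32d", "31d", "3d"]}
BAD_GADGET = {"1": ["12d", "1d"], "2": ["23d", "2d"], "3": ["31d", "3d"]}
DISAGREE = {"1": ["12d", "1d"], "2": ["21d", "2d"], "3": ["3d"]}


def get_choices(node, ranked, selected):
    """Permitted paths of `node` whose tail is what the next hop selected."""
    avail = []
    for path in ranked[node]:
        tail = path[1:]
        if tail == DST or selected.get(tail[0]) == tail:
            avail.append(path)
    return avail  # still in preference order


def selection_is_solution(ranked, selected):
    """True when every node holds the best of its currently available choices."""
    for node in ranked:
        avail = get_choices(node, ranked, selected)
        best = avail[0] if avail else ""  # "" stands for the empty path
        if selected[node] != best:
            return False
    return True


def solutions(ranked):
    """Enumerate every selection (one path or none per node); keep the stable ones."""
    nodes = sorted(ranked)
    options = [ranked[n] + [""] for n in nodes]
    found = []
    for pick in product(*options):
        selected = dict(zip(nodes, pick))
        if selection_is_solution(ranked, selected):
            found.append(selected)
    return found


if __name__ == "__main__":
    for name, inst in [("good", GOOD), ("bad gadget", BAD_GADGET), ("disagree", DISAGREE)]:
        print(name, solutions(inst))
```
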

Analysis Using the Model

• We know “all instances are one solvable” is incorrect
  => We use Alloy to give us example instances where predicate fails.

• Use model to test solvability predicates
  – “absence of dispute wheel implies one solvable”

Use 1: Generating Counterexamples

• Have Alloy Generate Counter Examples
  – Gadgets with no (multiple) solutions
  – Too Many (10000+ for 4 source nodes)

• Want Interesting Counterexamples

Interesting Gadget

[Figure: topology with nodes 1, 2, 3 and D]

Permitted paths:
Node 1: 12d, 1d
Node 2: 23d, 2d
Node 3: 31d, 3d

Uninteresting Gadget

[Figure: topology with nodes 1, 2, 3 and D]

Permitted paths:
Node 1: 12d, 1d, 13d
Node 2: 23d, 2d
Node 3: 31d, 3d

Gadget Generation

• Intuitively, small gadgets are most interesting

• Start small
  – Find all gadgets for size

• Size++

• When analyzing bigger gadgets, exclude gadgets similar to those already found

Gadget Library

pred Gadget123{}

Predicate detects gadgets similar to the gadget found
• Makes path rankings relative
• Corrects for isomorphic reordering of node #s

Eliminate gadgets matching library predicates in future
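One way to implement a library predicate of the kind described on the Gadget Library slide, as an added Python example (not the authors' Alloy predicate). It assumes "similar" means that, under some renaming of source nodes, the library gadget's paths appear in the instance in the same relative order; the function names and the rank given to 13d in the Uninteresting Gadget are assumptions.

```python
from itertools import permutations

# Ranked permitted paths, most preferred first (constructed from the slides).
BAD_GADGET = {"1": ["12d", "1d"], "2": ["23d", "2d"], "3": ["31d", "3d"]}
UNINTERESTING = {"1": ["12d", "1d", "13d"], "2": ["23d", "2d"], "3": ["31d", "3d"]}
# Bad Gadget with nodes 2 and 3 swapped (constructed for this example).
RELABELED = {"1": ["13d", "1d"], "2": ["21d", "2d"], "3": ["32d", "3d"]}
DISAGREE = {"1": ["12d", "1d"], "2": ["21d", "2d"], "3": ["3d"]}


def relabel(ranked, mapping):
    """Rename source nodes in every path; the destination 'd' is left alone."""
    table = str.maketrans(mapping)  # simultaneous renaming, so swaps are safe
    return {mapping[n]: [p.translate(table) for p in paths]
            for n, paths in ranked.items()}


def is_subsequence(small, big):
    """True when `small` appears in `big` in the same relative order."""
    it = iter(big)
    return all(item in it for item in small)


def matches_library(instance, gadget):
    """True when some node renaming embeds `gadget` in `instance`
    with the gadget's relative path rankings preserved."""
    gadget_nodes = sorted(gadget)
    for image in permutations(sorted(instance), len(gadget_nodes)):
        renamed = relabel(gadget, dict(zip(gadget_nodes, image)))
        if all(is_subsequence(renamed[n], instance[n]) for n in renamed):
            return True
    return False


if __name__ == "__main__":
    for name, inst in [("uninteresting", UNINTERESTING),
                       ("relabeled", RELABELED), ("disagree", DISAGREE)]:
        print(name, matches_library(inst, BAD_GADGET))
```
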

Gadgets Found

[Figures: Unsolvable Gadgets; Multiply Solvable Gadgets]

Use 2: Evaluating Constraints

• Test Known Constraints

• Example: Create predicates for the dispute wheel
  – Verify “absence of a DW implies solvability”
  – Get instances that have a DW but are still solvable

• Quickly explore new conditions for solvability
  – See if they are sufficient or necessary
  – Get counterexamples of how they don’t fully capture solvability


Conclusion

• Created a lightweight model of BGP

• Used model to generate gadgets

• Used iterative elimination to get minimal set of interesting gadgets

• Model could be used for quick “push button” analysis of new constraints


Future Work

• Develop new solvability predicates and model existing ones

• Apply the model to checking BGP router configurations for solvability

• Model the dynamic SPVP


Thanks