Towards a Logic for Wide-Area Internet Routing (Nick Feamster, Hari Balakrishnan)

Post on 26-Dec-2015


Towards a Logic for Wide-Area Internet Routing

Nick Feamster, Hari Balakrishnan

Introduction
Internet routing is a massive distributed computing task
BGP4 is exceedingly complex
The complexity arises from the wide variety of goals that must be met
Complicated interactions and unintended side effects

Introduction (contd.)

Propose a routing logic: a set of rules
The logic is used to determine whether the desired properties are satisfied
Demonstrate how the logic can be used to analyze protocols and aid implementation

Motivation

Complexity of BGP: the goals it must meet
Fast convergence to correct, loop-free paths
Resilience to congestion
Avoiding packet loss and failures
Connecting autonomous and mutually distrusting domains

Motivation (contd.)

Complexity stems from dynamic behavior during operation
Vast space of possible configurations
Prior work highlights many undesirable properties

Motivation (contd.)

Poor integrity
DoS, integrity attacks, misconfiguration

Slow convergence
Path instability, delayed convergence
Behavior under congestion not well understood

Motivation (contd.)

Unpredictability
BGP is distributed and asynchronous
Predicting the effects of a configuration change is challenging

Poor control of information flow
A BGP implementation may expose information that was not intended to be public knowledge

Motivation (contd.)

Specific modifications have unintended side effects
Need a way to reason about the 'correctness' of the protocol
Classify protocols in terms of desired properties

Desired Properties

Validity
Existence of a route implies existence of a corresponding path

Visibility
Existence of a path implies existence of a route

Safety/Stability
The protocol converges: no participant keeps changing its route in response to the routes other participants select

Desired Properties (contd.)

Determinism
The protocol should arrive at the same, predictable set of routes regardless of the order in which routing messages arrive

Information-flow control
The protocol should not expose more information than necessary
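The safety and determinism properties above can be made concrete with a tiny path-vector simulation. The following is an added example, not code from the paper: each AS ranks the full paths it is willing to use (the Stable Paths Problem model of Griffin, Shepherd and Wilfong), nodes are activated in every possible cyclic order, and the checker reports whether every order converges (safety) and whether all converged runs select the same routes (determinism). The GOOD instance is constructed here; DISAGREE and BAD_GADGET are the well-known instances from that work.

```python
"""Added example (not from the paper): a small path-vector simulation that
checks two of the desired properties on constructed instances.
  safety       - does every activation order stop changing routes?
  determinism  - do all converged runs select the same routes?
Each AS is a node; node 0 is the destination. permitted[n] is n's ranked
list of permitted full paths to 0, best first."""
import itertools

# Constructed instance with a unique stable solution reached from any order.
GOOD = {1: [(1, 3, 0), (1, 0)], 2: [(2, 1, 3, 0), (2, 0)], 3: [(3, 0)]}
# DISAGREE: two stable solutions; which one is reached depends on who moves first.
DISAGREE = {1: [(1, 2, 0), (1, 0)], 2: [(2, 1, 0), (2, 0)]}
# BAD GADGET: every node prefers the path through its clockwise neighbour over
# its direct path; no stable solution exists, so the protocol never converges.
BAD_GADGET = {1: [(1, 2, 0), (1, 0)], 2: [(2, 3, 0), (2, 0)], 3: [(3, 1, 0), (3, 0)]}


def best_available(node, permitted, assigned):
    """Highest-ranked permitted path whose next hop currently uses the path's
    suffix, i.e. a path the neighbour would actually advertise right now."""
    for path in permitted[node]:
        if assigned.get(path[1]) == path[1:]:
            return path
    return None


def simulate(permitted, order, max_rounds=50):
    """Activate nodes sequentially in the given cyclic order until a full
    round changes nothing (converged) or the round budget runs out."""
    assigned = {0: (0,)}
    assigned.update({n: None for n in permitted})
    for _ in range(max_rounds):
        changed = False
        for node in order:
            chosen = best_available(node, permitted, assigned)
            if chosen != assigned[node]:
                assigned[node] = chosen
                changed = True
        if not changed:
            return assigned, True
    return assigned, False


def check(permitted):
    """Run every cyclic activation order. 'safe' requires all of them to
    converge; 'deterministic' requires the converged runs to agree on the
    routes (reported as None when the instance is not safe)."""
    runs = [simulate(permitted, list(order)) for order in itertools.permutations(permitted)]
    safe = all(converged for _, converged in runs)
    outcomes = {tuple(sorted(a.items(), key=lambda kv: kv[0]))
                for a, converged in runs if converged}
    return {"safe": safe, "deterministic": (len(outcomes) == 1) if safe else None}


if __name__ == "__main__":
    for name, inst in [("GOOD", GOOD), ("DISAGREE", DISAGREE), ("BAD_GADGET", BAD_GADGET)]:
        print(name, check(inst))
```

A round in which no node changes its route is, by construction, a state in which every node is already using its best available path, so "converged" here coincides with a stable solution; BAD_GADGET has none, and the simulation cycles until the round budget is exhausted.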

Routing Logic Inputs

A specification of how the protocol behaves
A specification of the protocol's configuration:
Policy configuration
General configuration, e.g. which routers exchange routing information

The current version of the logic has no notion of time

Hierarchical Routing Scopes

Organize routing domains into hierarchical levels called scopes
The protocol at scope i forwards packets toward the scope-i next hop on its path
Scope-i routing uses a scope-(i+1) path to reach the scope-i next hop (e.g. BGP relies on the IGP to reach a BGP next hop)

Routing Domains are Organized Hierarchically

Validity Rules

Reachability
A route transports packets to the intended destination

Policy conformance
Routes conform to peering and transit agreements

Progress
Each specified next hop reduces the total distance to the destination

The Validity Rule

Even when every scope-i route passes these checks, the underlying IGP path used to reach a scope-i next hop can create forwarding loops
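The three validity rules and the IGP interaction above can be checked mechanically on a two-scope model. The following is an added example, not the paper's code or tool: one AS with a constructed IGP topology (scope i+1) and, per router, the BGP route it selected for a destination D (scope i). The walk resolves each router's own BGP next hop through its own IGP next hop, which is how hop-by-hop forwarding actually behaves, and reports which rules the packet's path violates; the valley-free export rule stands in for the peering and transit agreements. Router names, link weights and the neighbour types are all assumptions of the example.

```python
"""Added example (not from the paper): checking the validity rules
(reachability, policy conformance, progress) on a two-scope model of one AS.
Scope i is BGP (which egress router a packet should leave through); scope i+1
is the IGP (how to reach that egress hop by hop). All data is constructed."""
import heapq
from collections import defaultdict

# Scope i+1: weighted IGP links inside the AS (constructed topology).
IGP_LINKS = [("r1", "r2", 1), ("r2", "r3", 1), ("r1", "r3", 5)]

# Scope i: the BGP route each router selected for destination D, as
# (egress router, type of the external neighbour the egress learned it from).
# r1 and r3 both have external routes. In INCONSISTENT, r1 selected r3's
# route while r2 selected r1's, the kind of split that can arise when route
# reflectors hand different clients different best routes. Which route a
# router selects is the checker's input, not something it decides.
INCONSISTENT = {"r1": ("r3", "customer"), "r2": ("r1", "provider"), "r3": ("r3", "customer")}
CONSISTENT = {"r1": ("r3", "customer"), "r2": ("r3", "customer"), "r3": ("r3", "customer")}


def igp_shortest_paths(links):
    """Dijkstra from every router. Returns (dist[s][t], next_hop[s][t])."""
    adj = defaultdict(list)
    for a, b, w in links:
        adj[a].append((b, w))
        adj[b].append((a, w))
    dist, next_hop = {}, {}
    for s in adj:
        d, first, pq = {s: 0}, {s: s}, [(0, s)]
        while pq:
            du, u = heapq.heappop(pq)
            if du > d[u]:
                continue
            for v, w in adj[u]:
                if du + w < d.get(v, float("inf")):
                    d[v] = du + w
                    first[v] = v if u == s else first[u]
                    heapq.heappush(pq, (d[v], v))
        dist[s], next_hop[s] = d, first
    return dist, next_hop


def forwarding_walk(src, bgp, dist, next_hop):
    """Walk a packet for D hop by hop. Each router resolves *its own* BGP next
    hop through its own IGP next hop. Returns the router sequence and the
    sorted list of validity rules the walk violates."""
    path, remaining, violations = [src], [], set()
    cur = src
    while True:
        if cur not in bgp:                       # no route here: D is unreachable
            violations.add("reachability")
            break
        egress = bgp[cur][0]
        remaining.append(dist[cur][egress])      # scope-(i+1) distance still to cover
        if egress == cur:                        # arrived at the exit for D
            break
        nxt = next_hop[cur][egress]
        if nxt in path:                          # forwarding loop: never delivered, no progress
            path.append(nxt)
            violations.update(["reachability", "progress"])
            break
        path.append(nxt)
        cur = nxt
    # Progress: the remaining distance must shrink at every hop, loop or not.
    if any(later >= earlier for earlier, later in zip(remaining, remaining[1:])):
        violations.add("progress")
    return path, sorted(violations)


def policy_violations(bgp, exports):
    """Policy conformance, with the usual valley-free export rule standing in
    for the peering/transit agreements: a route learned from a peer or a
    provider may be re-advertised only to customers. exports[router] lists
    the neighbour types the router announces its selected route to."""
    bad = []
    for router, neighbours in exports.items():
        learned_from = bgp[router][1]
        for n in neighbours:
            if learned_from != "customer" and n != "customer":
                bad.append((router, learned_from, n))
    return bad


if __name__ == "__main__":
    dist, nh = igp_shortest_paths(IGP_LINKS)
    print("consistent:  ", forwarding_walk("r1", CONSISTENT, dist, nh))
    print("inconsistent:", forwarding_walk("r1", INCONSISTENT, dist, nh))
    print("policy:", policy_violations({"r1": ("r1", "provider")}, {"r1": ["peer"]}))
```

With the inconsistent selection, r1 sends the packet toward r3 via r2, but r2 has its own idea of the egress (r1) and sends it straight back: the loop r1, r2, r1 violates both reachability and progress even though each router's route, looked at on its own, points at a legitimate egress.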

Information Flow Control

Consists of information objects, a flow policy, and a partial ordering of security levels
The policy is defined in terms of the partial ordering, expressed as a lattice
The flow model specifies:
The process causing the information flow
How the flow should be controlled between parties

An example information flow lattice

Information Objects

Policy
Peering and transit agreements
Router preferences

Reachability
Events affecting reachability

Topology
Internal network topology
Inter-AS connectivity

Noninterference Rule

Objects at higher security levels should not be visible to objects at lower levels

The security level of a message must not be higher than the level of its recipient

BGP implementations can violate an information flow policy
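The lattice model and the noninterference rule can be applied directly to the attributes an AS places in an outgoing announcement. The following is an added example, not the paper's lattice or tool: a constructed diamond lattice of security levels, a constructed labelling that maps each BGP attribute to one of the information objects listed above (reachability, inter-AS connectivity, internal topology, peering policy), and a check that a message's level, the join of its attributes' labels, does not exceed the recipient's level. The sanitize step shows the flow-control half of the model: the attributes an outbound filter would have to strip. Level names, the labelling and the announcement are all assumptions.

```python
"""Added example (not from the paper): an information-flow lattice and the
noninterference rule applied to the attributes of an outgoing BGP
announcement. The lattice, the labelling of attributes and the announcement
are constructed for illustration."""
from itertools import product

# Partial order on security levels as (lower, higher) pairs. Constructed
# diamond: customers and peers are incomparable; both may see more than the
# public and less than the AS's own operators.
ORDER = [("public", "customer"), ("public", "peer"),
         ("customer", "internal"), ("peer", "internal")]

# Which information object each attribute of an announcement carries, and the
# label assigned to that object. Constructed labelling: the AS path is already
# public, MED is derived from the internal IGP metric, and a community that
# records where the route was learned encodes the AS's peering policy.
LABELS = {
    "prefix":    ("reachability",          "public"),
    "as_path":   ("inter-AS connectivity", "public"),
    "med":       ("internal topology",     "customer"),
    "community": ("peering policy",        "internal"),
}

# A constructed announcement of the documentation prefix 192.0.2.0/24.
ANNOUNCEMENT = {"prefix": "192.0.2.0/24", "as_path": [64500, 64501],
                "med": 20, "community": "64500:3000"}


class Lattice:
    """Reflexive-transitive closure of the given order, with leq and join."""
    def __init__(self, order):
        self.levels = {x for pair in order for x in pair}
        self.le = {(x, x) for x in self.levels} | set(order)
        changed = True
        while changed:  # transitive closure by repeated composition
            changed = False
            for (a, b), (c, d) in product(list(self.le), repeat=2):
                if b == c and (a, d) not in self.le:
                    self.le.add((a, d))
                    changed = True

    def leq(self, a, b):
        return (a, b) in self.le

    def join(self, *levels):
        """Least upper bound: the upper bound that lies below all the others."""
        ubs = [u for u in self.levels if all(self.leq(x, u) for x in levels)]
        return next(u for u in ubs if all(self.leq(u, v) for v in ubs))


def message_level(lat, announcement):
    """A message is as sensitive as its most sensitive attribute."""
    return lat.join(*(LABELS[attr][1] for attr in announcement))


def noninterference_violations(lat, announcement, recipient_level):
    """The rule: the message's level must not exceed the recipient's level.
    Returns the attributes whose label is not <= the recipient's level."""
    return sorted(attr for attr in announcement
                  if not lat.leq(LABELS[attr][1], recipient_level))


def sanitize(lat, announcement, recipient_level):
    """Control the flow: strip every attribute the recipient may not see,
    which is what an outbound filter (e.g. a route map) would have to do."""
    return {attr: value for attr, value in announcement.items()
            if lat.leq(LABELS[attr][1], recipient_level)}


if __name__ == "__main__":
    lat = Lattice(ORDER)
    # Constructed eBGP sessions: neighbour AS -> its level in the lattice.
    for neighbour, level in {"AS64510": "customer", "AS64520": "peer"}.items():
        print(neighbour, level,
              "violations:", noninterference_violations(lat, ANNOUNCEMENT, level),
              "sanitized:", sorted(sanitize(lat, ANNOUNCEMENT, level)))
```

Because customer and peer are incomparable in this lattice, an attribute labelled for customers (MED here) is flagged when the recipient is a peer even though a peer is not "lower" than a customer; that is exactly the distinction a total ordering of levels could not express.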

Potential Applications

Static analysis of existing network configurations
A framework for designing high-level policy specifications
An aid to designers of new protocols

Configuration Analysis
A tool that verifies properties of legacy router configurations
Such a tool is under development
Used to check whether a configuration satisfies a specified information flow policy

Configuration Synthesis
Get rid of low-level configuration languages
Remove complexity and a frequent source of misconfiguration
Synthesize low-level configuration by translating a high-level specification

Protocol Design

Implement a set of protocol abstractions
Relate them to the routing logic to determine which properties are satisfied
Resulting protocols are less susceptible to violating wide-area routing properties

Related Work

Inspired by the use of BAN logic for analyzing authentication protocols
And by the application of a related logic of authentication in the Taos operating system
Builds on the BGP anomalies noted in previous work

Conclusions
Presented a routing logic for:

Proving properties about aspects of a protocol
Formally describing how fundamental properties of BGP lead to violations
Evaluating future proposed modifications to BGP
Helping design new protocols

From 10,000 feet ...
Does not aim to fix all problems in BGP
Emphasizes formalizing the current, informal way of understanding routing behavior
Is a tool for analyzing the effects of modifications to implementations
The approach extends to other complex protocols