Towards a Logic for Wide-Area Internet Routing
Nick Feamster, Hari Balakrishnan

Introduction
- Internet routing is a massive distributed computing task
- BGP4 is exceedingly complex
- Complexity arises due to wide variety of goals that must be met
- Complicated interactions and unintended side effects

Introduction (contd.)
- Propose routing logic – a set of rules
- Logic used to determine satisfaction of desired properties
- Demonstrate how this logic can be used to analyze and aid implementation

Motivation
- Complexity of BGP
- Fast convergence to correct loop-free paths
- Resilience to congestion
- Avoid packet loss and failures
- Connecting autonomous and mutually distrusting domains

Motivation (contd.)
- Complexity stems from dynamic behavior during operation
- Vast possibilities for configuration
- Prior work highlights many undesirable properties

Motivation (contd.)
- Poor Integrity
  - DoS, integrity attacks, misconfiguration
- Slow Convergence
  - Path instability, delayed convergence
  - Congestion scenario not well-understood

Motivation (contd.)
- Unpredictability
  - BGP is distributed and asynchronous
  - Predicting effects of configuration change is challenging
- Poor control of information flow
  - BGP implementation may expose information not intended to be public knowledge

Motivation (contd.)
- Specific modifications have unintended side effects
- Need for something that reasons about ‘correctness’ of the protocol
- Classify protocols in terms of desired properties

Desired Properties
- Validity
  - Existence of route implies existence of path
- Visibility
  - Existence of path implies existence of route
- Safety/Stability
  - No participant should change its route in response to other routes

Desired Properties (contd.)
- Determinism
  - Protocol should arrive at same predictable set of routes
- Information-flow Control
  - Should not expose more information than necessary

Routing Logic Inputs
- Specification of how protocol behaves
- Specification of protocol configuration
  - Policy configuration
  - General configuration, e.g. which routers exchange routing information
- Current version has no notion of time

Hierarchical Routing Scopes
- Organize routing domains into hierarchical levels called scopes
- Protocol in scope ‘i’ forwards packets via scope ‘i’ next-hop in that path
- Scope ‘i’ routing uses scope ‘i+1’ path to reach scope ‘i’ next hop

Routing Domains are Organized Hierarchically

Validity Rules
- Reachability
  - Route transports packets to intended destinations
- Policy conformance
  - Conform to peering and transit agreements
- Progress
  - Next-hop specified reduces total distance to the destination

The Validity Rule
- Underlying IGP can result in forwarding loops

Information Flow Control
- Consists of objects, flow policy, partial ordering of security levels
- Policy defined in terms of partial ordering expressed as a lattice
- Flow model specifies
  - Process causing information flow
  - How flow should be controlled between parties

An example information flow lattice

Information Objects
- Policy
  - Peering and transit agreements
  - Router preferences
- Reachability
  - Events affecting reachability
- Topology
  - Internal network topology
  - Inter-AS connectivity

Noninterference Rule
- Objects at higher security levels should not be visible to objects at lower levels
- Security level of message not higher than level of recipient
- BGP implementations can result in information flow policy violations
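
The noninterference rule above, as an added example (not from the original slides or the authors' tool): levels form a powerset lattice over the three information-object classes, and a message may reach a recipient only if its level is not higher than the recipient's. The object names, recipients and clearances are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed labels: each information object maps to a level in a powerset
# lattice over the three object classes named on the slides.
OBJECT_LEVEL = {
    "prefix": frozenset({"reachability"}),
    "internal-link-cost": frozenset({"topology"}),
    "peering-preference": frozenset({"policy"}),
}
# Constructed flow policy: the highest level each recipient may observe.
# "customer" and "monitor" are incomparable, so the order is only partial.
CLEARANCE = {
    "ibgp-peer": frozenset({"reachability", "topology", "policy"}),
    "customer": frozenset({"reachability", "policy"}),
    "monitor": frozenset({"reachability", "topology"}),
    "ebgp-peer": frozenset({"reachability"}),
}

@dataclass(frozen=True)
class Message:
    recipient: str
    objects: tuple  # names of the information objects the message reveals

def leq(a, b):
    """Lattice order: level a may flow to level b only if a is a subset of b."""
    return a <= b

def level_of(msg):
    """Message level is the join (set union) of the levels of its objects."""
    return frozenset().union(*(OBJECT_LEVEL[o] for o in msg.objects))

def violations(messages, clearance=CLEARANCE):
    """Return (message, excess) pairs where message level exceeds recipient level."""
    found = []
    for msg in messages:
        allowed = clearance.get(msg.recipient, frozenset())  # unknown: lowest level
        if not leq(level_of(msg), allowed):
            found.append((msg, level_of(msg) - allowed))
    return found

# Constructed sample messages.
MESSAGES = [
    Message("ibgp-peer", ("prefix", "internal-link-cost", "peering-preference")),
    Message("ebgp-peer", ("prefix",)),
    Message("ebgp-peer", ("prefix", "internal-link-cost")),
    Message("customer", ("prefix", "peering-preference")),
    Message("monitor", ("prefix", "peering-preference")),
]

if __name__ == "__main__":
    for msg, excess in violations(MESSAGES):
        print(f"to {msg.recipient}: exceeds recipient level by {sorted(excess)}")
```

A recipient missing from the policy is treated as the lowest level, so any labelled object sent to it is reported.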

Potential Applications
- Static analysis of existing network configuration
- Providing framework for design of high-level policy specification
- Aid designers of new protocols

Configuration Analysis
- Tool verifies properties of legacy router configuration
- Such tool under development
- Used to check whether configuration satisfies specified information flow policy

Configuration Synthesis
- Get rid of low-level configuration languages
- Remove complexity, frequent misconfiguration
- Synthesize low-level configuration by translating high-level specification

Protocol Design
- Implement set of protocol abstractions
- Relate to routing logic, determine satisfaction of properties
- Less susceptible to violating wide-area routing properties

Related Work
- Inspired by use of BAN logic for authentication protocol analysis
- Application of BAN logic to Taos operating system
- Builds on BGP anomalies noted by various previous work

Conclusions
- Presented a routing logic
  - Proving properties about protocol aspects
  - Formally describe how fundamental properties of BGP lead to violations
  - Evaluate future proposed modifications to BGP
  - Help design new protocols

From 10,000 feet …
- Does not aim to fix all problems in BGP
- Stresses the importance of formalizing the current approach to understanding things
- Is a tool to analyze effects of modifications to implementations
- Approach extendable to other complex protocols