Towards a Logic for Wide-Area Internet Routing
Nick Feamster, Hari Balakrishnan

Introduction
- Internet routing is a massive distributed computing task
- BGP4 is exceedingly complex
- Complexity arises due to wide variety of goals that must be met
- Complicated interactions and unintended side effects

Introduction (contd.)
- Propose routing logic – a set of rules
- Logic used to determine satisfaction of desired properties
- Demonstrate how this logic can be used to analyze and aid implementation

Motivation
- Complexity of BGP
- Fast convergence to correct loop-free paths
- Resilience to congestion
- Avoid packet loss and failures
- Connecting autonomous and mutually distrusting domains

Motivation (contd.)
- Complexity stems from dynamic behavior during operation
- Vast possibilities for configuration
- Prior work highlights many undesirable properties

Motivation (contd.)
- Poor Integrity
  - DoS, integrity attacks, misconfiguration
- Slow Convergence
  - Path instability, delayed convergence
  - Congestion scenario not well-understood

Motivation (contd.)
- Unpredictability
  - BGP is distributed and asynchronous
  - Predicting effects of configuration change challenging
- Poor control of information flow
  - BGP implementation may expose information not intended to be public knowledge

Motivation (contd.)
- Specific modifications have unintended side effects
- Need for something that reasons about the ‘correctness’ of the protocol
- Classify protocols in terms of desired properties

Desired Properties
- Validity
  - Existence of route implies existence of path
- Visibility
  - Existence of path implies existence of route
- Safety/Stability
  - No participant should change its route in response to other routes

Desired Properties (contd.)
- Determinism
  - Protocol should arrive at same predictable set of routes
- Information-flow Control
  - Should not expose more information than necessary

Routing Logic Inputs
- Specification of how protocol behaves
- Specification of protocol configuration
  - Policy configuration
  - General configuration, e.g. which routers exchange routing information
- Current version has no notion of time

Hierarchical Routing Scopes
- Organize routing domains into hierarchical levels called scopes
- Protocol in scope ‘i’ forwards packets via scope ‘i’ next-hop in that path
- Scope ‘i’ routing uses scope ‘i+1’ path to reach scope ‘i’ next hop

Routing Domains are Organized Hierarchically

Validity Rules
- Reachability
  - Route transports packets to intended destinations
- Policy conformance
  - Conform to peering and transit agreements
- Progress
  - Next-hop specified reduces total distance to the destination

The Validity Rule

Underlying IGP can result in forwarding loops
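
An added example (not from the slides or the authors' tooling) of the validity property across two scopes: each router's BGP choice of egress is its scope-i next hop, and the IGP table supplies the scope-(i+1) hop toward that egress. The four-router topology, the tables and the function names are constructed for illustration.

```python
# Constructed topology, one AS on a line: E1 - A - B - E2.
# E1 and E2 are egress routers that each hold an external route to the prefix.
IGP_NEXT_HOP = {  # scope i+1: (router, target) -> next router on the IGP path
    ("A", "E1"): "E1", ("A", "E2"): "B",
    ("B", "E1"): "A", ("B", "E2"): "E2",
}

def forward(src, bgp_egress, igp_next_hop=IGP_NEXT_HOP):
    """Trace hop-by-hop forwarding from src; return (status, path)."""
    path, node = [src], src
    while True:
        egress = bgp_egress.get(node)      # scope i: this router's own choice
        if egress is None:
            return "no route", path
        if egress == node:                 # packet leaves the AS here
            return "delivered", path
        nxt = igp_next_hop.get((node, egress))
        if nxt is None:
            return "no path", path         # a route exists but no path does
        if nxt in path:                    # revisiting a router: forwarding loop
            return "loop", path + [nxt]
        path.append(nxt)
        node = nxt

def check_validity(bgp_egress):
    """Forwarding status from every router that holds a route."""
    return {r: forward(r, bgp_egress) for r in sorted(bgp_egress)}

# Each router picks the egress nearest to it: every route has a path.
CONSISTENT = {"E1": "E1", "E2": "E2", "A": "E1", "B": "E2"}
# A and B selected different egresses (constructed case): each sends the
# packet toward its own egress, through the other router.
CROSSED = {"E1": "E1", "E2": "E2", "A": "E2", "B": "E1"}

if __name__ == "__main__":
    for name, cfg in (("consistent", CONSISTENT), ("crossed", CROSSED)):
        for router, (status, path) in check_validity(cfg).items():
            print(f"{name:10} {router}: {status:9} {' -> '.join(path)}")
```

In the crossed case A and B both hold a route, yet neither has a path that delivers the packet, which is the validity violation the slide names.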

Information Flow Control
- Consists of objects, flow policy, partial ordering of security levels
- Policy defined in terms of partial ordering expressed as a lattice
- Flow model specifies
  - Process causing information flow
  - How flow should be controlled between parties

An example information flow lattice

Information Objects
- Policy
  - Peering and transit agreements
  - Router preferences
- Reachability
  - Events affecting reachability
- Topology
  - Internal network topology
  - Inter-AS connectivity

Noninterference Rule
- Objects at higher security levels should not be visible to objects at lower levels
- Security level of message not higher than level of recipient
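
An added example (not from the slides or the authors' tool) of checking the noninterference rule over a lattice of security levels. The lattice, the classification of objects and the recipients are constructed, and the rule is read as "message level ≤ recipient level" in the partial order, so a message at a level incomparable to the recipient's is also flagged; that reading is an assumption.

```python
from itertools import product

# Hypothetical lattice (the slide's lattice figure is not in the text):
# public < peer < internal and public < customer < internal.
COVERS = {("public", "peer"), ("public", "customer"),
          ("peer", "internal"), ("customer", "internal")}
LEVELS = {lvl for pair in COVERS for lvl in pair}

def partial_order(covers, levels):
    """Reflexive-transitive closure of the covering relation."""
    leq = {(x, x) for x in levels} | set(covers)
    while True:
        new = {(a, d) for (a, b), (c, d) in product(leq, leq) if b == c}
        if new <= leq:
            return leq
        leq |= new

LEQ = partial_order(COVERS, LEVELS)

def join(a, b):
    """Least upper bound of two levels."""
    uppers = [u for u in LEVELS if (a, u) in LEQ and (b, u) in LEQ]
    return next(u for u in uppers if all((u, v) in LEQ for v in uppers))

def message_level(objects, object_level, bottom="public"):
    """A message is as sensitive as the join of the objects it reveals."""
    level = bottom
    for obj in objects:
        level = join(level, object_level[obj])
    return level

def violations(messages, object_level, recipient_level):
    """Messages whose level is not <= the recipient's level."""
    bad = []
    for recipient, objects in messages:
        level = message_level(objects, object_level)
        if (level, recipient_level[recipient]) not in LEQ:
            bad.append((recipient, level))
    return bad

# Constructed classification of the slide's information objects.
OBJECT_LEVEL = {"reachability": "public", "peering agreement": "peer",
                "transit agreement": "customer", "internal topology": "internal"}
RECIPIENT_LEVEL = {"peer-AS": "peer", "customer-AS": "customer", "ibgp": "internal"}
MESSAGES = [  # constructed (recipient, objects revealed) pairs
    ("peer-AS", ["reachability"]),
    ("customer-AS", ["reachability", "peering agreement"]),
    ("peer-AS", ["reachability", "internal topology"]),
    ("ibgp", ["peering agreement", "transit agreement"]),
]
```

`violations(MESSAGES, OBJECT_LEVEL, RECIPIENT_LEVEL)` flags the second and third messages: one leaks a peer-level object to a customer (incomparable levels), the other sends an internal-level object to a peer.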

BGP implementations can result in information flow policy violations

Potential Applications
- Static analysis of existing network configuration
- Providing framework for design of high-level policy specification
- Aid designers of new protocols

Configuration Analysis
- Tool verifies properties of legacy router configuration
- Such tool under development
- Used to check whether configuration satisfies specified information flow policy

Configuration Synthesis
- Get rid of low-level configuration languages
- Remove complexity, frequent misconfiguration
- Synthesize low-level configuration by translating high-level specification

Protocol Design
- Implement set of protocol abstractions
- Relate to routing logic, determine satisfaction of properties
- Less susceptible to violating wide-area routing properties

Related Work
- Inspired by use of BAN logic for authentication protocol analysis
- Application of BAN logic to Taos operating system
- Builds on BGP anomalies noted by various previous work

Conclusions
- Presented a routing logic
  - Proving properties about protocol aspects
  - Formally describe how fundamental properties of BGP lead to violations
  - Evaluate future proposed modifications to BGP
  - Help design new protocols

From 10,000 feet …
- Does not aim to fix all problems in BGP
- Stresses the importance of formalizing the current approach to understanding things
- Is a tool to analyze effects of modifications to implementations
- Approach extendable to other complex protocols