w4140 network laboratory lecture 9 nov 12 - fall 2006 shlomo hershkop columbia university
DESCRIPTION
W4140 Network Laboratory Lecture 9 Nov 12 - Fall 2006 Shlomo Hershkop Columbia University. Announcements. Reminder : phase I project due end of week Lab 7 this week. Outline. Network Address Translation (NAT) Dynamic Host Configuration Protocol (DHCP) Firewalls - PowerPoint PPT PresentationTRANSCRIPT
W4140 Network Laboratory
Lecture 9Nov 12 - Fall 2006
Shlomo HershkopColumbia University
Announcements
Reminder : phase I project due end of week Lab 7 this week
Outline
Network Address Translation (NAT)
Dynamic Host Configuration Protocol (DHCP)
Firewalls
Typical Application and some news of a recent hacking (very sophisticated) on the cs network Or: what you learned this semester in real life
A hack to fix the IP address depletion problem. NAT is a router function where IP addresses (and possibly port
numbers) of IP datagrams are replaced at the boundary of a private network.
Breaks the End-to-End argument. But it became a standard: RFC 1631 - The IP Network Address
Translator (NAT)
Provides a form security by acting as a firewall home users. Small companies.
Network Address Translation: a hack
Is there any other solution to the IP address problem?
Basic operation of NAT
NAT device stores the address and port translation tables In the this example we mapped only addresses.
•Host
•private address: 10.0.1.2•public address: 128.143.71.21
Public Host
•Private Network •Internet
64.236.24.4
NATDevice
PrivateAddress
PublicAddress
10.0.1.1 128.59.16.21
•Source = 10.0.1.2•Destination = 64.236.24.4
•Source = 10.0.1.2•Destination = 64.236.24.4•Source = 128.143.71.21•Destination = 64.236.24.4
•Source = 128.143.71.21•Destination = 64.236.24.4
•Source = 64.236.24.4•Destination = 128.59.16.21
•Source = 64.236.24.4•Destination = 10.0.0.2
•Source = 64.236.24.4•Destination = 128.59.16.21•Source = 64.236.24.4•Destination = 128.59.16.21•Source = 64.236.24.4•Destination = 128.59.16.21•Source = 64.236.24.4•Destination = 10.0.0.2
Private Network
Private IP network is an IP network with Private IP Addresses (Can it be connected directly to the Internet?)
IP addresses in a private network can be assigned arbitrarily but they are usually picked from the reserved pool (can we use any?) Not registered and not guaranteed to be globally unique Question: how is public IP address assigned?
Generally, private networks use addresses from the following experimental address ranges (non-routable addresses): 10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255
Main uses of NAT
Pooling of IP addresses
Supporting migration between network service providers
IP masquerading and internal firewall
Load balancing of servers
Pooling of IP addresses
Scenario: Corporate network has many hosts but only a small number of public IP addresses.
NAT solution: Corporate network is managed with a private address space.
NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses.
When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host.
Pooling of IP addresses
•Host
•private address: 10.0.1.2•public address: 128.143.71.21
•Private Network •Internet
Public Host64.236.24.4
NATDevice
PrivateAddress
PublicAddress
10.0.1.2 128.59.16.21
•Source = 10.0.1.2•Destination = 64.236.24.4
•Source = 10.0.1.2•Destination = 64.236.24.4•Source = 128.143.71.21•Destination = 64.236.24.4
•Source = 128.143.71.21•Destination = 64.236.24.4
Supporting migration between network service providers
Scenario: In practice (using CIDR), the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
NAT solution: Assign private addresses to the hosts of the corporate network NAT device has address translation entries which bind the
private address of a host to the public address. Migration to a new network service provider merely requires an
update of the NAT device. The migration is not noticeable to the hosts on the network.
Supporting migration between network service providers
Host
private address: 10.0.1.2public address: 128.14.71.21
Source = 10.0.1.2Destination = 213.168.112.3
NAT device
Private Address
PublicAddress
10.0.1.2 128.14.71.21
128.14.71.21
Source = 128.14.71.21Destination = 213.168.112.3
Private network
ISP 1allocates address
block 128.14.71.0/24 to private network:
Supporting migration between network service providers
Host
private address: 10.0.1.2public address: 128.14.71.21
150.140.4.120
Source = 10.0.1.2Destination = 213.168.112.3
NAT device
Private Address
PublicAddress
10.0.1.2128.14.71.21150.140.4.120
128.14.71.21150.140.4.120
Source = 150.140.4.120Destination = 213.168.112.3
ISP 2allocates address block
150.140.4.0/24 to private network:
Private network
ISP 1allocates address
block 128.14.71.0/24 to private network:
IP masquerading
Also called: Network address and port translation (NAPT), port address translation (PAT).
Scenario: Single public IP address is mapped to multiple hosts in a private network.
NAT solution: Assign private addresses to the hosts of the corporate network NAT device modifies the port numbers for outgoing traffic
IP masquerading
NAT device
Host 2
private address: 10.0.1.2
Private network
Source = 10.0.1.2Source port = 2001
Source = 128.59.71.21Source port = 80
Private Address
PublicAddress
10.0.1.2/2001 128.143.71.21/80
10.0.1.3/3020 128.143.71.21/4444
Host 1
private address: 10.0.1.3
Source = 10.0.1.3Source port = 3020
Internet
Source = 128.59.71.21Destination = 4444
128.16.71.2110.0.0.1
Load balancing of servers
Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address
NAT solution: Here, the servers are assigned private addresses NAT device acts as a proxy for requests to the server from the
public network The NAT device changes the destination IP address of arriving
packets to one of the private addresses for a server A sensible strategy for balancing the load of the servers is to
assign the addresses of the servers in a round-robin fashion.
Load balancing of servers
Private network
Source = 101.248.22.3Destination = 128.16.71.21
NAT device
Private Address
PublicAddress
10.0.1.2 128.59.71.21
Inside network
10.0.1.4 128.59.71.21
Internet128.59.71.21
S1
S2
S3
10.0.1.4
10.0.1.3
10.0.1.2
PublicAddress
64.30.4.120
Outside network
101.248.22.3
Source = 64.30.4.120Destination = 128.16.71.21
Concerns about NAT
Performance: Modifying the IP header by changing the IP address requires
that NAT boxes recalculate the IP header checksum. Modifying port number requires that NAT boxes recalculate TCP
checksum.
Fragmentation Care must be taken that a datagram that is fragmented before it
reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments.
Concerns about NAT
End-to-end connectivity: NAT destroys universal end-to-end reachability of hosts on the
Internet. A host in the public Internet often cannot initiate communication
to a host in a private network. The problem is worse, when two hosts that are in a private
network need to communicate with each other.
Example: bittorrent, where each client is also a server….
NAT and FTP
H1 H2
public address:128.143.72.21
FTP client FTP server
PORT 128.143.72.21/1027
200 PORT command successful
public address:128.195.4.120
RETR myfile
150 Opening data connection
establish data connection
Normal FTP operation
NAT and FTP
NAT device with FTP support
H1
Private network
NATdevice
H2
private address: 10.0.1.3public address: 128.143.72.21
Internet
FTP client FTP server
PORT 10.0.1.3/1027 PORT 128.143.72.21/1027
200 PORT command successful200 PORT command successful
RETR myfile
establish data connection
RETR myfile
150 Opening data connection150 Opening data connection
establish data connection
NAT and FTP
FTP in passive mode and NAT.
H1
Private network
NATdevice
H2
private address: 10.0.1.3public address: 128.143.72.21
Internet
FTP client FTP server
PASV PASV
Entering Passive Mode128.195.4.120/10001
Entering Passive Mode128.195.4.120/10001
public address:128.195.4.120
Establish data connection Establish data connection
Configuring NAT in Linux
Linux uses the Netfilter/iptable Kernel package
Incomingdatagram
filterINPUT
Destinationis local?
filterFORW ARD
natOUTPUT
To application From application
Outgoingdatagram
natPOSTROUTING
(SNAT)
No
Yes filterOUTPUT
natPREROUTING
(DNAT)
Configuring NAT with iptable
First example:iptables –t nat –A POSTROUTING –s 10.0.1.2 –j SNAT --to-source 128.16.71.21
Pooling of IP addresses:iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –j SNAT --to-source 128.16.71.0–128.16.71.30
IP masquerading:
iptables –t nat –A POSTROUTING –s 10.0.1.0/24 –o eth1 –j MASQUERADE
Load balancing:
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
Dynamic Host Configuration Protocol
(DHCP)
Dynamic Assignment of IP addresses
Dynamic assignment of IP addresses is desirable for several reasons: IP addresses are assigned on-demand Avoid manual IP configuration Support mobility of laptops Wireless networking and Home NATs
No static IP means that we have to depend on DNS for the packet routing Use of a DDNS (Dynamic DNS entry) Free sites for that service in the internet
Dynamic Host Configuration Protocol (DHCP)
Designed in 1993
Requires a server and free IP address space
Supports temporary allocation (“leases”) of IP addresses
DHCP client can acquire all IP configuration parameters
Any potential security risks?
Can we use something that can prevent unauthorized users?
DHCP Interaction (simplified)
Argon 00:a0:24:71:e4:44 DHCP Server
DHCP Request 00:a0:24:71:e4:44Sent to 255.255.255.255
Argon 128.16.23.144
00:a0:24:71:e4:44 DHCP ServerDHCP Response: IP address: 128.16.23.144Default gateway: 128.16.23.1Netmask: 255.255.0.0
DHCP Message Format
Number of Seconds
OpCode Hardware Type
Your IP address
Unused (in BOOTP)Flags (in DHCP)
Gateway IP address
Client IP address
Server IP address
Hardware Address Length
Hop Count
Server host name (64 bytes)
Client hardware address (16 bytes)
Boot file name (128 bytes)
Transaction ID
Options
(There are >100 different options)
DHCP
OpCode: 1 (Request), 2(Reply) Note: DHCP message type is sent in an option
Hardware Type: 1 (for Ethernet) Hardware address length: 6 (for Ethernet) Hop count: set to 0 by client Transaction ID: Integer (used to match reply to response) Seconds: number of seconds since the client started to
boot Client IP address, Your IP address, server IP address,
Gateway IP address, client hardware address, server host name, boot file name: client fills in the information that it has, leaves rest blank
DHCP Message Type
Message type is sent as an option.
Value Message Type
1 DHCPDISCOVER
2 DHCPOFFER
3 DHCPREQUEST
4 DHCPDECLINE
5 DHCPACK
6 DHCPNAK
7 DHCPRELEASE
8 DHCPINFORM
DHCP operations
Src: 0.0.0.0, 68Dest: 255.255.255.255, 67DHCPDISCOVERYYiaddr: 0.0.0.0Transaction ID: 654
Src:128.195.31.1, 67
DHCPOFFERYiaddr: 128.59.20.147Transaction ID: 654
Dest: 255.255.255.255, 68
Lifetime: 3600 secsServer ID: 128.59.18.1
Src: 0.0.0.0, 68Dest: 255.255.255.255, 67DHCPREQUESTYiaddr: 128.59.20.147Transaction ID: 655server ID: 128.195.31.1Lifetime: 3600 secs
Src:128.59.18.1, 67
DHCPACKYiaddr: 128.59.20.147Transaction ID: 655
Dest: 255.255.255.255, 68
Lifetime: 3600 secsServer ID: 128.59.18.1
DHCP operations
More on DHCP operations
A client may receive DCHP offers from multiple servers
The DHCPREQUEST message accepts offers from one server.
Other servers who receive this message considers it as a decline
A client can use its address after receiving DHCPACK
DHCP replies can be unicast, depending on implementation
DHCP relay agent
DHCPDISCOVERGiaddr: 0
Src: 0.0.0.0., 68Dest: 255.255.255.255, 67
128.16.31.1 128.16.41.1
DHCPDISCOVERGiaddr: 128.16.41.1
Src: 0.0.0.0., 68Dest: 255.255.255.255, 67
DHCPOFFER
……
Giaddr: 128.16.41.1
Src: 128.16.31.10, 67Dest: 128.16.41.1, 67
DHCPOFFER
……
Giaddr: 128.16.41.1
Src: 128.16.41.1, 67Dest: 255.255.255.255, 68
128.16.31.10
History of DHCP
Three Protocols: RARP (until 1985, no longer used) BOOTP (1985-1993) DHCP (since 1993) Secure DHCP – not a standard yet…
Only DHCP is widely used today.
Solutions for dynamic assignment of IP addresses
Reverse Address Resolution Protocol (RARP) RARP is no longer used Works similar to ARP Broadcast a request for the IP address associated with a
given MAC address RARP server responds with an IP address Only assigns IP address (not the default router and
subnetmask)
RARP
Ethernet MACaddress(48 bit)
ARPIP address(32 bit)
BOOTP
BOOTstrap Protocol (BOOTP) Host can configure its IP parameters at boot time. 3 services.
IP address assignment. Detection of the IP address for a serving machine. The name of a file to be loaded and executed by the client
machine (boot file name)
Not only assigns IP address, but also default router, network mask, etc.
Sent as UDP messages (UDP Port 67 (server) and 68 (host))
Use limited broadcast address (255.255.255.255): These addresses are never forwarded
BOOTP Interaction
BOOTP can be used for downloading memory image for diskless workstations
Assignment of IP addresses to hosts is static
Argon00:a0:24:71:e4:44 BOOTP Server
BOOTP Request00:a0:24:71:e4:44Sent to 255.255.255.255
Argon128.143.137.144
00:a0:24:71:e4:44 DHCP ServerBOOTP Response:IP address: 128.143.137.144Server IP address: 128.143.137.100Boot file name: filename
(a) (b)
Argon128.143.137.14400:a0:24:71:e4:44 DHCP Server
128.143.137.100
TFTP“filename”
(c)
Lab errata
In Figure 7.1, the private network interface of Router2 should be labeled with IP address "10.0.1.1/24" (instead of 10.0.0.1/24).
Firewalls
Firewalls
Security solution to control data connections Some permitted Some denied Some proxy
Hardware based Software based
Simplest version
Software based – personal Windows machine
Zone alarm Application level control Network level control Can configure regards to host-host, group
Linux type iptables TCP wrappers Specific application level control
Next level
Dedicated hard based firewall At network gateway Between control zones
State of connection
Stateful firewall Keep track of where the connection is, and knowing the
underlying protocol will allow/deny connection Very expensive
Stateless firewall Each packet is treated in isolation of every other Very cheap
Example ftp opens up random port connections to pass information, which will drop the packets ?
Interesting application firewall
Anyone hear of port knocking ??
This isn’t a trick or treat thing
Rules of firewalls
Most firewalls work on hard coded rules Interface (sometimes) presents choices to users/admins File keeps track of the rules
Probabilistic Approaches: Anomaly detection firewalls learn from normal traffic what should
be allowed and what should be blocked
This course
So what is the advantage of this course
Hands on networking
Get to break things (and not get fired)
Get to play with some theoretical tools (educational only)
Understand the problem with the following stories:
CS network 1
Problem: Guest: Dhcp machines on the cs network were mysteriously
failing to establish network connection
Any ideas ??
CS network 2
Really bad hacking success
Throw out hacker
Arp attack in revenge
Back to BGP
BGP = RFC 1771
+ “optional” extensionsRFC 1997 (communities) RFC 2439 (damping) RFC 2796 (reflection) RFC3065 (confederation) …
+ routing policy configurationlanguages (vendor-specific)
+ Current Best Practices in management of Interdomain Routing
BGP was not DESIGNED. It EVOLVED.
The Border Gateway Protocol (BGP)
BGP Route Processing
Best Route Selection
Apply Import Policies
Best Route Table
Apply Export Policies
Install forwardingEntries for bestRoutes.
ReceiveBGPUpdates
BestRoutes
TransmitBGP Updates
Apply Policy =filter routes & tweak attributes
Based onAttributeValues
IP Forwarding Table
Apply Policy =filter routes & tweak attributes
Open ended programming.Constrained only by vendor configuration language
AS7018135.207.0.0/16AS Path = 6341
AS 1239Sprint
AS 1755Ebone
AT&T
AS 3549Global Crossing
135.207.0.0/16AS Path = 7018 6341
135.207.0.0/16AS Path = 3549 7018 6341
AS 6341
135.207.0.0/16
AT&T Research
Prefix Originated
AS 12654RIPE NCCRIS project
AS 1129Global Access
135.207.0.0/16AS Path = 7018 6341
135.207.0.0/16AS Path = 1239 7018 6341
135.207.0.0/16AS Path = 1755 1239 7018 6341
135.207.0.0/16AS Path = 1129 1755 1239 7018 6341
ASPATH Attribute
In fairness: could you do this “right” and still scale?
Exporting internalstate would dramatically increase global instability and amount of routingstate
AS 4
AS 3
AS 2
AS 1
Mr. BGP says that path 4 1 is better than path 3 2 1
Duh!
Shorter Doesn’t Always Mean Shorter
Thanks to Han Zheng
Routing Example 1
Thanks to Han Zheng
Routing Example 2
Tweak Tweak Tweak (TE)
For inbound traffic Filter outbound routes Tweak attributes on
outbound routes in the hope of influencing your neighbor’s best route selection
For outbound traffic Filter inbound routes Tweak attributes on
inbound routes to influence best route selection
outboundroutes
inboundroutes
inboundtraffic
outboundtraffic
In general, an AS has more control over outbound traffic
Forces outbound traffic to take primary link, unless link is down.
AS 1
primary link backup link
Set Local Pref = 100for all routes from AS 1 AS 65000
Set Local Pref = 50for all routes from AS 1
Backup Links with Local Preference (Outbound Traffic)
Forces outbound traffic to take primary link, unless link is down.
AS 1
primary link backup link
Set Local Pref = 100for all routes from AS 1
AS 2
Set Local Pref = 50for all routes from AS 3
AS 3provider provider
Multihomed Backups (Outbound Traffic)
Prepending will (usually) force inbound traffic from AS 1to take primary linkAS 1
192.0.2.0/24ASPATH = 2 2 2
customerAS 2
provider
192.0.2.0/24
backupprimary
192.0.2.0/24ASPATH = 2
Yes, this is a Glorious Hack …
Shedding Inbound Traffic with ASPATH Prepending
AS 1
192.0.2.0/24ASPATH = 2 2 2 2 2 2 2 2 2 2 2 2 2
customerAS 2
provider
192.0.2.0/24
192.0.2.0/24ASPATH = 2
AS 3provider
AS 3 will sendtraffic on “backup”link because it prefers customer routes and localpreference is considered before ASPATH length!
Padding in this way is oftenused as a form of loadbalancing
backupprimary
… But Padding Does Not Always Work
AS 1
customerAS 2
provider
192.0.2.0/24
192.0.2.0/24ASPATH = 2
AS 3provider
backupprimary
192.0.2.0/24ASPATH = 2 COMMUNITY = 3:70
Customer import policy at AS 3:If 3:90 in COMMUNITY then set local preference to 90If 3:80 in COMMUNITY then set local preference to 80If 3:70 in COMMUNITY then set local preference to 70
AS 3: normal customer local pref is 100,peer local pref is 90
COMMUNITY Attribute to the Rescue!
BGP Issues - What is a BGP Wedgie?
BGP policies make sense locally Interaction of local policies allows
multiple stable routings Some routings are consistent with
intended policies, and some are not If an unintended routing is
installed (BGP is “wedged”), then manual intervention is needed to change to an intended routing
When an unintended routing is installed, no single group of network operators has enough knowledge to debug the problem
¾ wedgie
Full wedgie
¾ Wedgie Example
AS 1 implements backup link by sending AS 2 a “depref me” community.
AS 2 implements this community so that the resulting local pref is below that of routes from it’s upstream provider (AS 3 routes)
AS 1
AS 2
AS 3 AS 4
customer
provider
peer peer
provider
customer
customer
providerbackup link
primary link
And the Routings are…
AS 1
AS 2
AS 3 AS 4
Intended Routing
AS 1
AS 2
AS 3 AS 4
Unintended RoutingNote: This is easy to reach from the intended routing just by “bouncing”the BGP session on the primary link.
Note: this would be the ONLY routing if AS2 translated its “depref me” community to a “depref me” community of AS 3
Recovery
AS 1
AS 2
AS 3 AS 4
AS 1
AS 2
AS 3 AS 4
AS 1
AS 2
AS 3 AS 4
Bring down AS 1-2 session Bring it back up!
Requires manual intervention Can be done in AS 1 or AS 2
Load Balancing Example
primary link for prefix P1backup link for prefix P2
AS 1
AS 2
AS 3 AS 4
provider
peer peer
provider
customer
AS 5customer
primary link for prefix P2backup link for prefix P1
Recovery for prefix P1 may cause a BGP wedgie for prefix P2 …
AS 1
AS 2
AS 3 AS 4
customer
provider
peer peer
provider
customer
customer
provider
primary link
Full Wedgie Example
AS 5
backup links
AS 1 implements backup links by sending AS 2 and AS 3 a “depref me” communities.
AS 2 implements its community so that the resulting local pref is below that of its upstream providers and it’s peers (AS 3 and AS 5 routes)
AS 5 implements its community so that the resulting local pref is below its peers (AS 2) but above that of its providers (AS 3)
customer
peer peer
And the Routings are…
AS 1
AS 2
AS 3 AS 4
AS 5
AS 1
AS 2
AS 3 AS 4
AS 5
Intended Routing Unintended Routing
Recovery??
AS 1
AS 2
AS 3 AS 4
AS 5
AS 1
AS 2
AS 3 AS 4
AS 5
Bring down AS 1-2 session
Bring up AS 1-2 session
Recovery
AS 1
AS 2
AS 3 AS 4
AS 5
AS 1
AS 2
AS 3 AS 4
AS 5
Bring down AS 1-2 sessionAND AS 1-5 session
AS 1
AS 2
AS 3 AS 4
AS 5
Try telling AS 5 that it hasto reset a BGP session that isnot associated with a BEST route!
Bring up AS 1-2 sessionAND AS 1-5 session
A Global ISP (or Corporate Intranet) Implemented with 5 ASes
AU++
APEMEA
LA
NA
AU
EMEA
NA AP
Full Wedgie Example, in a new Guise
LA
Intended Routing for some prefixes in AU
Message: Same problems can arisewith “traffic engineering” acrossdomains.
Recommendations
Be aware of BGP Wedgies Interdomain communities that can tweak a route’s preference
should be defined with care and consistently implemented Tools to enumerate all stable routings would be useful
inherently exponential in theory, but may not be that bad in practice (on instances much smaller than global Internet!)
I’m currently attempting an implementation on top of http://nms.lcs.mit.edu/bgp/rcc/
Dynamic Routing Protocols: Summary
Dynamic routing protocols: RIP, OSPF, BGP
RIP uses distance vector algorithm, and converges slow (the count-to-infinity problem)
OSPF uses link state algorithm, and converges fast. But it is more complicated than RIP.
Both RIP and OSPF finds lowest-cost path.
BGP uses path vector algorithm, and its path selection algorithm is complicated, and is influenced by policies.
BGP has its own problems see WIDGI by Tim Griffin
More Readings (Optional)
BGP Wedgies: Bad Routing Policy Interactions that Cannot be Debugged
JI’s Intro to interdomain routing.
"Interdomain Setting of PlanetLab Nodes." PlanetLab Meeting, May 14, 2004.
Understanding the Border Gateway Protocol (BGP) ICNP 2002 Tutorial Session
References
[VGE1996, VGE2000] Persistent Route Oscillations in Inter-Domain Routing. Kannan Varadhan, Ramesh Govindan, and Deborah Estrin. Computer Networks, Jan. 2000. (Also USC Tech Report, Feb. 1996)
[GW1999] An Analysis of BGP Convergence Properties. Timothy G. Griffin, Gordon Wilfong. SIGCOMM 1999
[GSW1999] Policy Disputes in Path Vector Protocols. Timothy G. Griffin, F. Bruce Shepherd, Gordon Wilfong. ICNP 1999
[GW2001] A Safe Path Vector Protocol. Timothy G. Griffin, Gordon Wilfong. INFOCOM 2001
[GR2000] Stable Internet Routing without Global Coordination. Lixin Gao, Jennifer Rexford. SIGMETRICS 2000
[GGR2001] Inherently safe backup routing with BGP. Lixin Gao, Timothy G. Griffin, Jennifer Rexford. INFOCOM 2001
– [GW2002a] On the Correctness of IBGP Configurations. Griffin and Wilfong.SIGCOMM 2002.
– [GW2002b] An Analysis of the MED oscillation Problem. Griffin and Wilfong. ICNP 2002.
Lab 6 this week
Goal: