Embed Size (px)
DESCRIPTION
Interdomain Routing and Games. Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University. On the Agenda. Motivation: Are Internet protocols incentive compatible? Interdomain routing & path vector protocols Convergence issues BGP as a game - PowerPoint PPT Presentation
Citation preview
1
Interdomain Routing and Games
Hagay Levin, Michael Schapira and Aviv ZoharThe Hebrew University
2
On the Agenda
• Motivation: Are Internet protocols incentive compatible?
• Interdomain routing & path vector protocols
• Convergence issues
• BGP as a game
• Hardness of approximation of social welfare
• Incentive compatibility
• Conclusions
3
Are Current Network Protocols Incentive Compatible?
• Protocols for the network have been dictated by some designer
• Okay for cooperative settings• But what if nodes try to optimize
regardless of harm to others?• Example: TCP congestion control
– Requires sender to transmit less when the network is congested
– This is not optimal for the sender (always better off sending more)
4
Secure Network Protocols
• A lot of effort is going into re-designing network protocols to be secure.
• Routing protocols are currently known to be very susceptible to attacks.– Even inadvertent configuration errors of routers have
caused global catastrophes.
• Designers are also concerned about incentive issues in this context.
• Our work highlights some connections between incentives and security of BGP.
5
Interdomain Routing• Messages in the Internet are passed from one router
to the other until reaching the destination.• Goal of routing protocols: decide how to route packets
between nodes on the net.• The network is partitioned into Autonomous Systems
(ASes) each owned by an economic entity.– Within ASes routing is cooperative– Between ASes inherently non-cooperative
• Routing preferences are complex and uncoordinated.
AT&T
Qwest
Comcast
UUNET
My link to UUNET is forbackup purposes only.
Load-balance myoutgoing traffic.
Always chooseshortest paths.
Avoid routes through AT&T if at all possible.
6
Path Vector Protocols
receive routes from neighbors
choose“best”
neighbor
send updates
to neighbors
• The only protocol currently used to establish routes between ASes (interdomain routing): The Border Gateway Protocol (BGP).
• Performed independently for every destination autonomous system in the network.
• The computation by each node is an infinite sequence of actions:
7
Example of BGP Execution
d
13
2
54
d d d
1d
1d3d
3d
41d
41d
23d
23d 23d
23d
receive routes from neighbors
choose“best”
neighbor
send updates
to neighbors
8
• Theorem: In “reasonable economic settings”, BGP is almost incentive-compatible (And can be tweaked to be incentive compatible).
• Theorem: In these same settings it is also almost collusion proof.– To make it fully collusion proof we need a
somewhat stronger assumption.
Our Main Results Informally
9
BGP – Not Guaranteed to Converge
• Other examples may fail to converge for certain timings and succeed for others.
1 2
d
331d3d…
23d2d...
12d1d…
1d
31d
2d
12d
10
Finding Stable States
• Previously known: It’s NP-Hard to determine if a stable state even exists. [Griffin, Wilfong]
We add:• Theorem: Determining the existence of a
stable state requires exponential communication.
• In practice, BGP does converge in the Internet! Why?
11
The Gao-Rexford Framework: An economic explanation for network convergence.
peerproviders
customers
peer
Neighboring pairs of ASes have one of:• a customer-provider relationship • a peering relationship
Restrict the possible graphs and preferences:• No customer-provider cycles (cannot be your own customer)• Prefer to route through customers over peers, and peers
over providers.• Only provide transit services to customers.
Guarantees convergence of BGP.
12
Dispute Wheels• A Dispute Wheel [Griffin et. al.]
– A sequence of nodes ui and routes Ri, Qi.
– ui prefers RiQi+1 over Qi.
• If the network has no dispute wheels, BGP will always converge.
• Also guarantees convergence with node & link failures.
Gao-Rexford No Dispute Wheel
Robust ConvergenceShortest Path
13
Modeling Path Vector Protocols as a Game
• The interaction is very complex.– Multi-round– Asynchronous– Partial-information
• Network structure, schedule, other player’s types are all unknown.
• No monetary transfers!– More realistic– Unlike most works on incentive-compatibility in interdomain
routing.
14
Routing as a Game
• The source-nodes are the strategic agents
• Agent i has a value vi(R) for any route R
• The game has an infinite number of rounds
• Timing decided by an entity called the scheduler
– Decides which nodes are activated in each round.
– Delays update messages along selective links.
15
Routing as a Game (2)• A node that is activated in a certain round can
– Read update messages announcing routes.– Send update messages announcing routes.– Choose a neighboring node to forward traffic to.
• The gain of node i from the game is:– vi(R) if from some point on it has an unchanging route
R.– 0 otherwise. (can be defined as the maximal gained
path in an oscillation as well).
• a node’s strategy is its choice of a routing protocol.– Executing BGP is a strategy.
16
Approximating Social Welfare
• Theorem: Getting an approximation to the optimal social welfare is impossible unless P=NP even in Gao-Rexford settings.(Improvement on a bound achieved by [Feigenbaum,Sami,Shenker])
• Theorem: It requires exponential communication to approximate social welfare up to
2/1nO
1nO
17
Manipulating in The Protocol
• A node is said to deviate from BGP (or to manipulate BGP) if it does not follow BGP.
• We want nodes to comply with the alg. Otherwise, suffer a loss when they deviate
• Which forms of manipulation are available to nodes?– Misreporting preferences.– Reporting inconsistent information.– Announcing nonexistent routes. – Denying routes.– …
18
No Optimal Protocols
• Theorem: Any routing protocol that:1. Guarantees convergence to a solution for
any timing with any preference profile
2. Resists manipulation
Must contain a (weak) dictator: A node that always gets its most preferred path.
(Simple to prove using a variant of the Gibbard-Satterthwaite theorem)
19
• Suppose node 1 is a weak dictator.
• If it wants some crazy path, it must get it.
• This feels like an unreasonable protocol.
5 4
36 2
17
d
20
Is BGP Incentive-Compatible?
• Theorem: BGP is not incentive compatible even in Gao-Rexford settings.
m 1
2
d
m1dm12d
2md2d
12d1d
with manipulation
m 1
2
d
m1dm12d
2md2d
12d1d
without manipulation
21
• We define a property:
– Route verification means that an AS can verify that a route is available to a neighboring AS.
• Route verification is:– Achievable via computational means
(cryptographic signatures).
– An important part of secure BGP implementation.
Can we fix this?
22
• Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is incentive-compatible in ex-post Nash equilibrium.
• Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is collusion-proof in ex-post Nash equilibrium.
Incentive Compatibility
23
Open Questions
• Characterizing robust BGP convergence (“No dispute wheel” is sufficient but not necessary).
• Does robust BGP convergence with route verification imply incentive compatibility?
• Can network formation games help to explain the Internet’s commercial structure?
• Maintain incentive compatibility if the protocol is changed to deal with attacks and other security issues?
• How do congestion and load fit in?
24
Conclusions• Our results help explain BGP’s resilience to
manipulation in practice.– Manipulation requires extensive knowledge on
network topology & preferences of ASes.
– Faking routes requires manipulation of TCP/IP too.
– Manipulations by coalitions require Herculean efforts, and tight coordination.
• We show that proposed security improvements would benefit incentives in the protocol.
• Work in progress: other natural asynchronous games.– “Best Reply Mechanisms” with Noam Nisam and
Michael Schapira
