Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela."— Presentation transcript:

1 Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela Zave (AT&T Research)

2 Internet is a network of networks – autonomous systems BGP is the routing protocol between AS’s Why is BGP important

3 Each AS has a significant amount of freedom in choosing routes Node 1 may prefer the purple path over the orange path to node D AS Preferences in BGP 1 1 2 2 3 3 D D

4 BGP Convergence An “Instance” is a topology and a set of AS preferences Some instances don’t converge (called Gadgets) – BGP’s routing protocol can oscillate. Finding gadgets is hard and has previously been done by hand We use lightweight modeling to automate gadget generation and analysis

5 Why Lightweight Model Formal modeling aids analysis – Requires rigorous definition of concepts Encoded in a way that is “shareable” between researchers – Automates analysis Lightweight modeling is easier – Small model of key concepts – Easier to develop than machine-verified proofs – Push-button analysis

6 Stable Path Problem Useful Model – Although static formulation of the BGP, captures important properties: SPP that is “solvable” is a prerequisite for BGP convergence Although doesn’t capture dynamic properties fully – Extensively Studied Used in proofs of a lot of previous work Our model of SPP (almost) as compact as original description Automatically finding gadgets hard in SPP

7 Alloy Wanted a tool to help us generate SPP gadgets Alloy is a declarative modeling language – Can test assertions on predicates Compiles to SAT problem – SAT solvers are fast (on a lot of cases) Given a set of predicates, 2 answers: – Satisfiable – Unsatisfiable & Counterexample

8 Explore All Small SPP Instances Small instances are often informative – SPP gives each node a lot of degrees of freedom So properties of small instances are often interesting And often generalize to larger ones – Counterexamples to assertions really useful Explores full search space – Can make generalized assertions Although only up to a certain size

9 Contributions Created lightweight model of SPP – Model very compact, machine and human readable – Full model in the paper Automatically generated unstable SPP gadgets – Bad Gadget, Disagree, many more Classified gadgets – Full list of interesting gadgets under 4 source nodes Verified new and known solvability predicates – “Absence of dispute wheel implies solvability”

10 Outline Review of SPP and Model Use 1: Gadget Generation Use 2: Test Known Solvability Predicates Discuss Future Work

11 SPP Topology 1 1 2 2 3 3 D D Source Node Destination Node

12 SPP Permitted Paths 1 1 2 2 3 3 D D 1d 12d 13d List of Permitted Paths

13 Representation In Alloy DstNode, SrcNode: Node Path: Sequence of Nodes – Sequence is an ordered list SrcNode.PermittedPaths: Sequence of Paths – First path in list most preferred 1 1 D D 1d 13d 21d

14 Ensure Valid Topology with Facts Facts define correctness of construction – Assertions only run on correct constructions Example: ValidNonEmptyPath – Sequence has at least one element – No node appears more than once – Last node is DstNode Many more…

15 SPP Selection 1 1 2 2 3 3 D D 1d 12d 13d 21d 2d 32d 31d 3d Each node selects exactly one path

16 SPP Solution 1 1 2 2 3 3 D D 1d 12d 13d 21d 2d 32d 31d 3d All nodes happy with their selection simultaneously

17 Individual Happiness (within constraints) Solution – Each node has selected the best of its choices. Why? – No node can pick a better choice. Pred SelectionIsSolution[selected] { let choices = GetChoices[selected] | selected = GetBest[choices] }

18 Constraint Dependencies Choices Node 1 Selection Node 2 Selection Node 1 Choices Node 2

19 SPP as a Model Each SPP instance has 0, 1, or 1+ solutions Having exactly 1 solution is necessary but not sufficient for safety. All Instances 1 SPP Solution Safety

20 Specify Solvability Predicate Logically, Pred OneSolvable: one selection where SelectionIsSolution Pred MultiSolvable: some selection where SelectionIsSolution Aside: Selection is a set – Quantifying over it requires 2 nd order logic – Hard-code quantifications on a set-size basis for 1 st order

21 No Solution (Bad Gadget) 1 1 2 2 3 3 D D 12d 1d 23d 2d 31d 3d

22 Two Solutions (Disagree) 1 1 2 2 3 3 D D 12d 1d 21d 2d 3d

23 Analysis Using the Model We know “all instances are one solvable” is incorrect => We use Alloy to give us example instances where predicate fails. Use model to test solvability predicates – “absence of dispute wheel implies one solvable”

24 Use 1: Generating Counterexamples Have Alloy Generate Counter Examples – Gadgets with no (multiple) solutions – Too Many (10000+ for 4 source nodes) Want Interesting Counterexamples

25 Interesting Gadget 1 1 2 2 3 3 D D 12d 1d 23d 2d 31d 3d

26 Uninteresting Gadget 1 1 2 2 3 3 D D 12d 1d 13d 23d 2d 31d 3d

27 Gadget Generation Intuitively, small gadgets are most interesting Start small – Find all gadgets for size Size++ When analyzing bigger gadgets, exclude gadgets similar to those already found

28 Gadget Library pred Gadget123{ } Predicate detects gadgets similar to the gadget found Makes path rankings relative Corrects for isomorphic reordering of node #s Eliminate gadgets matching library predicates in future

29 Gadgets Found Unsolvable Gadgets Multiply Solvable Gadgets

30 Use 2: Evaluating Constraints Test Known Constraints Example: Create predicates for the dispute wheel – Verify “absence of a DW implies solvability” – Get instances that have a DW but are still solvable Quickly explore new conditions for solvability – See if they are sufficient or necessary – Get counterexamples of how they don’t fully capture solvability

31 Conclusion Created a lightweight model of BGP Used model to generate gadgets Used iterative elimination to get minimal set of interesting gadgets Model could be used for quick “push button” analysis of new constraints

32 Future Work Develop new solvability predicates and model existing ones Apply the model to checking BGP router configurations for solvability Model the dynamic SPVP

33 Thanks

Download ppt "Towards a Lightweight Model of BGP Safety Matvey Arye Princeton University Joint work with: Rob Harrison, Richard Wang, Jennifer Rexford (Princeton) Pamela."

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.

Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Noam Nisan, Michael Schapira, Gregory Valiant, and Aviv Zohar.

Noam Nisan, Michael Schapira, Gregory Valiant, and Aviv Zohar.
Prepared by Ilya Kolchinsky.  n generals, communicating through messengers  some of the generals (up to m) might be traitors  all loyal generals should.

Prepared by Ilya Kolchinsky.  n generals, communicating through messengers  some of the generals (up to m) might be traitors  all loyal generals should.
Sept. 28 200Internet routing seminar (Fall 2000) An analysis of BGP convergence Properties Timothy G. Griffin Gordan Wilfong Presented by Tian Bu.

Sept Internet routing seminar (Fall 2000) An analysis of BGP convergence Properties Timothy G. Griffin Gordan Wilfong Presented by Tian Bu.
Does BGP Solve the Shortest Paths Problem? Timothy G. Griffin Joint work with Bruce Shepherd and Gordon Wilfong Bell Laboratories, Lucent Technologies.

Does BGP Solve the Shortest Paths Problem? Timothy G. Griffin Joint work with Bruce Shepherd and Gordon Wilfong Bell Laboratories, Lucent Technologies.
Part IV BGP Modeling. 2 BGP Is Not Guaranteed to Converge!  BGP is not guaranteed to converge to a stable routing. Policy inconsistencies can lead to.

Part IV BGP Modeling. 2 BGP Is Not Guaranteed to Converge!  BGP is not guaranteed to converge to a stable routing. Policy inconsistencies can lead to.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.

Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
1 Measurement of Highly Active Prefixes in BGP Ricardo V. Oliveira, Rafit Izhak-Ratzin, Beichuan Zhang, Lixia Zhang GLOBECOM’05.

1 Measurement of Highly Active Prefixes in BGP Ricardo V. Oliveira, Rafit Izhak-Ratzin, Beichuan Zhang, Lixia Zhang GLOBECOM’05.
(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)

(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)
STABLE PATH PROBLEM Presented by: Sangeetha A. J. Based on The Stable Path Problem and Interdomain Routing Timothy G. Griffin, Bruce Shepherd, Gordon Wilfong.

STABLE PATH PROBLEM Presented by: Sangeetha A. J. Based on The Stable Path Problem and Interdomain Routing Timothy G. Griffin, Bruce Shepherd, Gordon Wilfong.
BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.

BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.
Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.

Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.
1 A UML Class Diagram Analyzer Tiago Massoni Rohit Gheyi Paulo Borba Software Productivity Group Informatics Center – UFPE October 2004.

1 A UML Class Diagram Analyzer Tiago Massoni Rohit Gheyi Paulo Borba Software Productivity Group Informatics Center – UFPE October 2004.
Ashish Gupta Under Guidance of Prof. B.N. Jain Department of Computer Science and Engineering Advanced Networking Laboratory.

Ashish Gupta Under Guidance of Prof. B.N. Jain Department of Computer Science and Engineering Advanced Networking Laboratory.
1 Policy Disputes in Path-Vector Protocols A Safe Path-Vector Protocol Zacharopoulos Dimitris

1 Policy Disputes in Path-Vector Protocols A Safe Path-Vector Protocol Zacharopoulos Dimitris
Compiler Challenges, Introduction to Data Dependences Allen and Kennedy, Chapter 1, 2.

Compiler Challenges, Introduction to Data Dependences Allen and Kennedy, Chapter 1, 2.

Similar presentations

Ads by Google