57
Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar תתתתתתתתתתת תתתתתת תתתתתתתתתתת תתתתתת תתתתתתתת תתתתתתתתThe Hebrew University of The Hebrew University of Jerusalem Jerusalem

Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

  • View
    214

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Interdomain Routing and Games

Michael Schapira

Joint work with Hagay Levin

and Aviv Zohar

האוניברסיטה העברית בירושליםהאוניברסיטה העברית בירושליםThe Hebrew University of JerusalemThe Hebrew University of Jerusalem

Page 2: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

The Agenda

• An introduction to interdomain routing (a networking approach).

• A Distributed Algorithmic Mechanism Design (DAMD) perspective (an economic approach).

• Our Results:– A formulation of interdomain routing as a game.– Realistic settings in which BGP is immune to rational

manipulations.– …

Page 3: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

An Introduction to An Introduction to Interdomain RoutingInterdomain Routing

(A Networking Approach)(A Networking Approach)

Page 4: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Interdomain Routing

Establish routes between Autonomous Systems (ASes).

Currently done only by the Border Gateway Protocol (BGP).

AT&T

Qwest

Comcast

UUNET

Page 5: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Why is Interdomain Routing Hard?

• Route choices are based on local policies.

• Expressiveness: Policies are complex.

• Autonomy: Policies are uncoordinated

AT&T

Qwest

Comcast

UUNET

My link to UUNET is forbackup purposes only.

Load-balance myoutgoing traffic.

Always chooseshortest paths.

Avoid routes through AT&T ifat all possible.

Page 6: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Interdomain Routing

• Routes to every destination AS are computed independently.

• There is an AS graph G=<N,L>. – N consists of n source nodes 1,…,n and

a destination node d.

– L represents physical links between ASes.

Page 7: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Interdomain Routing

receive routes from neighbours

choose“best”

neighbour

send updatesto neighbours

• Every source-node i is defined by a valuation function vi that assigns a non-negative value to each (simple) route from i to d.

• The computation performed by a single node is an infinite sequence of stages:

Page 8: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Interdomain Routing

• The route assignment reached by BGP forms a confluent routing tree rooted in d.– Routes are consistent (route choices depend

on neighbours’ choices).– Routes are loop-free (nodes announce full

routes).

• The final route assignment is stable.– Every node prefers its assigned route over

any other available route.

Page 9: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Example of Stability

1 2

d

Prefer routes

through 2

Prefer routes through 1

2, I’m available

1, my routeis 2d

1, I’m available

Page 10: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Assumptions on the Network

• The network is asynchronous.– Nodes can be activated in different timings.

– Update messages can be arbitrarily delayed along selective links.

• Network malfunctions are possible.– Link and node failures.

Page 11: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

BGPPros:

• Nodes need have no a-priori knowledge about the network topology or about other nodes.

• The protocol is adaptive to changes in network topology (link and node failures).

• ….

Cons:

• The lack of global coordination might result in persistent route oscillations (protocol divergence).

Page 12: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Example of Instability: Oscillation

1 2

d

BGP might oscillateforever between

1d, 2dand

12d, 21d

Prefer routes

through 2

Prefer routes through 1

1, 2, I’m thedestination

1, my routeis 2d

2, my routeis 1d

Page 13: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

The Hardness of Stability

• Theorem: Determining whether a ``stable solution’’ exists is NP-Hard. [Griffin-Wilfong]

• Theorem: Determining whether a ``stable solution’’ exists requires exponential communication between the source-nodes.– Independent of the P-NP assumption.– Communication complexity is linear in the “size” of the local preferences

of nodes.

Page 14: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Networking researchers seek constraints that guarantee BGP stability (for any timing, even in the presence of network malfunctions). [Balakrishnan, Feamster, Gao, Griffin, Jaggard, Johari, Ramachandran, Rexford, Shepherd, Sobrinho, Wilfong, …]

• A realistic and well known set of such constraints are the Gao-Rexford constraints.– The Internet is formed by economic forces.– ASes sign long-term contracts that determine who

provides connectivity to whom.

Guaranteeing Robust Convergence

Page 15: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Gao-Rexford FrameworkNeighboring pairs of ASes have one of:

– a customer-provider relationship(One node is purchasing connectivity fromthe other node.)

– a peering relationship(Nodes have offered to carry each other’stransit traffic, often to shortcut a longer route.)

peerproviders

customers

peer

Page 16: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Dispute Wheels

• If BGP oscillates, the valuation functions and the topology of the network induce a structure called a Dispute Wheel. [Griffin-Shepherd-Wilfong]

• The absence of a Dispute Wheel ensures robust BGP convergence.

• The Gao-Rexford constraints are a special case of “No Dispute Wheel”. [Gao-Griffin-Rexford]

Page 17: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Dispute Wheels

• A Dispute Wheel: – A sequence of nodes ui and routes Ri, Qi.

– ui prefers RiQi+1 over Qi.

Page 18: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Example of a Dispute Wheel

1 2

d

Prefer routes

through 2

Prefer routes through 1

2

1

d

Page 19: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

A DAMD PerspectiveA DAMD Perspective

(An Economic Approach)(An Economic Approach)

Page 20: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Do Nodes Always Adhere to the Protocol?

• BGP was designed to guarantee connectivity between trusted and obedient parties.

• The commercial Internet: ASes are owned by economic and often competing entities.– Might deviate from BGP if it suits their interests.

Page 21: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Two Research Agendas

• Security research – Malicious nodes.

– Cyptographic modifications of BGP (S-BGP)

• Distributed Algorithmic Mechanism Design [Feigenbaum-Papadimitriou-Shenker]

– Rational nodes.– Seeks realistic conditions for which BGP is

incentive-compatible. [Feigenbaum-Papadimitriou-Sami-Shenker]

Page 22: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Our ResultsOur Results

Page 23: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Our Main Results• A novel game-theoretic model of interdomain

routing.

• A surprising connection between the two research agendas (security and DAMD).

• Theorem: (bad news): BGP is not incentive-compatible even if No Dispute Wheel holds.

• Theorem: (good news): Cryptographic modifications of BGP (e.g., S-BGP) are incentive-compatible if No Dispute Wheel holds (no monetary transfers).

Page 24: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Interdomain RoutingInterdomain RoutingGamesGames

Page 25: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

A Static Game

• The source-nodes are the strategic agents (their valuation functions define their types).

• Each source-node chooses an outgoing edge.– Choices are simultaneous.

• A node’s payoff is:– vi(R) if the route R from i to d is induced by the

nodes’ choices.– 0 otherwise.

Page 26: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

A Static Game

• A pure Nash equilibrium is a set of nodes’ choices from which no node wishes to unilaterally deviate.

• Pure Nash equilibria = stable routing outcomes

1 2

d

Prefer routes

through 2

Prefer routes

through 1

Page 27: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

The Convergence Game

• The game consists of an infinite number of rounds.

• A node that is activated in a certain round can perform the following actions:– Read update messages announcing routes.

– Send update messages announcing routes.

– Choose a neighbouring node to forward traffic to.

Page 28: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

The Convergence Game

• There exists an adversarial entity called the scheduler that is in charge of: – Deciding which nodes are activated in each round.– Delaying update messages along selective links.– Removing links and nodes from the AS graph.

• Informally, a node’s strategy is its choice of a routing protocol.– Executing BGP is a strategy.

Page 29: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

The Convergence Game

• A route is said to be stable if from some round onwards every node on the route forwards traffic to the next-hop node on that route.

• The payoff of node i from the game is:– vi(R) if there is a route R from i to d which is

stable.

– 0 otherwise.

Page 30: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

BGP and Incentives

• A node is said to deviate from BGP (or to manipulate BGP) if it does not follow BGP.

• What forms of manipulation are available to nodes?– Misreporting preferences.– Reporting inconsistent information.– Announcing nonexistent routes. – Denying routes.– …

Page 31: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

BGP and Incentives

Two possible incentive-related requirements from BGP:

• Incentive-compatibility: No unilateral deviation from BGP by an AS can strictly improve the routing outcome of that AS.

• Collusion-proofness: No deviation from BGP by coalitions of ASes of any size can strictly improve the routing outcome of even a single AS in the coalition without strictly harming another [Feigenbaum-S-

Shenker].

Page 32: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

About the Convergence Game

• The game is complex.– Multi-round.– Asynchronous.– Partial-information

• No monetary transfers!– Very rare in mechanism design.– Unlike most works on incentive-compatibility and

interdomain routing– More realistic.

Page 33: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Known Results

. . .

. . . .

d

k i

IFvk(R1) > vk(R2)

R2

R1

THENvi((i,k)R1) > vi((i,k)R2)

Valuations are policy consistentiff, for all routes R1 and R2

(analogous toisotonicity [Sob.03])

Page 34: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Known results

• Policy consistency is known to hold for interesting special cases:– Shortest-path routing.– Next-hop policies.

• Theorem: If No Dispute Wheel and Policy Consistency hold, then BGP is incentive-compatible, and even collusion-proof. [Feigenbaum-Ramachandran-S, Feigenbaum-S-Shenker]

Page 35: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Known results

• A Problem: Policy Consistency is unrealistic.– Too strong.

• Can it be removed?

Page 36: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Realistic Settings in which Realistic Settings in which BGP is Incentive-Compatible BGP is Incentive-Compatible

and Collusion-Proofand Collusion-Proof

Page 37: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Is BGP Incentive-Compatible?

• Theorem: BGP is not incentive compatible even in Gao-Rexford settings.

m 1

2

d

m1dm12d

2md2d

12d1d

with manipulation

m 1

2

d

m1dm12d

2md2d

12d1d

without manipulation

Page 38: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• We define the following property:

–Route verification means that an AS can verify that a route announced by a neighbouring AS is available.

• Route verification can be achieved via security tools (S-BGP etc.).–Not an assumption on the nodes!

Can we fix this?

Page 39: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Many forms of manipulation are still available:– Misreporting preferences over available

routes.– Reporting inconsistent information.– Denying routes.– …

Does this solve the problem?

Page 40: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is incentive-compatible.

• Theorem: If the “No Dispute Wheel” condition holds, then BGP with strong route verification is collusion-proof.

Our Main Results

Page 41: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Dispute Wheels – A Reminder

• A Dispute Wheel: – A sequence of nodes ui and routes Ri, Qi.

– ui prefers RiQi+1 over Qi.

The Gao-Rexford constraintsare a special case of

the “No Dispute Wheel”condition.

Page 42: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is incentive-compatible.

• Proof (sketch): – By contradiction. – Assume that the “No Dispute Wheel”

condition holds, and that BGP is not incentive-compatible.

– We present sequences of nodes and routes that form a dispute wheel.

BGP with Route Verification

Page 43: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Proof Sketch

d

s

Ts

Ms

• Let s be the manipulator.

• Let T be the routing tree reached if all nodes follow the protocol.

• Let M be the the routing tree reached after s rationally manipulates BGP.

• vs(Ms) > vs(Ts)

Page 44: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Proof Sketch

d

s

1Ts

Ms

M1

T1

• There must exist a node i on Ms such that Mi≠Ti

• Let 1 be the node closest to d on Ms with this property.

• For each node i that is closer to d on Ms it holds that Mi=Ti.

• This implies: v1(T1) > v1(M1)

Page 45: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Proof Sketch

d

s

1

2

Ts

Ms

M1

T1

T2

M2

• Similarly, Let 2 be the node i closest to d on T1 such that Mi≠Ti.

• This implies: v2(M2) > v2(T2)

Page 46: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Proof Sketch

d

s

1

2

3

4

Ts

Ms

M1

T1

T2

M2

M3

T3

T4

k

Mk

Tk

• We choose 3,4,5,… in asimilar manner.

• Eventually some nodewill appear twice (assume that this nodeis s).

• We have a dispute wheel!

Page 47: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Why do we need route verification?

• The manipulator can lie about its route.

• For instance, k might believe that s’s route in M is Ls.

• Still,

vs(Ms) > vs(Ts) > vs(Ls)

d

s

1

2

3

4

k Ts

Ms

M1

T1

T2

M2

M3

T3

T4

Tk

Mk

Ls

Proof Sketch

Page 48: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Theorem: If the “No Dispute Wheel” condition holds, then BGP with route verification is collusion-proof.

• A Problem: Is route verification achievable even in the presence many manipulators?

BGP with Route Verification

Page 49: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Corollary: If No Dispute Wheel holds, then BGP is Pareto optimal.

• Pareto optimality means that BGP’s outcome is such that there is no other outcome that is:– Strictly preferred by one node.

– Weakly preferred by all other nodes.

BGP is Socially Just

Page 50: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• The total social welfare of a routing outcome is the sum of values nodes assign to their routes = ∑i vi(Pi).

• No Dispute Wheel and Policy Consistency guarantee BGP convergence to a social-welfare maximizing solution. [Feigenbaum-Ramachandran-S]

What About Social-Welfare?

Page 51: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Approximating Social Welfare

• Theorem: Obtaining an approximation to the optimal social welfare is impossible unless P=NP, even in Gao-Rexford settings.(Improvement on a bound achieved by [Feigenbaum,Sami,Shenker])

• Theorem: Exponential communication is required in order to achieve an approximation of to the social welfare.

2/1nO

1nO

Page 52: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Conclusions

• The main results:– Bad news: BGP is not incentive-compatible

even if No Dispute Wheel holds.

– Good news: A modification of BGP (route verification) is incentive-compatible.

• Helps explain BGP’s relative resilience to manipulations in practice.

Page 53: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Conclusions

• Our results should motivate research on guaranteeing route verification in the Internet.

• Where’s the justice?– Bad news: Social-welfare optimization

might be hopeless.

– Good news: BGP is Pareto optimal.

Page 54: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Follow Up Works

• “Best-reply mechanisms” (with Noam Nisan and Aviv Zohar)– Extensions to more general game-theoretic

settings.

• Work in progress (with Rahul Sami and Aviv Zohar)– More on BGP convergence and selfishness.

Page 55: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Characterizing robust BGP convergence (“No dispute wheel” is sufficient but not necessary).

• Does robust BGP convergence with route verification imply incentive compatibility?

• Can network formation games help explain the Internet’s commercial structure?

Open Questions

Page 56: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

• Generalize the model to allow other forms of “attacks” [Butler-Farley-McDaniel-Rexford]

Open Questions

Page 57: Interdomain Routing and Games Michael Schapira Joint work with Hagay Levin and Aviv Zohar האוניברסיטה העברית בירושלים The Hebrew University of Jerusalem

Thank YouThank You