Interdomain Routing and GamesMichael Schapira
Joint work with Hagay Levinand Aviv Zohar The Hebrew University of Jerusalem
The Agenda An introduction to interdomain routing (a networking approach).
A Distributed Algorithmic Mechanism Design (DAMD) perspective (an economic approach).
Our Results:A formulation of interdomain routing as a game.Realistic settings in which BGP is immune to rational manipulations.
An Introduction to Interdomain Routing(A Networking Approach)
Interdomain RoutingEstablish routes between Autonomous Systems (ASes).
Currently done only by the Border Gateway Protocol (BGP).
Why is Interdomain Routing Hard?Route choices are based on local policies.Expressiveness: Policies are complex.Autonomy: Policies are uncoordinatedMy link to UUNET is for backup purposes only.Load-balance my outgoing traffic.Always choose shortest paths.Avoid routes through AT&T if at all possible.
Interdomain Routing Routes to every destination AS are computed independently.
There is an AS graph G=. N consists of n source nodes 1,,n and a destination node d.L represents physical links between ASes.
Interdomain Routing Every source-node i is defined by a valuation function vi that assigns a non-negative value to each (simple) route from i to d.
The computation performed by a single node is an infinite sequence of stages:
Interdomain Routing The route assignment reached by BGP forms a confluent routing tree rooted in d.Routes are consistent (route choices depend on neighbours choices).Routes are loop-free (nodes announce full routes).
The final route assignment is stable.Every node prefers its assigned route over any other available route.
Example of Stability12dPrefer routes through 2Prefer routes through 12, Im available1, my routeis 2d1, Im available
Assumptions on the Network The network is asynchronous.Nodes can be activated in different timings.Update messages can be arbitrarily delayed along selective links.
Network malfunctions are possible.Link and node failures.
BGPPros: Nodes need have no a-priori knowledge about the network topology or about other nodes.
The protocol is adaptive to changes in network topology (link and node failures).
Cons: The lack of global coordination might result in persistent route oscillations (protocol divergence).
Example of Instability: Oscillation12dBGP might oscillate forever between
1d, 2dand12d, 21dPrefer routes through 2Prefer routes through 11, 2, Im thedestination1, my routeis 2d2, my routeis 1d
The Hardness of StabilityTheorem: Determining whether a ``stable solution exists is NP-Hard. [Griffin-Wilfong]
Theorem: Determining whether a ``stable solution exists requires exponential communication between the source-nodes.Independent of the P-NP assumption.Communication complexity is linear in the size of the local preferences of nodes.
Guaranteeing Robust Convergence Networking researchers seek constraints that guarantee BGP stability (for any timing, even in the presence of network malfunctions). [Balakrishnan, Feamster, Gao, Griffin, Jaggard, Johari, Ramachandran, Rexford, Shepherd, Sobrinho, Wilfong, ]
A realistic and well known set of such constraints are the Gao-Rexford constraints.The Internet is formed by economic forces.ASes sign long-term contracts that determine who provides connectivity to whom.
Gao-Rexford FrameworkNeighboring pairs of ASes have one of: a customer-provider relationship (One node is purchasing connectivity from the other node.) a peering relationship (Nodes have offered to carry each others transit traffic, often to shortcut a longer route.) peerproviderscustomerspeer
Dispute WheelsIf BGP oscillates, the valuation functions and the topology of the network induce a structure called a Dispute Wheel. [Griffin-Shepherd-Wilfong]
The absence of a Dispute Wheel ensures robust BGP convergence.
The Gao-Rexford constraints are a special case of No Dispute Wheel. [Gao-Griffin-Rexford]
Dispute WheelsA Dispute Wheel: A sequence of nodes ui and routes Ri, Qi.ui prefers RiQi+1 over Qi.
Example of a Dispute Wheel12dPrefer routes through 2Prefer routes through 1
A DAMD Perspective
(An Economic Approach)
Do Nodes Always Adhere to the Protocol?BGP was designed to guarantee connectivity between trusted and obedient parties.
The commercial Internet: ASes are owned by economic and often competing entities.Might deviate from BGP if it suits their interests.
Two Research AgendasSecurity research Malicious nodes.Cyptographic modifications of BGP (S-BGP)
Distributed Algorithmic Mechanism Design [Feigenbaum-Papadimitriou-Shenker]Rational nodes.Seeks realistic conditions for which BGP is incentive-compatible. [Feigenbaum-Papadimitriou-Sami-Shenker]
Our Main ResultsA novel game-theoretic model of interdomain routing.
A surprising connection between the two research agendas (security and DAMD).
Theorem: (bad news): BGP is not incentive-compatible even if No Dispute Wheel holds.
Theorem: (good news): Cryptographic modifications of BGP (e.g., S-BGP) are incentive-compatible if No Dispute Wheel holds (no monetary transfers).
Interdomain Routing Games
A Static GameThe source-nodes are the strategic agents (their valuation functions define their types).
Each source-node chooses an outgoing edge.Choices are simultaneous.
A nodes payoff is:vi(R) if the route R from i to d is induced by the nodes choices.0 otherwise.
A Static GameA pure Nash equilibrium is a set of nodes choices from which no node wishes to unilaterally deviate.
Pure Nash equilibria = stable routing outcomes12dPrefer routes through 2Prefer routes through 1
The Convergence GameThe game consists of an infinite number of rounds.
A node that is activated in a certain round can perform the following actions:Read update messages announcing routes.Send update messages announcing routes.Choose a neighbouring node to forward traffic to.
The Convergence GameThere exists an adversarial entity called the scheduler that is in charge of: Deciding which nodes are activated in each round.Delaying update messages along selective links.Removing links and nodes from the AS graph.
Informally, a nodes strategy is its choice of a routing protocol.Executing BGP is a strategy.
The Convergence GameA route is said to be stable if from some round onwards every node on the route forwards traffic to the next-hop node on that route.
The payoff of node i from the game is:vi(R) if there is a route R from i to d which is stable.0 otherwise.
BGP and IncentivesA node is said to deviate from BGP (or to manipulate BGP) if it does not follow BGP.
What forms of manipulation are available to nodes?Misreporting preferences.Reporting inconsistent information.Announcing nonexistent routes. Denying routes.
BGP and Incentives Two possible incentive-related requirements from BGP: Incentive-compatibility: No unilateral deviation from BGP by an AS can strictly improve the routing outcome of that AS.
Collusion-proofness: No deviation from BGP by coalitions of ASes of any size can strictly improve the routing outcome of even a single AS in the coalition without strictly harming another [Feigenbaum-S-Shenker].
Knowledge Assumptionsknowledgeomniscientagentsno knowledgeassumptionsAn ex-post Nash equilibrium Im better off following the protocol as long as everyone else does (no knowledge assumptions on network topology, nodes true preferences, message timings, ). [Shneidman-Parkes]
About the Convergence GameThe game is complex.Multi-round.Asynchronous.Partial-information
No monetary transfers!Very rare in mechanism design.Unlike most works on incentive-compatibility and interdomain routingMore realistic.
Known Results. . .. . . .dkiIFvk(R1) > vk(R2)R2R1THENvi((i,k)R1) > vi((i,k)R2)Valuations are policy consistent iff, for all routes R1 and R2(analogous to isotonicity [Sob.03])
Known resultsPolicy consistency is known to hold for interesting special cases:Shortest-path routing.Next-hop policies.
Theorem: If No Dispute Wheel and Policy Consistency hold, then BGP is incentive-compatible, and even collusion-proof. [Feigenbaum-Ramachandran-S, Feigenbaum-S-Shenker]
Known resultsA Problem: Policy Consistency is unrealistic.Too strong.
Can it be removed?
Realistic Settings in which BGP is Incentive-Compatible and Collusion-Proof
Is BGP Incentive-Compatible?Theorem: BGP is not incentive compatible even in Gao-Rexford settings.
Can we fix this?We define the following property:
Route verification means that an AS can verify that a route announced by a neighbouring AS is available.
Route verification can be achieved via security tools (S-BGP etc.).Not an assumption on the nodes!
Does this solve the problem?Many forms of manipulation are still available:Misreporting preferences over available routes.Reporting inconsistent information.Denying routes.
Our Main ResultsTheorem: If the No Dispute Wheel condition holds, then BGP with route verification is incentive-compatible.
Theorem: If the No Dispute Wheel condition holds, then BGP with strong route verification is collusion-proof.
Dispute Wheels A ReminderA Dispute Wheel: A sequence of nodes ui and routes Ri, Qi.ui prefers RiQi+1 over Qi.
The Gao-Rexford constraintsare a