Security and Selfishness in Interdomain Routing

Rahul Sami
School of Information, University of Michigan, Ann Arbor, USA
[email protected]

Michael Schapira
School of Engineering and Computer Science, The Hebrew University, Jerusalem, Israel
[email protected]

Aviv Zohar
School of Engineering and Computer Science, The Hebrew University, Jerusalem, Israel
[email protected]
Abstract—The Border Gateway Protocol (BGP) establishes routes between the smaller networks that make up the Internet, called Autonomous Systems (ASes). ASes are owned by self-interested, often competing, economic entities. We use economic and game-theoretic tools to show that security enhancements of BGP are sufficient to achieve incentive compatibility in realistic settings, i.e., to ensure that following BGP is the best course of action for every AS in the Internet. Specifically, we show that protocols like soBGP are incentive-compatible. We also propose a new control-plane mechanism for the commercial Internet. Our results should be contrasted with [19], where it is shown that S-BGP is incentive-compatible in realistic settings: we show that incentive compatibility can be achieved at a lower cost (in terms of overhead and complexity), because soBGP does not require online cryptographic signature validation and because our new mechanism is based on very local security checks. Hence, we provide a strategic justification for the design and deployment of control-plane mechanisms that are easier to deploy than S-BGP and less costly to execute. For our analysis we present a new condition for BGP convergence that generalizes previously known ones.
I. INTRODUCTION

The Border Gateway Protocol (BGP) is the standard protocol for interdomain routing in today's Internet. Interdomain routing is the task of establishing routes between the administrative domains, called Autonomous Systems (ASes), that make up the Internet. ASes are owned by independent, selfish, and often competing economic entities. While BGP (and, in fact, the Internet itself) was designed to provide connectivity between largely trusted and obedient parties, in the age of the commercial Internet none of these assumptions can be taken for granted. That is, one must take into account the possibility of ASes not adhering to BGP due to greed, malice, or even arbitrary reasons.

There are two separate streams of research that address the issue of ASes' "disobedience" (lack of compliant behaviour) in interdomain routing: (1) security research (see [1]); (2) Distributed Algorithmic Mechanism Design, a field of research rooted in microeconomics and game theory (introduced by Feigenbaum, Papadimitriou and Shenker [6]; see also [21]). The distributed algorithmic mechanism design approach was first applied to the context of interdomain routing by Feigenbaum et al. [5], and subsequently by many other works [8], [4], [7], [9], [19], [12]. These two research agendas differ in the assumptions they make on ASes' (or rather AS owners') behaviour: security researchers attempt to design mechanisms
that provide protection against arbitrary (Byzantine), and even unjustifiably malicious, behaviour. In contrast, Distributed Algorithmic Mechanism Design (DAMD) assumes that ASes are rational and aim to optimize their own gain. That is, the standard DAMD approach to interdomain routing assumes that ASes' rationality is expressed by their desire to forward packets along routes that are ranked as high as possible (given their local preferences), and that ASes will not stray from BGP (e.g., announce bogus routes, make different route selections, etc.) unless doing so furthers this interest.

Both streams of research face significant challenges. Security protocols can be very difficult to implement, and even if fully deployed may fail to ensure ASes' obedience. For instance, an important security desideratum is Route Verification [19], which means that an AS cannot announce a route that was not announced to it by one of its neighbouring ASes without being detected. Route Verification can be achieved by deploying security protocols like S-BGP [18] and IRV [13]. However, even if Route Verification holds, an AS that is announced several routes by its neighbours can always announce one of these routes and forward packets along another. Hence, the class of security mechanisms that do not trace the routes packets actually take (known as control-plane mechanisms) cannot, on their own, guarantee that ASes forward along the routes they announce. Tracing the actual routes along which packets are forwarded to every destination AS (as might be done by a data-plane mechanism) is, however, extremely hard to achieve in practice (see [20] and references therein). The DAMD approach faces different, yet equally serious, obstacles: it has been shown that adhering to BGP might not be in the best interest of an AS even in small and realistic networks [19], [12].

While neither research agenda achieves the objective of ASes' obedience on its own, a combination of concepts and tools from both succeeds. Recently, Levin et al. [19] have shown that BGP-based protocols for which Route Verification is assured achieve incentive compatibility. That is, if all ASes but one are following the protocol, then that AS can have no rational motivation not to do the same (even if it has complete knowledge of the network). We note that this result, like our results in this paper, can be extended to show that even coalitions of ASes, of any size, cannot gain through collaborative manipulation. Therefore, security protocols like S-BGP (that guarantee Route Verification) are incentive compatible.
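To make the Route Verification property concrete, and to contrast it with the weaker check the next paragraph relaxes it to (verifying only that an announced route exists in the AS graph), here is an added Python illustration. It is not code from the paper, from S-BGP or from soBGP: the four-AS topology, the destination AS 4, the decision of AS 3 not to export its route to AS 2, and the use of per-AS HMAC keys as a stand-in for S-BGP's public-key route attestations are all constructed for the example. A route that exists in the topology but was never announced to the announcing AS passes the topology check but fails route verification, because the announcer cannot produce the missing neighbour's attestation.

```python
import hashlib
import hmac
from typing import Dict, FrozenSet, List

# Constructed AS-level topology: the long-term structure a router could have
# authenticated offline.  Links are undirected.
KNOWN_LINKS: FrozenSet[FrozenSet[int]] = frozenset(
    frozenset(link) for link in [(1, 2), (2, 3), (3, 4), (2, 4)]
)
DEST = 4  # the destination AS of every announcement in this example

# Constructed per-AS secrets standing in for signing keys.  S-BGP uses
# public-key route attestations; HMAC is used here only so the example runs
# on the standard library.  The security argument is the same: only AS k can
# produce AS k's attestation.
KEYS: Dict[int, bytes] = {asn: f"as{asn}-key".encode() for asn in (1, 2, 3, 4)}


def topology_valid(path: List[int]) -> bool:
    """Topology-only check: the path is simple, ends at the destination and
    every consecutive pair of ASes is a known link.  Nothing here shows that
    any AS on the path actually announced the route."""
    if not path or path[-1] != DEST or len(path) != len(set(path)):
        return False
    return all(frozenset((a, b)) in KNOWN_LINKS for a, b in zip(path, path[1:]))


def attest(signer: int, path: List[int], recipient: int) -> bytes:
    """Route attestation by `signer`: 'I announced `path` to `recipient`'."""
    msg = f"{signer}:{','.join(map(str, path))}->{recipient}".encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()


def route_verified(receiver: int, path: List[int], attestations: Dict[int, bytes]) -> bool:
    """Route Verification: every AS on the path must have attested the suffix
    starting at itself, addressed to the AS just before it on the path (or to
    `receiver` for the first hop).  A route that was never announced to the
    announcer therefore cannot carry a complete attestation chain."""
    if not topology_valid(path):
        return False
    for k, signer in enumerate(path):
        expected = attest(signer, path[k:], receiver if k == 0 else path[k - 1])
        if not hmac.compare_digest(attestations.get(signer, b""), expected):
            return False
    return True


def scenario() -> Dict[str, bool]:
    """AS 3 does not export its route [3, 4] to AS 2 (for instance because 4 is
    its provider and 2 only a peer), so AS 2 holds only the direct route [2, 4].
    AS 2 nevertheless announces [2, 3, 4] to AS 1."""
    honest = [2, 4]
    honest_att = {4: attest(4, [4], 2), 2: attest(2, honest, 1)}
    forged = [2, 3, 4]
    # AS 2 can sign its own hop but cannot produce AS 3's attestation.
    forged_att = {4: attest(4, [4], 3), 2: attest(2, forged, 1)}
    bogus = [2, 5, 4]  # AS 5 and the links to it do not exist at all
    return {
        "honest_topology": topology_valid(honest),
        "honest_route": route_verified(1, honest, honest_att),
        "forged_topology": topology_valid(forged),              # passes: the path exists
        "forged_route": route_verified(1, forged, forged_att),  # fails: no attestation from 3
        "bogus_topology": topology_valid(bogus),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The forged announcement is exactly the case that separates the two checks: the topology check accepts [2, 3, 4] because both links exist, while the attestation chain breaks at AS 3. Note that even route verification does not stop AS 2 from announcing [2, 4] and forwarding elsewhere, which is the control-plane limitation discussed above.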
soBGP is incentive compatible. In this paper, we significantly strengthen this result on combining incentives and security by relaxing the Route Verification requirement to a weaker requirement called "Topology Validation". Topology Validation only requires ASes to be able to verify that an announced route exists in the network, not that it was recently announced to the announcing AS. This implies that even security protocols like soBGP [22], which only achieve Topology Validation, are incentive compatible. This has many practical implications, as soBGP is much less costly to deploy than S-BGP, due to the fact that it is an offline protocol. That is, soBGP avoids the computationally expensive validation of cryptographic signatures at routing time by authenticating long-term structural routing elements (such as the network topology) before the BGP session is established, unlike the online S-BGP. Thus, the validation operations do not introduce significant run-time costs [1].

For our analysis we use a new condition for BGP convergence called "Iterated Dominance Tree". This simple and intuitive condition may seem, at first sight, to be a very severe restriction on the network and on the routing policies of ASes. However, surprisingly, Iterated Dominance Tree generalizes all previously known sufficient conditions for BGP safety (i.e., for ensuring that BGP always converges to a stable solution [16]). In particular, Iterated Dominance Tree generalizes the No Dispute Wheel condition [15] (see Appendix), which is the broadest condition known to date to guarantee BGP safety. The fact that Iterated Dominance Tree is much easier to work with than previous sufficient conditions (like No Dispute Wheel) is very helpful to us in proving our result for soBGP. As the result of Levin et al. [19] was obtained under the No Dispute Wheel assumption, our result improves over theirs in this respect as well.

Achieving incentive-compatibility in the commercial Internet. Other than showing that soBGP is incentive compatible, we also introduce a new security control-plane mechanism and show that it achieves incentive compatibility in the commercial Gao-Rexford setting [11]. The Gao-Rexford setting is said to accurately depict the business relationships in today's Internet [17] (see Appendix). In this setting, every pair of neighbouring ASes has one of two business relationships: either one AS is a customer of the other, or they are peers. These business relationships induce economic constraints, formalized by Gao and Rexford. Our new mechanism's main strength is that it requires ASes only to verify information provided by ASes that are two hops away (that is, their neighbours' neighbours in the AS graph). It is possible to implement this mechanism via IRV. This allows for incremental deployment and does not require all ASes in the Internet to switch to a different protocol (like S-BGP or soBGP), because IRV's operation is independent of the routing protocol. One of the Gao-Rexford constraints is a filtering constraint, i.e., it requires ASes not to announce certain routes to their neighbours. The issue of route filtering is of great importance,
as no route filtering, or "irresponsible" route filtering, may lead to undesired phenomena like persistent BGP oscillations (see [3]). The Gao-Rexford setting, in which the filtering constraint provably prevents ongoing route oscillations, demonstrates this crucial role of ASes' filtering policies. But how can we make sure that ASes indeed filter routes as required? Will they not announce routes that are available to them (or even bogus routes) if they stand to gain from doing so? Moreover, even if we could force ASes to filter routes as required, what is to guarantee that they will follow BGP? Our new mechanism addresses these questions.

Organization of the paper. In Section II we present the game-theoretic model and some security background. In Section III we define Iterated Dominance Trees and present our result for soBGP. In Section IV we prove our results for the Gao-Rexford setting. In Section V we conclude and present some open questions.

II. BACKGROUND: GAME THEORY AND SECURITY

This section contains the game-theoretic and security-related preliminaries required for our results.

A. The Game-Theoretic Model

Our results are proven in the game-theoretic interdomain routing model presented by Levin et al. [19], which is an economic interpretation of the model of Griffin et al. [16], [15]. We describe the model briefly here; the reader is referred to [19] for more information.

The network. The network is defined by an undirected graph G = (N, L). N consists of n source nodes 1, ..., n (the players) and a unique destination node d. Each source node i has a valuation function vi that assigns a non-negative value to every possible simple route from i to d (i.e., to every simple route in the complete graph over the nodes of G).¹ As nodes must decide on a single routing option, it holds that vi(P) ≠ vi(Q) for any node i and every two routes P, Q from i to d that do not have the same first link.

Stable solutions. We define a stable solution as an n-tuple of routes in G, R1, ..., Rn, such that:
• Route consistency: For every i ∈ [n] there must be a node j ∈ [n] such that Ri = (i, j)Rj (that is, Ri starts with the link (i, j) ∈ L and then follows Rj) and Rj ∈ Ex(j, i).
• Stability: If there is a link (i, j) ∈ L and Ri ≠ (i, j)Rj, then (i, j)Rj
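An added Python illustration of the model above; it is not the paper's own code. Because the stability clause is cut off in the text, the check below assumes the standard condition of the Griffin et al. model: a route assignment is stable if, besides route consistency, no node i values some available (i, j)Rj more than its own Ri. The three-node network, its valuation functions and the export policies are constructed. The example runs synchronous best-response dynamics in three configurations: the classic "bad gadget" dispute wheel, which has no stable solution and oscillates forever; the same graph with tree-like preferences, which converges to a solution the checker accepts; and the bad gadget with one filtering policy added (node 1 never exports to node 3), which converges, illustrating the role of route filtering discussed in the Introduction. Routes a node does not list are valued 0 and treated as not permitted.

```python
from typing import Callable, Dict, Optional, Set, Tuple

D = 0                                        # the destination node d
Route = Tuple[int, ...]                      # a simple route (i, ..., D)
Routes = Dict[int, Optional[Route]]          # R_1, ..., R_n (None: no route)
Valuation = Dict[int, Dict[Route, float]]    # v_i(P); unlisted routes are worth 0 (not permitted)
Export = Callable[[int, int, Route], bool]   # Ex(j, i): may j announce this route to i?


def allow_all(j: int, i: int, route: Route) -> bool:
    return True


def no_export_1_to_3(j: int, i: int, route: Route) -> bool:
    """Constructed filtering policy: node 1 never announces any route to node 3."""
    return not (j == 1 and i == 3)


def value(v: Valuation, i: int, route: Route) -> float:
    return v.get(i, {}).get(route, 0.0)


def best_response(i, links, v, routes: Routes, export: Export) -> Optional[Route]:
    """The route i selects given its neighbours' current routes: the highest-valued
    (i, j)R_j that j exports to i and that does not already contain i."""
    best, best_val = None, 0.0
    for j in links[i]:
        if j == D:
            cand: Route = (i, D)
        elif routes[j] is None or i in routes[j] or not export(j, i, routes[j]):
            continue
        else:
            cand = (i,) + routes[j]
        val = value(v, i, cand)
        if val > best_val:   # only permitted routes (value > 0) are ever chosen;
            best, best_val = cand, val   # distinct first links have distinct values, so no ties
    return best


def is_stable(links, v, routes: Routes, export: Export) -> bool:
    """Route consistency: R_i = (i, j)R_j for a neighbour j with R_j in Ex(j, i).
    Stability (standard condition of the model, assumed here): no node values
    some available (i, j)R_j more than its own R_i."""
    for i, r in routes.items():
        if r is None:
            continue
        j = r[1]
        if j not in links[i]:
            return False
        if j == D:
            if r != (i, D):
                return False
        elif routes[j] != r[1:] or not export(j, i, routes[j]):
            return False
    return all(best_response(i, links, v, routes, export) == routes[i] for i in routes)


def run_bgp(links, v, export: Export = allow_all, max_rounds: int = 50) -> Optional[Routes]:
    """Synchronous best-response dynamics from the empty assignment.  Returns the
    fixed point reached, or None if none is reached within max_rounds (oscillation)."""
    routes: Routes = {i: None for i in links if i != D}
    for _ in range(max_rounds):
        new = {i: best_response(i, links, v, routes, export) for i in routes}
        if new == routes:
            return routes
        routes = new
    return None


# Constructed graph: a triangle 1-2-3 with every node also linked to d.
LINKS: Dict[int, Set[int]] = {D: {1, 2, 3}, 1: {D, 2, 3}, 2: {D, 1, 3}, 3: {D, 1, 2}}

# "Bad gadget": every node prefers the route through its clockwise neighbour
# to its direct link.  The three preferences form a dispute wheel; no
# assignment satisfies both clauses of the definition.
BAD_GADGET: Valuation = {
    1: {(1, 2, D): 2, (1, D): 1},
    2: {(2, 3, D): 2, (2, D): 1},
    3: {(3, 1, D): 2, (3, D): 1},
}
# Same graph with tree-like preferences; the dynamics converge.
GOOD_GADGET: Valuation = {
    1: {(1, 2, D): 2, (1, D): 1},
    2: {(2, D): 1},
    3: {(3, 1, 2, D): 3, (3, 1, D): 2, (3, D): 1},
}


if __name__ == "__main__":
    print("bad gadget, no filtering:", run_bgp(LINKS, BAD_GADGET))
    print("bad gadget, 1 filters to 3:", run_bgp(LINKS, BAD_GADGET, no_export_1_to_3))
    sol = run_bgp(LINKS, GOOD_GADGET)
    print("good gadget:", sol, "stable:", is_stable(LINKS, GOOD_GADGET, sol, allow_all))
```

With the filter in place node 3 only ever sees its direct route, so node 2 settles on (2, 3, d) and node 1 on (1, d); without it, the three nodes alternate between their direct routes and their preferred indirect ones every round, which is the persistent oscillation the text warns about.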