towards a lightweight model of bgp safety
DESCRIPTION
Towards a Lightweight Model of BGP Safety. Matvey Arye Princeton University Joint work with : Rob Harrison, Richard Wang, Jennifer Rexford ( Princeton ) Pamela Zave (AT&T Research). Why is BGP important. Internet is a network of networks – a utonomous systems - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/1.jpg)
Towards a Lightweight Model of BGP Safety
Matvey AryePrinceton University
Joint work with:Rob Harrison, Richard Wang, Jennifer Rexford (Princeton)
Pamela Zave (AT&T Research)
![Page 2: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/2.jpg)
Internet is a network of networks – autonomous systems
BGP is the routing protocol between AS’s
Why is BGP important
![Page 3: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/3.jpg)
Each AS has a significant amount of freedom in choosing routes
Node 1 may prefer the purple path over the orange path to node D
AS Preferences in BGP
1
23
D
![Page 4: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/4.jpg)
BGP Convergence• An “Instance” is a topology and a set of AS preferences
• Some instances don’t converge (called Gadgets)– BGP’s routing protocol can oscillate.
• Finding gadgets is hard and has previously been done by hand
• We use lightweight modeling to automate gadget generation and analysis
![Page 5: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/5.jpg)
Why Lightweight Model
• Formal modeling aids analysis– Requires rigorous definition of concepts
• Encoded in a way that is “shareable” between researchers– Automates analysis
• Lightweight modeling is easier– Small model of key concepts– Easier to develop than machine-verified proofs– Push-button analysis
![Page 6: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/6.jpg)
Stable Path Problem
• Useful Model– Although static formulation of the BGP, captures
important properties:• SPP that is “solvable” is a prerequisite for BGP convergence• Although doesn’t capture dynamic properties fully
– Extensively Studied• Used in proofs of a lot of previous work
• Our model of SPP (almost) as compact as original description
• Automatically finding gadgets hard in SPP
![Page 7: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/7.jpg)
Alloy
• Wanted a tool to help us generate SPP gadgets
• Alloy is a declarative modeling language– Can test assertions on predicates
• Compiles to SAT problem– SAT solvers are fast (on a lot of cases)
• Given a set of predicates, 2 answers:– Satisfiable– Unsatisfiable & Counterexample
![Page 8: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/8.jpg)
Explore All Small SPP Instances
• Small instances are often informative– SPP gives each node a lot of degrees of freedom• So properties of small instances are often interesting • And often generalize to larger ones
– Counterexamples to assertions really useful • Explores full search space– Can make generalized assertions• Although only up to a certain size
![Page 9: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/9.jpg)
Contributions• Created lightweight model of SPP
– Model very compact, machine and human readable– Full model in the paper
• Automatically generated unstable SPP gadgets– Bad Gadget, Disagree, many more
• Classified gadgets– Full list of interesting gadgets under 4 source nodes
• Verified new and known solvability predicates – “Absence of dispute wheel implies solvability”
![Page 10: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/10.jpg)
Outline
• Review of SPP and Model
• Use 1: Gadget Generation
• Use 2: Test Known Solvability Predicates
• Discuss Future Work
![Page 11: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/11.jpg)
SPP Topology
1
23
D
Source Node
Destination Node
![Page 12: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/12.jpg)
SPP Permitted Paths
1
23
D
1d12d13d
List of Permitted
Paths
![Page 13: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/13.jpg)
Representation In Alloy
• DstNode, SrcNode: Node
• Path: Sequence of Nodes– Sequence is an ordered list
• SrcNode.PermittedPaths: Sequence of Paths– First path in list most preferred
1D
1d13d
21d
![Page 14: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/14.jpg)
Ensure Valid Topology with Facts
• Facts define correctness of construction– Assertions only run on correct constructions
• Example: ValidNonEmptyPath– Sequence has at least one element– No node appears more than once– Last node is DstNode
• Many more…
![Page 15: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/15.jpg)
SPP Selection
1
23
D
1d12d13d
21d2d
32d31d3d
Each node selects exactly one path
![Page 16: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/16.jpg)
SPP Solution
1
23
D
1d12d13d
21d2d
32d31d3d
All nodes happy with their selection simultaneously
![Page 17: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/17.jpg)
Individual Happiness (within constraints)
• Solution– Each node has selected the best of its choices.
• Why? – No node can pick a better choice.
Pred SelectionIsSolution[selected]{
let choices = GetChoices[selected] | selected = GetBest[choices]}
![Page 18: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/18.jpg)
Constraint Dependencies
Choices Node 1
Selection Node 2
Selection Node 1
Choices Node 2
![Page 19: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/19.jpg)
SPP as a Model
• Each SPP instance has 0, 1, or 1+ solutions• Having exactly 1 solution is necessary but not
sufficient for safety.
All Instances
1 SPP Solution
Safety
![Page 20: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/20.jpg)
Specify Solvability Predicate
Logically,Pred OneSolvable:one selection where SelectionIsSolutionPred MultiSolvable:some selection where SelectionIsSolution
Aside:• Selection is a set
– Quantifying over it requires 2nd order logic– Hard-code quantifications on a set-size basis for 1st order
![Page 21: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/21.jpg)
No Solution (Bad Gadget)
1
23
D
12d1d
23d2d
31d3d
![Page 22: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/22.jpg)
Two Solutions (Disagree)
1
23
D
12d1d
21d2d3d
![Page 23: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/23.jpg)
Analysis Using the Model
• We know “all instances are one solvable” is incorrect
=> We use Alloy to give us example instances where predicate fails.
• Use model to test solvability predicates– “absence of dispute wheel implies one solvable”
![Page 24: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/24.jpg)
Use 1: Generating Counterexamples
• Have Alloy Generate Counter Examples– Gadgets with no (multiple) solutions– Too Many (10000+ for 4 source nodes)
• Want Interesting Counterexamples
![Page 25: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/25.jpg)
Interesting Gadget
1
23
D
12d1d
23d2d
31d3d
![Page 26: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/26.jpg)
Uninteresting Gadget
1
23
D
12d1d
13d
23d2d
31d3d
![Page 27: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/27.jpg)
Gadget Generation
• Intuitively, small gadgets are most interesting
• Start small– Find all gadgets for size
• Size++
• When analyzing bigger gadgets, exclude gadgets similar to those already found
![Page 28: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/28.jpg)
Gadget Library
pred Gadget123{}
Predicate detects gadgets similar to the gadget found• Makes path rankings relative• Corrects for isomorphic reordering of node #s
Eliminate gadgets matching library predicates in future
![Page 29: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/29.jpg)
Gadgets FoundUnsolvable Gadgets
Multiply Solvable Gadgets
![Page 30: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/30.jpg)
Use 2: Evaluating Constraints
• Test Known Constraints
• Example: Create predicates for the dispute wheel– Verify “absence of a DW implies solvability”– Get instances that have a DW but are still solvable
• Quickly explore new conditions for solvability– See if they are sufficient or necessary– Get counterexamples of how they don’t fully capture
solvability
![Page 31: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/31.jpg)
Conclusion
• Created a lightweight model of BGP
• Used model to generate gadgets
• Used iterative elimination to get minimal set of interesting gadgets
• Model could be used for quick “push button” analysis of new constraints
![Page 32: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/32.jpg)
Future Work
• Develop new solvability predicates and model existing ones
• Apply the model to checking BGP router configurations for solvability
• Model the dynamic SPVP
![Page 33: Towards a Lightweight Model of BGP Safety](https://reader035.vdocuments.site/reader035/viewer/2022062323/568161ec550346895dd220ae/html5/thumbnails/33.jpg)
Thanks