Theoretical Bounds on Control-Plane Self Monitoring

in Routing Protocols

Raj Kumar RajendranVishal Misra

Dan Rubenstein

How do Routing Protocols behave when Errors are present?

• Routing Protocols are fairly well understood, e.g.,

– Link State: reacts quickly to connectivity changes, scales well, small packets

– Distance Vector (a.k.a. Bellman-Ford): simple, efficient, converges-quickly

– BGP (Path-Vector): some problems in convergence when routes change, significant literature for evaluating and understanding

• Critical Assumption for correctness: Nodes follow the proper protocol procedure

• Q: What happens when some nodes don’t follow the protocol (maliciously or by error)?

Nodes do make errors

• The infamous BGP AS 7007 Incident:

7007

5165

4345

7074

6957

2134

AS # 7007’s Distance

2134 2

4345 1

5165 3

6957 2

7074 1

… …

8765 8

8765

…

Normal Operation paths to 8765

And can be highly disruptive

• The infamous BGP AS 7007 Incident:

7007

5165

4345

7074

6957

2134

AS # 7007’s Distance

2134 1

4345 1

5165 1

6957 1

7074 1

… …

8765 1

8765

…

Abnormal Operation paths to 8765

What can we do to detect such errors and prevent disruption?

• Traditional approach– Modify the protocol to add additional

checks

• May not be practical due to large installed base

• Not clear what checks we should add

• Alternative approach– Clues that something is amiss may

already exist

– We are just not using it

Does the information given to me by my

neighbors make sense?

• Our Solution– Protocols have an inherent capacity for

self-monitoring

– Harness this capacity!

What can be detected without changing the protocol?

• Node has some information it uses for routing

Dest/ Neighbor

A B E

A 0 8 12

B 1 0 7

C 7 13 8

D 5 9 6

E 9 6 0

F 12 15 13

G 4 9 2

• In the process of executing the protocol each node receives additional information. This is its state

• State can be thought of as the node’s view of the network– Eg. Distance Vector (Bellman Ford)

• A node can inspect its state for inconsistencies that indicate errors

A

B

E

C

G

F

D

Dest Dist Next Hop

C 7 A

D 5 A

F 12 A

G 2 E

E.g. Distance Vector

Route Information

State

Inspecting one’s State for errors

• Q: How can a good node inspect its state for indications of errors by other nodes?

– What should the node “look for”?

– If an inspection is being carried out, is the node detecting everything that it can?

– Note: there are (classes of) errors that are undetectable, no matter what the node does.

N X Y1 1

D(X,Y) = 3N X Y1 3

An undetectable misconfig at node N:

Prior Work: “Weak” Detection

• How can a node inspect its state for errors

• Simple approach:

– Identify a property that should hold

– Check if the property holds

– Declare an error if a property is violated

• Example:

– In an undirected graph, D(X,Y) = D(Y,X)

• Here, D(A,B) = 1

• But D(B,A) = 4

– Error!Dest/ Neighbor A B E

A 0 1 12

B 4 0 7

C 12 13 8

D 5 9 6

E 9 6 4

F 12 15 13

G 4 9 2

• So why is symmetry weak?

Weak Detection via Triangle Inequality [DMZ’03]

• No conflict of D(X,Y) = D(Y,X)

• Triangle Inequality (Another property) is violated: D(X,Y) + D(Y,Z) ≥ D(X,Z)

– D(B,E) = 3

– D(B,A) = 1

– D(A,E) = 1

– D(B,A) + D(A,E) < D(B,E)

Dest/ Neighbor

A B E

A 0 1 1

B 1 0 3

C 12 13 8

D 5 9 6

E 1 3 0

• So symmetry is weak

– Failed to detect an inconsistency observed by another method (triangle inequality)

Even the Triangle Inequality is “Weak”

Suppose graph edge lengths must be 1 (hop-count)

Dest/ Neighbor

A B

A 0 2

B 2 0

C 3 1

D 3 3

d(A,D) ≠ 3!!!

How do we know if we’ve checked everything we can?

A

B

C

D

• No violation of symmetry or triangle inequality

• But still an observable misconfiguration

“Strong” Detection

• Bird’s Eye view of how it works– Let Sn be my state (node n)

– C = {N} be the set of valid networks

– For each network N

• Run the protocol on N

• Resulting in state Sn(N) at my node

– SN ≠ S

• Error !

– If for some K є C, Sn(K) = S

• Either no error (K is the actual network)

• Or undetectable error (no check can tell that K is not the actual network)

• We propose a solution called Strong Detection

• Definition: A detection method is “Strong” if it detects all detectable errors

What network could have resulted in my

state?Those two networks and this

bizarre one fit. Either everything’s OK or some bozo

is giving me wrong information!

There were no networks. Something

must be wrong

G

A

B

C

nE

FD

G

A

BC

nE

FD

G

A

B

C

n E

FD

G

A

B

C

nE

FD

G

A

B

C

n E

FDG

AB C

n EF

D

G

AB C

n EF

D

G

ABCnE

FD

G

A

BC

n EF

D GA

BC

n EF

D

G

A

BC

nEF

D GA

BC

nEF

D

G

AB C

n EF

D

G

A

B

C

nE

F

D

G

A

BC

nE

FD

High-Complexity Strong Detection

Problem

• The proposed Strong detection technique is computationally infeasible

– The number of potential networks C={N} to check can be huge!

• We need to find a way to reduce the number of potential networks to check

How can self-monitoring be practically used

• Q: Can Strong Detection be achieved with low complexity?

• A: Sometimes: We show how to do it for

– Bellman-Ford (a.k.a. Distance Vector)

– Path-Vector

Strong Detection for D.V.

• Input at node n:

– Sn: a single node’s state table that reports each neighbor’s (supposed) distance to all nodes

– Set C of all allowable networks

Dest/ Neighbor

A B E

A 0 1 12

B 4 0 7

C 12 13

8

D 5 9 12

E 9 6 4

F 12 15

13

G 4 9 2Sn

Strong Detection in D.V. at a node, n

• Take node n’s state, Sn

• Use this state to build the canonical graph, M є C

• Simulate D.V. on M to generate simulated state Sn(M)

• We prove:– If Sn(M) ≠ Sn, then

error detected

– Else, either there is no error, or it is undetectable because M might be the actual network

Dest/ Neighbor

A B E

A 0 1 12

B 4 0 7

C 12

13

8

D 5 9 12

E 9 6 4

F 12

15

13

G 4 9 2

Dest/ Neighbor

A B E

A 0 1 12

B 4 0 7

C 12

13

8

D 5 9 12

E 9 6 4

F 12

15

13

G 4 9 2

Sn

Sn(M)

G

A

B C

EF

D

G

A

BC

n E

F

D

M

n

Creating the Canonical Graph, M for an undirected network

• For every pair of nodes (x,y):

– Create edge (x,y) with length exy = max |d(m,x) – d(m,y)|

• Note: Is fully connected

Dest/ Neighbor

A B E

A 0 1 12

B 4 0 7

C 12 13

8

D 5 9 12

E 9 6 4

F 12 15

13

G 4 9 2G

A

C

nE

F

D

eDE=max(|5-9|,|9-6|,|12-4|} = 8

8

eEF=max(|9-12|,|6-15|,|4-13|} = 9

9

B

The proof that this canonical graph is all we need to check is in the paper

Experimental Setup

• Five different networks with 50, 100,200,400 and 800 nodes

– Constructed by the BRITE topology generator

– The networks mimic the topology of the Internet

• Nodes distributed on the X-Y plane and edge-weights set to be Euclidean distance between them

• In each experiment a “monitor” and “liar” node were chosen with distance uniformly dist.

• Liar node publishes incorrect distances

– About all routes

– Or distance to a “target” node

• The monitor node attempts to detect this lie

– We studied how large the lie had to be before it is detected

– How the distances between monitor, liar and target affect detection

Experimental Results

Distance Vector Detectability

- 100

- 50

0

50

100

0 20 40 60 80 100 120

Distance from Monitor to Liar (hops)

Det

ecti

on T

hres

hold

(%

chan

ge)

Understatement to single Node Overstatement to Single Node

Understatement to All Nodes Overstatement to All Nodes

Simulation 1

• How big does an error have to be before it is detected

• As a function of the shortest-path between the monitor and liar

Detectability decreases with monitor-liar distance

Experimental Results (2)Distance Vector Detection Sensitivity

-100

-50

0

50

100

0 20 40 60 80 100 120

Distance from Monitor to Liar (% max distance)

Det

ecti

on T

hres

hold

(%ch

ange

)

Monitor/Liar (understatement) Monitor/Liar (overstatement)Liar/Target (understatement) Liar/Target (overstatement)

Monitor/Target(understatement) Monitor/Target (overstatement)

Simulation 2

• How do distances between the different node-types affect detection?

– Monitor/Liar

– Liar/Target

– Monitor/Target

Detection sensitivity most affected by Monitor/Liar distance

Path-Vector

• We also have low complexity solutions for flavors of path-vector protocols

– With hop-by-hop distances

– Total distance

– Incomplete information

• Eg. Ad-hoc protocols

Conclusion

• We provide a technique called “Strong Detection” that detects all detectable errors

• We provide a practical implementation of this for the Distance Vector protocol

• Routing Protocols have inherent capacities to self monitor for Errors

• We show that Errors fall into two classes

– Those that can be detected through self-monitoring

– Those that cannot (whatever the method)