Do Not Complicate Routing Security with Voodoo Economics

Sharon Goldberg goldbe at cs.bu.edu
Mon Sep 5 20:04:21 UTC 2011


Nick Feamster wrote:
> 2. I question what fraction of routing decisions come down to a blind tiebreak---nearly all of them are likely to be driven by some other consideration (reliability, cost, etc.).  Our paper details a richer economic model by which ASes actually select paths, for example, but it's still unclear to me how coarse or fine-grained route selection really is in practice, and to what extent more complicated contracts have evolved.  I wonder how common "blind tiebreaking" is in BGP, in real networks; the approach in Sharon's paper definitely may overstate how common that is if route selection considerations commonly involve things that are not visible in the AS graph (e.g., traffic ratios, congestion, performance), but academics could really benefit from some more insight into how rich these decisions are in practice.

We think a key point is getting lost here.

Routing policies affect our result in the following crucial way --
they determine the size of ASes' "tiebreak sets" (section 6.6).  A
tiebreak set is a set of  "equally good routes" that an source AS has
to a destination AS; in our model, an AS should prefer to route along
the _secure_ routes in its tiebreak set. Simply put, with a larger
tiebreak set, there should be more competition over customer traffic,
and thus more widespread S*BGP deployment.

In our simulations we assumed that tiebreak sets were determined by
Local-Pref (economic considerations) and AS-Path considerations.   In
practice, tiebreak sets could be larger (e.g., if ASes prefer shorter
paths over customer paths) or smaller (e.g.,  if intradomain
considerations, like hot potato routing, affect tiebreak sets) than
those in our simulations.  Like Nick said, this is a place where more
data from the ops community would be helpful to help us figure out how
big tiebreak sets really are.

However, the key point we want to emphasize is that in the simulations
we ran, the tiebreak sets are actually quite small:
1) The size of the average AS tiebreak set in our simulations is only
1.18; which mean that 80% of tiebreak sets have only one path, see
also Figure 8.
2) Security does not play a role in the vast majority (96%) of routing
decisions made in our simulations (Section 6.7).
In other words, S*BGP deployment can be driven even by a fairly small
amount of competition for customer traffic.

> 3. I think the discussion on the list so far misses what I see as the central question about the economic assumptions in that paper.  The paper assumes that all destinations are equally valuable, which we know is not the case.  This implicitly (and perhaps mistakenly?) shifts the balance of power to tier-1 ISPs, whereas in practice, it may be with other ASes (e.g., Google).  In practice, ISPs may be willing to spend significant amounts of money to reach certain destinations or content (some destinations are more valuable than others... e.g., Google).  If the most "valuable" destinations deployed S-BGP and made everyone who wanted to connect to them deploy it, that would be more likely to succeed than the approach taken in the paper, I think.

Our paper does not assume all destinations are equally valuable.

1) As mentioned in our response to Randy, we weight content
providers more heavily  (see Section 6.8.1; we ran experiments where
the content providers collectively source 10%, 20%, 33% or 50% of
Internet traffic).

2) From Section 6.8.1: "We test the robustness of our results... by
modeling traffic locality [the idea that ASes are likely to send more
traffic to ASes that are closer to them]..." Section 6.8.2 shows our results are
insensitive to this assumption.

Sincerely,
Phillipa Gill, Michael Schapira, and Sharon Goldberg

> On Sep 5, 2011, at 11:36 AM, Joe Maimon wrote:
>
>>
>>
>> Owen DeLong wrote:
>>>
>>> On Sep 5, 2011, at 7:24 AM, Jennifer Rexford wrote:
>>>
>>>>
>>>>>
>>>>> One could argue that rejecting routes which you previously had no way to
>>>>> know you should reject will inherently alter the routing system and that this
>>>>> is probably a good thing.
>>>>
>>>> Good point.  Also, "tie breaking" in favor of signed-and-verified routes over not-signed-and-verified routes does not necessarily affect your traffic "positively or negatively" -- rather, if you are letting an arbitrary final tie break make the decision anyway, you are arguably *neutral* about the outcome...
>>>>
>>>> -- Jen
>>>
>>> This is true in terms of whether you care or not, but, if one just looks at whether it changes the content of the FIB or not, changing which arbitrary tie breaker you use likely changes the contents of the FIB in at least some cases.
>>>
>>> The key point is that if you are to secure a previously unsecured database such as the routing table, you will inherently be changing the contents of said database, or, your security isn't actually accomplishing anything.
>>>
>>> Owen
>>>
>>
>>
>> Except if you believe we have been lucky until now and security is all about the future where we may be less lucky.
>>
>> What I would be interested in seeing is a discussion on whether any anti-competitive market distortion incentives exist for large providers in adopting secured BGP. We might be lucky there too.
>>
>> Perhaps this will finally help solve the routing slot scalability problem. Might also jumpstart LISP. Which may put some more steam into v6. Welcome to the brave new internet.
>>
>> Good for everyone, right?
>>
>> Are you feeling lucky?
>>
>>
>> Joe
>>
>
>
>



-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe




More information about the NANOG mailing list