BGP Security in Partial Deployment: Is the Juice Worth the Squeeze?
BBGP Security in Partial Deployment
Is the Juice Worth the Squeeze?
Full version from July 11, 2013
Robert Lychev*
Georgia TechAltanta, GA, USA [email protected]
Sharon Goldberg
Boston UniversityBoston, MA, USA [email protected]
Michael Schapira
Hebrew UniversityJerusalem, Israel [email protected]
ABSTRACT
As the rollout of secure route origin authentication with theRPKI slowly gains traction among network operators, thereis a push to standardize secure path validation for BGP ( i.e.,
S*BGP: S-BGP, soBGP, BGPSEC, etc.). Origin authentica-tion already does much to improve routing security. More-over, the transition to S*BGP is expected to be long andslow, with S*BGP coexisting in “partial deployment” along-side BGP for a long time. We therefore use theoretical andexperimental approach to study the security benefits pro-vided by partially-deployed S*BGP, vis-a-vis those alreadyprovided by origin authentication. Because routing policieshave a profound impact on routing security, we use a surveyof 100 network operators to find the policies that are likely tobe most popular during partial S*BGP deployment. We findthat S*BGP provides only meagre benefits over origin au-thentication when these popular policies are used. We alsostudy the security benefits of other routing policies, pro-vide prescriptive guidelines for partially-deployed S*BGP,and show how interactions between S*BGP and BGP canintroduce new vulnerabilities into the routing system.
Categories and Subject Descriptors:
C.2.2 [Computer-Communication Networks]: Network Protocols
Keywords: security; routing; BGP;
1. INTRODUCTION
Recent high-profile routing failures [9,14,42,43] have high-lighted major vulnerabilities in BGP, the Internet’s interdo-main routing protocol. To remedy this, secure origin authen-tication [10, 38, 40] using the RPKI [34] is gaining tractionamong network operators, and there is now a push to stan-dardize a path validation protocol ( i.e.,
S*BGP [28,33,49]).Origin authentication is relatively lightweight, requiring nei-ther changes to the BGP message structure nor online cryp-tographic computations. Meanwhile, path validation withS*BGP could require both [33]. The deployment of originauthentication is already a significant challenge [2]; here we *Most of this work was done while the first author was visiting Boston University.This is the authors’ full version of the work whose definitive conference version [37]was published in
SIGCOMM’13,
August 12–16, 2013, Hong Kong, China.Copyright is held by the owner/author(s). Publication rights licensed to ACM.Thisversion is from July 11, 2013. ask, is the deployment of S*BGP path validation worth theextra effort? (That is, is the juice worth the squeeze?)To answer this question, we must contend with the factthat any deployment of S*BGP is likely to coexist withlegacy insecure BGP for a long time. (IPv6 and DNSSEC,for example, have been in deployment since at least 1999 and2007 respectively.) In a realistic partial deployment scenario,an autonomous system (AS) that has deployed S*BGP willsometimes need to accept insecure routes sent via legacyBGP; otherwise, it would lose connectivity to the parts ofthe Internet that have not yet deployed S*BGP [33]. Mostprior research has ignored this issue, either by assuming thatASes will never accept insecure routes [6, 11], by studyingonly the full deployment scenario where every AS has al-ready deployed S*BGP [10, 22], or by focusing on creatingincentives for ASes to adopt S*BGP in the first place [11,19].We consider the security benefits provided by partially-deployed S*BGP vis-a-vis those already provided by ori-gin authentication. Fully-deployed origin authentication islightweight and already does much to improve security, evenagainst attacks it was not designed to prevent ( e.g., prop-agation of bogus AS-level paths) [22]. We find that, giventhe routing policies that are likely to be most popular dur-ing partial deployment, S*BGP can provide only meagreimprovements to security over what is already possible withorigin authentication; we find that other, less popular poli-cies can sometimes provide tangible security improvements.(“Popular” routing policies were found using a survey of 100network operators [18].) However, we also show that secu-rity improvements can come at a risk; complex interactionsbetween BGP and S*BGP can introduce new instabilitiesand vulnerabilities into the routing system.
With BGP, an AS learns AS-level paths to destinationASes (and their IP prefixes) via routing announcements fromneighboring ASes; it then selects one path per destinationby applying its local routing policies . Origin authenticationensures that the destination AS that announces a given IPprefix is really authorized to do so. S*BGP ensures that theAS-level paths learned actually exist in the network.In S*BGP partial deployment, security will be profoundlyaffected by the routing policies used by individual ASes, theAS-level topology, and the set of ASes that are secure ( i.e., have deployed S*BGP). Suppose a secure AS has a choicebetween a secure route (learned via S*BGP) and an inse-cure route (learned via legacy BGP) to the same destina- a r X i v : . [ c s . N I] J u l ion. While it seems natural that the AS should alwaysprefer the secure route over the insecure route, a networkoperator must balance security against economic and per-formance concerns. As such, a long secure route through a costly provider might be less desirable than a short insecureroute through a revenue-generating customer. Indeed, theBGPSEC standard is careful to provide maximum flexibil-ity, stating the relationship between an AS’s routing policiesand the security of a route “is a matter of local policy” [33].While this flexibility is a prerequisite for assuring opera-tors that S*BGP will not disrupt existing traffic engineeringor network management polices , it can have dire conse-quences on security. Attackers can exploit routing policiesthat prioritize economic and/or length considerations abovesecurity. In a protocol downgrade attack , for example, anattacker convinces a secure AS with a secure route to down-grade to a bogus route sent via legacy BGP, simply becausethe bogus route is shorter, or less costly (Section 3.2). Three routing models.
In Section 2 we develop modelsfor routing with partially-deployed S*BGP, based on classicmodels of AS business relationships and BGP [16,17,24–26].Our security st model supposes that secure ASes always prefer secure routes over insecure ones; while this is mostnatural from a security perspective, a survey of 100 networkoperators [18] suggests that it is least popular in partialdeployment. In our security nd model , a secure route ispreferred only if no less-costly insecure route is available.The survey confirms that our security rd model is mostpopular in partial deployment [18]; here a secure route ispreferred only if there is no shorter or less-costly insecureroute. In Appendix K we analyze the robustness of ourresults to assumptions made in these models. Threat model & metric.
Sections 3-4.1 introduce ourthreat model, and a metric to quantify security within thisthreat model; our metric measures the average fraction ofASes using a legitimate route when a destination is attacked.
Deployment invariants.
The vast number of choices forthe set S of ASes that adopt S*BGP makes evaluating secu-rity challenging. Section 4 therefore presents our (arguably)most novel methodological contribution; a framework thatbounds the maximum improvements in security possible foreach routing model, for any deployment scenario S . Deployment scenarios.
How close do real S*BGP de-ployments S come to these bounds? While a natural objec-tive would be to determine the “optimal” deployment S , weprove that this is NP-hard. Instead, Sections 5-6 use simu-lations on empirical AS-level graphs to quantify security inscenarios suggested in the literature [6,11,19,44], and deter-mine root causes for security improvements (or lack thereof). Algorithms & experimental robustness.
We de-signed parallel simulation algorithms to deal with the largespace of parameters that we explore, i.e., attackers, desti-nations, deployment scenarios S , and routing policies, (Ap-pendix B and H). We also controlled for empirical pitfalls,including (a) variations in routing policies (Appendix K) (b)the fact that empirical AS-level graphs tend to miss many Practitioners commonly resist deployment of a new proto-col because it “breaks” their networks; witness the zone enu-meration issue in DNSSEC [32] or the fact that IPv6 is some-times disabled because it degrades DNS performance [50]. peering links at Internet eXchange Points (IXPs) [3, 5, 45],(Section 2.2, Appendix J) (c) a large fraction of the Inter-net’s traffic originates at a few ASes [31] (Sections 2.2, 4.5, 5.2.2, 5.3.1).While our analysis cannot predict exactly how individualASes would react to routing attacks, we do report on strongaggregate trends.
Proofs.
Proofs of our theorems are in Appendix B-I.
Our simulations, empirically-validated examples, and the-oretical analyses indicate the following:
Downgrades are a harsh reality.
We find that proto-col downgrade attacks (Sections 1.1, 3.2) can be extremelyeffective; so effective, in fact, that they render deploymentsof S*BGP at large Tier 1 ISPs almost useless in the face ofattacks (Sections 4.6 and 5.3.1).
New vulnerabilities.
We find that the interplay be-tween topology and routing policies can cause some ASesto fall victim to attacks they would have avoided if S*BGPhad not been deployed. Fortunately, these troubling phe-nomena occur less frequently than phenomena that protectASes from attacks during partial deployment (Section 6).
New instabilities.
We show that undesirable phenomena(BGP Wedgies [23]) can occur if ASes prioritize securityinconsistently (Section 2.3).
Prescriptive deployment guidelines.
Other than sug-gesting that (1) ASes should prioritize security in the sameway in order to avoid routing instabilities, our results (2)confirm that deploying lightweight simplex
S*BGP [19, 33](instead of full-fledged S*BGP) at stub ASes at the edge ofthe Internet does not harm security (Section 5.3.2). More-over, while [6, 11, 19] suggest that Tier 1s should be earlyadopters of S*BGP, our results do not support this; instead,we suggest that (3) Tier 2 ISPs should be among the earliestadopters of S*BGP (Section 4.6, 5.2.3, 5.3.1).
Is the juice worth the squeeze?
We use our met-ric to compare S*BGP in a partial deployment S to thebaseline scenario where no AS is secure ( i.e., S = ∅ andonly origin authentication is in place). We find that largepartial deployments of S*BGP provide excellent protectionagainst attacks when ASes use routing policies that priori-tize security 1 st (Section 5.2.3); however, [18] suggests thatnetwork operators are less likely to use these routing poli-cies. Meanwhile, the policies that operators most favor ( i.e., security 3 rd ) provide only meagre improvements over originauthentication (Section 4.4). This is not very surprising,since S*BGP is designed to prevent path-shortening attacksand when security is 3 rd , ASes prefer (possibly-bogus) shortinsecure routes over longer secure routes.However, it is less clear what happens in security is 2 nd ,where route security is prioritized over route length. Un-fortunately, even when S*BGP is deployed at 50% of ASes,the benefits obtained in the security 2 nd model lag signif-icantly behind those available when security is 1 st . Whilesome destinations can obtain tangible benefits when securityis 2 nd , for others (especially Tier 1s) the security 2 nd modelbehaves much like the security 3 rd model (Section 5.2). Wecould only find clear-cut evidence of strong overall improve-ment in security when ASes prioritize security 1 st . ier 1 13 ASes with high customer degree & no providersTier 2 100 top ASes by customer degree & with providersTier 3 Next 100 ASes by customer degree & with providersCPs 17 Content provider ASes listed in Figure 13Small CPs Top 300 ASes by peering degree(other than Tier 1, 2, 3, and CP)Stubs-x ASes with peers but no customersStubs ASes with no customers & no peersSMDG Remaining non-stub ASes Table 1: Tiers.
2. SECURITY & ROUTING POLICIES
S*BGP allows an AS to validate the correctness of theAS-level path information it learns from its neighbors [10].(S-BGP [28] and BGPSEC [33] validate that every AS on apath sent a routing announcement for that path; soBGP [49]validates that all the edges in a path announcement physi-cally exist in the AS-level topology. As we shall see in Sec-tion 3, our analysis applies to all these protocols.) However,for S*BGP to prevent routing attacks, validation of pathsalone is not sufficient. ASes also need to use informationfrom path validation to make their routing decisions. Weconsider three alternatives for incorporating path validationinto routing decisions, and analyze the security of each.
An AS that adopts S*BGP must be able to process andreact to insecure routing information, so that it can stillroute to destination ASes that have not yet adopted S*BGP.The BGPSEC standard is such that a router only learns apath via BGPSEC if every AS on that path has adoptedBGPSEC; otherwise, the path is learnt via legacy BGP. (Thereasoning for this is in [48] and Appendix A of [19]):
Secure routes.
We call an AS that has adopted S*BGPa secure AS , and a path learned via S*BGP ( i.e., a pathwhere every AS is secure) a secure path or secure route ; allother paths are called insecure .If a secure AS can learn both secure and insecure routes,what role should security play in route selection? To bluntrouting attacks, secure routes should be preferred over inse-cure routes. But how should expensive or long secure routesbe ranked relative to revenue-generating or short insecureroutes? While it is well known that BGP routing policies differbetween ASes and are often kept private, we need a con-crete model of ASes’ routing policies so as to analyze andsimulate their behaviors during attacks. The following mod-els of routing with S*BGP are variations of the well-studiedmodels from [7, 16, 17, 19, 24–26].
AS-level topology.
The AS-level topology is representedby an undirected graph G = ( V, E ); the set of vertices V represents ASes and the set of links (edges) E representsdirect BGP links between neighboring ASes. We will some-times also refer to the “tiers” of ASes [15] in Table 1; the listof 17 content providers (CPs) in Table 1 (or see Table ?? and Figure 13) was culled from recent empirical work oninterdomain traffic volumes [4, 29–31, 47]. ASes’ business relationships.
Each edge in E is anno-tated with a business relationship: either (1) customer-to-provider , where the customer purchases connectivity fromits provider (our figures depict this with an arrow from cus- tomer to provider), or (2) peer-to-peer , where two ASes tran-sit each other’s customer traffic for free (an undirected edge). Empirical AS topologies.
All simulations and exam-ples described in this paper were run on the UCLA AS-level topology from 24 September 2012 [12]. We prepro-cessed the graph by (1) renaming all 4-byte ASNs in moreconvenient way, and (2) recursively removing all ASes thathad no providers that had low degree (and were not Tier 1ISPS). The resulting graph had 39056 ASes, 73442 customer-provider links and 62129 peer-to-peer links. Because empiri-cal AS graphs often miss many of peer-to-peer links in Inter-net eXchange Points (IXP) [3, 5, 45], we constructed a sec-ond graph where we augmented the UCLA graph with over550K peer-to-peer edges between ASes listed as members ofthe same IXP (on September 24, 2012) on voluntary onlinesources (IXPs websites, EuroIX, Peering DB, Packet Clear-ing House, etc. ). Our list contained 332 IXPs and 10,835mappings of member ASes to IXPs; after connecting every pair of ASes that are present in the same IXP (and were notalready connected in our original UCLA AS graph) with apeer-to-peer edge, our graph was augmented with 552933extra peering links. Because not all ASes at an IXP peerwith each other [3], our augmented graph is an upper boundon the number of missing links in the AS graph. When werepeated our simulations on this second graph, we foundthat all the aggregate trends we discuss in subsequent sec-tions still hold, which suggests they are robust to missingIXP edges. (Results in Appendix J.)
S*BGP routing.
ASes running BGP compute routes toeach destination AS d ∈ V independently. For every desti-nation AS d ∈ V , each source AS s ∈ V \{ d } repeatedly usesits local BGP decision process to select a single “best” routeto d from routes it learns from neighboring ASes. s thenannounces this route to a subset of its neighbors accordingto its local export policy . An AS s learns a route or hasan available route R if R was announced to s by one of itsneighbors; AS s has or uses a route R if it chooses R fromits set of available routes. AS s has customer ( resp., peer,provider) route if its neighbor on that route is a customer( resp., peer, provider); see e.g., AS 29518 in Figure 1 left.
When choosing between many routes to a destination d ,each insecure AS executes the following (in order):
Local pref (LP):
Prefer customer routes over peer routes.Prefer peer routes over provider routes.
AS paths (SP):
Prefer shorter routes over longer routes.
Tiebreak (TB):
Use intradomain criteria ( e.g., geographiclocation, device ID) to break ties among remaining routes.After selecting a single route as above, an AS announcesthat route to a subset of its neighbors:
Export policy (Ex):
In the event that the route is via acustomer, the route is exported to all neighbors. Otherwise,the route is exported to customers only.The relative ranking of the LP , SP , and TB are standard inmost router implementations [13]. The LP and Ex steps arebased on the classical economic model of BGP routing [16,17,25,26]. LP captures ASes’ incentives to send traffic alongrevenue-generating customer routes, as opposed to routingthrough peers (which does not increase revenue), or routingthrough providers (which comes at a monetary cost). Ex
928 342263128329518 310273Disagree!31027 – Nianet ISP in denmark3 MIT3340
DataNet Telecommunication
Ltd. In LA34226
RUBICOM ‐ HU ‐ AS – Hungarian network.31283, norwegian isp RouteCustomer Peer Secure AS Insecure AS
RouteCustomer ProviderPeer PeerSecure AS Insecure AS
RouteCustomer ProviderPeer PeerSecure AS Insecure AS
Figure 1: S*BGP Wedgie. captures ASes’s willingness to transit traffic only when paidto do so by a customer.
Robustness to LP model.
While this paper reportsresults for the above LP model, we also test their robustnessto other models for LP ; results are in Appendix K. Every secure
AS also adds this step to its routing policy.
Secure paths (SecP):
Prefer a secure route over an inse-cure route.We consider three models for incorporating the
SecP step:
Security st . The
SecP is placed before the LP step; thismodel supposes security is an AS’s highest priority. Security nd . The
SecP step comes between the LP and SP steps; this model supposes that an AS places economicconsiderations above security concerns. Security rd . The
SecP step comes between SP and TB steps; this model, also used in [19], supposes security is pri-oritized below business considerations and AS-path length. st model is unpopular. While the security 1 st model is the most “idealistic” fromthe security perspective, it is likely the least realistic. Duringincremental deployment, network operators are expected tocautiously incorporate S*BGP into routing policies, placingsecurity 2 nd or 3 rd , to avoid disruptions due to (1) changesto traffic engineering, and (2) revenue lost when expensivesecure routes are chosen instead of revenue-generating cus-tomer routes. The security 1 st model might be used onlyonce these disruptions are absent ( e.g., when most ASeshave transitioned to S*BGP), or to protect specific, highly-sensitive IP prefixes. Indeed, a survey of 100 network opera-tors [18] found that 10% would rank security 1 st , 20% wouldrank security 2 nd and 41% would rank security 3 rd . (Theremaining operators opted not to answer this question.) It is important to note that in each of our S*BGP routingmodels, the prioritization of the
SecP step in the route se-lection process is consistent across ASes. The alternative—lack of consensus amongst network operators as to whereto place security in the route selection process—can leadto more than just confusion; it can result in a number ofundesirable phenomena that we discuss next.
Figure 1.
Suppose that all ASes in the network, ex-cept AS 8928, have deployed S*BGP. The Swedish ISP AS29518 places security below LP in its route selection pro-cess, while the Norwegian ISP AS 31283 prioritizes securityabove all else (including LP ). Thus, while AS 29518 prefersthe customer path through AS 31283, AS 31283 prefers thesecure path through its provider AS 29518. The following undesirable scenario, called a “BGP Wedgie” [23] can occur.Initially, the network is in an intended stable routing state ,in which AS 31283 uses the secure path through its providerAS 29518 (left). Now suppose the link between AS 31027and AS 3 fails. Routing now converges to a different stablestate, where AS 29518 prefers the customer path through AS31283 (right). When the link comes back up, BGP does notrevert to the original stable state, and the system is stuckin an unintended routing outcome.“BGP Wedgies” [23] cause unpredictable network behaviorthat is difficult to debug. (Sami et al. [46] also showed thatthe existence of two stable states, as in Figure 1, impliesthat persistent routing oscillations are possible.) In Appendix D we prove that when all ASes prioritizesecure routes the same way, convergence to a single stablestate is guaranteed, regardless of which ASes adopt S*BGP:
Theorem
S*BGP convergence to a unique stable rout-ing state is guaranteed in all three S*BGP routing modelseven under partial S*BGP deployment.
This holds even in the presence of the attack of Section 3.1, cf., [35]. This suggests a prescriptive guideline for S*BGPdeployment: ASes should all prioritize security in the sameway. (See Section 5.3 for more guidelines.) The reminder ofthis paper supposes that ASes follow this guideline.
3. THREAT MODEL
To quantify “security” in each of our three models, we firstneed to discuss what constitutes a routing attack. We focuson a future scenario where RPKI and origin authenticationare deployed, and the challenge is engineering global S*BGPadoption. We therefore disregard attacks that are preventedby origin authentication, e.g., prefix- and subprefix-hijacks [7,9, 10, 14, 39] (when an attacker originates a prefix, or morespecific subprefix, when not authorized to do so). Instead,we focus on attacks that are effective even in the presence oforigin authentication, as these are precisely the attacks thatS*BGP is designed to prevent.Previous studies on S*BGP security [6, 11, 22] focused onthe endgame scenario, where S*BGP is fully deployed, mak-ing the crucial assumption that any secure AS that learnsan insecure route from one of its neighbors can safely ig-nore that route . This assumption is invalid in the contextof a partial deployment of S*BGP, where S*BGP coexistsalongside BGP. In this setting, some destinations may onlybe reachable via insecure routes. Moreover, even a secureAS may prefer to use an insecure route for economic or per-formance reasons (as in our security 2 nd or 3 rd models).Therefore, propagating a bogus AS path using legacy inse-cure BGP [22, 43] (an attack that is effective against fully-deployed origin authentication) can also work against some secure ASes when S*BGP is partially deployed.
We focus on the scenario where a single attacker AS m attacks a single destination AS d ; all ASes except m usethe policies in Section 2.2. The attacker m ’s objective is A routing state, i.e., the route chosen by each AS s ∈ V \{ d } to destination d , is stable if any AS s that re-runs itsroute selection algorithm does not change its route [24]. ROTOCOL DOWNGRADE, SECURITY second / third involving T1sAll T1s and their stubs and the CPs secureVictim 3356 levl 3 eNom , Inc . is a domain name registrar and Web hosting company tsells other products closely tied to domain names, such as SSL certificates3491 pccw GLOBAL3536
DoD network info center. m pccw GLOBAL m Figure 2: Protocol downgrade attack; Sec nd . to maximize the number of source ASes that send trafficto m , rather than d . This commonly-used objective func-tion [7,21,22] reflects m ’s incentive to attract (and thereforetamper / eavesdrop / drop) traffic from as many source ASesas possible. (We deal with the fact that ASes can source dif-ferent amounts of traffic [31] in Sections 4.5, 5.2.2, 5.3.1.) Attacker’s strategy.
The attacker m wants to convinceASes to route to m , instead of the legitimate destinationAS d that is authorized to originate the prefix under attack.It will do this by sending bogus AS-path information usinglegacy BGP. What AS path information should m propa-gate? A straightforward extension of the results in [22] toour models shows it is NP-hard for m to determine a bogusroute to export to each neighbor that maximizes the numberof source ASes it attracts. As such, we consider the arguablysimplest, yet very disruptive [7, 22], attack: the attacker,which is not actually a neighbor of the destination d , pre-tends to be directly connected to d . Since there is no need toexplicitly include IP prefixes in our models, this translates toa single attacker AS m announcing the bogus AS-level path“ m, d ” using legacy BGP to all its neighbor ASes. Sincethe path is announced via legacy BGP, recipient ASes willnot validate it with S*BGP, and thus will not learn that itis bogus. (This attack is equally effective against partially-deployed soBGP, S-BGP and BGPSEC. With soBGP, theattacker claims to have an edge to d that does not exist inthe graph. With S-BGP or BGPSEC the attacker claims tohave learned a path “ m, d ” that d never announced.) Ideally, we would like a secure AS with a secure route tobe protected from a routing attack. Unfortunately, however,this is not always the case. We now discuss a troublingaspect of S*BGP in partial deployment [27]:
Protocol downgrade attack.
In a protocol downgradeattack, a source AS that uses a secure route to the legit-imate destination under normal conditions, downgrades toan insecure bogus route during an attack.The best way to explain this is via an example:
Figure 2.
We show how AS 21740, a webhosting company,suffers a protocol downgrade attack, in the security 2 nd (or3 rd ) model. Under normal conditions (left), AS 21740 has asecure provider route directly to the destination Level 3 AS3356, a Tier 1 ISP. (AS 21740 does not have a peer route viaAS 174 due to Ex .) During the attack (right), m announcesthat it is directly connected to Level3, and so AS 21740 seesa bogus, insecure 4-hop peer route, via his peer AS 174.Importantly, AS 21740 has no idea that this route is bogus;it looks just like any other route that might be announcedwith legacy BGP. In the security 2 nd (and 3 rd ) model, AS21740 prefers an insecure peer route over a secure provider route, and will therefore downgrade to the bogus route. In Section 5.3.1, we show that protocol-downgrade attackscan be a serious problem, rendering even large partial de-ployments of S*BGP ineffective against attacks. Downgrades are avoided in the security st model. Protocol downgrade attacks can happen in the security 2 nd and 3 rd models, but not when security is 1 st : Theorem
In the security st model, for every at-tacker AS m , destination AS d , and AS s that, in normalconditions, has a secure route to d that does not go through m , s will use a secure route to d even during m ’s attack. The proof is in Appendix F. While the theorem holds onlyif the attacker m is not on AS s ’s route, this is not a severerestriction because, otherwise, m would attract traffic from s to d even without attacking.
4. INVARIANTS TO DEPLOYMENT
Given the vast number of possible configurations for apartial deployment of S*BGP, we present a framework forexploring the security benefits of S*BGP vis-a-vis origin au-thentication, without making any assumptions about whichASes are secure . To do this, we show how to quantify secu-rity (Section 4.1), discuss how to determine an upper bound on security available with any
S*BGP deployment for anyrouting model (Section 4.3.1), finally compare it to the secu-rity available with origin authentication (Section 4.2, 4.4).
We quantify improvements in “security” by determiningthe fraction of ASes that avoid attacks (per Section 3.1).The attacker’s goal is to attract traffic from as many ASes aspossible; our metric therefore measures the average fractionof ASes that do not choose a route to the attacker.
Metric.
Suppose the ASes in set S are secure and consideran attacker m that attacks a destination d . Let H ( m, d, S )be the number of “happy” source ASes that choose a legiti-mate route to d instead of a bogus route to m . (See Table 2).Our metric is: H M,D ( S ) = | D | ( | M |− | V |− (cid:88) m ∈ M (cid:88) d ∈ D \{ m } H ( m, d, S )Since we cannot predict where an attack will come from, orwhich ASes it will target, the metric averages over all attack-ers in a set M and destinations in a set D ; we can choose M and D to be any subset of the ASes in the graph, depend-ing on (i) where we expect attacks to come from, and (ii)which destinations we are particularly interested in protect-ing. When we want to capture the idea that all destinationsare of equal importance, we average over all destinations;note that “China’s 18 minute mystery” of 2010 [14] fits intothis framework well, since the hijacker targeted prefixes orig-inated by a large number of (seemingly random) destinationASes. However, we can also zoom in on important destina-tions D ( e.g., content providers [9,31,42]) by averaging overthose destinations only. We can, analogously, zoom in oncertain types of attackers M by averaging over them only.Averaging over fixed sets D and M (that are independentof S ) also allows us to compare security across deployments S and routing policy models. Tiebreaking & bounds on the metric.
Recall fromSection 2.2 that our model fully determines an AS’s rout- appy Chooses a legitimate secure/insecure route to d .unhappy Chooses a bogus insecure route to m .immune Happy regardless of which ASes are secure .doomed Unhappy regardless of which ASes are secure .protectable Neither immune nor doomed. Table 2: Status of source s when m attacks d . ing decision up to the tiebreak step TB of its routing pol-icy. Since computing H M,D ( S ) only requires us to distin-guish between “happy” and “unhappy” ASes, the tiebreakstep matters only when a source AS s has to choose be-tween (1) an insecure route(s) to the legitimate destination d (that makes it happy), and (2) an insecure bogus route(s)to m (that makes it unhappy). Importantly, s has no ideawhich route is bogus and which is legitimate, as both ofthem are insecure. Therefore, to avoid making uninformedguesses about how ASes choose between equally-good inse-cure routes, we will compute upper and lower bounds onour metric; to get a lower bound, we assume that every AS s in the aforementioned situation will always choose to beunhappy ( i.e., option (2)); the upper bound is obtained byassuming s always chooses to be happy ( i.e., (1)). See alsoAppendix E. Algorithms.
Our metric is determined by computingrouting outcomes, each requiring time O ( | V | ), over all pos-sible | M || D | attacker and destination pairs. We sometimestake M = D = V so that our computations approach O ( | V | );the parallel algorithms we developed for this purpose arepresented in Appendix B, H. At this point, we could compute the metric for variousS*BGP deployment scenarios, show that most source ASesare “happy”, argue that S*BGP has improved security, andconclude our analysis. This, however, would not give us thefull picture, because it is possible that most of the happyASes would have been happy even if S*BGP had not been de-ployed . Thus, to understand if the juice is worth the squeeze,we need to ask how many more attacks are prevented by aparticular S*BGP deployment scenario, relative to those al-ready prevented by RPKI with origin authentication. Moreconcretely, we need to compare the fraction of happy ASes before and after the ASes in S deploy S*BGP . To do this, wecompare the metric for a deployment scenario S against the“baseline scenario”, where RPKI and origin authenticationare in place, but no AS has adopted S*BGP, so that the setof secure ASes is S = ∅ .In [22], the authors evaluated the efficacy of origin authen-tication against attacks that it was not designed to prevent— namely, the “ m, d ” attack of Section 3.1. They randomlysampled pairs of attackers and destinations and plotted thedistribution of the fraction of “unhappy” source ASes (ASesthat route through the attacker, see Table 2). Figure 3 of [22]shows that attacker is able to attract traffic from less thanhalf of the source ASes in the AS graph, on average. We nowperform a computation and obtain a result that is similar inspirit; rather than randomly sampling pairs of attackers anddestinations as in [22], we instead compute a lower bound onour metric over all possible attackers and destinations. Wefind that H V,V ( ∅ ) ≥
60% on the basic UCLA graph, and H V,V ( ∅ ) ≥
62% on our IXP-augmented graph.It is striking that both our and [22]’s result indicate morethan half of the AS graph is already happy even before
Sec 1st Sec 2nd Sec 3rd A v e r age F r a c t i on o f S ou r c e s . . . Figure 3: Partitions
S*BGP is deployed. To understand why this is the case,recall that with origin authentication, an attacking AS m must announce a bogus path “ m, d ” that is one hop longerthan the path “ d ” announced by the legitimate destinationAS d . When we average over all ( m, d ) pairs and all thesource ASes, bogus paths through m will appear longer, onaverage, than legitimate paths through d . Since path lengthplays an important role in route selection, on average, moresource ASes choose the legitimate route. How much further can we get with a partial deploymentof S*BGP? We now obtain bounds on the improvements insecurity that are possible for a given routing policy model,but for any set S of secure ASes.We can obtain these bounds thanks to the following cru-cial observation: ASes can be partitioned into three dis-tinct categories with respect to each attacker-destinationpair ( m, d ). Some ASes are doomed to route through theattacker regardless of which ASes are secure. Others are immune to the attack regardless of which ASes are secure.Only the remaining ASes are protectable , in the sense thatwhether or not they route through the attacker depends onwhich ASes are secure (see Table 2).To bound our metric H M,D ( S ) for a given routing policymodel ( i.e., security 1 st , 2 nd , or 3 rd ) and across all partial-deployment scenarios S , we first partition source ASes intocategories — doomed, immune, and protectable — for each( m, d ) pair and each routing policy model. By computingthe average fraction of immune ASes across all ( m, d ) ∈ M × D for a given routing model, we get a lower boundon H M,D ( S ) ∀ S and that routing model. We similarly getan upper bound on H M,D ( S ) by computing the average frac-tion of ASes that are not doomed. We return to Figure 2 to explain our partitioning:
Doomed.
A source AS s is doomed with respect to pair( m, d ) if s routes through m no matter which set S of ASesis secure. AS 174 in Figure 2 is doomed when security is 2 nd (or 3 rd ). If security is 2 nd (or 3 rd ), AS 174 always prefersthe bogus customer route to the attacker over a (possiblysecure) peer path to the destination AS 3356, for every S . Immune.
A source AS s is immune with respect to pair( m, d ) if s will route through d no matter which set S ofASes is secure. AS 3536 in Figure 2 is one example; thissingle-homed stub customer of the destination AS 3356 can never learn a bogus route in any of our security models.When security is 2 nd or 3 rd , another example of an immuneAS is AS 10310 in Figure 14; its customer route to the legit-imate destination AS 40426 is always more attractive thanits provider route to the attacker in these models. Protectable. AS s is protectable with respect to pair( m, d ) if it can either choose the legitimate route to d , orhe bogus one to m , depending on S . With security 1 st ,AS 174 in Figure 2 becomes protectable. If it has a secureroute to the destination AS 3356, AS 174 will choose it andbe happy; if not, it will choose the bogus route to m . The intuition behind the following partitioning of ASes isstraightforward. The subtleties involved in proving that anAS is doomed/immune are discussed in Appendix E.
Security st . Here, we suppose that all ASes are pro-tectable; the few exceptions ( e.g., the single-homed stub ofFigure 2) have little impact on the count of protectable ASes.
Security nd . Here, an AS is doomed if it has a routeto the attacker with better local preference LP than everyavailable route to the legitimate destination; ( e.g., the bogus customer route offered to AS 174 in Figure 2 has higher LP than the legitimate peer route). An immune AS has a routeto the destination that has higher LP than every route tothe attacker. For protectable AS, its best available routesto the attacker and destination have exactly the same LP . Security rd . Here, a doomed AS has a path to m with(1) better LP OR (2) equal LP and shorter length SP ,than every available path to d . The opposite holds for animmune AS. A protectable AS has best available routes to m and d with equal LP and path length SP . For each routing model, we found the fraction of doomed/protectable / immune source ASes for each attacker destina-tion pair ( m, d ), and took the average over all ( m, d ) ∈ V × V .We used these values to get upper- and lower bounds on H V,V ( S ) for all deployments S , for each routing model. Figure 3:
The colored parts of each bar represent the av-erage fraction of immune, protectable, and doomed sourceASes, averaged over all O ( | V | ) possible pairs of attackersand destinations. Since H V,V ( S ) is an average of the frac-tion of happy source ASes over all pairs of attackers anddestinations, the upper bound on the metric H V,V ( S ) ∀ S isthe average fraction of source ASes that are not doomed.The upper bound on the metric H V,V ( S ) ∀ S is therefore: ≈ st , 89% with security 2 nd , and 75%with security 3 rd . (The same figure computed on our IXP-edge-augmented graph looks almost exactly the same, withthe proportions being ≈ H V,V ( ∅ )in the baseline setting where S = ∅ and there is only originauthentication; in Section 4.2 we found that H V,V ( ∅ ) = 60%(and 62% for the IXP-edge-augmented graph). Therefore,we can bound the maximum change in our security metric H V,V ( S ) ∀ S for each routing policy model by computing thedistance between the solid line and the boundary betweenthe fraction of doomed and protectable ASes. We find: Security rd : Little improvement. Figure 3 shows thatthe maximum gains over origin authentication that are pro-vided by the security 3 rd model are quite slim — at most15% — regardless of which ASes are secure. (This followsbecause the upper bound on the metric H V,V ( S ) ≤ S while the lower bound on the baseline setting is H V,V ( ∅ ) ≥ maximum gains ∀ S ; in a realistic S*BGP deployment, the gains are likely tobe much smaller. This result is disappointing, since the secu-rity 3 rd model is likely to be the most preferred by network STUB STUB−X SMDG SMCP CP T3 T2 T1 A v e r age F r a c t i on o f S ou r c e s . . . . . . DoomedProtectableImmune
Figure 4: Partitions by destination tier. Sec rd . operators (Section 2.2.3), but it is not especially surprising.S*BGP is designed to prevent path shortening attacks; how-ever, in the security 3 rd model ASes prefer short (possiblybogus) insecure routes over a long secure routes, so it is nat-ural that this model realizes only minimal security benefits. Security nd : More improvement. Meanwhile, routesecurity is prioritized above route length with the security 2 nd model, so we could hope for better security benefits. Indeed,Figure 3 confirms that the maximum gains over origin au-thentication are better: 89 −
60 = 29%. But can these gainsbe realized in realistic partial-deployment scenarios? Weanswer this in question in Section 5.
Decreasing numbers of immune ASes?
The fractionof immune ASes in the security 2 nd (12%) and 1 st ( ≈ more secure ASes can sometimes result in less happy ASes; these “collateral damages”, that occur only inthe security 1 st and 2 nd models, account for the decrease inthe number of immune ASes. Thus far, we have been averaging our results over all pos-sible attacker-destination pairs in the graph. However, somedestination ASes might be particularly important to secure,perhaps because they source important content ( e.g., thecontent provider ASes (CPs)) or transit large volumes oftraffic (the Tier 1 ASes). As such, we broke down the met-ric over destinations in each tier in Table 1.
Figure 4.
We show the partitioning into immune / pro-tectable / doomed ASes in the security 3 rd model, but thistime averaged individually over all destinations in each tier,and all possible attackers V . The thick horizontal line overeach vertical bar again shows the corresponding lower boundon our metric H V, Tier ( ∅ ) when no AS is secure. Apart fromthe Tier 1s (discussed next), we observe similar trends as inSection 4.4, with the improvement in security ranging from8 −
15% for all tiers; the same holds for the security 2 nd model, shown in Figure 5 . Strangely enough, Figure 4 shows that when Tier 1 des-tinations are attacked in the security 3 rd model, the vastmajority ( ≈ nd (Figure 5). Therefore, in these models, S*BGP can do littleto blunt attacks on Tier 1 destinations.How can it be that Tier 1s, the largest and best connected(at least in terms of customer-provider edges) ASes in ourAS graph, are the most vulnerable to attacks? Ironically, it TUB STUB−X SMDG SMCP CP T3 T2 T1 A v e r age F r a c t i on o f S ou r c e s . . . . . . DoomedProtectableImmune
Figure 5: Partitions by destination tier. Sec nd . STUB STUB−X SMDG SMCP CP T3 T2 T1 a v e r age f r a c t i on o f s ou r c e s . . . . . . DoomedProtectableImmune
Figure 6: Partitions by attacker tier. Sec rd . is the Tier 1s’ very connectivity that harms their security.Because the Tier 1s are so well-connected, they can chargemost of their neighbors for Internet service. As a result,most ASes reach the Tier 1s via costly provider paths thatare the least preferred type of path according to the LP step in our routing policy models. Meanwhile, it turns outthat when a Tier 1 destination is attacked, most source ASeswill learn a bogus path to the attacker that is not througha provider, and is therefore preferred over the (possibly se-cure) provider route to the T1 destination in the security 2 nd or 3 rd models. In fact, this is exactly what lead to the pro-tocol downgrade attack on the Tier 1 destination AS 3356in Figure 2. We will later (Section 5.3.1) find that this is aserious hurdle to protecting Tier 1 destinations. Next, we break things down by the type of the attacker, toget a sense of type of attackers that S*BGP is best equippedto defend against.
Figure 6.
We bucket our counts of doomed, protectable,and immune ASes for the security 3 rd model by the attackertype in Table 1, for all | V | possible attacker-destinationpairs. As the degree of the attacker increases, it’s attack be-comes more effective; the number of immune ASes steadilydecreases, and the number of doomed ASes correspondinglyincreases, as the the tier of the attacker grows from stub toTier 2. Meanwhile, the number of protectable ASes remainsroughly constant across tiers. The striking exception to thistrend is that the the Tier 1 attacker is significantly less ef-fective than even the lowest degree (stub) attackers. Whileat this observation might seem unnatural at first, there is aperfectly reasonable explanation: when a Tier 1 attacks, itsbogus route will look like a provider route from the perspec-tive of most other source ASes in the graph. Because the LP step of our routing model depreferences provider routesrelative to peer and customer routes, the Tier 1 attacker’sbogus route will be less attractive than any legitimate routethrough a peer or provider, and as such most ASes will beimmune to the attack. The same observations hold whensecurity is 2 nd . Tier 1s can still be protected as sources.
However,before we completely give up on the Tier 1s obtaining any benefit from S*BGP, we reproduced Figures 4 - 5 but thistime, bucketing the results by the tier of source. (Figureomitted.) We found that each source tier, including the Tier1s, has roughly the same average number of doomed (25%),immune (60%), and protectable (15%) ASes. It follows that,while S*BGP cannot protect Tier 1 destinations from attack,S*BGP still has the potential to prevent a Tier 1 sourcesfrom choosing a bogus route.
Robustness of results.
We repeated this analysis onour IXP-augmented graph (Appendix J) and using differentrouting policies (Appendix K). Please see the appendicesfor details.
5. DEPLOYMENT SCENARIOS
In Section 4.4 we presented upper bounds on the improve-ments in security from S*BGP deployment for choice of se-cure ASes S . We found that while only meagre improve-ments over origin authentication are possible in the security3 rd model, better results are possible in the security 2 nd and1 st models. However, achieving the bounds in Section 4.4could require full S*BGP deployment at every AS. Whathappens in more realistic deployment scenarios? First, wefind that the security 2 nd model often behaves disappoint-ingly like the security 3 rd model. We also find that Tier 1destinations remain most vulnerable to attacks when secu-rity is 2 nd or 3 rd . We conclude the section by presentingprescriptive guidelines for partial S*BGP deployment. Robustness to missing IXP edges.
We repeated theanalysis in Section 5.2-5.3 over the AS graph augmentedwith IXP peering edges and saw almost identical trends. Wesee a slightly higher baseline of happy ASes when S = ∅ (Sec-tion 4.4), which almost always causes the improvement inthe metric (over the baseline scenario) to be slightly smallerfor this graph. (Plots in Appendix J.) We first need to decide which ASes to secure. Ideally, wecould choose the smallest set of ASes that maximizes thevalue of the metric. To formalize this, consider the follow-ing computational problem, that we call “Max-k-Security”:Given an AS graph, a specific attacker-destination pair ( m, d ),and a parameter k >
0, find a set S of secure ASes of size k that maximizes the total number of happy ASes. Then: Theorem
Max-k-Security is NP-hard in all three rout-ing policy models.
The proof is in Appendix I. This result can be extended tothe problem of choosing the set of secure ASes that maximizethe number of happy ASes over multiple attacker-destinationpairs (which is what our metric computes).
Instead of focusing on choosing the optimum set S of ASesto secure (an intractable feat), we will instead consider a fewpartial deployment scenarios among high-degree ASes S , assuggested in practice [44] and in the literature [6, 11, 19]. Non-stub attackers.
We now suppose that the set of at-tackers is the set of non-stub ASe in our graph M (cid:48) ( i.e., not“Stubs” or “Stubs-x” per Table 1). Ruling out stub ASes isconsistent with the idea that stubs cannot launch attacks if
20 40 60 80 100 . . . . . . Number of Non−Stubs in S _ _ _ __ _ _ __ _ _ __ _ _ __ _ _ __ _ _ _
Security 1stSecurity 2ndSecurity 3rd (a) . . . . . . Number of Non−Stubs in S _ _ __ _ __ _ __ _ __ _ __ _ _
Security 1stSecurity 2ndSecurity 3rd (b)
Figure 7: Tier 1+2 rollout: For each step S inrollout, upper and lower bounds on (a) H M (cid:48) ,V ( S ) − H M (cid:48) ,V ( ∅ ) and (b) H M (cid:48) ,V ( S ) − H M (cid:48) ,d ( ∅ ) averaged overall d ∈ S . The x -axis is the number of non-stub ASesin S . The “error bars” are explained in Section 5.3.2. their providers perform prefix filtering [10, 22], a functional-ity that can be achieved via IRRs [1] or even the RPKI [41],and does not require S*BGP. Gill et al. [19] suggest bootstrapping S*BGP deploymentby having secure ISPs deploy S*BGP in their customers thatare stub ASes. We therefore consider this “rollout”:
Tier 1 & Tier 2 rollout.
Other than the empty set,we consider three different secure sets. We secure X Tier1’s and Y Tier 2’s and all of their stubs, where ( X, Y ) ∈{ (13 , , (13 , , (13 , } ; this corresponds to securing about33%, 40%, and 50% of the AS graph.The results are shown in Figure 7(a) , which plots, for eachrouting policy model, the increase in the upper- and lowerbound on H M (cid:48) ,V ( S ) (Section 4.1) for each set S of secureASes in the rollout ( y -axis), versus the number of non-stubASes in S ( x -axis). We make a few important observations: Tiebreaking can seal an AS’s fate.
Even with a largedeployment of S*BGP, the improvement in security is highlydependent on the vagarities of the intradomain tiebreakingcriteria used to decide between insecure routes. (See alsoSection 4.1’s discussion on tiebreaking.) Even when we se-cure 50% of ASes in the security 1 st model (the last stepof our rollout), there is still a gap of more than 10% be-tween the lower and upper bounds of our metric. Thus,in a partial S*BGP deployment, there is a large fraction ofASes that are balanced on a knife’s edge between an inse-cure legitimate route and an insecure bogus route; only the(unknown-to-us) intradomain routing policies of these ASescan save them from attack. This is inherent to any partialdeployment of S*BGP, even in the security 1 st model. Meagre improvements even when security is nd . Asexpected, the biggest improvements come in the security1 st model, where ASes make security their highest priorityand deprecate all economic and operational considerations.When security is 1 st and 50% of the AS graph is secure(at the last step in the rollout), the improvement over thebaseline scenario is significant; about 24%. While we mighthope that the security 2 nd model would present improve-ments that are similar to those achieved when security is1 st , this is unfortunately not the case. In both the security . . . . Metric Improvemens for T1+T2+CPs
Number of Non−Stub, Non−CP ASes in S C hange i n t he M e t r i c H _ M ' V ( S ) _ _ _ __ _ _ __ _ _ __ _ _ __ _ _ __ _ _ _ Security 1stSecurity 2ndSecurity 3rd
Figure 8: Tier 1+2+CP rollout: H M (cid:48) ,CP ( S ) − H M (cid:48) ,C ( ∅ ) for each step in the rollout. The x -axisis the number of non-stub, non-CP ASes in S . nd and 3 rd models we see similarly disappointing increasesin our metric. We explain this observation in Section 6.2. Since much of the Internet’s traffic originates at the con-tent providers (CPs), we might consider the impact of S*BGPdeployment on CPs only. We considered the same rolloutas above, but with all 17 CPs secure, and computed themetric over CP destinations only , i.e., H M (cid:48) ,CP ( S ). The re-sults, presented in Figure 8, are very similar to those inFigure 7(a): improvements of at least 26% 9 . st , 2 nd , and 3 rd respectively. We note, however,that CP destinations have a higher fraction of happy sourcesthan other destinations on average, (see Figure 4). Thus far, we have looked at the impact of S*BGP in ag-gregate across all destinations d ∈ V (or d ∈ CP ). Becausesecure routes can only exist to secure destinations, we nowlook at the impact of S*BGP on individual secure destina-tions d ∈ S , by considering H M (cid:48) ,d ( S ). Figure 7(b).
We plot the upper and lower bounds on the change in the metric, i.e., H M (cid:48) ,d ( S ) − H M (cid:48) ,d ( ∅ ), averagedacross secure destinations only , i.e., d ∈ S . As expected,we find large improvements when security is 1 st , and smallimprovements when security is 3 rd . Interestingly, however,when security is 2 nd the metric does increase by 13 − st , it doessuggest that at least some secure destinations benefit morewhen security is 2 nd , rather than 3 rd .For more insight, we zoom in on this last step in our rollout: Figure 9.
For the last step in our rollout, we plot up-per and lower bounds on the change in the metric, i.e., H M (cid:48) ,d ( S ) − H M (cid:48) ,d ( ∅ ), for each individual secure destination d ∈ S . For each of our three models, the lower bound foreach d ∈ S is plotted as a non-decreasing sequence; these arethe three “smooth” lines. The corresponding upper boundfor each d ∈ S was plotted as well. For security 1 st , the up-per and lower bounds are almost identical, and for security2 nd and 3 rd , the upper bounds are the “clouds” that hoverover the lower bounds. A few observations: Security st provides excellent protection. We findthat when security is 1 st , a secure destination can reap the . . . . . . Destinations Sueqence in S C hange i n t he M e t r i c H _ M ' V ( S ) llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll l Security 1stSecurity 2ndSecurity 3rd
Figure 9: Non-decreasing sequence of H M (cid:48) ,d ( S ) − H M (cid:48) ,d ( ∅ ) ∀ d ∈ S . S is all T1s, T2s, and their stubs. full benefits of S*BGP even in (a large) partial deployment.To see this, we computed the true value of H M (cid:48) ,d ( S ) for allsecure destinations d ∈ S , and found that it was between96 . − .
9% on average (across all d ∈ S ). Security nd and rd are similar for many destina-tions. Figure 9 also reveals that many destinations obtainroughly the same benefits from S*BGP when security is 2 nd as when security is 3 rd . Indeed, 93% of 7500 secure destina-tions that see <
4% (lower-bound) improvement in Figure 9when security is 3 rd , do the same when security is 2 nd aswell. What is the reason for this? There are certain typesof protocol downgrade attacks that succeed both when se-curity is 2 nd and when security is 3 rd ( i.e., when the boguspath has better LP than the legitimate path, see e.g., Fig-ure 2). In Section 6.2 we shall show that protocol downgradeattacks are the most significant reason for the metric to de-grade; therefore, for destinations where these “ LP -based”protocol downgrade attacks are most common, the security2 nd model looks much like the security 3 rd model. Tier 1s do best when security is st , and worst whenit is nd or rd . When security is 1 st , our data also showsthat the secure destinations that obtain the largest ( > H M (cid:48) ,d ( S ) (relative to thebaseline setting H M (cid:48) ,d ( ∅ )) include: (a) all 13 Tier 1s, and(b) ≥
99% of “Tier 1 stub” destinations ( i.e., stub ASes suchthat all their providers are Tier 1 ASes). On the other hand,these same destinations experience the worst improvementswhen security is 2 nd or 3 rd ( i.e., a lower bound of < nd or 3 rd , most source ASes that want to reach aTier 1 destination are doomed , because of protocol down-grade attacks like the one shown in Figure 2. This explainsthe meagre benefits these destinations obtain when securityis 2 nd or 3 rd . On the other hand, protocol downgrade at-tacks fail when security is 1 st . Therefore, in the security1 st model, the Tier 1 destinations (and by extension, Tier 1stub destinations) obtain excellent security when S*BGP ispartially deployed; moreover, they see most significant gainssimply because they were so highly vulnerable to attacks inthe absence of S*BGP (Figure 4, Section 4.6). Security nd helps some secure destinations. Finally,when security is 2 nd , about half of the secure destinations d ∈ S see benefits that are discernibly better than what ispossible when security is 3 rd , though not quite as impressive . . . . Destinations Sueqence in S C hange i n t he M e t r i c H _ M ' V ( S ) lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll l Security 1stSecurity 2ndSecurity 3rd
Figure 10: Non-decreasing sequence of H M (cid:48) ,d ( S ) − H M (cid:48) ,d ( ∅ ) ∀ d ∈ S . S is all T2s, and their stubs. . . . . Metric Improvemens for T2
Number of Non−Stubs in S C hange i n t he M e t r i c H _ M ' V ( S ) _ _ _ _ __ _ _ _ __ _ _ _ __ _ _ _ __ _ _ _ __ _ _ _ _ Security 1stSecurity 2ndSecurity 3rd
Figure 11: Tier 2 rollout: H M (cid:48) ,D ( S ) − H M (cid:48) ,D ( ∅ ) foreach step in the T2 rollout. The x -axis is the numberof non-stub, non-CP ASes in S . as those when security is 1 st . These destinations includesome Tier 2s and their stubs, but never any Tier 1s.Similar observations hold for earlier steps in the rollout. The results of the previous section motivate considering adeployment that excludes securing the Tier 1 ISPs.
Secure just the Tier 2s?
We reproduce the analysis ofSection 5.2.1 and Section 5.2.3 with a rollout among only theTier 2s and theirs stubs. There are 100 Tier 2 ISPs in ourAS graph (Table 1), and our Tier 2 rollout secures Y Tier2 ASes, and all of their stubs, where Y ∈ { , , , } ;this amounts to securing about 18%, 24%, 30%, and 38% ofASes.The results in Figure 11 are similar to those in Fig-ure 7(a), except that the metric grows even more slowly,and we see smaller improvements when security is 1 st . Thisis consistent with our earlier observation (Section 5.2.3) thatthe most dramatic improvements observed when security is1 st are for Tier 1 destinations; the improvements for Tier 2destinations and their stubs are much smaller when securityis 1 st . This causes the gap between the security 2 nd and 1 st models to become smaller for the Tier 2 rollout (relative tothe Tier 1+2 rollout of Section 5.2.3); this can be observedfrom Figure 10 which reproduces the results of Figure 9 forthe last step of the Tier 2 rollout. However, the gap betweensecurity 2 nd and 1 st is smaller not only because Tier 2s see . . . . . . Destinations Sueqence in S C hange i n t he M e t r i c H _ M ' V ( S ) ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ● Security 1stSecurity 2ndSecurity 3rd
Figure 12: Non-decreasing sequence of H M (cid:48) ,d ( S ) − H M (cid:48) ,d ( ∅ ) ∀ d ∈ S . S is all non stubs. bigger improvements when security is 2 nd model; this is alsobecause they see worse improvements when security is 1 st . Secure just the nonstubs?
Finally, we consider secur-ing only non-stub ASes ( i.e., . .
7% and 2 .
2% worst-case improve-ment in the metric H M (cid:48) ,D ( S ) when security is 1 st , 2 nd , and3 rd respectively; this scenario therefore is similar to last stepin our Tier 2 rollout, with exception that the gap betweenthe security 2 nd and 1 st model is even smaller. This is cor-roborated by Figure 12 , which reproduces the results ofFigure 9 for the scenario where only non-stub ASes are se-cure. We see that the benefits available when security is 2 nd almost reach those that are possible when security is 1 st . Summary.
Taken together, our suggest that in the security1 st model, destinations that are Tier 1s or their stubs see thelargest improvements in security. In such cases, the security2 nd model behaves much like the security 3 rd model. How-ever, in cases where Tier 1s and their stubs are not secure,the gap between the security 2 nd and 1 st model diminishes,in exchange for smaller gains when security is 1 st . Section 2.3 suggested that ASes use consistent routingpolicies. We now suggest a few more deployment guidelines.
Previous work [6, 11, 19] suggests that Tier 1s should bethe earliest adopters of S*BGP. However, the discussion inSections 4.6 and 5.2.3 suggests that securing Tier 1s mightnot lead to good security benefits at the early adoption stage,when ASes are most likely to rank security 2 nd or 3 rd . Wenow confirm this. All Tier 1s and their stubs.
Even in a deployment thatincludes all
13 Tier 1 ASes and their stubs ( i.e., ≈
20% of the AS graph), improvements in security werealmost imperceptible. With security 2 nd or 3 rd , the averagechange in H M (cid:48) ,d ( S ) − H M (cid:48) ,d ( ∅ ) over secure destinations d ∈ S causes the metric to increase by < . Tier 1s, their stubs, and content providers.
Follow-ing [19, 44], we consider securing the CPs, the Tier 1s andall of their stubs, and obtained similar results.
Analysis.
Why is a deployment at more than 20% of theASes in AS graph, including the large and well-connectedTier 1s, provide so little improvement in security? Recall that in Section 4.6 and Figure 4, we showed that when Tier1 destinations are attacked, the vast majority of source ASesare doomed and almost none are protectable. It follows thatif a source retains a secure route to a Tier 1 destination dur-ing an attack, that source is likely to be immune. The sameargument also applies to other secure destinations ( i.e.,
CPsof stub customers of T1s); this is because, in the deploymentscenarios above, most secure routes traverse a Tier 1 as theirfirst hop. Because almost every source AS that continuedto use a secure route during an attack would have routed tothe legitimate destination even if no AS was secure, we seelittle improvements in our security metric.
Figure 13 confirms this. We show what happens to thesecure routes to each CP destination when security is 3 rd ;similar observations hold when security is 2 nd . The heightof each bar is the fraction of routes to each CP destinationthat are secure under normal conditions. The lower partof the bar shows secure routes that were lost to protocoldowngrade attacks (averaged over all attacks by non-stubsin M (cid:48) ), and the middle part shows the fraction of secureroutes from immune source ASes to the destination. Weclearly see that (1) most secure routes are lost to protocoldowngrade attacks, and (2) almost all the secure routes thatremain during attacks from source ASes that are immune . Choose Tier 2s as early adopters.
We found thatearly deployments at the Tier 2 ISPs actually fare betterthan those at the larger, and better connected Tier 1s. Forexample, securing the 13 largest Tier 2s (in terms of cus-tomer degree) and all their stubs (a total of 6918 ASes), theaverage change in H M (cid:48) ,d ( S ) − H M (cid:48) ,d ( ∅ ) over secure destina-tions d ∈ S is ≈
1% when security is 2 nd or 3 rd . This alsoagree with our observations in Section 5.2.4. Next, we consider [19, 33]’s suggestion for reducing com-plexity by securing stubs with simplex S*BGP . Simplex S*BGP.
Stub ASes have no customers of theirown, and therefore (by Ex ) they will never send S*BGP an-nouncements for routes through other ASes. They will, how-ever, announce routes to their own IP prefixes. For this rea-son [19,33] suggests either (1) allowing ISPs to send S*BGPmessages on behalf of their stub customers or (2) allowingstubs to deploy S*BGP in a unidirectional manner, send-ing outgoing S*BGP messages but receiving legacy BGPmessages. Since a stub propagates only outgoing BGP an-nouncements for a very small number of IP prefixes (namely, A v e r age F r a c t i on o f S ou r c e s . . . AS AS AS AS AS AS AS AS AS AS AS AS AS AS AS AS AS G oog l e L i m e li gh t A k a m a i M i c r o s o ft Y ahoo Lea s e w eb E dge c a s t A m a z on F a c eboo k N e tf li x QQ T w i tt e r P ando r a W i k i ped i a A pp l e H u l u B a i du Sources with Secure Routes in Normal ConditionsImmune Sources with Secure RoutesDowngraded Sources
Figure 13: What happens to secure routes to eachCP destination during attack. S is the Tier 1s, theCPs, and all their stubs and security is rd . ecurity model 1 st nd rd Protocol downgrade attacks X (cid:88) (cid:88) Collateral benefits (cid:88) (cid:88) (cid:88)
Collateral damages (cid:88) (cid:88) X Table 3: Phenomena in different security models the prefixes owned by that stub), simplex mode can decreasecomputational load, and make S*BGP adoption less costly.Given that 85% of ASes are stubs, does this harm security?
Figure 7(a)-7(b).
The “error bars” in Figure 7(a)-7(b)show what happens when we suppose that all stubs run sim-plex S*BGP. There is little change in the metric. To explainthis, we note that (1) a stub’s routing decision does not affectany other AS’s routing decision, since by Ex stubs do notpropagate BGP routes from one neighbor to another, and(2) a stub’s routing decisions are limited by the decisionsmade by its providers, so if its providers avoid attacks, sowill the stub, but (3) the stub acts like a secure destination,and therefore (nonstub) ASes establishing routes to the stubstill benefit from S*BGP. These results indicate that simplexS*BGP at stubs can lower the complexity of S*BGP deploy-ment without impacting overall security. Stub ASes that areconcerned about their own security as sources (rather thandestinations) can, of course, always choose to deploy fullS*BGP.
6. ROOT CAUSES & NON-MONOTONICITY
We now examine the reasons for the changes in our secu-rity metric as S*BGP is deployed. We start by discussingtwo subtle phenomena: the collateral damages and collat-eral benefits incurred by insecure ASes from the deploymentof S*BGP at other
ASes. We then use these phenomena ina root-cause analysis of the results of Section 5.
The most obvious desiderata from S*BGP deployment isthat the Internet should become only more secure as moreASes adopt S*BGP. Unfortunately, however, this is not al-ways the case. Security is not monotonic , in the sense thatsecuring more ASes can actually make other ASes unhappy.To explain this, we use a running example taken from theUCLA AS graph, where the destination (victim) AS d isPandora’s AS40426 (a content provider) and the attacker m is an anonymized Tier 2 network. We consider the network before and after a partial deployment of S*BGP S and seehow the set of happy ASes changes; S consists of all 100 Tier2s, all 17 content providers, and all of their stubs. Figure 14.
We show how AS 52142, a Polish ISP, suffersfrom collateral damage when security is 2 nd . On the left, weshow the network prior to S*BGP deployment. AS 52142 isoffered two paths, both insecure: a 3-hop path through hisprovider AS 5617 to the legitimate destination AS 40426,and a 5-hop bogus route to the attacker. (The route to m isreally 4 hops long, but m (falsely) claims a link to AS 40426so AS 52142 thinks it is 5 hops long.) AS 52142 will choosethe legitimate route because it is shorter. On the right, weshow the network after S*BGP deployment. AS 5617 hasbecome secure and now prefers the secure route throughits neighbor Cogent AS 174. However, AS 5617’s secureroute is 5 hops long (right), significantly longer than the 2 hop route AS 5617 used prior to S*BGP deployment (left).Thus, after S*BGP deployment AS 52142 learns a 6-hoplegitimate route through AS 5617, and a 5-hop bogus route.Since AS 52142 is insecure, it chooses the shorter route, andbecomes unhappy as collateral damage. Collateral damages.
A source AS s / ∈ S obtains collat-eral damages from an S*BGP deployment S with respect toan attacker m and destination d if (a) s was happy when theASes in T are secure, but (b) s is unhappy when the ASesin S are secure, and S ⊃ T . No collateral damages in the security rd model: Thecollateral damage above occurs because AS 5617 prefers a longer secure route over a shorter insecure route. This canalso happen in the security 1 st model (but see also Ap-pendix A), but not when security is 3 rd . See Table 3. Theorem
In the security rd model, if an AS s has aroute to a destination d that avoids an attacker m when theset of secure ASes is S , then s has a route to a destination d that avoids attacker m for every set of secure ASes in T ⊃ S . The proof is in Appendix G. The security 3 rd model is ouronly monotone model; more secure ASes cannot result infewer happy ASes, so the metric H M,D ( S ) grows monotoni-cally in S . Fewer immune ASes as security becomes more im-portant?
Collateral damages also explain why the frac-tion of immune ASes in the security 2 nd model in Figure 3is smaller than the number of happy ASes in the baselinescenario (Section 4.4). This is because in the security 2 nd model, collateral damages mean that securing some ASescan actually make other ASes more vulnerable to attack. Insecure ASes can also become happy as a collateral ben-efit , because other
ASes obtained secure routes:
Figure 14.
We show how AS 5166, with the Departmentof Defense Network Information Center, obtains collateralbenefits when its provider AS 174, Cogent, deploys S*BGP.On the left, we show the network prior to the deploymentof S*BGP; focusing on Cogent AS 174, we see that it fallsvictim to the attack, choosing a bogus route through its cus-tomer AS 3491. As a result, AS 5166 routes to the attackeras well. On the right, we show the network after S*BGPdeployment. Now, both AS 174 and AS 3491 are secure,and choose a longer secure customer route to the legitimatedestination. As a result, AS 5166, which remains insecure,becomes happy as a collateral benefit.
Collateral benefits.
A source AS s / ∈ S obtains collateralbenefits from an S*BGP deployment S with respect to anattacker m and destination d if (a) s is unhappy when theASes in T are secure, but (b) s is happy when the ASes in S are secure, and S ⊃ T .Collateral benefits are possible in all three routing policymodels (Table 3). Here is an example when security is 3 rd : Figure 15.
We show how AS34223, a Russian ISP, obtainscollateral benefits in the security 3 rd model. The left subfig-ure shows how AS34223 and and its provider AS3267 reactto the attack before S*BGP deployment; AS3267 learns twopeer routes of equal length – one bogus route to the at-tacker m and one legitimate route to Pandora’s AS 40426.AS3267 then tiebreaks in favor of the attacker, so both
166 1031040426 3257 m Telekomunikacja Polska S.A.
Network
Information.
NON MONTONICITY EXAMPLE, SECURITY SECOND (AS52142)ALSO COLLATERAL BENEFIT, SECURITY SECOND (as5166)Victim 40426 Pandora, Attacker Iranian ISP 12880, tokens: t2_100_cp_stub174 COGENT 5166 1031040426 3257 m Figure 14: Collateral benefits & damages; sec nd . COLLATERAL BENEFITS EXAMPLE, SECURITY THIRDVictim 40426 Pandora, Attacker Iranian ISP 12880, tokens: t2_100_cp_stub
Yahoo!12389
ROSTELECOM
RUSSIA34223
ZAO N ‐ REGION
RUSSIA3267
STATE
INSTITUTE OF INFO
TECH
RUSSIA m Yahoo!12389
ROSTELECOM
RUSSIA34223
ZAO N ‐ REGION
RUSSIA3267
STATE
INSTITUTE OF INFO
TECH
RUSSIA m Figure 15: Collateral benefits; security rd . AS3267 and his customer AS34223 become unhappy. On theright, we show what happens after partial S*BGP deploy-ment. AS3267 has a secure route to Pandora of equal lengthand type as the insecure route to m ; so AS3267 chooses thesecure route, and his insecure customer AS34223 becomeshappy as a collateral benefit. Which of the phenomena in Table 3 have the biggest im-pact on security? We now check how these phenomena playout in the last step of the Tier 1 & Tier 2 rollout of Sec-tion 5.2.1. Recall that S is all 13 Tier 1s, all 100 Tier 2s andall of their stubs, i.e., roughly 50% of the AS graph. Figure 16 (left).
We start with a root cause analysis forthe security 3 rd model. Recall that Theorem 6.1 showed thatcollateral damages do not occur in the security 3 rd model,and so we do not consider them here. Changes in secure routes.
We start with an analysissimilar to that of Section 5.3.1; The bottom three parts ofthe bar show the fraction of secure routes available in normalconditions, prior to any routing attacks. (Averaging is acrossall V sources and destinations.) During routing attacks,these routes can be broken down into three types: (1) secureroutes lost to protocol downgrade attacks (lowest part of thebar), (2) secure routes that are “wasted” on ASes that wouldhave been happy even in the absence of S*BGP (secondlowest part), and (3) secure routes that protected ASes thatwere unhappy in the absence of S*BGP (third lowest part).(Averaging is, as usual, over M (cid:48) and D = V and all V sourceASes.) Importantly, improvements in our security metriccan only result from the small fraction of secure routes inclass (3); the remaining secure routes either (1) disappeardue to protocol downgrades, or (2) are “wasted” on ASesthat would have avoided the attack even without S*BGP. Changes in the metric.
The top two parts of the bar showhow (the lower bound on) the metric H M (cid:48) ,V ( S ) grows rela-tive to the baseline scenario S = ∅ due to: (a) secure routesin class (3), and (b) (the lower bound on) the fraction of in-secure ASes that obtained collateral benefits. Figure 16(left)thus illustrates the importance of collateral benefits. Figure 16 (right).
We perform the same analysis for thesecurity 1 st model. By Theorem 3.1, protocol downgrade at-tacks occur only rarely in this model, so these are not visiblein the figure. However, we now have to account for collateral a v e r age f r a c t i on o f s ou r c e s . . . . . metricchange s e c u r e r ou t e s unde r no r m a l c ond i t i on s s e c u r e r ou t e s a ft e r a tt a ck collateral damagescollateral benefitssecure routes given to unhappy nodessecure routes given to happy nodesdowngrades . . . . . m e t r i cc hange s e c u r e r ou t e s unde r no r m a l c ond i t i on s Figure 16: Changes in the metric explained. Sec rd (left) and Sec st (right). damages (Section 6.1.1), which we depict with the smallersliver on right of the figure. We obtain the change in themetric by subtracting the collateral damages from the gainsresulting from (a) offering secure routes to unhappy ASesand (b) collateral benefits. Fortunately, we find collateraldamages to be a relatively rare phenomenon. Fitting it all together?
This analysis reveals thatchanges in the metric can be computed as follows: (Secureroutes created under normal conditions) + (collateral ben-efits) − (protocol downgrades) − (secure routes “wasted”on ASes that are already happy) − (collateral damages).We find that all of these phenomena (with the exception ofcollateral damage) have significant impact on the securitymetric. These observations also drive home the point thatthe number of routes learned via S*BGP in normal condi-tions is a poor proxy for the “security” of the network; moresophisticated metrics like the ones we use here are required.Results where security 2 nd look very similar to resultswhen security is 3 rd , with the addition of a small amount ofcollateral damage. The bottom line is, when security is 2 nd or 3 rd , (1) protocol downgrade attacks cause many secureroutes that were available under normal conditions to dis-appear, and (2) those ASes that retain their secure routesduring the attack would have been happy even if S*BGPhad not been deployed; the result is meagre increases in thesecurity metric. Meanwhile, when security is 1 st , few down-grades occur, and the security metric is greatly improved.
7. RELATED WORK
Over the past decades several security extensions to BGPhave been proposed; see [10] for a survey. However, pro-posals of new security extensions to BGP, and their subse-quent security analyses typically assume that secure ASeswill never accept insecure routes [6, 11], which is reasonablein the full deployment scenario where every AS has alreadydeployed S*BGP [7,10,22]. There have also been studies onincentives for S*BGP adoption [11, 19]; these works suggestthat “S*BGP and BGP will coexist in the long term” [19],which motivated our study of S*BGP in partial deployment.The partial deployment scenarios we considered have beensuggested in practice [44] and in this literature [6, 11, 19].Our work is most closely related to [22], which also mea-sures “security” as the fraction of source ASes that avoidhaving their traffic intercepted by the attacking AS. How-ever, [22] always assumes that the S*BGP variant is fully de-ployed . Thus, as discussed in Section 4.2, [22] also finds thatfully-deployed origin authentication provides good securityagainst attack we studied here ( i.e., announcing “ m, d ” usinginsecure BGP, see Section 3.1), but rightly assumes this at-ack fails against fully-deployed S*BGP. Moreover, [22] doesnot analyze interactions between S*BGP and BGP that ariseduring partial deployment ( e.g.,
Table 3).Finally, [8] includes cryptographic analysis of S*BGP inpartial deployment, and an Internet draft [27] mentions pro-tocol downgrade attacks. However, neither explores how at-tacks on partially-deployed S*BGP can impact routing, orconsiders the number / type of ASes harmed by an attack.
8. CONCLUSION
On one hand, our results give rise to guidelines for partially-deployed S*BGP: (1) Deploying lightweight simplex S*BGPat stub ASes, instead of full-fledged S*BGP; this reduces de-ployment complexity at the majority of ASes without com-promising overall security. (2) Incorporating S*BGP intorouting policies in a similar fashion at all ASes, to avoidintroducing routing anomalies like BGP Wedgies. (3) De-ploying S*BGP at Tier 2 ISPs, since deployments of S*BGPat Tier 1s can do little to improve security. On the otherhand, we find that partially-deployed S*BGP provides, onaverage, limited security benefits over route origin authen-tication when ASes do not prioritize security 1 st .We hope that our work will call attention to the chal-lenges that arise during partial deployment, and drive thedevelopment of solutions that can help surmount them. Oneidea is to find ways to limit protocol downgrade attacks, asthese cause many of our negative results. For example, onecould add “hysteresis” to S*BGP, so that an AS does not im-mediately drop a secure route when “better” insecure routeappears. Alternatively, one could find deployment scenariosthat create “islands” of secure ASes that agree to prioritizesecurity 1 st for routes between ASes in the island; the chal-lenge is to do this without disrupting existing traffic engi-neering or business arrangements. Other security solutionscould also be explored. For example, origin authenticationwith anomaly detection and prefix filtering could be easierto deploy (they can be based on the RPKI), and may be aseffective as partially-deployed S*BGP. Acknowledgments
We are grateful to BU and XSEDE for computing resources,and Kadin Tseng, Doug Sondak, Roberto Gomez and DavidO’Neal for helping us get our code running on various plat-forms. We thank Walter Willinger and Mario Sanchez forproviding the list of ASes in each IXP that we used to gen-erate our IXP-augmented AS graph, Phillipa Gill for use-ful discussions and sharing the results of [18] with us, andLeonid Reyzin, Gonca Gursun, Adam Udi, our shepherdTim Griffin and the anonymous SIGCOMM reviewers forcomments on drafts of this paper. This work was supportedby NSF Grants S-1017907, CNS-1111723, ISF grant 420/12,Israel Ministry of Science Grant 3-9772, Marie Curie CareerIntegration Grant, IRG Grant 48106, the Israeli Center forResearch Excellence in Algorithms, and a gift from Cisco.
9. REFERENCES [1] IRR power tools. http://sourceforge.net/projects/irrpt/ , 2011.[2] Working group 6 secure bgp deployment report. Technicalreport, FCC CSRIC http://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRICIII_9-12-12_WG6-Final-Report.pdf , 2012. [3] B. Ager, N. Chatzis, A. Feldmann, N. Sarrar, S. Uhlig, andW. Willinger. Anatomy of a large european IXP. In
SIGCOMM’12 , 2012.[4] Alexa. The top 500 sites on the web. , October 1 2012.[5] B. Augustin, B. Krishnamurthy, and W. Willinger. IXPs:Mapped? In
IMC’09 , 2009.[6] I. Avramopoulos, M. Suchara, and J. Rexford. How smallgroups can secure interdomain routing. Technical report,Princeton University Comp. Sci., 2007.[7] H. Ballani, P. Francis, and X. Zhang. A study of prefixhijacking and interception in the Internet. In
SIGCOMM’07 , 2007.[8] A. Boldyreva and R. Lychev. Provable security of s-bgpand other path vector protocols: model, analysis andextensions. In
CCS’12 , pages 541–552.[9] M. A. Brown. Rensys Blog: Pakistan hijacks YouTube. .[10] K. Butler, T. Farley, P. McDaniel, and J. Rexford. Asurvey of BGP security issues and solutions.
Proceedings ofthe IEEE , 2010.[11] H. Chang, D. Dash, A. Perrig, and H. Zhang. Modelingadoptability of secure BGP protocol. In
SIGCOMM’06 ,2006.[12] Y.-J. Chi, R. Oliveira, and L. Zhang. Cyclops: The InternetAS-level observatory.
SIGCOMM CCR , 2008.[13] Cisco. Bgp best path selection algorithm: How the bestpath algorithm works. Document ID: 13753, May 2012. .[14] J. Cowie. Rensys blog: China’s 18-minute mystery. .[15] A. Dhamdhere and C. Dovrolis. Twelve years in theevolution of the internet ecosystem.
Trans. Netw. ,19(5):1420–1433, 2011.[16] L. Gao, T. Griffin, and J. Rexford. Inherently safe backuprouting with BGP.
IEEE INFOCOM , 2001.[17] L. Gao and J. Rexford. Stable Internet routing withoutglobal coordination.
Trans. Netw. , 2001.[18] P. Gill, S. Goldberg, and M. Schapira. A survey ofinterdomain routing policies. NANOG’56, October 2012.[19] P. Gill, M. Schapira, and S. Goldberg. Let the market drivedeployment: A strategy for transistioning to BGP security.
SIGCOMM’11 , 2011.[20] P. Gill, M. Schapira, and S. Goldberg. Modeling onquicksand: dealing with the scarcity of ground truth ininterdomain routing data.
SIGCOMM Comput. Commun.Rev. , 42(1):40–46, Jan. 2012.[21] S. Goldberg, S. Halevi, A. D. Jaggard, V. Ramachandran,and R. N. Wright. Rationality and traffic attraction:Incentives for honest path announcements in BGP. In
SIGCOMM’08 , 2008.[22] S. Goldberg, M. Schapira, P. Hummon, and J. Rexford.How secure are secure interdomain routing protocols? In
SIGCOMM’10 , 2010.[23] T. Griffin and G. Huston. BGP wedgies. RFC 4264, 2005.[24] T. Griffin, F. B. Shepherd, and G. Wilfong. The stablepaths problem and interdomain routing.
Trans. Netw. ,2002.[25] G. Huston. Peering and settlements - Part I.
The InternetProtocol Journal (Cisco) , 2(1), March 1999.[26] G. Huston. Peering and settlements - Part II.
The InternetProtocol Journal (Cisco) , 2(2), June 1999.[27] S. Kent and A. Chi. Threat model for bgp path security.Internet draft: draft-ietf-sidr-bgpsec-threats-04, 2013.[28] S. Kent, C. Lynn, and K. Seo. Secure border gatewayprotocol (S-BGP).
JSAC , 2000.29] C. Labovitz. Arbor blog: Battle of the hyper giants. http://asert.arbornetworks.com/2010/04/the-battle-of-the-hyper-giants-part-i-2/ .[30] C. Labovitz. Internet traffic 2007 - 2011. Global PeeringForum. Santi Monica, CA., April 2011.[31] C. Labovitz, S. Iekel-Johnson, D. McPherson, J. Oberheide,and F. Jahanian. Internet inter-domain traffic. In
SIGCOMM’10 , 2010.[32] B. Laurie, G. Sisson, R. Arends, Nominet, and D. Blacka.Dns security (dnssec) hashed authenticated denial ofexistence. RFC 5155, March 2008.[33] M. Lepinski. Bgpsec protocol specification:draft-ietf-sidr-bgpsec-protocol-06. Internet-Draft, 2012.[34] M. Lepinski and S. Kent.
RFC 6480: An Infrastructure toSupport Secure Internet Routing .[35] R. Lychev, S. Goldberg, and M. Schapira. Networkdestabilizing attacks. In
PODC’12 , 2012.[36] R. Lychev, S. Goldberg, and M. Schapira. Networkdestabilizing attacks. Arxiv Report 1203.1281, march 2012.[37] R. Lychev, S. Goldberg, and M. Schapira. Is the juiceworth the squeeze? BGP security in partial deployment. In
SIGCOMM’13 , 2013.[38] P. McDaniel, W. Aiello, K. Butler, and J. Ioannidis. Originauthentication in interdomain routing.
Computer Networks ,November 2006.[39] S. Misel. “Wow, AS7007!”. Merit NANOG Archive, April1997. .[40] P. Mohapatra, J. Scudder, D. Ward, R. Bush, andR. Austein.
BGP Prefix Origin Validation . InternetEngineering Task Force Network Working Group, 2012. http://tools.ietf.org/html/draft-ietf-sidr-pfx-validate-09 .[41] P. Palse. Serving ROAs as RPSL route[6] Objects from theRIPE Database. RIPE Labs, June 2010. https://labs.ripe.net/Members/Paul_P_/content-serving-roas-rpsl-route-objects .[42] T. Paseka. Cloudflare blog: Why google went offline today.,November 2012. http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about .[43] A. Pilosov and T. Kapela. Stealing the Internet: AnInternet-scale man in the middle attack, 2008.DEFCON’16.[44] Reuters. Internet providers pledge anti-botnet effort, March22 2012.[45] M. Roughan, W. Willinger, O. Maennel, D. Perouli, andR. Bush. 10 lessons from 10 years of measuring andmodeling the internet’s autonomous systems.
JSAC ,29(9):1810–1821, 2011.[46] R. Sami, M. Schapira, and A. Zohar. Searching for stabilityin interdomain routing. In
INFOCOM’09 , 2009.[47] Sandvine. Fall 2012 global internet phenomena, 2012.[48] K. Sriram. BGPSEC design choices and summary ofsupporting discussions. Internet-Draft:draft-sriram-bgpsec-design-choices-03, January 2013.[49] R. White. Deployment considerations for secure origin BGP(soBGP). draft-white-sobgp-bgp-deployment-01.txt, June2003, expired.[50] D. Wing and A. Yourtchenko. Happy eyeballs: Trendingtowards success with dual-stack hosts. Internet draft:draft-wing-v6ops-happy-eyeballs-ipv6-01, October 2010.
APPENDIXA. MORE COLLATERAL DAMAGE
Figure 14 revealed that collateral damages can be causedby secure ASes that choose long secure paths. When securityis 1 st , collateral damages can also be caused by secure ASesthat choose expensive secure paths: Figure 17.
We show how AS 4805, Orange Businessin Oceania, suffers from collateral damage when securityis 1 st . On the left, we show the network prior to S*BGPdeployment. Orange Business AS4805 learns two routes:a legitimate route through its peer Optus CommunicationsAS 7474, and a bogus route through its provider AS 2647.Since AS 4805 prefers peer routes over provider routes perour LP rule, it will choose the legitimate route and avoid theattack. On the right, we show what happens after S*BGPdeployment. Now, Optus Communications AS 7474 hasstarted using a secure route. However, this secure routeis through its provider AS 7473. Observe that AS 7474 isno longer willing to announce a route to its peer AS 4805as this would violate the export policy Ex . AS 4805 is nowleft with the bogus provider route through AS 2647, andbecomes unhappy as collateral damage. B. COMPUTING ROUTING OUTCOMES
Below we present algorithms for computing S*BGP rout-ing outcomes in the presence of an attacker (per Section 3.1),in each of our three S*BGP routing models. These algo-rithms receive as input an attacker-destination pair ( m, d )and the set of secure ASes S and output the S*BGP rout-ing outcome (in each of our three S*BGP routing mod-els). We point out that our algorithms can also be usedto compute routes during normal conditions (when thereis no attacker m = ∅ ), and when no AS is secure S = ∅ . In these algorithms, which extend the algorithmic ap-proach used in [19, 20, 22] to handle partial S*BGP deploy-ment in the presence the adversary described in Section 3.1,we carefully construct a partial two-rooted routing tree byperforming multi-stage breadth-first-search (BFS) computa-tions with d and m as the two roots. We prove the correct-ness of our algorithms (that is, that they indeed computethe desired S*BGP routing outcomes) in Appendix B.5. Insubsequent sections, we show how to use these algorithmsto partition ASes into doomed/immune/protectable nodes,to determine which ASes are happy, or experience protocoldowngrade attacks for a given ( m, d )-pair and deployment S . B.1 Notation and preliminaries.
Since BGP (and S*BGP) sets up routes to each destina-tion independently, we focus on routing to a unique desti-nation d . We say that a route is legitimate if it does notcontain the attacker m (either because there is no attacker m = ∅ or because the attacker is not on the route). Wesay that a route is attacked otherwise. Observe that in thepresence of an attacker m launching the attack of Section 3,all attacked routes have m as the first hop following d . Weuse the following definition of “perceivable routes” from [36]. NON MONTONICITY EXAMPLE, SECURITY FIRSTVictim 40426 Pandora, Attacker Iranian ISP 12880, tokens: t2_100_cp_stub4805“
EQUANT ‐ OCEANIA
Orange
Business AS for Oceania region coveringand
New ‐ Zealand countries “AS7474
ASN ‐ OPTUS ‐ NET
Optus
Communications ‐‐ Jonesboro,
Arkansas, m EQUANT ‐ OCEANIA
Orange
Business AS for Oceania region coveringand
New ‐ Zealand countries “AS7474
ASN ‐ OPTUS ‐ NET
Optus
Communications ‐‐ Jonesboro,
Arkansas, m X Figure 17: Collateral damages; security st . efinition B.1 (Perceivable routes). A simple (loop-free) route R = { v i − , . . . , v , d } is perceivable at AS v i ifone of the two following conditions holds:1. R is legitimate (so v (cid:54) = m ), and for every < j < i itfollows that v j announcing the route ( v j , . . . , d ) to v j +1 does not violate Ex .2. R is attacked (so v = m ), and for every < j < i itfollows that v j announcing the route ( v j , . . . , d ) to v j +1 does not violate Ex . Intuitively, an AS’s set of perceivable routes captures allthe routes this AS could potentially learn during the S*BGPconvergence process. All non-perceivable routes from an AScan safely be removed from consideration as the Ex condi-tion ensures that they will not propagate from the destina-tion/attacker to that AS.We say that a route ( v i − , . . . , v , d ) is a customer route if v i − is a customer of v i . We define peer routes and provider routes analogously. We say that a route R = { v i , v i − , ..., v , d } contains AS x , if at least one AS in { v i , v i − , ..., v , d } is x . PR and BPR sets.
Let PR ( v i , m, d ) be the set of perceiv-able routes from v i for the attacker-victim pair ( m, d ) whenattacker m attacks destination d using the attack describedin Section 3.1. (We set m = ∅ when there is no attacker.)Given a set of secure ASes S , for every AS v i we definethe BPR ( v i , S, m, d ) to be the set of all perceivable routes in PR ( v i , m, d ) that are preferred by v i over all other perceiv-able routes, before the arbitrary tiebreak step TB , accordingto the routing policy model ( i.e., security 1 st , 2 nd , or 3 rd )under consideration. (Again, we set m = ∅ when there is noattacker and S = ∅ when no ASes are secure). We define Nxt ( v i , S, m, d ) to be the set of all neighbors of v i that arenext hops of all routes in BPR ( v i , S, m, d ). We will just use Nxt ( v i ) when it is clear what S , m and d are.Observe that in each of our models, all routes in BPR ( v i , S, m, d )must (1) belong to the same type—customer routes, peerroutes, or provider routes, (2) be of the same length, and(3) either all be (entirely) secure or insecure. B.2 Algorithm for security rd . We now present our algorithm for computing the S*BGProuting outcome in the security 3 rd model in the presenceof a set of secure ASes S and an attacker m . We note thatthis algorithm also serves to compute the routing outcomewhen no ASes are secure, i.e., S = ∅ . As in [36] (whichstudies a somewhat different BGP routing model and doesnot consider S*BGP) we exhibit an iterative algorithm Fix-Routes (FR) that, informally, at each iteration fixes a singleAS’s route and adds that AS to a set
I ⊆ V . This goes onuntil all ASes are in I (that is, all ASes’ routes are fixed).We will later prove that FR indeed outputs the BGP routingoutcome.FR consists of three subroutines: Fix Customer Routes (FCR),
Fix Peer Routes (FPeeR), and
Fix ProviderRoutes (FPrvR), that FR executes in that order. Note thatat the very beginning of this algorithm, I contains only thelegitimate destination d and the attacker m (if there is anattacker). We now describe FR and its subroutines. Step I: The FCR subroutine.
FR starts with FCR;at this point I contains only the legitimate destination d and the attacker m . Intuitively, FCR constructs a partial two-rooted tree (rooted at d and m on the graph, using aBFS computation in which only customer-to-provider edgesare traversed.Initially, d has path length 0 and m has pathlength 1 (to capture the fact that m announces that it isdirectly connected to d in the attack of Section 3.1).We set PR ( v i ) = PR ( v i , m, d ) and BPR ( v i ) = BPR ( v i , S, m, d )for every AS v i . We let r be the FR iteration and initializeit to r := 0.While there is an AS s / ∈ I such that PR r − ( s ) containsat least one customer route, we “fix” the route of (at least)one AS by executing the following steps:1. r++;2. Select the AS v i / ∈ I that has the shortest customer route in its set BPR r − ( v i ) (if there are multiple suchASes, choose one arbitrarily);3. Add v i to I ; set Nxt ( v i ) to be v i ’s next-hop on the routein BPR r − ( v i ) selected according to its tie-breaking rule TB ;4. Remove, for every AS v j , all routes in PR r − ( v i ) thatcontain v i but whose suffix at v i is not in BPR r − ( v i )to obtain the new set PR r ( v i ); set BPR r ( v j ) to be v j ’smost preferred routes in PR r ( v i )5. Add all ASes v j such that PR r ( v i ) = ∅ to I . Step II: the FPeeR subroutine.
This step starts with I and the configuration of the routing system and the PR and BPR sets the way it is after execution of FCR (all theASes discovered the FCR step have their route selectionslocked), i.e., I contains only d , m , and ASes with eitherempty or customer routes. We now use only single peer-to-peer edges to connect new yet-unexplored ASes to the ASesthat were locked in the partial routing tree in the 1 st stageof the algorithm.While there is an AS s / ∈ I such that PR r − ( s ) containsat least one peer route, the following steps are executed:1. r++2. select an AS v i / ∈ I ;3. add v i to I ; set Nxt ( v i ) to be v i ’s next-hop on the routein BPR r − ( v i ) selected according to its tie-breaking rule TB ;4. remove, for every AS v j , all routes in PR r − ( v i ) thatcontain v i but whose suffix at v i is not in BPR r − ( v i )to obtain the new set PR r ( v i ); set BPR r ( v j ) to be v j ’smost preferred routes in PR r ( v i )5. add all ASes v j such that PR r ( v i ) = ∅ to I . Step III: The FPrvR subroutine.
We now run a BFScomputation in which only provider-to-customer edges aretraversed, that is, only ASes who are direct customer ofthose ASes that have already been added to the partial two-rooted tree are explored. This step starts with I and theconfiguration of the routing system and the PR and BPR sets the way it is after the consecutive execution of FCRand FPeeR.While there is an AS s / ∈ I such that PR r − ( s ) containsat least one provider route, we execute the identical steps asin FCR, with the exception that we look for the v i that hasthe shortest provider route in its set BPR r − ( v i ). .3 Algorithm for security nd . Our algorithm for the security 2 nd model is a refinementof the iterative algorithm Fix Routes (FR) presented abovefor the security 3 rd model. This new algorithm is also a 3-stage BFS in which customer routes are fixed before peerroutes, which are fixed before provider routes. In each stagewe are careful to prioritize ASes with secure routes over ASeswith insecure routes.We present the following two new subroutines. (1) FixSecure Customer Routes (FSCR): FSCR is identical toFCR, with the sole exception that for the AS chosen ateach iteration r has a BPR r − that contains a secure cus-tomer route; (2) Fix Secure Provider Routes (FSPrvR):FSPrvR is identical to FPrvR, with the sole exception thatfor the AS chosen at each iteration r has a BPR r − thatcontains a secure provider route. The variant of FR for thesecurity 3 rd model executes the subroutines the followingorder:1. FSCR2. FCR3. FPeeR4. FSPrvR5. FPrvR B.4 Algorithm for security st . Once again, we present a variant of the Fix Routes (FR)algorithm. This multi-stage BFS computation first discoversall ASes that can reach the destination d via secure routesand only then discovers all other ASes (as in our algorithmfor the security 3 rd model).We present the following new subroutine. Fix SecurePeer Routes (FSPeeR): FSPeeR is identical to FSPeeR,except that the AS chosen at each iteration r has a secure peer route in its BPR r − set. This variant of FR executesthe subroutines in the following order:1. FSCR2. FSPeeR3. FSPrV4. FCR5. FPeeR6. FPrvR B.5 Correctness of Algorithms
We now prove that that our algorithms for computingthe S*BGP routing outcomes indeed output the desired out-come.
B.5.1 Correctness of algorithm for security rd . The proof that our algorithm for the security 3 rd modeloutputs the S*BGP routing outcome in this model followsfrom the combination of the lemmas below. Recall that eachof our algorithms computes, for every AS v i , a next-hop AS Nxt ( v i ). Let R v i be the route from v i induced by thesecomputed next-hops. Lemma
B.2.
Under S*BGP routing, the route of everyAS added to I in FCR is guaranteed to stabilize to the route R v i . Proof.
We prove the lemma by induction on the FCRiteration. Consider the first iteration. Observe that the ASchosen at this iteration of FCR must be a direct providerof d (that is, have a customer route of length 1). Hence, inthe security 3 rd model, once this AS learns of d ’s existenceit will select the direct route to d and never choose a dif-ferent route thereafter (as this is its most preferred route).Now, let us assume that for every AS chosen in iterations1 , . . . , r the statement of the lemma holds. Let v i be theAS chosen at iteration r + 1 of FCR. Consider v i ’s BPR setat that time. By definition, every route in the
BPR set isperceivable and so must comply with Ex at each and every“hop” along the route. Notice, that this, combined with thefact that all routes in v i ’s BPR set are customer routes, im-plies that the suffix of every such route is also a perceivablecustomer route. Consider an AS v j that is v i ’s next-hop onsome route in v i ’s BPR set. Notice that v j ’s route is fixed atsome iteration in { , . . . , r } (as v j has a shorter perceivablecustomer route than v i ). Hence, by the induction hypoth-esis, at some point in the S*BGP convergence process, v j ’sroute converges to R v j for every such AS v j . Observe that,from that point in time onward, v i ’s best available routes areprecisely those capture by BPR in the r + 1’th iteration ofFCR. Hence, from that moment onwards v i will repeatedlyselect the route R v i according to the tiebreak step TB andnever select a different route thereafter. Lemma
B.3.
Under S*BGP routing, the route of everyAS added to I in FPeeR is guaranteed to stabilize to theroute R v i . Proof.
Consider an AS v i chosen at some iteration ofFPeeR. Observe if ( v i , v i − , . . . , d ) is a perceivable peer routethen ( v i − , . . . , d ) must be a perceivable customer route (tosatisfy the Ex condition). Hence, for every such route in v i ’s BPR set it must be the case that the route of v i ’s next-hop onthis route v j was fixed in FCR. By Lemma B.2, at some pointin the S*BGP convergence process, v j ’s route converges to R v j for every such AS v j . Observe that, from that point intime onward, v i ’s best available routes are precisely thosecapture by its BPR set at the iteration of FPeeR in which v i is chosen. Hence, v i will select the route R v i accordingto the tiebreak step TB and never select a different routethereafter. Lemma
B.4.
Under S*BGP routing, the route of everyAS added to I in FPrvR is guaranteed to stabilize to theroute R v i . Proof.
We prove the lemma by induction on the numberof FPrvR iterations. Consider the first iteration. Let v i bethe AS chosen at this iteration, let v j be a next-hop of v i onsome route R in v i ’s BPR set, and let Q be the suffix of R at v j . Observe that Q cannot possibly be a provider route,for otherwise v j would have been chosen in FPrvR before v i . Hence, Q must be either a customer route or a peerroute, and so v j ’s route must have been fixed in either FCRor FPeeR. Hence, by the previous lemmas, under S*BGPconvergence, every such v j ’s route will eventually convergeto R v j . Observe that once all such ASes’ routes have con-verged and onwards v i ’s best available routes are preciselythose captured by BPR in the r + 1’th iteration of FPrvR.Hence, v i will select the route R v i according to the tiebreakstep TB and never select a different route thereafter.Now, let us assume that for every AS chosen in iterations1 , ..., r the statement of the lemma holds. Let v i be the AShosen at iteration r + 1 of FPrvR and consider v i ’s BPR set at this time. Let v j again be a next-hop of of v i onsome route R in v i ’s BPR set, and let Q be the suffix of R at v j . Observe that if Q is a provider route then v j ’s routemust have been fixed in FPrvR at some point in iterations { , . . . , r } . If, however, Q is either a customer route or apeer route v j ’s route must have been fixed in either FCR orFPeeR. Hence, by the previous lemmas and the inductionhypothesis, under S*BGP convergence, every such v j ’s routewill eventually converge to R v j . From that moment onwards v i ’s best available routes are precisely those captured by BPR in the r + 1’th iteration of FprvR. Hence, v i will selectthe route R v i according to the tiebreak step TB and neverselect a different route thereafter. B.5.2 Correctness of algorithm for security nd . The proof that our algorithm for the security 2 nd modeloutputs the S*BGP routing outcome in this model followsfrom the combination of the lemmas below. Let R v i be theroute from v i induced by the algorithm’s computed next-hops. Lemma
B.5.
Under S*BGP routing, the route of everyAS added to I in FSCR is guaranteed to stabilize to theroute R v i . Proof.
The proof is essentially the proof of Lemma B.2(where now all routes must be secure).
Lemma
B.6.
Under S*BGP routing, the route of everyAS added to I in FCR is guaranteed to stabilize to the route R v i . Proof.
As in proof of Lemma B.2, this lemma is provedvia induction on the FCR iteration. Consider the first itera-tion. Let v i be the AS chosen at this iteration and let v j bea next-hop on a route in v i ’s BPR set. Observe that it mustbe that either v j = d or v j ’s route was fixed in FSCR (forotherwise, v j would have been selected in FCR before v i ).Hence, Lemma B.5 (and the fact that d ’s route is triviallyfixed) implies that under S*BGP convergence each such v j ’sroute will stabilize at some point and from that point on-wards v i will repeatedly select R v i (see similar argument inLemma B.2). Now, let us assume that for every AS chosenin iterations 1 , . . . , r the statement of the lemma holds. Let v i be the AS chosen at iteration r + 1 of FCR. Consider v i ’s BPR set at that time and consider again an AS v j that is v i ’s next-hop on some route in v i ’s BPR set. Notice that v j ’sroute must either have been fixed in FCR at some iterationin { , . . . , r } (if v j has a shorter perceivable customer routethan v i ) or in FSCR (if v j has a secure customer route to d ). Hence, by the induction hypothesis, at some point in theS*BGP convergence process, v j ’s route converges to R v j forevery such AS v j . As before, from that point in time onward v i will repeatedly select R v i . Lemma
B.7.
Under S*BGP routing, the route of everyAS added to I in FPeeR is guaranteed to stabilize to theroute R v i . Proof.
The proof is identical to that of Lemma B.3.
Lemma
B.8.
Under S*BGP routing, the route of everyAS added to I in FSPrvR is guaranteed to stabilize to theroute R v i . Proof.
The proof is essentially the proof of Lemma B.4(where now all routes must be secure).
Lemma
B.9.
Under S*BGP routing, the route of everyAS added to I in FPrvR is guaranteed to stabilize to theroute R v i . Proof.
As in the proof of Lemma B.2, we prove thislemma by induction on the number of FPrvR iterations.Consider the first iteration. Let v i be the AS chosen at thisiteration, let v j be a next-hop of v i on some route R in v i ’s BPR set, and let Q be the suffix of R at v j . Observe thateither Q is a customer/peer route, in which case v j ’s routewas fixed before F SP rvR or Q is a secure provider route, inwhich case v j ’s route was fixed in F SP rvR . We can now useLemma B.8 and an argument similar to that in the proof ofLemma B.2 to conclude that v i ’s route will indeed convergeto R v i at some point in the S*BGP routing process.Now, let us assume that for every AS chosen in iterations1 , ..., r the statement of the lemma holds. Let v i be the ASchosen at iteration r + 1 of FPrvR and consider v i ’s BPR setat this time. Let v j again be a next-hop of of v i on someroute R in v i ’s BPR set, and let Q be the suffix of R at v j .Observe that if Q is a provider route then v j ’s route musthave been fixed in either FSPrvR or in FPrvR at some pointin iterations { , . . . , r } . If, however, Q is either a customerroute or a peer route v j ’s route must have been fixed ineither FCR or FPeeR. Hence, by the previous lemmas andthe induction hypothesis, under S*BGP convergence, everysuch v j ’s route will eventually converge to R v j . Again, wecan conclude that v i ’s route too will converge to R v i . B.5.3 Correctness of algorithm for security st . The proof that our algorithm for the security 1 st modeloutputs the S*BGP routing outcome in this model followsfrom the combination of the lemmas below (whose proofs isalmost identical to the proof for the other two models andis therefore omitted). Again, let R v i be the route from v i induced by the algorithm’s computed next-hops. Lemma
B.10.
Under S*BGP routing, the route of everyAS added to I in FSCR is guaranteed to stabilize to the route R v i . Lemma
B.11.
Under S*BGP routing, the route of everyAS added to I in FSPeeR is guaranteed to stabilize to theroute R v i . Lemma
B.12.
Under S*BGP routing, the route of everyAS added to I in FSPrvR is guaranteed to stabilize to theroute R v i . Lemma
B.13.
Under S*BGP routing, the route of everyAS added to I in FCR is guaranteed to stabilize to the route R v i . Lemma
B.14.
Under S*BGP routing, the route of everyAS added to I in FPeeR is guaranteed to stabilize to theroute R v i . Lemma
B.15.
Under S*BGP routing, the route of everyAS added to I in FPrvR is guaranteed to stabilize to theroute R v i . . BOUNDS ON HAPPY ASES. We use the three algorithms in Appendix B.2-B.4 to com-pute upper and lower bounds on the set of happy ASes (asdiscussed in Section 4.1), for a given attacker-destinationpair ( m, d ), set of secure ASes S and routing model. Todo this, each algorithm records, for every AS discovered inthe BFS computation, whether (1) all routes in its BPR atthat iteration lead to the destination, or (2) all these routeslead to the attacker or (3) some of these routes lead to thedestination and others to the attacker. The number of ASesin the 1 st category is then set to be a lower bound on thenumber of happy ASes. The total number of ASes in the 1 st and 3 rd category is set to be an upper bound on the numberof happy ASes.The correctness of this approach follows from the correct-ness of our algorithms (Appendix B.5), and the fact that allthe routes in the BPR r ( v i ) of a node v i at iteration r have thesame length, type, and are either all secure or insecure, sothe TB criteria completely determines which of these routesare chosen. As such, ASes in the 1 st category choose legiti-mate routes (and are happy) regardless of the TB criteria,ASes in the 2 nd category choose attacked routes (and areunhappy) regardless of the TB criteria, and whether ASesin the 3 rd category are happy completely depends on the TB criteria. D. BGP CONVERGENCE.
Taken together, Lemmas B.2-B.15 proven in Appendix B.5above imply Theorem 2.1; that is, when all ASes prioritizesecure routes the same way, convergence to a single stablerouting state is guaranteed, regardless of which ASes adoptS*BGP, even in presence of attacks discussed in Section 3.
E. PARTITIONS.
Recall from Section 4.3.1 that a source AS s is protectable if S*BGP can affect whether or not it routes to the legit-imate destination d or the attacker m ; the source AS s is doomed (resp. immune ) if it always routes to the attacker m (resp. routes to the legitimate destination d ), regardlessof how S*BGP is deployed in the network. In the security1 st model all ASes are assumed to be protectable (we dothis to avoid the complications discussed in Appendix E.3).In this section we describe how we compute the sets of im-mune, doomed, and protectable ASes with respect to anattacker-destination pair ( m, d ) in the security 2 nd and 3 rd models. To do this, we set S = ∅ and compute the BGProuting outcome for that ( m, d ) pair using the algorithm inSection B.2. E.1 Computing partitions: security rd To determine the partitions for the security 3 rd model,this algorithm records, for every AS discovered in the BFScomputation whether (1) all routes in its BPR set at thatiteration lead to the destination, or (2) all these routes leadto the attacker or (3) some of these routes lead to the des-tination and others to the attacker. We classify ASes inthe 1 st category as immune, ASes in the 2 nd category asdoomed, and ASes in the 3 rd category as protectable. Weshow below that this indeed coincides with our definitionsof immune, doomed, and protectable ASes in Section 4.3.1for the security 3 rd model. The following allows us to prove the correctness of ouralgorithm for computing partitions: Corollary
E.1.
In the security rd routing model, forany destination d , attacker m , source s and deployment S ⊆ V , s will stabilize to a route of the same type and length asany route in BR ( s, ∅ , m, d ) . Proof.
This follows from the correctness of our algo-rithm for computing routes in the security 3 rd model (Ap-pendix B.2). Note that because in the security 3 rd modelroute security is prioritized below path length, all routesin BPR r ( s ) must be contained in BPR ( s, ∅ , m, d ), where BPR r ( s ) is the set of best perceivable routes of s duringiteration r of the subroutine FCR, FPeeR or FPrvR of ouralgorithm, when BPR ( s, S, m, d ) contains customer, peer orprovider routes respectively. Recognize that by the correct-ness of our algorithm, s must stabilize to a route in BPR r ( s )for some iteration r of exactly one of these subroutines.Therefore, any s that has customer routes in BPR ( s, ∅ , m, d )will be “fixed” to a route in the FCR subroutine for anychoice of S . Similarly, if s has peer ( resp., provider) routesin BPR ( s, ∅ , m, d ), it will be “fixed” to a route in the FPeeR( resp., FPrvR) subroutine for any choice of S . Therefore,the type of the route will be fixed to the same type as thatof the BPR ( s, ∅ , m, d ) for all S . Moreover, when we chooseto “fix” the route of s in the appropriate subroutine, we doso by selecting s with a shortest routes out of all the sourcesthat have not been “fixed”, and regardless of S , and it followsthe the length of the route will be the same for all S .Corollary E.1 tells us that for determining whether s isimmune, doomed or protectable in security 3 rd model, it issufficient to keep track of all the routes of the best type andshortest length of s (i.e. all the routes in BPR ( s, ∅ , m, d )),because s is guaranteed to stabilize to one of these routes.Therefore, if all such routes are legitimate ( resp., attacked),then s will always stabilize to a legitimate ( resp., attacked)route under any S*BGP deployment S , so s must be im-mune ( resp., doomed). However, if some of these routes arelegitimate and some are attacked, then whether s stabilizesto a route to m or d depends on deployment S , so s mustbe protectable. E.2 Computing partitions: security nd The algorithm for determining partitions for the security2 nd model is slightly different from that used when security isthird. We still use the algorithm from Appendix B.2, exceptthat now, for every AS discovered in the BFS computationwe need to keep track of all perceivable routes in its PR set that are of the same type as the routes in its BPR set.We keep track of whether (1) all such routes lead to thedestination, or (2) all such routes lead to the attacker or (3)some of these routes lead to the destination and others to theattacker. We classify ASes in the 1 st category as immune,ASes in the 2 nd category as doomed, and ASes in the 3 rd category as protectable.The following allows us to prove the correctness of thisalgorithm: Corollary
E.2.
In the security nd routing model, forany destination d , attacker m source s and deployment S ⊆ V , s will stabilize to a route of the same type as any routein BPR ( s, ∅ , m, d ) . roof. This follows from the correctness of our algo-rithm for computing routes in the security 2 nd model (Ap-pendix B.3). Because in the security 2 nd model security isprioritized above route length, but below route type, all theroutes in BPR ( s ) r must be contained in the set of routes in PR ( s, m, d ) that are of the same type as routes in BPR ( s, ∅ , m, d ).Recall that BPR r ( s ) is the set of best perceivable routes of s during iteration r of the appropriate subroutines FSCRand FCR, FPeeR, or FSPrvR and FPrvR of our algorithm,if BPR ( s, S, m, d ) contains customer, peer or provider routesrespectively. Also, note that by the correctness of our al-gorithm, s must stabilize to a route in BPR r ( s ) for someiteration r of exactly one of these subroutines.Therefore, if s has customer routes in BPR ( s, ∅ , m, d ), itwill be “fixed” to a route during either the FSCR or FCRsubroutines of this algorithm for any choice of S . If s haspeer routes in BPR ( s, ∅ , m, d ), it will be “fixed” to a routein the FPeeR subroutine for any choice of S . Finally, if s has provider routes in BPR ( s, ∅ , m, d ), it will be “fixed” to aroute in either FSPrvR or FPrvR subroutines for any choiceof S .Corollary E.2 tells us that to determine if s is immune,doomed or protectable in security 2 nd model, it is sufficientto keep track of all the routes of the best type of s ( i.e., . all s ’s perceivable routes of the same type as routes in BPR ( s, ∅ , m, d )), because s is guaranteed to stabilize to oneof these routes. Therefore, if all such perceivable routes arelegitimate ( resp., attacked) , then s must stabilize to a legit-imate ( resp., attacked) route under any S*BGP deployment S , so s must be immune ( resp., doomed). However, if someof these routes are legitimate and some are attacked, thenwhether s stabilizes to a route to m or d depends on deploy-ment S , so s must be protectable. E.3 Computing partitions: security st In this paper we assume that all source ASes are pro-tectable in security 1 st model (see e.g., Figure 3). Techni-cally, however, there can be doomed and immune ASes inthe security 1 st model, in a few exceptional cases; here weargue the the number of such ASes is negligible. Doomed ASes.
We can characterize doomed ASes asfollows.
Observation
E.3.
In the security st model, for a par-ticular destination-attacker pair ( d, m ) , a source AS v i isdoomed if and only if every one of its perceivable routes PR ( v i , m, d ) contains m . If every perceivable route from v i to d contains m , thenthere is no S*BGP deployment scenario that could resultin v i being happy. On the other hand, if v i is not doomed,then there must be at least one S*BGP deployment scenariothat results in v i being happy, in which case v i must selecta route to d that does not contain m .ASes that single-homed to the attacking AS m are cer-tainly doomed, per Observation E.4. There are 11 ,
953 and11 ,
585 single-homed stub ASes (without peers) for the reg-ular and the IXP-augmented graphs respectively. As an up-per bound, we consider only the former number. Recall fromSection 4.1 that our security metric is an average of happysources, where the average is taken over all sources and allappropriate destination-attacker pairs. It follows that thatfor any one destination, there can be at most 11 ,
953 doomed single-homed ASes when summed over all attackers and allsources. Therefore, the fraction of doomed sources does notexceed . .
01% when considering all and only non-stub attackers respectively. While Observation E.4 suggeststhere could be other doomed nodes (other than the just thesingle-homed stub ASes), however, the Internet graph is suf-ficiently well-connected to ensure that the number of suchASes is small.
Immune ASes.
A similar characterization is possible forimmune ASes.
Observation
E.4.
In the security st model, for a par-ticular destination-attacker pair ( d, m ) , a source AS v i isimmune if every one of its perceivable routes PR ( v i , ∅ , m ) contains d . As we discussed above, immune ASes tend to be single-homed stub ASes.
F. PROTOCOL DOWNGRADE ATTACKS.
In Section 3.2 we discussed how protocol downgrades canoccur in the security 2 nd and 3 rd model. We now proveTheorem 3.1, that shows that protocol downgrade attacksare avoided in the security 1 st model; that is, every AS s that uses a secure route that does not contain the attacker m under normal conditions, will continue to use that secureroute when m launches its attack. Proof of Theorem 3.1.
The theorem follows from thecorrectness of the algorithm in Appendix B.4 for comput-ing routes when security is 1 st . Suppose the set of secureroutes is S . Consider an AS s who has its secure route R s fixed during the FSCR, FSPeerR, FSPrR subroutine of thealgorithm in Appendix B.4 when the set of secure ASes is S and the attacker is m = ∅ ( i.e., during normal conditions,when there is no attack). If R s does not contain m , then s will have its route fixed to exactly the same secure route R s during the FSCR, FSPeeR, FSPrvR subroutine of thealgorithm in Appendix B.4 when the set of secure ASes is S and m attacks. This follows because all routes that contain m must be fixed after the FSCR, FSPeeR, FSPrvR portionsof the algorithm (since, by definition, all routes containing m must be insecure during m ’s attack). An inductive argu-ment shows that all ASes on route R s will therefore be fixedto the same route that they used in normal conditions, andthe theorem follows. F.1 Computing protocol downgrades.
To quantify the success of protocol downgrade attackswith respect to an attacker-destination pair ( m, d ) and a setof secure ASes S , we need to first establish which ASes havea secure route to the destination under normal conditions,that is, when there is no attack. To do this, we compute theS*BGP routing outcome when there is no attacker (setting m = ∅ for the set S ) for the specific model under consid-eration. The algorithm records for every AS discovered inthis BFS computation whether (1) all routes in its BPR setat that iteration is secure or (2) all these routes are inse-cure. We then compute the S*BGP routing outcome forthe pair ( m, d ) for the set S (for the specific model underconsideration)). Again, the algorithm records for every ASdiscovered in this BFS computation whether (1) all routesin its BPR set at that iteration are secure or (2) all theseroutes are insecure. We conclude that a protocol-downgradettack against an AS is successful if that AS falls in the 1 st category in the first of these computations and in the 2 nd category in the second computation. The correctness of thisapproach follows from the correctness of our algorithms inAppendix B. G. MONOTONICITY
In Section 6.1 and Appendix A we showed that collateraldamage is possible in the security 2 nd and 1 st models. Wenow prove Theorem 6.1 that shows that collateral damagedoes not occur in the security 3 rd model; that is, for any des-tination d , attacker m , source s and S*BGP deployments T and S ⊆ T , if s stabilizes to a legitimate route in deployment S , then s stabilizes to a legitimate route in deployment T . Proof of Theorem 6.1.
The theorem follows from thecorrectness of our algorithm for computing routing outcomeswhen security is 3 rd (Appendix B.2). First, an inductive ar-gument shows that every AS s that the algorithm “fixes” to asecure route in deployment S is also “fixed” to a secure routein T ; it follows that all such ASes stabilize to a legitimateroute in both S and T . Next we argue that every AS s thatthe algorithm “fixes” to an insecure legitimate route in S isalso fixed to a legitimate route in T . There are two cases:(a) if s is fixed to a secure route in T , it uses a legitimateroute, (b) otherwise, an inductive argument shows that thealgorithm computes the same next hop Nxt ( s ) for s in bothdeployments T and S , and since the route was legitimate in S , it will be legitimate in T as well. H. SIMULATIONS
Our simulations compute the following for each destina-tion d :1. The S*BGP routing outcome for each of our 3 S*BGProuting models and for every deployment set S consid-ered in the paper (to enable computations that quantifyprotocol downgrade attacks );2. The BGP routing outcome with respect to every possi-ble pair ( m, d ) and with S = ∅ (to compute partitionsinto doomed/immune/protectable ASes, and to deter-mine which ASes where happy in the baseline scenariowhere S = ∅ );3. The S*BGP routing outcome for every possible ( m, d )in each of our 3 S*BGP routing models and for everydeployment set S considered in the paper (to computethe happy ASes, to detect phenomena like collateralbenefits and damages, and as part of computations thatquantify protocol downgrade attacks );To do this, we use the algorithms in Appendix B.2-B.4,where the we execute the FCR, FSCR, FPeeR, FSPeeR,FPrvR, and FSPrvR subroutines using breath-first searches.The overall complexity of our simulations is therefore O ( | M || D | ( | V | + | E | ) for each deployment S . We optimize the running timeof our simulations in two ways: Re-using information.
Instead of running multiple com-putations “from scratch” our simulations often re-use infor-mation and pass it on from one computation to the next( e.g., an AS that is doomed with respect to a specific attacker-destination pair ( m, d ) will not route to d regardless of thedeployment scenario S , etc. ). Parallelization.
We run these computations in parallelacross all destinations d . Our code was written in C++ and e n s w s s e e e d …… m element ASes set ASes Figure 18: Reduction parallelization was achieved with MPI on a BlueGene andBlacklight supercomputers.
I. HARDNESS RESULTS
We prove Theorem 5.1, that shows that the“Max-k-Security”problem is NP-hard in each of our three routing models.Recall from Section 5.1, in the “Max-k-Security” problem,we are given an AS graph, G = ( V, E ), a specific attacker-destination pair ( m, d ), and a parameter k >
0, find a set ofASes S of size k that maximizes the total number of happyASes.To prove Theorem 5.1, we consider a slightly differentproblem that we will call the “Decisional-k- (cid:96) -Security” prob-lem (D k(cid:96) SP): Given an AS graph, a specific attacker-destinationpair ( m, d ), and parameters k > ≤ (cid:96) ≤ | V | , deter-mine if there is a set of secure ASes S of size k that resultsin at least (cid:96) happy ASes. Notice that this problem is in NP(since we can check the number of happy ASes in polynomialtime given the algorithms discussed in Appendix B) and iscertainly poly-time reducible to “Max-k-Security”. There-fore, the following theorem implies Theorem 5.1: Theorem
I.1. D k(cid:96) SP is NP-Complete in each of our threerouting policy models.
Proof.
We present a poly-time reduction from the SetCover Decisional Problem (SCDP). In SCDP, we are givena set N with n elements, a family F of w subsets of N andan integer γ ≤ w , and we must decide if there exist γ subsetsin the family F that can cover all the elements in N .Our reduction is shown in Figure 18. For each element e i ∈ N in the SCDP instance, we create an AS e i in ourD k(cid:96) SP instance and connect it to the attacker via a provider-to-customer edge. For each subset s j ∈ F , we create an AS s j in our our D k(cid:96) SP instance and connect it to the desti-nation d via a provider-to-customer edge. We connect AS e i to AS s j via a provider-to-customer edge if e i ∈ s j inthe SCDP problem. Moreover, we require that every e i ’shas a tiebreak criteria TB that prefers the route through m over any route through any s j . Notice that the perceivableroutes at every e i are of the same length and type; namely,two-hop customer routes. Finally, we let (cid:96) = n + w + 1, andlet k = n + γ + 1.Suppose that our SCDP instance has a γ -cover. We arguethat this implies that our corresponding D k(cid:96) SP should beable to choose a set S of k secure ASes that ensure thatat least (cid:96) ASes are happy. The following set S of secureSes suffice: S = { d, e , ..., e n } ∪ { s j | s j is in the γ cover } .Notice that S is of size k = n + γ + 1, and results in exactly (cid:96) = n + w + 1 happy ASes. (This follows because d is happyby definition, all the set ASes s , ..., s w are happy regardlessof the choice of S , and all the element ASes e , ..., e n chooselegitimate routes to the destination because they have secureroutes to d by construction.)On the other hand, suppose we are able to secure exactly k ASes while ensuring that (cid:96)
ASes are happy. First, notethat all the set ASes s , ..., s w and the destination AS andare immune; they are happy regardless of which ASes aresecure. Next, note that if any of the n element ASes e , ..., e n are insecure, then by construction it will choose a route tothe attacker and be unhappy, and we will have less than (cid:96) happy nodes. Similarly, if the destination d is insecure, byconstruction all of the element ASes will choose an insecureroute to the attacker. Thus, if we secure all the elementASes and the destination, we have k − − n = γ remainingASes to secure; by construction, these must be distributedamongst the set ASes, and thus we will have a γ -cover byconstruction.Finally, note that this result holds in all three secure rout-ing models; the reduction is agonistic to how ASes rank secu-rity in their route preference decisions, since the perceivableroutes at every element AS e i have the same length andtype.To extend this result to multiple destinations D and at-tackers M , we can show the hardness of the following vari-ant of the “Max-k-Security” problem: given G ( V, E ), sets
M, D ⊆ V and an integer k , the objective is to maximizethe average number of happy ASes across all ( m, d ) pairs in M × D . The argument is the same as the above, except thatnow we create multiple copies of the m and d nodes (andtheir adjacent edges) in Figure 18, and let M be the copiesof the m nodes and D be the copies of the d nodes. J. THE IXP-AUGMENTED GRAPH
We repeated our experiments on the IXP-augmented graphdescribed in Section 2.2 to obtain the following results.
J.1 Plots for Section 4.
Sec 1st Sec 2nd Sec 3rd A v e r age F r a c t i on o f S ou r c e s . . . DoomedProtectableImmune (a)
STUB STUB−X SMDG SMCP CP T3 T2 T1 A v e r age F r a c t i on o f S ou r c e s . . . . . . DoomedProtectableImmune (b)
STUB STUB−X SMDG SMCP CP T3 T2 T1 A v e r age F r a c t i on o f S ou r c e s . . . . . . DoomedProtectableImmune (c)
STUB STUB−X SMDG SMCP CP T3 T2 T1 a v e r age f r a c t i on o f s ou r c e s . . . . . . DoomedProtectableImmune (d)
Figure 19: Plots for Section 4, IXP-augmentedgraph. (a) Partitions. (b) Partitions by destina-tion tier. Sec rd . (c) Partitions by destination tier.Sec nd . (d) Partitions by attacker tier. Sec rd . .2 Plots for Section 5. . . . . Metric Improvemens for T1+T2
Number of Non−Stubs in S C hange i n t he M e t r i c H _ M ' V ( S ) _ _ _ __ _ _ __ _ _ __ _ _ __ _ _ __ _ _ _ Security 1stSecurity 2ndSecurity 3rd (a) . . . . Metric Improvemens for T1+T2+CPs
Number of Non−Stub, Non−CP ASes in S C hange i n t he M e t r i c H _ M ' V ( S ) _ _ _ __ _ _ __ _ _ __ _ _ __ _ _ __ _ _ _ Security 1stSecurity 2ndSecurity 3rd (b) . . . . Metric Improvemens for T2
Number of Non−Stubs in S C hange i n t he M e t r i c H _ M ' V ( S ) _ _ _ _ __ _ _ _ __ _ _ _ __ _ _ _ __ _ _ _ __ _ _ _ _ Security 1stSecurity 2ndSecurity 3rd (c)
Figure 20: Plots for Section 5, IXP-augmentedgraph. For each plot, the x -axis is the number ofnon-stub, non-CP ASes in S and the “error bars”are explained in Section 5.3.2. (a) Tier 1+2 rollout:For each step S in rollout, upper and lower boundson H M (cid:48) ,V ( S ) − H M (cid:48) ,V ( ∅ ) . (b) Tier 1+2+CP rollout: H M (cid:48) ,CP ( S ) − H M (cid:48) ,C ( ∅ ) for each step in the rollout. (c)Tier 2 rollout: H M (cid:48) ,D ( S ) − H M (cid:48) ,D ( ∅ ) for each step inthe T2 rollout. A v e r age F r a c t i on o f S ou r c e s . . . AS AS AS AS AS AS AS AS AS AS AS AS AS AS AS AS AS G oog l e L i m e li gh t A k a m a i M i c r o s o ft Y ahoo Lea s e w eb E dge c a s t A m a z on F a c eboo k N e tf li x QQ T w i tt e r P ando r a W i k i ped i a A pp l e H u l u B a i du Sources with Secure Routes in Normal ConditionsImmune Sources with Secure RoutesDowngraded Sources
Figure 21: Plot for Section 5, IXP-augmentedgraph. What happens to secure routes to each CPdestination during attack. S is the Tier 1s, the CPs,and all their stubs and security is rd . . . . . . Destinations Sueqence in S C hange i n t he M e t r i c H _ M ' V ( S ) llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll l Security 1stSecurity 2ndSecurity 3rd (a) . . . . Destinations Sueqence in S C hange i n t he M e t r i c H _ M ' V ( S ) lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll l Security 1stSecurity 2ndSecurity 3rd (b) . . . . . . Destinations Sueqence in S C hange i n t he M e t r i c H _ M ' V ( S ) llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll l Security 1stSecurity 2ndSecurity 3rd (c)
Figure 22: Plot2 for Section 5, IXP-augmentedgraph. Non-decreasing sequence of H M (cid:48) ,d ( S ) − H M (cid:48) ,d ( ∅ ) ∀ d ∈ S . (a) S is all T1s, T2s, and theirstubs. (b) S is all T2s and their stubs. (c) S is allnon stubs. .3 Plots for Section 6. a v e r age f r a c t i on o f s ou r c e s . . . . . . m e t r i cc hange s e c u r e r ou t e s unde r no r m a l c ond i t i on s s e c u r e r ou t e s a ft e r a tt a ck collateral damagescollateral benefitssecure routes given to unhappy nodessecure routes given to happy nodesdowngrades a v e r age f r a c t i on o f s ou r c e s . . . . . . . m e t r i cc hange s e c u r e r ou t e s unde r no r m a l c ond i t i on s collateral damagescollateral benefitssecure routes given to unhappy nodessecure routes given to happy nodesdowngrades Figure 23: Plots for Section 6, IXP-augmentedgraph. Changes in the metric explained. Sec rd (top) and Sec st (bottom). K. SENSITIVITY TO ROUTING POLICY
Thus far, all our analysis has worked within the model oflocal preference ( LP ) presented in Section 2.2.1. While thesurvey of [18] found that 80% of network operators do prefercustomer routes over peer and provider routes, there aresome exceptions to this rule. Therefore, in this Appendix weinvestigate alternate models of local preference, and considerhow they impact the results we presented in Section 4; we arecurrently in the process of extending this sensitivity analysisto the results in Section 5-6. K.1 An alternate model of local preference.
All our results thus far have used the following model oflocal preference:
Local pref (LP):
Prefer customer routes over peer routes.Prefer peer routes over provider routes.However, [18] also found some instances where ASes, es-pecially content providers, prefer shorter peer routes overlonger customer routes. For this reason, we now investigatethe following model of local preference:
Local pref (LPk):
Paths are ranked as follows: • Customer routes of length 1. • Peer routes of length 1. • ... • Customer routes of length k . • Peer routes of length k . • Customer paths of length > k . • Peer paths of length > k . • Provider paths.Following the LP k step, we have the SP and TB steps asin Section 2.2.1. As before, the security 1 st model ranks SecP above LP k, the security 2 nd model ranks SecP be-tween LP k and SP , and the security 3 rd model ranks SecP between SP and TB . Remark.
We will study this policy variant for variousvalues of k ; note that letting k → ∞ is equivalent a rout-ing policy where ASes equally prefer customer and providerroutes, as follows: • Prefer peer and customer routes over provider routes. • Prefer shorter routes over longer routes. • Break ties in favor of customer routes. • Use intradomain criteria ( e.g., geographic location, de-vice ID) to break ties among remaining routes.
K.2 Results with LP We start with an analysis of the LP LP k variants.Here, a peer route of length less than or equal to 2 hops ispreferred over a longer customer route. Partitions.
In Figure 24 we show the partitions forthe LP cf., Figure 3 and Section 4.4). Thethick solid horizontal line shows the fraction of happy sourceASes in the baseline scenario (where no AS is secure). Asin Section 4.4, we find that with security 3 rd only limitedimproved improvements in the metric H V,V ( S ) are possible,relative to the baseline scenario H V,V ( ∅ ); 82 −
71 = 11%for the UCLA AS graph, and 88 −
72 = 13% for the IXPaugmented graph, both of which are slightly less than whatwe saw for our original LP model. In the security 2 nd model,we again see better improvements than security 3 rd , but ec 1st Sec 2nd Sec 3rd A v e r age F r a c t i on o f S ou r c e s . . . DoomedProtectableImmune (a)
Sec 1st Sec 2nd Sec 3rd A v e r age F r a c t i on o f S ou r c e s . . . DoomedProtectableImmune (b)
Figure 24: Partitions for the LP2 policy variant, (a)UCLA graph (b) IXP-augmented graph. not quite as much as we saw with our original LP model;92 −
71 = 21% for the UCLA AS graph, and 94 −
72 = 22%for the IXP augmented graph. Interestingly, however, wedo see one difference between the UCLA AS graph and theIXP augmented graph in this model; namely, we see moreimmune ASes when security is 2 nd for the IXP augmentedgraph (41% vs. 55%). We discuss the observation in moredetail shortly. Partitions by destination tier.
In Figure 25 we showthe partitions broken down by destination tier (see Table 1)when security is 2 nd and 3 rd for the LP cf., Fig-ure 4, Figure 5 and Section 4.5). The thick solid horizontalline shows the fraction of happy source ASes in the baselinescenario (where no AS is secure) for each destination tier.While in Section 4.5 we found that most destination tiershave roughly the same number of protectable ASes here wesee slightly different trends. Most of the protectable nodes are at stub and SMDG(low-degree non-stub ASes) destinations. The higher-degreeAS destinations, i.e.,
Tier 2s, Tier 2s, and CPs, have veryfew protectable ASes but many more immune ASes as com-pared to the results we obtained for our original LP modelin Figure 4. This is even more apparent for the IXP aug-mented graph in the LP not require pro-tection from S*BGP in the LP s that has a long ( > ≤ d . In LP s willchose the short peer route, so an attacker m that wishes toattract traffic from s must be exactly one hop away from s (so that he can announce the bogus two-hop path “ m, d ”directly to s , that s will prefer if m is his customer, or if m is a peer that is preferred according to his tiebreak rule).When m is not one hop away from s , s is immune. Since m is unlikely to be exactly one-hop away from every source ASthat prefers a short peer route in LP LP STUB STUB−X SMDG SMCP CP T3 T2 T1 A v e r age F r a c t i on o f S ou r c e s . . . . . . DoomedProtectableImmune (a)
STUB STUB−X SMDG SMCP CP T3 T2 T1 A v e r age F r a c t i on o f S ou r c e s . . . . . . DoomedProtectableImmune (b)
STUB STUB−X SMDG SMCP CP T3 T2 T1 A v e r age F r a c t i on o f S ou r c e s . . . . . . DoomedProtectableImmune (c)
STUB STUB−X SMDG SMCP CP T3 T2 T1 A v e r age F r a c t i on o f S ou r c e s . . . . . . DoomedProtectableImmune (d)
Figure 25: Partitions by destination tier for theLP2 policy variant. (a) UCLA graph, security rd .(b) IXP-augmented graph, security rd . (c) UCLAgraph, security nd . (d) IXP-augmented graph, se-curity nd . it contains more peering edges, and therefore more shortpeering routes. While in Section 4.6 we found that most ASes that wishto reach Tier 1 destinations are doomed, this is no longerthe case in the LP rd .What is the reason for this? Consider the security 2 nd model. Many of the protocol downgrades we saw with theoriginal LP model resulted from a source AS s preferring(possibly-long) bogus customer path to the attacker m , over(possibly-short) peer or provider routes to the legitimatedestination ( e.g., Figure 2). However, in the LP s will only prefer a bogus customer path only if s has no shorter ( ≤ peer or customer route to thelegitimate destinations; when s has such route, we consider s to be immune ( cf., Section 4.3.1). For example, whileS 174 in Figure 2 was doomed in our original LP modelwhen security is 2 nd , with the LP nd AS 147 is now immune, because it has a one-hop peer routeto the legitimate Tier 1 destination!Our results indicate that this situation is common. Com-paring Figure 25 with Figure 4-5, suggests that during at-tacks on Tier 1, 2, and CP destinations, there are many ASesthat have short ( ≤ d , and are therefore choosing those routes insteadof long bogus customer routes to the attacker m . Moreover,in the IXP-augmented graph, that are many more ( ≈ X )peering edges than in the UCLA graph, which accounts forthe increased number of immune nodes we saw for the secu-rity 2 nd model in Figure 24.While this is good news for the Tier 1s, we point out thatin the LP i.e., >>