Alexander J. T. Gurney

Lexicographic products in metarouting

Routing protocols often keep track of multiple route metrics, where some metrics are more important than others. Route selection is then based on lexicographic comparison: the most important attribute of each route is considered first, and if this does not give enough information to decide which route is better, the next attribute is considered; and so on. We investigate protocols that find globally optimal paths and protocols that find only locally optimal paths. In each case we characterize exactly when lexicographic products can be used to define well-behaved routing protocols. We apply our results to protocols that can partition a network into distinct administrative regions, such as OSPF areas and BGP autonomous systems. We show that in some cases this type of local autonomy is fully compatible with global optimality.

Increasing bisemigroups and algebraic routing

The Internet protocol used today for global routing -- the Border Gateway Protocol (BGP) -- evolved in a rather organic manner without a clear theoretical foundation. This has stimulated a great deal of recent theoretical work in the networking community aimed at modeling BGP-like routing protocols. This paper attempts to make this work more accessible to a wider community by reformulating it in a purely algebraic setting. This leads to structures we call increasing bisemigroups, which are essentially non-distributive semirings with an additional order constraint. Solutions to path problems in graphs annotated over increasing bisemigroups represent locally optimal Nash-like equilibrium points rather than globally optimal paths as is the case with semiring routing.

Impact of Path Characteristics and Scheduling Policies on MPTCP Performance

With increasing deployment of Multipath TCP (MPTCP) in multihoming and data enter scenarios, there is a need to understand how its performance is affected in practice-both by traditional factors such as RTT measurements, and by new multipath-specific considerations such as sub flow selection. We carried out an initial but comprehensive study using an actual MPTCP implementation in an emulated network environment, to explore the impact of different factors on MPTCP throughput. We find that path selection and packet scheduling have a large effect on performance, and that merely trusting the congestion control mechanism to do the right thing is not enough. Moreover, we provide evidence that throughput can be improved by slight modifications to the send buffers and path selection components of the implementation. Important challenges in network design remain, if only to ensure that multiple suitable paths exist in a network.

Having your cake and eating it too: routing security with privacy protections

Internet Service Providers typically do not reveal details of their interdomain routing policies due to security concerns, or for commercial or legal reasons. As a result, it is difficult to hold ISPs accountable for their contractual agreements. Existing solutions can check basic properties, e.g., whether route announcements correspond to valid routes, but they do not verify how these routes were chosen. In essence, todays Internet forces us to choose between per-AS privacy and verifiability. In this paper, we argue that making this difficult tradeoff is unnecessary. We propose private and verifiable routing (PVR), a technique that enables ISPs to check whether their neighbors are fulfilling their contractual promises to them, and to obtain evidence of any violations, without disclosing information that the routing protocol does not already reveal. As initial evidence that PVR is feasible, we sketch a PVR system that can verify some simple BGP policies. We conclude by highlighting several research challenges as future work.

FSR: formal analysis and implementation toolkit for safe inter-domain routing

We present the demonstration of a comprehensive toolkit for analyzing and implementing routing policies, ranging from high-level guidelines to specific router configurations. Our Formally Safe Routing (FSR) toolkit performs all of these functions from the same algebraic representation of routing policy. We show that routing algebra has a very natural translation to both integer constraints (to perform safety analysis using SMT solvers) and declarative programs (to generate distributed implementations). Our demonstration with realistic topologies and policies shows how FSR can detect problems in an ASs iBGP configuration, prove sufficient conditions for BGP safety, and empirically evaluate convergence time.We present the demonstration of a comprehensive toolkit for analyzing and implementing routing policies, ranging from high-level guidelines to specific router configurations. Our Formally Safe Routing (FSR) toolkit performs all of these functions from the same algebraic representation of routing policy. We show that routing algebra has a very natural translation to both integer constraints (to perform safety analysis using SMT solvers) and declarative programs (to generate distributed implementations). Our demonstration with realistic topologies and policies shows how FSR can detect problems in an ASs iBGP configuration, prove sufficient conditions for BGP safety, and empirically evaluate convergence time.

Neighbor-specific BGP: An algebraic exploration

There are several situations in which it would be advantageous to allow route preferences to be dependent on which neighbor is to receive the route. This idea could be realised in many possible ways and could interact differently with other elements of route choice, such as filtering: not all of these will have the property that a unique routing solution can always be found. We develop an algebraic model of route selection to aid in the analysis of neighbor-specific preferences in multipath routing. Using this model, we are able to identify a set of such routing schemes in which convergence is guaranteed.

Deconstructing MPTCP Performance

The paper seeks to broaden our understanding of MPTCP and focuses on the impact that initial sub-path selection can have on performance. Using empirical data, it demonstrates that which sub-path is chosen to start an MPTCP connection can have unintuitive consequences. Using numerical analysis and a model-driven investigation, the paper elucidates and validates the empirical results, and highlights MPTCPs non-linear coupling between paths as a primary cause for this behavior. The findings are both of operational interest and may help design better MPTCP schedulers, as they are also exposed to complex interactions with MPTCPs congestion control.

Reduction-based formal analysis of BGP instances

Todays Internet interdomain routing protocol, the Border Gateway Protocol (BGP), is increasingly complicated and fragile due to policy misconfigurations by individual autonomous systems (ASes). These misconfigurations are often difficult to manually diagnose beyond a small number of nodes due to the state explosion problem. To aid the diagnosis of potential anomalies, researchers have developed various formal models and analysis tools. However, these techniques do not scale well or do not cover the full set of anomalies. Current techniques use oversimplified BGP models that capture either anomalies within or across ASes, but not the interactions between the two. To address these limitations, we propose a novel approach that reduces network size prior to analysis, while preserving crucial BGP correctness properties. Using Maude, we have developed a toolkit that takes as input a network instance consisting of ASes and their policy configurations, and then performs formal analysis on the reduced instance for safety (protocol convergence). Our results show that our reductionbased analysis allows us to analyze significantly larger network instances at low reduction overhead.

Detecting unsafe BGP policies in a flexible world

Internet Service Providers (ISPs) need to balance multiple opposing objectives. On one hand, they strive to offer innovative services to obtain competitive advantages; on the other, they have to interconnect with potentially competing ISPs to achieve reachability, and coordinate with them for certain services. The complexity of balancing these objectives is reflected in the diversity of policies of the Border Gateway Protocol (BGP), the standard inter-domain routing protocol. Unforeseen interactions among the BGP policies of different ISPs can cause routing anomalies. In this work, we propose a methodology to allow ISPs to check their BGP policy configurations for guaranteed convergence to a single stable state. This requires that a set of ISPs share their configurations with each other, or with a trusted third party. Compared to previous approaches to BGP safety, we (1) allow ISPs to use a richer set of policies, (2) do not modify the BGP protocol itself, and (3) detect not only instability, but also multiple stable states. Our methodology is based on the extension of current theoretical frameworks to relax their constraints and use incomplete data. We believe that this provides a rigorous foundation for the design and implementation of safety checking tools.

Private and verifiable interdomain routing decisions

Existing secure interdomain routing protocols can verify validity properties about individual routes, such as whether they correspond to a real network path. It is often useful to verify more complex properties relating to the route decision procedure -- for example, whether the chosen route was the best one available, or whether it was consistent with the networks peering agreements. However, this is difficult to do without knowing a networks routing policy and full routing state, which are not normally disclosed. In this paper, we show how a network can allow its peers to verify a number of nontrivial properties of its interdomain routing decisions without revealing any additional information. If all the properties hold, the peers learn nothing beyond what the interdomain routing protocol already reveals; if a property does not hold, at least one peer can detect this and prove the violation. We present SPIDeR, a practical system that applies this approach to the Border Gateway Protocol, and we report results from an experimental evaluation to demonstrate that SPIDeR has a reasonable overhead.