Daniel Massey

Observation and analysis of BGP behavior under stress

Despite BGPs critical importance as the de-facto Internet inter-domain routing protocol, there is little understanding of how BGP actually performs under stressful conditions when dependable routing is most needed. In this paper, we examine BGPs behavior during one stressful period, the Code Red/Nimda attack on September 18, 2001. The attack was correlated with a 30-fold increase in the BGP update messages at a monitoring point which peers with a number of Internet service providers. Our examination of BGPs behavior during the event concludes that BGP exhibited no significant abnormality, and that over 40% of the observed updates can be attributed to the monitoring artifact in current BGP measurement settings. Our analysis, however, does reveal several weak points in both the protocol and its implementation, such as BGPs sensitivity to the transport session reliability, its inability to avoid the global propagation of small local changes, and its certain implementation features whose otherwise benign effects only get amplified under stressful conditions. We also identify areas for improvement in the current network measurement and monitoring effort.

An analysis of BGP multiple origin AS (MOAS) conflicts

This paper presents a detailed study of BGP Multiple Origin AS (MOAS) conflicts observed in the Internet. A MOAS conflict occurs when a particular prefix appears to originate from more than one AS. We analyzed data from archived BGP routing tables over 1279 days. Most of the conflicts were short-lived, lasting only a small number of days. The potential causes for the MOAS conflicts and impact on BGP fault-tolerance are discussed in detail.

Improving BGP convergence through consistency assertions

This paper presents a new mechanism for improving the convergence properties of path vector routing algorithms, such as BGP. Using a routes path information, we develop two consistency assertions for path vector routing algorithms that are used to compare similar routes and identify infeasible routes. To apply these assertions in BGP, mechanisms to signal failure/policy withdrawal, and traffic engineering are provided. Our approach was implemented and deployed in a BGP testbed and evaluated using simulation. By identifying and ignoring the infeasible routes, we achieved substantial reduction in both BGP convergence time and the total number of intermediate route changes.

Detection of invalid routing announcement in the Internet

Network measurement has shown that a specific IP address prefix may be announced by more than one autonomous system (AS), a phenomenon commonly referred to as Multiple Origin AS, or MOAS. MOAS can be due to either operational need to support multi-homing, or false route announcements due to configuration or implementation errors, or even by intentional attacks. Packets following such bogus routes will be either dropped or in the case of an intentional attack, delivered to a machine of the attackers choosing. The paper presents a protocol enhancement to BGP which enables BGP to detect bogus route announcements from false origins. Rather than imposing cryptography-based authentication and encryption to secure routing message exchanges, our solution makes use of the rich connectivity among ASs that exists in the Internet. Simulation results show that this simple solution can effectively detect false routing announcements even in the presence of multiple compromised routers, become more robust in larger topologies, and can substantially reduce the impact of false routing announcements even with a partial deployment.

A Comparative Study of the DNS Design with DHT-Based Alternatives

The current Domain Name System (DNS) follows a hierarchical tree structure. Several recent efforts proposed to re-implement DNS as a peer-to-peer network with a flat structure that uses Distributed Hash Tables (DHT) to improve the system availability. In this paper we compare the performance and availability of these two designs, enabled by caching and redundancy in both cases. We show that the caching and redundancy mechanisms in each design are closely bound to its system structure. We further demonstrate that each of the two system structures provides unique advantages over the other, while each has its own shortcomings. Using analysis and tracedriven simulations, we show that hierarchical structure enables high performance caching and that DHT structures provide high degree of robustness against targeted attacks. We further show that the current DNS design offers engineering flexibilities which have been utilized to optimize system performance under typical Internet failures and traffic loads, and which can be further extended to overcome DNS weaknesses against the aforementioned attacks.

On Detection of Anomalous Routing Dynamics in BGP

BGP, the de facto inter-domain routing protocol, is the core component of current Internet infrastructure. BGP traffic deserves thorough exploration, since abnormal BGP routing dynamics could impair global Internet connectivity and stability. In this paper, two methods, signature-based detection and statistics-based detection, are designed and implemented to detect BGP anomalous routing dynamics in BGP UPDATEs. Signature-based detection utilizes a set of fixed patterns to search and identify routing anomalies. For the statistics-based detection, we devise five measures to model BGP UPDATEs traffic. In the training phase, the detector is trained to learn the expected behaviors of BGP from the historical long-term BGP UPDATEs dataset. It then examines the test dataset to detect “anomalies” in the testing phase. An anomaly is flagged when the tested behavior significantly differs from the expected behaviors. We have applied these two approaches to examine the BGP data collected by RIPE-NCC servers for a number of IP prefixes. Through manual analysis, we specify possible causes of some detected anomalies. Finally, comparing the two approaches, we highlight the advantages and limitations of each. While our evaluation is still preliminary, we have demonstrated that, by combining both signature-based and statistics-based anomaly detection approaches, our system can effectively and accurately identify certain BGP events that are worthy of further investigation.

Quantifying the operational status of the DNSSEC deployment

This paper examines the deployment of the DNS Security Extensions (DNSSEC), which adds cryptographic protection to DNS, one of the core components in the Internet infrastructure. We analyze the data collected from the initial DNSSEC deployment which started over 2 years ago, and identify three critical metrics to gauge the deployment: availability, verifiability, and validity. Our results provide the first comprehensive look at DNSSECs deployment and reveal a number of challenges that were not anticipated in the design but have become evident in the deployment. First, obstacles such as middle-boxes (firewalls, NATs, etc.) that exist in todays Internet infrastructure have proven to be problematic and have resulted in unforeseen availability problems. Second, the public-key delegation system of DNSSEC has not evolved as it was hoped and it currently leaves over 97% of DNSSEC zones isolated and unverifiable, unless some external key authentication mechanism is added. Furthermore, our results show that cryptographic verification is not equivalent to validation; a piece of verified data can still contain the wrong value. Finally, our results demonstrate the essential role of monitoring and measurement in the DNSSEC deployment. We believe that the observations and lessons from the DNSSEC deployment can provide insights into measuring future Internet-scale cryptographic systems.

Routing policies in named data networking

Modern inter-domain routing with BGP is based on policies rather than finding shortest paths. Network operators devise and implement policies affecting route selection and export independently of others. These policies are realized by tuning a variety of parameters, or knobs, present in BGP. Similarly, NDN, a information-centric future Internet architecture, will utilize a policy-based routing protocol such as BGP. However, NDN allows a finer granularity of policies (content names rather than hosts) and more traffic engineering opportunities. This work explores what routing policies could look like in an NDN Internet. We describe the knobs available to network operators and their possible settings. Furthermore, we explore the economic incentives present in an NDN Internet and reason how they might drive operators to set their policies.

Identifying BGP routing table transfers

BGP routing updates collected by monitoring projects such as RouteViews and RIPE have been a vital source to our understanding of the global routing system. The updates logged by these monitoring projects are generated either by individual route changes, or are part of BGP table transfer. In particular, a session reset between a monitoring station and its BGP peers can result in the peer sending its entire BGP routing table to the monitoring station. In this paper, we present a Minimum Collection Time (MCT) algorithm that accurately identify the start and duration of routing table transfers. Using three months of data from 14 different peers, MCT can identify routing table transfers triggered by BGP session resets with 100% accuracy, and can pinpoint the exact starting time of table transfers in 90% of the cases.

Analysis of BGP Update Surge during Slammer Worm Attack

Although the Internet routing infrastructure was not a direct target of the January 2003 Slammer worm attack, the worm attack coincided in time with a large, globally observed increase in the number of BGP routing update messages. Our analysis shows that the current global routing protocol BGP allows local connectivity dynamics to propagate globally. As a result, any small number of edge networks can potentially cause wide-scale routing overload. For example, two small edges ASes, which announced less than 0.25% of BGP routing table entries, contributed over 6% of total update messages observed at monitoring points during the worm attack. Although BGP route flap damping has been proposed to eliminate such undesirable global consequences of edge instability, our analysis shows that damping has not been fully deployed even within the Internet core. Our simulation further reveals that partial deployment of BGP damping not only has limited effect, but may also worsen the routing performance under certain topological conditions. The results show that it remains a research challenge to design a routing protocol that can prevent local dynamics from triggering global messages in order to scale well in a large, dynamic environment.