Verifying the Correctness of Wide-Area Internet Routing

Several studies have shown that wide-area Internet routing is fragile, with failures occurring for a variety of reasons. Routing fragility is largely due to the flexible and powerful ways in which BGP can be configured to perform various tasks, which range from implementing the policies of commercial relationships to configuring backup paths. Configuring routers in an AS is like writing a distributed program, and BGP’s flexible configuration and today’s relatively low-level configuration languages make the process error-prone. The primary method used by operators to determine whether their complex configurations are correct is to try them out in operation. We believe that there is a need for a systematic approach to verifying router configurations before they are deployed. This paper develops a static analysis framework for configuration checking, and uses it in the design of rcc, a “router configuration checker”. rcc takes as input a set of router configurations and flags anomalies and errors, based on a set of well-defined correctness conditions. We have used rcc to check BGP configurations from 9 operational networks, testing nearly 700 real-world router configurations in the process. Every network we analyzed had configuration errors, some of which were potentially serious and had previously gone unnoticed. Our analysis framework and results also suggest ways in which BGP and configuration languages should be improved. rcc has also been downloaded by 30 network operators to date.

[1]  Jennifer Rexford,et al.  Stable internet routing without global coordination , 2001, TNET.

[2]  Timothy G. Griffin,et al.  An experimental analysis of BGP convergence time , 2001, Proceedings Ninth International Conference on Network Protocols. ICNP 2001.

[3]  Lixin Gao,et al.  Stable Internet routing without global coordination , 2000, SIGMETRICS '00.

[4]  Nick Feamster,et al.  Practical verification techniques for wide-area routing , 2004, Comput. Commun. Rev..

[5]  Jennifer Rexford,et al.  Inherently safe backup routing with BGP , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[6]  Simon L. Peyton Jones,et al.  Imperative functional programming , 1993, POPL '93.

[7]  Deborah Estrin,et al.  Persistent route oscillations in inter-domain routing , 2000, Comput. Networks.

[8]  Nick Feamster,et al.  A systematic approach to BGP configuration checking , 2003 .

[9]  Enke Chen,et al.  BGP Route Reflection - An Alternative to Full Mesh IBGP , 2000, RFC.

[10]  Patrice Godefroid,et al.  Model checking for programming languages using VeriSoft , 1997, POPL '97.

[11]  Abhijit Bose,et al.  Delayed Internet routing convergence , 2000, SIGCOMM.

[12]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[13]  Gordon T. Wilfong,et al.  The stable paths problem and interdomain routing , 2002, TNET.

[14]  Nick Feamster,et al.  Towards a logic for wide-area Internet routing , 2003, FDNA '03.

[15]  W. Norton,et al.  Internet Service Providers and Peering , 2001 .

[16]  Ratul Mahajan,et al.  Colt ? ? ? ? ? ? ◦ DTAG ? ◦ • ◦ ? ? ? ? ! ◦ ? ? ? ◦ ◦ ? ? Eqip ? ? ? ? ? ? , 2003 .

[17]  Timothy G. Griffin,et al.  On the correctness of IBGP configuration , 2002, SIGCOMM.

[18]  Rohit Dube,et al.  A comparison of scaling techniques for BGP , 1999, CCRV.

[19]  Ratul Mahajan,et al.  Understanding BGP misconfiguration , 2002, SIGCOMM 2002.

[20]  Nick Feamster,et al.  A model of BGP routing for network engineering , 2004, SIGMETRICS '04/Performance '04.

[21]  Dawson R. Engler,et al.  Some Lessons from Using Static Analysis and Software Model Checking for Bug Finding , 2003, SoftMC@CAV.

[22]  Ravishanker Chandra,et al.  BGP Communities Attribute , 1996, RFC.

[23]  Ping Pan,et al.  Internet Engineering Task Force , 1995 .

[24]  Yakov Rekhter,et al.  A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.

[25]  Volker Roth,et al.  Listen and whisper: security mechanisms for BGP , 2004 .

[26]  Vijay Ramachandran,et al.  Design principles of policy languages for path vector protocols , 2003, SIGCOMM '03.

[27]  Ratul Mahajan,et al.  Understanding BGP misconfiguration , 2002, SIGCOMM '02.

[28]  Dawson R. Engler,et al.  A framework for model checking network protocols , 2004 .

[29]  Gordon T. Wilfong,et al.  On the correctness of IBGP configuration , 2002, SIGCOMM.

[30]  George Varghese,et al.  Route flap damping exacerbates internet routing convergence , 2002, SIGCOMM '02.

[31]  Lixin Gao On inferring autonomous system relationships in the internet , 2001, TNET.

[32]  Susan Hares,et al.  A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.

[33]  Carl A. Gunter,et al.  Formal verification of standards for distance vector routing protocols , 2002, JACM.

[34]  Gordon T. Wilfong,et al.  An analysis of BGP convergence properties , 1999, SIGCOMM '99.

[35]  Albert G. Greenberg,et al.  The cutting EDGE of IP router configuration , 2004, Comput. Commun. Rev..

[36]  Stephen T. Kent,et al.  Secure Border Gateway Protocol (S-BGP) - Real World Performance and Deployment Issues , 2000, NDSS.

[37]  Ramesh Govindan,et al.  Route flap damping exacerbates internet routing convergence , 2002, SIGCOMM 2002.