Understanding Opera.onal Rou.ng (part II) Geoffrey Xie Naval Postgraduate School

Transcription

1 Understanding Opera.onal Rou.ng (part II) Geoffrey Xie Naval Postgraduate School July 6, 2011

2 Route Aggrega.on Child Route Unallocated Child Prefix: e.g., / Aggregate Route / / /24 Des.na.on Next hop / / / RA Des.na.on Next hop / Route Aggrega.on reduces size of rou.ng tables and contains propaga.on of route flaps 2

3 Challenges for Understanding RA White box ISPs do not disclose details of incidents nor configura.ons Difficult to assess prevalence of anomalies and to what extent RA contributes to them Black box Can expose anomalies but difficult to iden.fy root causes Studies discovered loops, and conjectured RA to be responsible for them 3

4 Proposed Approach Study RA behavior as implemented in today s routers No precise specifica.on of RA behaviors Many ques.ons le^ unanswered Propose a model to analyze and reason about RA, iden.fy rou.ng abnormali.es that can be root caused to route aggrega.on, and design and prove more formal and comprehensive RA guidelines to ensure safe rou.ng 4

5 Main Results on RA A set of experiments to characterize RA behaviors Behaviors vary significantly across protocols and vendors A canonical router model with two new router primi.ves New model captures diversity of RA behaviors A comprehensive analysis of RA Expose four new types of rou.ng anomaly (e.g., route loss) Iden.fy the root causes for each anomaly Explain shortcoming of current vendor guidelines Present sufficient condi.ons for the RA to guarantee rou.ng safety A clean slate proposal for RA 5

6 Part 2 Outline Background Experiments Model Anomalies & Root Causes Analysis of Exis.ng Solu.ons New Safety Condi.ons Clean Slate Approach 6

7 Persistent Forwarding Loop Internet Service Provider Des.na.on Next hop / / / Enterprise Network /16 Des.na.on Next hop / / /

8 Persistent Forwarding Loop ISP Des.na.on Next hop / / / Enterprise Network /16 Des.na.on Next hop / / /

9 Blackhole / / / /24 9

10 Blackhole / / / /24 10

11 Blackhole / / / /24 11

12 Outline Background Experiments Model Anomalies & Root Causes Analysis of Exis.ng Solu.ons New Safety Condi.ons Clean Slate Approach 12

13 Experiment Setup Input Child routes Aggrega.on Router Output Aggregate route 13

14 RA Behaviors Cisco EIGRP Y Interface min() Y 5 RIP Y Interface min() N N/A OSPF N Area min(), max() Y 110 BGP Y AS Origin/ AS SET Juniper * N Crea.on per router; advmt per instance Y 200 Customizable Y

15 Outline Background Experiments Model Anomalies & Root Causes Analysis of Exis.ng Solu.ons New Safety Condi.ons Clean Slate Approach 15

16 Model Mo.va.on Ad hoc nature of current design & implementa.on Unified model to reason about RA and iden.fy root cause of anomalies Insight Diversity of behaviors can be captured by two primi.ves Outcomes depend on where those two primi.ves are applied (RIB, FIB, etc.) 16

17 RA Primi.ves add sink( ) Creates* sink route Assigns specific AD value * Sink route may not get installed in FIB adv aggr( ) Cisco only; handles adver.sement of aggregate routes Performed for each protocol instance and per rou.ng process Loca.on where the primi.ve examines for presence of child routes differs depending on implementa.on JUNOS implementa.ons rely on export policies to announce aggregate routes 17

18 Canonical Router Model (Cisco IOS) Local RIB EIGRP RIBin RIP RIBin Rou.ng Protocol Route Selec.on Alg. Router wide Route Selec.on Route Selec.on FIB RR RR add sink( ) EIGRP RIBout RIP RIBout adv aggr( ) adv aggr( ) adv aggr( ) 18

19 Canonical Router Model (Juniper JUNOS) Local RIB BGP RIBin RIP RIBin Rou.ng Protocol Route Selec.on Alg. Router wide Route Selec.on Route Selec.on RR RR add sink() BGP RIBout RIP RIBout Model allows us to infer whether a route is installed in FIB and how it may be adver.sed by a router FIB 19

20 Unexpected Route Loss r 1 : /24 r 2 : /16 I 1 I 2 r 3 : /16 I 3 r 4 : /8 I 4 r 1 r 2 Local RIB EIGRP RIBin Rou.ng Protocol Route Selec.on Alg. Route Selec.on FIB {r 3, r 4 } RR add sink( ) {r 1, r 2 }, {r 3, r 4 } EIGRP RIBout adv aggr( ) adv aggr( ) adv aggr( ) I 2 I 3 I 4 Des.na.on route (AD) /24 r1 (90) /16 r2 (90) r3 (5) /8 r4 (5)

21 Unexpected Route Loss r 1 : /24 r 2 : /16 I 1 I 2 r 3 : /16 I 3 r 4 : /8 I 4 r 1 r 2 Local RIB EIGRP RIBin Rou.ng Protocol Route Selec.on Alg. Route Selec.on FIB {r 3, r 4 } RR Add sink() {r 1, {r r 3, 1, r 24 }, {r 3, r 4 } {r 1, r 3, r 4 } EIGRP RIBout {r 1, r 3, r 4 } {r 1, r 3, r 4 } Adv aggr() Adv aggr() Adv aggr() I 2 I 3 I 4 r 3 r 4 r 1 No RA on I 4 Two routes r 1 and r 2 received to different prefixes One would expect both routes to be adver.sed on I 4 Des.na.on route (AD) /24 r1 (90) /16 r2 (90) r3 (5) /8 r4 (5)

22 Outline Background Experiments Model Anomalies & Root Causes Analysis of Exis.ng Solu.ons New Safety Condi.ons Clean Slate Approach 22

23 Anomalies In depth analysis based on model 1. Iden.fy root causes of known anomalies 2. Disclose four new anomalies Key findings 1. Sink route crea.on does not guarantee installa.on in FIB 2. Sink routes do not mean anomaly free rou.ng (e.g., route loss) 23

24 Root Causes of Known Anomalies Strict Monotonicity : A route s preference should strictly decrease when propagated Forwarding loops for unallocated child prefixes: Lack of sink routes Router adver.ses aggregate routes with holes Propaga.on of non existent routes, which should be least preferred Viola.on of SM Blackholes for some child prefixes: Interac.ons between mul.ple routers More difficult to iden.fy 24

25 New Anomalies Previously known: Forwarding loops (unallocated prefixes) Blackholes New discoveries: Route Loss Forwarding loops (allocated prefixes) Route Oscilla.ons Perpetual Count to Infinity 25

26 Perpetual Count to Infinity Core Network C 10.2/16, m: /24 D B A 10.2/16, m: /24 Access Network Des.na.on Next hop (AD) /24 A (110) Access Network /16 A (130) D (110) Adver.sement cycle con.nues un.l metric reaches max value; route is discarded, sink route is installed again, Perpetual count to infinity 26

27 Outline Background Experiments Model Anomalies & Root Causes Analysis of Exis.ng Solu.ons New Safety Condi.ons Clean Slate Approach 27

28 Inadequacy of Vendor Guidelines Installa.on of sink routes Topology specific guidelines 28

29 Vendor Guidelines: Sink Routes A router that generates an aggregate route for mul6ple, more specific routes must discard packets that match the aggregate route, but not any of the more specific routes. In other words, the next hop for the aggregate route should be the null des6na6on. This is necessary to prevent forwarding loops when some addresses covered by the aggregate are not reachable. Correctness criterion, but how to meet it? Crea.on of sink route does not guarantee installa.on in FIB Also, Installa.on of sink route in FIB can create blackholes 29

30 Vendor Guidelines: Topology Specific Approach 1 Add links Approach 2 Only choke point can act as aggrega.on router / / / /24 30

31 Difficulty of Anomaly Detec.on Theorem: The problem of determining whether the collec6on of route aggrega6on configura6ons in a network is vulnerable to persistent forwarding loops is NP hard. 31

32 Outline Background Experiments Model Anomalies & Root Causes Analysis of Exis.ng Solu.ons New Safety Condi.ons Clean Slate Approach 32

33 New Safety Condi.ons Desired Proper.es 1. Convergence 2. Loop free packet forwarding paths 3. No blackholes 4. No unexpected route losses Challenges network wide coordina.on stringent requirement on router 33

34 Sufficient Condi.ons 1. Convergence and loop free paths For an aggregate prefix, a sink route is added and always possesses the lowest unique AD value 2. Blackhole Preven.on A router adver6ses an aggregate route only if a set of routes that fully covers the address space of the aggregate route is present in the FIB 3. Preven.on of Route Loss add sink() and adv aggr() should not create a new route in the presence of another route in the router FIB adver6sing the same prefix as the aggregate. 34

35 Outline Background Experiments Model Anomalies & Root Causes Analysis of Exis.ng Solu.ons New Safety Condi.ons Clean Slate Approach 35

36 Mo.va.on RA reduces FIB sizes, by relying on the hierarchical IP addressing allowing routers to treat mul.ple des.na.on networks collec.vely as a single logical des.na.on 36

37 Seman.cs of Route A route implies all des6na6ons included in the adver6sed prefix to be reachable Route aggrega.on violates this assump.on Forwarding loops, blackholes, etc. 37

38 Proposed Solu.on Novel concept of nega6ve route It allows a router to indicate subsets of prefixes for which it does not have a route Difference from exis.ng invalid routes: a router removes an invalid route if it is present in Nega.ve routes are stored in RIB and FIB. the rou.ng table It eliminates all anomalies due to unreachable sub prefixes in aggregate route. 38

39 RA Conclusions RA is essen.al for Internet rou.ng scalability Current design is prone to anomalies Forwarding loops, perpetual count to infinity, unexpected route loss, blackholes, etc. We proposed the first analy.cal model to reason about RA Needs more asen.on from community 39

40 A Final Remark guide guide 40

41 More details of the RA analysis are in 1. [TR 11] Franck Le, Geoffrey G. Xie, and Hui Zhang, Understanding route aggrega.on. Technical Report, Carnegie Mellon University, CMU CS ,2010. Revised June

42 Related Work [XGF 07] J. Xia, L. Gao, and T. Fei. A Measurement Study of Persistent Forwarding Loops on the Internet. Computer Networks, [WSR 05] R. White, D. Slice, and A. Retana. Op6mal Rou6ng Design. Cisco Press, [KMJKWA 08] E. Katz Basses, H. V. Madhyastha, J. P. John, A. Krishnamurthy, D. Wetherall, and T. Anderson. Studying Black Holes in the Internet with Hubble. In Proc. USENIX NSDI Conference, [BFCW 09] H. Ballani, P. Francis, T. Cao, and J. Wang. Making Routers Last Longer with ViAggre. In Proc. USNIX NSDI Conference,

43 43

44 add sink() primi.ve 44

45 adv aggr() primi.ve 45