Abstract
Protocol and system designers use verification techniques to analyze a system's correctness properties. Network operators need verification techniques to ensure the "correct" operation of BGP. BGP's distributed dependencies cause small configuration mistakes or oversights to spur complex errors, which sometimes have devastating effects on global connectivity. These errors are often difficult to debug because they are sometimes only exposed by a specific message arrival pattern or failure scenario.This paper presents an approach to BGP verification that is primarily based on static analysis of router configuration. We argue that: (1) because BGP's a configuration affects its fundamental behavior, verification is a program analysis problem, (2) BGP's complex, dynamic interactions are difficult to abstract and impossible to enumerate, which precludes existing verification techniques, (3) because of BGP's flexible, policy-based configuration, some aspects of BGP configuration must be checked against a higher-level specification of intended policy, and (4) although static analysis can catch many configuration errors, simulation and emulation are also necessary to determine the precise scenarios that could expose errors at runtime. Based on these observations, we propose the design of a BGP verification tool, discuss how it could be applied in practice, and describe future research challenges.
- BICKNELL, L. Re: transit across the ixs. http://www.merit. edu/mail.archives/nanog/1999--02/msg00192.html, February 1999.Google Scholar
- BUSH, R. It's 1918 in Bologna. http://www. merit. edu/mail.archives/nanog/msg11169.html, July 2003.Google Scholar
- BUSH R., ET AL. Watching your router configurations and detecting those exciting little changes. http://www.nanog.org/mtg-0310/rancid.html, October 2003. Panel at NANOG 29.Google Scholar
- FARROW, R. Routing instability on the Internet. Network Magazine (March 4, 2002). http://www.networkmagazine.com/article/NMG20020304S0007/2.Google Scholar
- FEAMSTER, N., AND BALAKRISHNAN, H. A systematic approach to BGP configuration checking. http://www.nanog.org/mtg-0310/feamster.html, October 2003. NANOG 29.Google Scholar
- FEAMSTER, N., AND BALAKRISHNAN, H. Towards a logic for wide-area Internet routing. In ACM SIGCOMM Workshop on Future Directions in Network Architecture (Karlsruhe, Germany, Aug. 2003). Google ScholarDigital Library
- FEAMSTER, N., BORKENHAGEN, J., AND REXFORD, J. Techniques for interdomain traffic engineering. Computer Communications Review 33, 5 (October 2003). Google ScholarDigital Library
- FEAMSTER, N., WINICK, J., AND REXFORD, J. A model of BGP routing for network engineering. In submission, Nov. 2003.Google Scholar
- Goldwire Formulator, 2003. http://www.goldwiretech. com/products/formulator.cfm.Google Scholar
- GOTTLIEB, J., GREENBERG. A., REXFORD, J., AND WANG, J. Automated Provisioning of BGP Customers. IEEE Network (2003).Google Scholar
- GOVINDAN, R., ALAETTINOGLU, C., VARADHAN, K., AND ESTRIN, D. Route servers for inter-domain routing. Networks and ISDN Systems 30 (1998), 1157--1174. Google ScholarDigital Library
- GRIFFIN, T., AND WILFONG, G. Analysis of the MED oscillation problem in BGP. In Proc. ICNP (Paris, France, November 2002). Google ScholarDigital Library
- GRIFFIN, T., AND WILFONG, G. On the corrections of IBGP configuration. In Proc. ACM SIGCOMM (Pittsburgh, PA, August 2002). Google ScholarDigital Library
- GRIFFIN, T. G. SHEPHERD, F. B., AND WILFONG, G. The stable paths problem and interdomain routing. IEEE Transactions on Networking 10, 1 (2002), 232--243. Google ScholarDigital Library
- MAHAJAN, R., WETHERALL. D., AND ANDERSON, T. Understanding BGP misconfiguration. In Proc. ACM SIGCOMM (Aug. 2002), pp. 3--17. Google ScholarDigital Library
- McPHERSON, D., GILL, V., WALTON, D., AND RETANA, A. Border Gateway Protocol (BGP) Persistent Route Oscillation Condition. Internet Engineering Task Force, August 2002. RFC 3345. Google ScholarDigital Library
- PAYNE, J. Filtering Customer BGP Sessions, http://www.merit.edu/mail.archives/nanog/msg11184.html, July 2003.Google Scholar
- REKHTER, Y., AND LI, T. A Border Gateway Protocol 4 (BGP-4). Internet Engineering Task Force, 1995. RFC 1771. Google ScholarDigital Library
- REXFORD, J. State of the art in router configuration. http://www.merit.edu/mail.archives/nanog/2002-01/msg00265.html, January 2002.Google Scholar
Index Terms
- Practical verification techniques for wide-area routing
Recommendations
Automated verification of practical garbage collectors
POPL '09: Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languagesGarbage collectors are notoriously hard to verify, due to their low-level interaction with the underlying system and the general difficulty in reasoning about reachability in graphs. Several papers have presented verified collectors, but either the ...
Modeling the optimized link-state routing protocol for verification
TMS/DEVS '12: Proceedings of the 2012 Symposium on Theory of Modeling and Simulation - DEVS Integrative M&S SymposiumThe exhaustive property verification of mobile ad hoc routing protocols has proven difficult, especially for proactive protocols. Several attempts to produce tractable models have failed. This article presents the application of formal methods to verify ...
An abstraction refinement approach combining precise and approximated techniques for efficient program verification: abstract for the invited talk
SAVCBS '09: Proceedings of the 8th international workshop on Specification and verification of component-based systemsPredicate abstraction is a powerful technique to reduce the state space of a program to a finite and affordable number of states. It produces a conservative over-approximation where concrete states are grouped together according to the predicates. Given ...
Comments