Partial specification of routing configurations WRiPE, 17 October - - PowerPoint PPT Presentation

Partial specification

• f routing configurations

WRiPE, 17 October 2011, Vancouver

Alexander Gurney Limin Jia Anduo Wang Boon Thau Loo

Charlevoix map, 1744 (Image: U. South Carolina) (Image: NASA Goddard Space Flight Center)

full partial

Partial specification in routing

• We very often lack complete information

about the network configuration.

– What are our neighbors doing? – What are we doing? – How can I reason about parts of the network that are not configured yet?

• Our theoretical tools must take account of

this situation.

Convergence analysis workflow

Design a network configuration Does it pass the safety test? Great! yes no, try again

Test incomplete configurations

If the general idea is OK, then carry

• n to specify more details,

refining the design, checking at each stage, until the configuration is finished.

Our paper

• A modest extension to “stable paths

problem” analysis.

• Some path preferences are known, some are

unknown (undecided).

• The topology and protocol are fixed.

d A B C

The destination we are trying to reach

Bd ≺ BCAd ≺ BAd ABd ≺ ACBd ≺ Ad

Path preferences for A: ABd is best, Ad is worst

CAd ≺ CABd ≺ CBd

Some paths don’t appear in the list: they are not permitted (like CBAd here)

Stable paths problem instance

d A B C

The destination we are trying to reach

Bd ≺ BAd; {BCAd} ABd ≺ ACBd ≺ Ad

Path preferences for A: ABd is best, Ad is worst

CAd ≺ CABd ≺ CBd

Some paths don’t appear in the list: they are not permitted (like CBAd here)

Partial stable paths problem instance

Paths may be permitted but unranked, like BCAd

• here. We have not yet

decided how good it is.

Completing a PSPP

• If we have Bd ≺ BAd, with BCAd unranked,

there are three options.

• 1. BCAd ≺ Bd ≺ BAd
• 2. Bd ≺ BCAd ≺ BAd
• 3. Bd ≺ BAd ≺ BCAd
• Each of these determines a full SPP.

Dispute wheels

• A “bad” sub-configuration
• Oscillation implies the presence of a wheel
• If there are no wheels, then BGP converges

d

• Cycle of nodes, each with a path to d.
• Everybody would rather go round

the cycle than go straight in.

• These preferences are irreconcilable:

the nodes will never “agree” which

• ne has to suffer and take the direct

path.

Correctness property

• We know what safety means for complete

SPP instances (≈ BGP configurations)

• For partial SPPs (PSPPs), safety means that

there is at least one way of resolving the remaining preferences, so that the resulting complete SPP is safe.

• How easy is this to check?

Where do dispute wheels lurk?

known part unknown part

Where do dispute wheels lurk?

known part unknown part There could already be a wheel – and this will not go away.

Where do dispute wheels lurk?

known part unknown part In the unknown part, anything could happen.

Where do dispute wheels lurk?

known part unknown part Could there be a partial configuration that has no wheel yet, but where every completion contains a wheel?

Unfortunately, yes

• However, the good news is that we can

detect this situation, without having to look at every possible completion.

• We can follow a similar procedure as for
• rdinary dispute wheel checking.

C A B d E F ABd ≺ Ad BCEd ≺ Bd {CAd, CEd} unranked EFd ≺ Ed FCAd ≺ Fd If CAd ≺ CEd then A, B and C are in a dispute wheel. If CEd ≺ CAd then C, E and F are in a dispute wheel.

C A B d E F ABd ≺ Ad BCEd ≺ Bd CAd ≺ CEd EFd ≺ Ed FCAd ≺ Fd If CAd ≺ CEd then A, B and C are in a dispute wheel. If CEd ≺ CAd then C, E and F are in a dispute wheel.

C A B d E F ABd ≺ Ad BCEd ≺ Bd CEd ≺ CAd EFd ≺ Ed FCAd ≺ Fd If CAd ≺ CEd then A, B and C are in a dispute wheel. If CEd ≺ CAd then C, E and F are in a dispute wheel.

Use the “paths digraph”

• Encodes the preference and topology

information is a slightly different form.

• As new preferences are added, we include

new arcs in the paths digraph.

• Dispute wheels correspond to cycles in the

paths digraph.

C A B d E F

ABd ≺ Ad BCEd ≺ Bd {CAd, CEd} unranked EFd ≺ Ed FCAd ≺ Fd

C A B d E F

ABd ≺ Ad BCEd ≺ Bd {CAd, CEd} unranked EFd ≺ Ed FCAd ≺ Fd d FCAd CEd CAd BCEd Ad ABd Bd Fd EFd Ed

C A B d E F

ABd ≺ Ad BCEd ≺ Bd {CAd, CEd} unranked EFd ≺ Ed FCAd ≺ Fd d FCAd CEd CAd BCEd Ad ABd Bd Fd EFd Ed

Observations

• No need to define “dispute wheel” on PSPPs
• Just look for cycles in the paths digraph
• If there is already a cycle, adding new arcs

will not make it go away.

• If there is no cycle, we can topologically

sort the digraph, and insert any new arcs in the direction of the sort. So in this case we can always avoid making a dispute wheel.

The configuration space

• A partial configuration is implicitly

associated with the set of its completions.

• We now know how to see if at least one of

these completions is safe.

• What is the structure of the safe space?
• Is there any way to choose an “optimal”

completion, if there is more than one safe choice?

Our idea

• In this paper, we look at safe completion for

MED/IGP interaction.

• We know everything except the IGP arc

weights (and therefore the path preferences they induce).

• Using PSPP theory, we can derive numeric

safety constraints for these weights.

R S A B C Y X d

MED: 1 MED: 0

w x y z

w x y z safe 1 5 4 12 no 20 5 4 12 yes 1 2 1 4 no

Methodology

• Construct a PSPP instance for the known

preferences.

• For unknown preferences, we know where

the preference arc will be, but not which direction it will point.

• Consider all ways of orienting those arcs

that do not create a cycle in the paths digraph.

R S A B C Y X d

MED: 1 MED: 0

w x y z

R S A B C Y X d

MED: 1 MED: 0

w x y z

R S A B C Y X d

MED: 1 MED: 0

w x y z

R S A B C Y X d

MED: 1 MED: 0

w x y z (w + z < x) or (x < w + z and x < y) (RSCYd ≺ RAXd) or (RAXd ≺ RSCYd and RAXd ≺ RBYd)

Result

• We obtain a logical formula over possible

path preferences, something like:

(p ≺ q) ∨ (q ≺ p ∧ r ≺ s) ∨ (s ≺ r ∧ u ≺ t)

• Each preference corresponds to an integer

inequality over the arc weights, like:

p ≺ q if and only if a + b + c < d + e

Bounding the safe space

• What we end up with is a collection of

linear integer inequalities.

• However, we have disjunctions. So the safe

space is, in general, not convex.

– Each clause in the DNF does determine a convex subspace

• The actual safe space may be larger than we

detect here.

Each inequality defines a half-space.

y > x + 2

x > 7 y > 4

The safe space can be non-convex , due to the presence of disjunctions.

P

A common pattern: P is enough but if we can’t have it, then we need Q.

¬P ∧ Q

Idea: Use with LWO

• Link weight optimization: Given traffic

demand matrix, determine IGP weights that are in some way “good”.

• These weights are also used in BGP, where

they can cause instability.

• Use our “safe space” predicate to bound the
• ptimization process – find weight matrices

that are optimal subject to the constraint.

Idea: Look at robustness

• Is a given weight

matrix close to the boundary of the safe space, or somewhere in the interior?

• Are there good ways

to transition from

• ne safe matrix to

another?

Idea: Identify solution regimes

• Each disjunction is giving a different way to

achieve safety

– “Make w really big” – or “Make w + x + y smaller than f + h”

• Can we use PSPP exploration to identify

families of solutions?

Some future work

• Extend to “algebraic” model of routing
• Consider more examples of partial

specification – what else could be unknown?

• Consider probabilistic models of partial

information

• Consider “policy privacy” issues

Thank you!

Joan Blaeu, 1664