Path Stability in Partially Deployed Secure BGP Routing
Computer Networks
journal homepage: www.elsevier.com/locate/comnet
Keywords: Routing; Secure BGP; Partial Deployment; Stability

Border Gateway Protocol (BGP), as the current de-facto routing protocol connecting various cooperating domains on the Internet, did not consider security when it was originally designed. With the expansion of the Internet, security is increasingly valued and many BGP enhancement mechanisms are proposed and experimented. Some of them like BGPsec have been standardized and promoted by the IETF. However, the deployment of these inter-domain secure routing mechanisms is subject to many economic and political restrictions. Consequently, there will be a long period of partial deployment, during which instability of BGP can be observed. Specifically, when some networks start deploying secure BGP mechanisms, they may be involved in some temporary or persistent route oscillations. In this paper, we systematically study the stability problem induced by partially deployed secure BGP mechanisms. We analyze the characteristics of topology and routing strategies when BGP oscillations will be introduced. In particular, we propose dispute chain, a derived structure of dispute wheel proposed in Griffin et al. (2002), to formally analyze this problem. Based on dispute chain, we analyze how different security adoption strategies can cause BGP oscillations under the general Gao–Rexford model. Our analysis shows that, even in a situation when there is no dispute wheel, dispute chains may widely appear, indicating that BGP oscillation problems will be introduced when security mechanisms are casually deployed, affecting the security and quality of inter-domain communications. To avoid possible oscillations, we also propose some deployment guidelines from different perspectives of the operator and the Internet, so that a wider deployment of security mechanisms will not blindly disrupt the Internet.
1. Introduction

The Internet consists of many independently managed domains called the Autonomous Systems (ASes). To ensure connectivity between ASes, Border Gateway Protocol (BGP) [1] is designed and run on the Internet. However, since BGP is initially designed for a secure environment with only a few trustworthy ASes, the protocol does not incorporate any security verification mechanisms into itself. As more domains are added to the routing system, harmful routing events, e.g., prefix hijack, happen frequently and cause a lot of damage to the Internet [2,3]. In order to remedy that, the BGP enhancement mechanisms have been designed and put into use in recent years, some of which have been standardized by the IETF, e.g., BGPsec [4] and ASPA [5].

However, the deployment of those mechanisms is limited by many factors. On the one hand, more than 10K ASes on the Internet are Internet Service Providers (ISPs) [6]. They obtain economic benefits by providing users with fast and stable network access services. For a single ISP, the deployment will increase the cost of the service, while little security improvement will be received if many other ASes have not deployed yet. Thus they are unwilling to actively deploy those. On the other hand, the current inter-domain secure routing mechanisms require ASes to disclose some network information or grant a few organizations higher management authority of the Internet. This demand violates the principle of fairness and freedom when the Internet was originally designed, so their deployment also encounters resistance. Besides, many countries will not allow their networks to be influenced by organizations in other nations for political reasons. Due to the aforementioned reasons, the secure BGP mechanisms are likely to stay in a partially deployed state for a long time, as previous works state [7–9].

As Griffin et al. propose [10], BGP can be viewed as a distributed algorithm for solving the stable paths problem. Unlike RIP or OSPF, the inter-domain routing process is guided by the routing policies of each AS. Each AS independently sets up its own policies to ensure
∗ Corresponding author at: Institute for Network Sciences and Cyberspace, Tsinghua University, China.
E-mail address: shixg@cernet.edu.cn (X. Shi).
https://doi.org/10.1016/j.comnet.2022.108762
Received 26 June 2021; Received in revised form 18 December 2021; Accepted 3 January 2022
Available online 22 January 2022
1389-1286/© 2022 Elsevier B.V. All rights reserved.
Y. Yang et al. Computer Networks 206 (2022) 108762
its own economic benefits and performance gains. As a result, for a single AS, the optimal route to a destination in BGP is perhaps not the shortest path, but rather a stable path following the routing policies of each AS along the path. When an AS chooses to deploy the BGP security mechanism, it takes security into account when making routing decisions, e.g., it prefers to choose a secure path rather than choose an insecure path. However, this may lead to conflicting routing policies and furthermore, route oscillation.

The potential route oscillation induced by security related policies is first noticed by Lychev et al. [11], as they give an example in their paper to illustrate the phenomenon. If there is not a perfect guideline to explain how to deploy security mechanisms around the Internet to avoid the oscillations, the full deployment of security mechanisms can be further delayed and BGP security cannot be guaranteed for a long time. Even worse, Sami et al. [12] show that the convergence time will also increase nearly linearly as the Internet expands, which significantly reduces the efficiency of inter-domain routing. Only if no routing oscillation is introduced into the Internet, the promotion of inter-domain secure routing mechanisms is practical and the period of partial deployment can be shortened.

Therefore, in this paper, we focus on the stability issues of BGP and systematically study the potential route oscillations induced by the partial deployment of security mechanisms. We firstly propose a topological structure called the Dispute Chain (DC). DC is a derived structure of the dispute wheel (DW) proposed in [10], which can be used to analyze the BGP oscillation. Different from DW, DC can be used to predict the routing state when some secure BGP mechanisms are newly deployed, showing the relationships between the deployment progress of BGP security mechanisms and the formation of DWs. Based on DC, we further discuss the possibility of BGP oscillations on the Internet using the Gao–Rexford model (GR model) [13]. We find that under the GR model, DW does not exist but DCs do, which implies that there is a risk of introducing new oscillations in deploying some inter-domain security mechanisms. The side effects during partial deployment impact the Internet communication, impeding the promotion of secure BGP routing. Next, according to the rigorous demonstration of different situations, we find the necessary condition for BGP oscillations to happen. In the end we give an easy-to-implement suggestion for single-network operators to ensure that the path stability is maintained if a part of ASes choose their security routing models cautiously. Also, from the perspective of the whole Internet, we propose two deployment guidelines for different inter-domain secure route mechanisms, from top down and from bottom up. We prove that as long as ASes deploy the mechanisms in sequence advised as the guidelines, they will not suffer from new BGP oscillations.

According to the previously mentioned research, the major contributions of this paper involve three aspects: (1) We propose a structural model Dispute Chain to predict the potential oscillations on the Internet, which can be caused by insufficient deployment of secure BGP or other routing changes. (2) We theoretically prove the existence of path instability under the GR model and conduct some case study (e.g. Fig. 7). (3) We instruct the selection of anycast sites. Using the approach introduced in this work, researchers and anycast service operators can better understand the disturbance caused by BGP routing to anycast service, so that the choice of new site will consider not only cost and geographic factors, but also topological location for path stability.

The rest of the paper will be organized as follows. Section 2 reviews some concepts to formalize the BGP routing and proposes the problem that the partial deployment of BGP security mechanisms would lead to path instability. Section 3 proposes the Dispute Chain (DC) structure, as a tool for instability analysis in theory. Section 4 discusses DW and DC under the GR model, extracting the topological features with risks of BGP oscillations. Section 5 offers the deployment strategies to single-AS operators in practice, i.e. select a suitable security routing model according to their local info, and the Internet organization for a wise initiative. At last, Section 6 presents the related work and Section 7 concludes.

2. BGP protocol and security routing model

2.1. BGP routing selection

In order to better study the path stability issues of BGP, we first review how BGP operates. BGP, as the only inter-domain routing protocol on the Internet, conveys different kinds of information through a number of attributes. For example, the AS_PATH attribute is a sequence of ASes that the routing message passes through before it arrives at the current AS. As a representative of the path vector protocol, BGP performs routing selections in accordance with the attribute. Each AS can independently use these attributes to make its own policies, including import policies, best route selection and export policies. In addition, each AS can also affect BGP externally by configuring some special attributes and customized import and export policies.

To model the BGP process, some implementation details of actual BGP are simplified in this work. We ignore some BGP attributes related to external traffic engineering (e.g., MED attribute) and internal routing control (e.g., intra-domain cost), and focus on the necessary information for AS-level routing. We list the important BGP attributes that are involved in this paper as follows:

NLRI: network layer reachability information, i.e. destination IP prefix
NEXT_HOP: the IP address of the next hop router
AS_PATH: an ordered list of ASes the route announcement traversed
LOCAL_PREF: local preference (set and passed within an AS to locally rank routes)

Although routers are connected to the Internet by a large number of physical links, paths are limited by the routing policies of each AS. Network operators can customize different import and export policies according to their economic and security needs. Each AS will check its export policies before making route announcements to its neighbors. Only routes satisfying the policies can be propagated. Similarly, when an announcement arrives at an AS, it can also be filtered by the import policies of the AS.

Therefore, if we consider ASes as nodes in a graph and regard inter-domain links as edges connecting those nodes, then the Internet is an undirected graph. The difference is that not all paths can exist in this graph. Just some of the permitted paths can be used to forward traffic. We define that a path P is permitted if a BGP announcement can be propagated from the origin to the end of P, i.e., it is not filtered out by import or export policies of any AS on the path.

To the same destination, there are many permitted paths that an AS may receive from its neighbors. However, it eventually selects the optimal one for forwarding. We call this process BGP routing selection. In general, BGP routing selection can be summarized in three steps. Firstly, ASes select routes with the highest local preference. Secondly, if there are multiple ones with the same local preference, route(s) with the shortest AS path is(are) preferred. Finally, if there are still multiple routes to choose from, ties are broken by comparing the next hop IP address (other kinds of tie-breakers are also used in some ASes). ASes tend to assign the greater tie-breaker to the route with the lowest next hop. Since the next hop IP address is unique on the Internet, at most one route with the greatest tie-breaker to a given NLRI can be selected as the optimal route at any time, i.e., BGP routing selection is deterministic.

The deterministic routing selection process of BGP enables us to analyze BGP more precisely. For each AS, all permitted paths reaching it can be ranked according to routing priorities. And the ranking result is unique. We define the ranking result of all permitted paths at an AS as its route ranking, which reflects the AS's routing policies. The specific route ranking of a permitted path P at some AS A can be denoted as $\lambda(P, A)$. As Fig. 1 shows, AS A has two permitted paths destined for destination D, namely A-E-D and A-B-C-D. Between them, A prefers the former because of economic cost, and only routes along the latter when A-E-D fails. In this situation, we describe it formally as $\lambda(A\text{-}E\text{-}D, A) > \lambda(A\text{-}B\text{-}C\text{-}D, A)$.
Fig. 3. The generation of DW due to BGPsec.

Theorem 1. When the mechanisms are fully deployed, no new BGP oscillations will be introduced compared to the undeployed period.
various impacts on the route rankings at ASes on the Internet. So we need a new tool to describe the potential BGP oscillations that may happen when security mechanisms are newly deployed to incur the priority promotion.

Since the deployment of a secure BGP mechanism requires many considerations and the time synchronization of different organizations is difficult to be consistent, we here assume that only one organization will newly deploy the security mechanism at one time. Considering that the deployment progress of the security mechanisms is rather slow [9], the assumption here is practical. Thus, to study the potential oscillation, we only need to compare the routing status before and after the most recent deployment. To describe the status, we relax the third condition in the definition of DW and expand its derived structure, Dispute Chain (DC).

Dispute Chain is a sequence of ASes $A = (A_0, A_1, \ldots, A_{k-1})$ and two sequences of AS paths $P = (P_0, P_1, \ldots, P_{k-1})$ and $Q = (Q_0, Q_1, \ldots, Q_{k-1})$, such that for each index $0 \le i \le k-1$, the following properties are satisfied. (Index k is to be interpreted as 0 modulo k.)

(1) $P_i$ is a path from AS $A_i$ to the AS $A_{i+1}$.
(2) $P_i Q_{i+1}$ and $Q_i$ are both permitted paths at AS $A_i$.
(3) $\lambda(Q_i, A_i) < \lambda(P_i Q_{i+1}, A_i)$ when $i \ne k-1$.
(4) $\lambda(Q_{k-1}, A_{k-1}) > \lambda(P_{k-1} Q_0, A_{k-1})$.

Compared with the definition of DW, DC does not reflect that the partial order relations of route rankings form a complete circle. Instead, at some AS, the route ranking is reversed. The partial order relations develop a structure like a chain, which is why we name it DC.

Due to the high similarity between the definitions of DC and DW (Section 2.2), DC can be expressed in almost the same way as DW, i.e. Fig. 2(b), as long as we exchange the route rankings between 3-1-2-0 and 3-0. The only difference is that the direct path to the destination at last sequence AS ($Q_{k-1}$) has a higher route ranking than the detour path ($P_{k-1} Q_0$). In the follow-up, we will mark dispute structures to refer its meaning, DW or DC.

Since there is only a little difference between DW and DC, they can be easily converted due to priority promotion. Therefore, we can evaluate the potential instability brought by the deployment of security mechanisms with DC. If the deployed AS is located at the terminating end of a DC ($A_{k-1}$) and the priority promotion occurs on the one permitted path ($P_{k-1} Q_0$) whose next-hop is the starting end of the DC ($A_0$), the deployment will lead to a new DW, resulting in the instability of BGP. To sum up, with the help of DC, we can focus our attention on the terminating ends of any DC. For other ASes, they can adopt the mechanisms without the consideration of BGP instability.

3.2. The calculation of dispute chain

DC can be used to evaluate the stability changes of the inter-domain routing system. Furthermore, it can also guide the selection of deployed points and the choice of security routing models, which we will discuss in the following sections. The first step is to calculate DC according to the topology and route information.

Theorem 4. To find DCs in a topology with determined route rankings is an NP problem.

Proof. Given C is a possible answer, we intend to check it in polynomial time. Since the topology is certain, we can compare the route rankings of AS paths sequence one by one. Considering that the ASes comparing two different permitted paths are less than the size of the topology, it is obvious to finish the process in polynomial time. □

We propose a heuristic method DCS to calculate the dispute chain. The basic idea of DCS is to examine whether a route is suppressed at some intermediate node along the path. The whole process is similar to the breadth-first search, which compares the route rankings at every intermediate node along the path. In accordance with the route comparison, the algorithm outputs can be used to recover the definition of DC, helping researchers to calculate DC with network topology and routing policies.

First of all, the input of the calculation method is a permitted path, acting as $P_{k-1} Q_0$ in DC's definition. Then the DC can be calculated step by step based on the relationship of route rankings as Algorithm 1 shows. Finally, it outputs a tree called dispute tree. The complete path from the root node to any leaf node can restore a DC.

Algorithm 1 Dispute chain search (DCS)
Input: A permitted path X;
Output: Whether it contains any DW, W; A dispute tree T;
1: Build the root node of T marked with path X, set it as the current node C. $W = FALSE$. $N = \{\}$;
2: For $2 \le i \le len(C)$, truncate from the i-th node of C's path to the end, denoted as C[i:]. After the traversal of i is completed, C is marked as DONE.
3: Judge if C[i:] has the highest route ranking at its starting AS A, i.e., $\lambda(C[i:], A) = max(\lambda(?, A))$. If no, $N = N \cup \{C[i:]\}$.
4: For each C[i:] in N and the permitted path P at C[i:]'s starting AS A satisfying $\lambda(C[i:], A) < \lambda(P, A)$, judge if there is a node in T with path starting at A. If yes, $W = TRUE$. Otherwise, add a node X to T. X is marked with path P and connected to the parent node C.
5: If there is any node of T not DONE, set one of them with the minimum depth as C and turn to Step 2.
6: return (W, T);

Algorithm 1 can be used not only to calculate the DC starting with a certain route but also to judge whether there is any DW in such topology. We show its function with the help of the example shown in Fig. 3(a). Suppose we start DCS process with the permitted path 3-4-2-0 in the situation shown in Fig. 3(a), the path will be suppressed at the intermediate AS 2 by 2-1-0. And 2-1-0 is also suppressed at AS 1 by 1-3-5-0. Consequently, the output of DCS contains W with the value FALSE and $T$ shown in Fig. 4(a). The node in $T$ shows the permitted path $P_i Q_{i+1}$ forming dispute chain, which can restore complete information (including A and P in the definition) of DC by comparing the adjacent nodes on dispute tree.

Fig. 4. Dispute tree and its corresponding DC from the scenes in Fig. 3(a), as the output of DCS algorithm.

For example, according to the path from the root to one leaf 1-3-5-0, its responding DC can be translated as follows. Firstly we place the destination of the initial path AS 0 at the center of the DC and use its source node AS 3 as the DC's first endpoint. Then we turn to the next node along the path, namely node 2-1-0. The source of the responding path (AS 2) is regarded as the second endpoint of DC. And we connect it to the previous endpoint and complete the nodes on the link based on the previous path 3-4-2-0. Repeating the process until the leaf is executed, we connect all endpoints to the common destination node (AS 0 in this case). After completing the nodes on these new links based on path information, the DC related to the dispute tree is generated. It is obvious that this DC is similar to DW in Fig. 3(c), the only difference is the path priorities on the last node $A_{k-1}$.
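The DCS walk-through above, as an added example that is not code from the paper: a Python rendering of Algorithm 1 run on route rankings constructed to match the text (3-4-2-0 suppressed at AS 2 by 2-1-0, and 2-1-0 suppressed at AS 1 by 1-3-5-0). The names `dcs`, `chains`, `endpoints`, `BEFORE` and `AFTER`, the direct routes 2-0 and 1-0, and the ranking at AS 3 are assumptions, because Fig. 3 is not reproduced on this page; `AFTER` models AS 3 promoting 3-4-2-0 above 3-5-0 after it deploys a security mechanism.

```python
from collections import deque


def dcs(root, ranking):
    """Dispute chain search (Algorithm 1).

    root    -- permitted AS path as a tuple, e.g. (3, 4, 2, 0)
    ranking -- {AS: [permitted paths at that AS, most preferred first]}
    Returns (W, T): W is True when a dispute wheel is found; T maps each
    dispute-tree node (a path) to its parent node (None for the root).
    """
    tree = {root: None}
    heads = {root[0]}        # ASes at which some node of T already starts
    wheel = False
    todo = deque([root])     # FIFO order visits minimum depth first (step 5)
    while todo:
        cur = todo.popleft()
        for i in range(1, len(cur)):          # step 2: every proper suffix C[i:]
            suffix = cur[i:]
            asn = suffix[0]
            ranks = ranking.get(asn, [])
            if suffix not in ranks:           # e.g. the bare destination node
                continue
            better = ranks[:ranks.index(suffix)]
            if not better:                    # step 3: suffix is the top route
                continue
            # Step 4. The "node in T starting at A" test is made once per
            # suppressed suffix, before its preferred paths are added.
            if asn in heads:
                wheel = True
                continue
            heads.add(asn)
            for path in better:
                if path not in tree:
                    tree[path] = cur
                    todo.append(path)
    return wheel, tree


def chains(tree):
    """Root-to-leaf node sequences of the dispute tree; each restores one DC."""
    parents = set(tree.values())
    result = []
    for leaf in tree:
        if leaf in parents:
            continue
        seq, node = [], leaf
        while node is not None:
            seq.append(node)
            node = tree[node]
        result.append(seq[::-1])
    return result


def endpoints(chain):
    """Source AS of every node on a chain, in the order the text recovers them."""
    return [path[0] for path in chain]


# Constructed rankings (assumption): destination is AS 0, most preferred first.
BEFORE = {
    1: [(1, 3, 5, 0), (1, 0)],
    2: [(2, 1, 0), (2, 0)],
    3: [(3, 5, 0), (3, 4, 2, 0)],   # AS 3 still prefers the direct route
    4: [(4, 2, 0)],
    5: [(5, 0)],
}
# Same topology after AS 3 promotes the path through AS 4 (priority promotion).
AFTER = dict(BEFORE)
AFTER[3] = [(3, 4, 2, 0), (3, 5, 0)]

if __name__ == "__main__":
    for label, ranking in (("before", BEFORE), ("after", AFTER)):
        w, t = dcs((3, 4, 2, 0), ranking)
        print(label, "W =", w)
        for chain in chains(t):
            print("  chain:", chain, "endpoints:", endpoints(chain))
```

With `BEFORE` the search stops at 1-3-5-0 because 3-5-0 is still the top route at AS 3, so the structure is a chain; with `AFTER` the same suffix is suppressed at AS 3, where the root already starts, and the chain closes into a wheel.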
Fig. 5. Security reach for path fragment verification mechanisms and complete path
verification mechanisms.
4.1. Dispute wheel under Gao–Rexford model

In this subsection, we explore whether the Internet under the GR model can develop DWs under certain conditions. According to the definition of DW, we derive the conditions that the topology must meet with the laws of the export policies, and finally judge if the derived conditions follow the topology assumptions of the GR model.

Suppose there is a DW on the Internet, the ASes involved in the DW are denoted as $A = (A_0, A_1, \ldots, A_{k-1})$. All situations can be classified into three categories according to the local preferences of the permitted paths $P_x Q_{x+1}$ and $Q_x$ forming this DW.

Situation 1: The permitted paths $P_x Q_{x+1}$ and $Q_x$ forming the DW of AS $A_x$ have different local preferences. Besides, the one with higher local preference $P_x Q_{x+1}$ is a customer route.

According to GR-Assumption 3, the permitted paths under GR model exhibit some common characteristics. In general, the AS paths are composed of 0 to n hops from providers, 0 to 1 hop from peers, and 0 to n hops from customers in order. Therefore, if ASes receive a permitted path from a customer, every hop along the path is from customers.

Lemma 1. The suffixes of customer routes are always customer routes under the GR model.

Proof. Obvious according to GR-Assumption 3. □

Based on Lemma 1, we can discuss the routing details in Situation 1, where permitted paths $P_x Q_{x+1}$ and $Q_x$ have different local preferences and the former is a customer route. It is obvious that the suffix path of $P_x Q_{x+1}$, $Q_{x+1}$ is also a customer route. According to the definition of DW, $\lambda(Q_{x+1}, A_{x+1}) < \lambda(P_{x+1} Q_{x+2}, A_{x+1})$. Because permitted path $P_{x+1} Q_{x+2}$ has a higher priority than $Q_{x+1}$, we can infer that it must also be a customer route with shorter path length or greater tie-breaker. Similar to $P_x Q_{x+1}$, the suffix path of $P_{x+1} Q_{x+2}$, $Q_{x+2}$ is also a customer route. Repeating the process, $P_i Q_{i+1}$s for index $0 \le i \le k-1$ are always customer routes. However, $P_i$ refers to a path from AS $A_i$ to $A_{i+1}$. Thus paths $P_0, P_1, \ldots,$ and $P_{k-1}$ consist of a Customer–Provider circle, which violates GR-Assumption 1. As a result, in this situation, DW cannot appear on the Internet.

Situation 2: The permitted paths $P_x Q_{x+1}$ and $Q_x$ forming the DW of AS $A_x$ have different local preferences. Besides, the one with higher local preference $P_x Q_{x+1}$ is a peer route.

The analysis process of Situation 2 is similar to Situation 1. But we make appropriate modifications to Lemma 1, as follows:

Lemma 2. The suffixes of peer routes are always customer routes under the GR model.

Proof. Obvious according to GR-Assumption 3. □

Since $P_x Q_{x+1}$ is a peer route, its suffix path $Q_{x+1}$ must be a customer route based on Lemma 2. According to the definition of DW, $\lambda(Q_{x+1}, A_{x+1}) < \lambda(P_{x+1} Q_{x+2}, A_{x+1})$. Consequently, path $P_{x+1} Q_{x+2}$ can only be a customer route. Similarly, the suffix path of $P_{x+1} Q_{x+2}$, $Q_{x+2}$ is also a customer route. We can further find that path $P_{x+2} Q_{x+3}$ is another customer route. Repeating the process, $P_i Q_{i+1}$s for index $0 \le i \le k-1$ are always customer routes as long as $i \ne x$. When $i = x$, $P_x Q_{x+1}$ is a peer route due to the premise. To conclude, paths $P_0, P_1, \ldots,$ and $P_{k-1}$ are all customer routes except one which is a peer route instead. They form a Customer–Provider extended circle together, violating GR-Assumption 2. Apart from this, because $P_x Q_{x+1}$ is a peer route and $\lambda(Q_x, A_x) < \lambda(P_x Q_{x+1}, A_x)$, path $Q_x$ can only be a peer route or provider route. But from the derivation results above, $P_{x-1} Q_x$ is a customer route. The path cannot be a valley-free path, violating GR-Assumption 3 at the same time. So DW cannot appear on the Internet in this situation.

Situation 3: The two permitted paths at the same AS involved in the DW have the same local preference.

Lemma 3. In the inter-domain topology, there is not a circle with zero or negative length.

Proof. Obvious. □

With the denotation of DW's definition, the two permitted paths $P_i Q_{i+1}$ and $Q_i$ have the same local preference at AS $A_i$. However, $\lambda(Q_i, A_i) < \lambda(P_i Q_{i+1}, A_i)$ still holds for each i. We can conclude that $P_i Q_{i+1}$ must be shorter than $Q_i$ or they have the same length. We introduce the absolute value symbol to represent the length of an AS path. Thus $|P_i Q_{i+1}| \le |Q_i|$ for each index $0 \le i \le k-1$. If adding all the inequalities, we can get that

$$\sum_{i=0}^{k-1} |P_i Q_{i+1}| \le \sum_{i=0}^{k-1} |Q_i| \quad \text{i.e.} \quad \sum_{i=0}^{k-1} |P_i| \le 0$$

The inequality above reflects that permitted paths $P_i$ form a circle with zero or negative length, which violates Lemma 3.

All three possible cases are listed above under the GR model. We analyze each case separately and find that there is no DW under the GR model no matter what situation it is. Therefore, we claim that DWs cannot occur under the ideal GR model.

4.2. Dispute chain under the Gao–Rexford model

Similar to the discussion about DW, we analyze DC under the GR model in different situations. Suppose there is a DC on the Internet, the ASes involved are denoted as $A = (A_0, A_1, \ldots, A_{k-1})$. For each index $0 \le i < k-1$, the inequality $\lambda(Q_i, A_i) < \lambda(P_i Q_{i+1}, A_i)$ always holds but $\lambda(Q_{k-1}, A_{k-1}) > \lambda(P_{k-1} Q_0, A_{k-1})$. We divide all situations into three categories according to $Q_{k-1}$.

Situation 1: $Q_{k-1}$ is a provider route.

From the definition of DC, $P_{k-2} Q_{k-1}$ is a permitted path at AS $A_{k-2}$. Hence $P_{k-2}$ must be a provider route due to the valley-free policy. Besides, $\lambda(Q_{k-2}, A_{k-2}) < \lambda(P_{k-2} Q_{k-1}, A_{k-2})$. So the permitted path with low routing priority $Q_{k-2}$ is also a provider route. After that, we can infer that $P_{k-3}$ is also a provider route similar to the process of $P_{k-2}$. At last, $P_0, P_1, \ldots, P_{k-2}$ are all provider routes. In addition, there is another inequality for DC, that is, $\lambda(Q_{k-1}, A_{k-1}) > \lambda(P_{k-1} Q_0, A_{k-1})$. The path $P_{k-1} Q_0$ has a lower routing priority than the provider route $Q_{k-1}$. Thus $P_{k-1}$ is also a provider route under the GR model. Therefore, for all index i, $P_i$s are always provider routes and they constitute a Customer–Provider circle, which conflicts with GR-Assumption 1.

Situation 2: $Q_{k-1}$ is a peer route.

Similarly, we can find that $P_{k-2}$ must be a provider route since $P_{k-2} Q_{k-1}$ is a permitted path. Considering $\lambda(Q_{k-2}, A_{k-2}) < \lambda(P_{k-2} Q_{k-1}, A_{k-2})$, $Q_{k-2}$ can only be a provider route. Then, repeating the previous analysis process, $P_0, P_1, \ldots, P_{k-2}$ are all provider routes accordingly. Finally, we turn to analyze $P_{k-1}$. Because $\lambda(Q_{k-1}, A_{k-1}) > \lambda(P_{k-1} Q_0, A_{k-1})$, $P_{k-1}$ may be either a peer route or a provider route. If $P_{k-1}$ is a peer route, all permitted paths $P_i$s constitute a Customer–Provider extended circle. If $P_{k-1}$ is a provider route, they constitute a Customer–Provider circle instead. In conclusion, some assumption of the GR model is always violated. In other words, this situation will not happen under the GR model.

Situation 3: $Q_{k-1}$ is a customer route.

In this situation, we are supposed to divide and discuss the type of $P_{k-1}$ more finely.

If $P_{k-1}$ is a customer route, path $Q_0$ must be a customer route because $P_{k-1} Q_0$ is a permitted path. According to the inequality $\lambda(Q_0, A_0) < \lambda(P_0 Q_1, A_0)$, $P_0$ is also a customer route. Repeating the process in turn, we can prove that all $P_i$s are customer routes, i.e. a Customer–Provider circle develops.

If $P_{k-1}$ is a peer route, path $Q_0$ is also a customer route due to Lemma 2. Similar to the last subcase, $P_0, P_1, \ldots, P_{k-2}$ are all customer routes while $P_{k-1}$ is a peer route, all of which constitute a Customer–Provider extended circle.
5. The guideline for BGP security deployment

We have already learned that under the GR model some DCs indeed appear on the Internet. In this section, we explore the specific structural features of these DCs in the inter-domain topology and propose corresponding deployment strategies based on them. It is worth noting that the guidelines for deployment are derived from the GR model while the actual ASes do not fully comply with it. Hence the strategies only guide the deployment of inter-domain secure routing mechanisms in a general direction. The local topology that does not follow the GR model should be analyzed and adjusted more subtly in practice.

5.1. Structural characteristics of the dispute chain

According to the previous discussion, DC can happen on the Internet only in a particular topological structure, which is illustrated in Fig. 8. We introduce a concept valley node to describe the characteristics of this topology and propose a theorem to state the relationship between DC and valley node.

The valley node in a loop is defined as the AS whose two adjacent ASes in the loop are not its customers.

Theorem 5. The loop constituted by the AS sequence of a DC in order has one and only one valley node.

Proof. In Section 4.2, we prove that DC can only exist if $Q_{k-1}$ is a customer route and $P_{k-1}$ is a provider route under the GR model.

First, we prove that $A_{k-1}$ must be a valley node. If not, $A_{k-2}$ must be a customer of AS $A_{k-1}$ and $P_{k-2}$ is a provider route accordingly. But we have known that $\lambda(Q_{k-2}, A_{k-2}) < \lambda(P_{k-2} Q_{k-1}, A_{k-2})$. Thus $Q_{k-2}$ must be a provider route. Since $P_{k-3} Q_{k-2}$ is a permitted path, $P_{k-3}$ must be a provider route according to valley-free policy. Also, $Q_{k-3}$ can be deduced that it is a provider route due to $\lambda(Q_{k-3}, A_{k-3}) <$

Theorem 6. The valley node in the loop constituted by the AS sequence of a DC must be located at the ending of the chain. Besides, this valley node is not a stub AS.

Proof. According to the proof of Theorem 5, there must be only one valley node in a DC, that is, the ending node $A_{k-1}$. Because $P_{k-2}$ is a peer or customer route, $Q_{k-1}$ as the suffix of permitted path $P_{k-2} Q_{k-1}$ must be a customer route due to Lemma 1 and Lemma 2. That is, $A_{k-1}$ has at least one customer, through which traffic from $A_{k-1}$ can reach the destination eventually. So the valley node namely $A_{k-1}$ is not a stub AS. □

5.2. Deployment guideline for single-AS operators

For single-AS operators, they are concerned about the impacts of a security mechanism deployed in their ASes on the network performance. DCs can be used to evaluate the stability changes. If the priority promotion occurs at the terminating AS of a DC and turns the DC into a DW, the operators must regard such a deployment as a bad decision.

We show a general situation that may introduce a new DW in Fig. 9. In the figure, the secure ASes are painted green while the insecure ASes without the security mechanisms are still white. Since the deployed AS incurring oscillations must be the terminating AS of a DC, we assume that the AS sequence of the DC is $A = (A_0, A_1, \ldots, A_{k-1})$. For the operator of AS $A_{k-1}$, when it deploys some security mechanism on its domain, a new DW will be formed only if path $P_{k-1} Q_0$ is a secure path while $Q_{k-1}$ is not. Meanwhile, the security routing model reverses the routing priority because of priority promotion. Therefore, we derive that a certain security routing model that the deploying AS chooses is a necessary condition to cause oscillations.

Theorem 7. Only if the terminating AS of a DC selects SEC-I model, a new DW may be introduced to the networks.
Fig. 9. The scenarios to cause BGP instability security mechanisms deployed (a) complete path verification mechanisms like BGPsec (b) path fragment verification mechanisms like ASPA.
Fig. 10. The consistency of the two permitted paths along Top-down guideline.
Table 1
The required information for stable deployment.
| Method | Required Info | Configuration | Applicable mechanisms |
| --- | --- | --- | --- |
| Single-AS M. | Neighbor contracts | Specify a secure routing model | Complete path, Path fragment |
| Top-down M. | Provider contracts, Provider deployment info | No requirements | Only complete path verification |
| Bottom-up M. | Customer contracts, Customer deployment info | No requirements | Complete path, Path fragment |
AS operators in the last subsection, we put forward some suggestions for the deployment of secure BGP mechanisms from the macro and micro scales. For anycast service providers, path stability is the basis of user experience. Lack of understanding of the Internet routing process makes it difficult for operators to customize the correct BGP configurations. To help readers, we summarize the necessary information for stable deployment of secure BGP variants in Table 1. As the table shows, the Single-AS method avoids out-of-band interaction with other ASes by specifying a special security routing model. The Top-down/Bottom-up methods have no requirements for the local configurations, but they need to cooperate with other ASes. The suggestions proposed in this part are derived from the dispute structures. We hope that they can support in-depth analysis and promote the adoption of BGP security enhancements.
6. Related work
This work mainly focuses on the stability issues that may be caused when the BGP security mechanisms are partially deployed. Therefore, the related work involves research on the stability of the BGP protocol and the analysis of inter-domain secure routing mechanism deployment.
Research on the stability of eBGP was mainly carried out around 2000. Griffin et al. [19] show that judging whether practical BGP is stable in the wild is an NP-hard problem, due to the exponential time and space needed to implement the problem in a high-level programming language. Varadhan et al. [14] study the convergence properties of an abstract BGP system. They find an example of BGP instability and propose a structure called the return graph to analyze the convergence. The return graph is defined by the dynamic routing process, while the DW and DC can be calculated according to the static topology. Besides, the topology structure and the permitted paths are restricted in their work. Griffin et al. [10] formalize the Stable Paths Problem (SPP) and define a structure called Dispute Wheel (DW) to analyze it. They point out that if no DW can be constructed in a topology, the SPP has a unique solution and BGP remains stable under this configuration. Besides, they propose the simple path vector protocol to capture BGP at an abstract level, extending the results to more BGP-like protocols. In addition, Griffin et al. [20] also study the BGP oscillation problems incurred by MED attributes. Based on DW, the authors present the first analysis of the MED oscillation problem by encoding it in SPP. They state that the oscillations can span multiple ASes. Labovitz et al. [21] initially study the convergence rate. They demonstrate that multi-homed failover can trigger oscillations in BGP and further show that the delays due to instability increase with the number of ASes on the Internet from linear to exponential. Based on their work, Sami et al. [12] conduct a more detailed analysis of BGP convergence time. Apart from these works about eBGP oscillations, there is some research on iBGP oscillations [22–24].
ASes are managed separately by different organizations or companies. For most of them, their primary purpose of accessing the Internet is to profit from network services. However, the inter-domain security mechanisms usually increase their operation and maintenance costs and cannot bring significant economic benefits. Consequently, the deployment of these security mechanisms becomes a critical research direction. Some studies focus on the incentives for deployment. Gill et al. [9] propose that AS operators tend to decide whether to deploy these mechanisms based on the benefits. They establish a model for deployment simulation according to changes in traffic passing through the ASes. Also, some strategies are given to drive the global deployment of those security mechanisms. Some studies focus on the effectiveness of the security mechanisms. Qiu et al. [25] propose an algorithm named TowerDefense to find the positions of the security mechanisms against BGP hijackings. Their suggestions are based on the prevention effect of BGP attacks rather than stability. Some studies care about the stability of BGP, which is most closely related to this paper. Lychev et al. [11] summarize the security routing models of BGP and discuss the stability in the partial deployment of BGP security. In their work, the authors prove that disagreements about the security routing models between ASes may lead to BGP oscillations. To keep the routes stable, they prove that if all ASes select the same security routing model, the routing state must converge. Compared with our guideline (Section 5.2), their proposal is more difficult to achieve. Their conclusion requires that all ASes use the same model, which is almost impossible in practice. In contrast, we only need a part of the secure ASes to adjust their security model to the SEC-II or SEC-III models, regardless of the deployment details of other ASes. Recently, several measurement studies have focused on RPKI's adoption [7,26,27]. They point out that although many ASes registered the Route Origin Authorizations to protect their prefixes from hijacking, only a part of them utilized the RPKI-based filters to limit the insecure AS paths a few years ago. But many networks have begun to adopt RPKI filtering recently. This kind of hybrid inter-domain state without unified planning is more likely to cause the routing instability problem described in this paper, which we hope will serve as a reminder to network operators.
7. Conclusion
This paper studies the BGP oscillations brought about by the partial deployment of BGP security mechanisms, which may lead to a decrease in the quality and speed of communications. We propose a derived structure of Dispute Wheel (DW) called Dispute Chain (DC) to evaluate the routing state during the deployment process of secure BGP routing. Through rigorous demonstration, we find that DCs, but no DWs, can exist under the standard GR model. Under this situation, we discuss the structural features of the DC in the inter-domain topology and eventually find a necessary condition to introduce new BGP oscillations. Moreover, we propose some guidelines from the different views of AS operators and Internet organizations to promote the faster deployment of secure BGP mechanisms.
CRediT authorship contribution statement
Yan Yang: Conceptualization, Methodology, Formal analysis, Writing – original draft. Xingang Shi: Conceptualization, Methodology, Writing – review & editing. Qiang Ma: Software, Validation. Yahui Li: Formal analysis. Xia Yin: Resources, Supervision, Writing – review & editing. Zhiliang Wang: Writing – review & editing.
Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
We thank the anonymous reviewers for their comments. This work was supported by the National Key R&D Program of China under Grant 2018YFB1800401.
References
[1] Y. Rekhter, T. Li, S. Hares, A border gateway protocol 4 (BGP-4), RFC 4271, 2005.
[2] A. Toonk, Chinese ISP hijacks the internet, https://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/.
[3] YouTube Hijacking: A RIPE NCC RIS case study.
[4] E. M. Lepinski, E. K. Sriram, BGPsec protocol specification, RFC 8205, 2017.
[5] K. Patel, J. Snijders, R. Housley, A profile for autonomous system provider authorization, draft-azimov-sidrops-aspa-profile-01, 2018.
[6] The CAIDA AS relationships dataset, 2020, https://www.caida.org/data/as-relationships/. (Accessed 1 August 2020).
[7] Y. Gilad, A. Cohen, A. Herzberg, M. Schapira, H. Shulman, Are we there yet? On RPKI’s deployment and security, in: NDSS, 2017.
[8] H. Chan, D. Dash, A. Perrig, H. Zhang, Modeling adoptability of secure BGP protocol, ACM SIGCOMM Comput. Commun. Rev. 36 (4) (2006) 279–290.
[9] P. Gill, M. Schapira, S. Goldberg, Let the market drive deployment: A strategy for transitioning to BGP security, in: SIGCOMM, 2011, pp. 14–25.
[10] T.G. Griffin, F.B. Shepherd, G. Wilfong, The stable paths problem and interdomain routing, IEEE/ACM Trans. Netw. 10 (2) (2002) 232–243.
[11] R. Lychev, S. Goldberg, M. Schapira, BGP security in partial deployment: Is the juice worth the squeeze? in: SIGCOMM, 2013, pp. 171–182.
[12] R. Sami, M. Schapira, A. Zohar, Searching for stability in interdomain routing, in: IEEE INFOCOM, 2009, pp. 549–557.
[13] L. Gao, J. Rexford, Stable internet routing without global coordination, IEEE/ACM Trans. Netw. 9 (6) (2001) 681–692.
[14] K. Varadhan, R. Govindan, D. Estrin, Persistent route oscillations in inter-domain routing, Comput. Netw. 32 (1) (2000) 1–16.
[15] G. Huston, G. Michaelson, Validation of route origination using the resource certificate public key infrastructure (PKI) and route origin authorizations (ROAs), RFC 6483, 2012.
[16] A. Cohen, Y. Gilad, A. Herzberg, M. Schapira, Jumpstarting BGP security with path-end validation, in: SIGCOMM, 2016, pp. 342–355.
[17] Y. Xiang, X. Shi, J. Wu, Z. Wang, X. Yin, Sign what you really care about–secure BGP AS-paths efficiently, Comput. Netw. 57 (10) (2013) 2250–2265.
[18] R. Anwar, H. Niaz, D. Choffnes, P. Gill, E. Katz-Bassett, Investigating interdomain routing policies in the wild, in: Internet Measurement Conference (IMC), 2015, pp. 71–77.
[19] T.G. Griffin, G. Wilfong, An analysis of BGP convergence properties, ACM SIGCOMM Comput. Commun. Rev. 29 (4) (1999) 277–288.
[20] T.G. Griffin, G. Wilfong, Analysis of the MED oscillation problem in BGP, in: 10th IEEE International Conference on Network Protocols (ICNP), 2002, pp. 90–99.
[21] C. Labovitz, A. Ahuja, A. Bose, F. Jahanian, Delayed internet routing convergence, in: SIGCOMM, 2000, pp. 175–187.
[22] A. Basu, C.-H.L. Ong, A. Rasala, F.B. Shepherd, G. Wilfong, Route oscillations in I-BGP with route reflection, in: SIGCOMM, 2002, pp. 235–247.
[23] A. Flavel, M. Roughan, Stable and flexible iBGP, in: SIGCOMM, 2009, pp. 183–194.
[24] A. Flavel, M. Roughan, N. Bean, A. Shaikh, Where’s waldo? practical searches for stability in iBGP, in: IEEE International Conference on Network Protocols (ICNP), 2008, pp. 308–317.
[25] T. Qiu, L. Ji, D. Pei, J. Wang, J. Xu, Towerdefense: Deployment strategies for battling against IP prefix hijacking, in: IEEE International Conference on Network Protocols (ICNP), 2010, pp. 134–143.
[26] C. Testart, P. Richter, A. King, A. Dainotti, D. Clark, To filter or not to filter: Measuring the benefits of registering in the RPKI today, in: International Conference on Passive And Active Network Measurement, Springer, 2020, pp. 71–87.
[27] A. Reuter, R. Bush, I. Cunha, E. Katz-Bassett, T.C. Schmidt, M. Wählisch, Towards a rigorous methodology for measuring adoption of RPKI route validation and filtering, ACM SIGCOMM Comput. Commun. Rev. 48 (1) (2018) 19–27.
Yan Yang received the B.E. and Ph.D. degrees in computer science from Tsinghua University, China, in 2015 and 2020 respectively. Currently he is a senior engineer of Huawei. His research interests include inter-domain routing protocols, routing security and next generation Internet architecture.
Xingang Shi received the B.E. degree from Tsinghua University and the Ph.D. degree from The Chinese University of Hong Kong. He is now working in the Institute for Network Sciences and Cyberspace at Tsinghua University. His research interests include network measurement and routing protocols.
Qiang Ma received the B.S. degree in computer science from Tsinghua University, China, in 2018. He is currently pursuing his Master’s degree at the Department of Computer Science and Technology, Tsinghua University. His research interests include routing protocols and routing security.
Yahui Li received the B.E. degree in software engineering from Jilin University in 2015. She obtained the Ph.D. degree in computer science from Tsinghua University in 2020. She is now working in the Institute for Software at Beijing Jiaotong University. Her research interests include formal methods, protocol testing and deep learning.
Xia Yin received the B.E., M.E. and Ph.D. degrees in computer science from Tsinghua University in 1995, 1997 and 2000 respectively. She is a Full Professor in Department of Computer Science and Technology at Tsinghua University. Her research interests include future Internet architecture, formal methods, protocol testing and large-scale Internet routing.
Zhiliang Wang received the B.E., M.E. and Ph.D. degrees in computer science from Tsinghua University, China in 2001, 2003 and 2006 respectively. Currently he is an Associate Professor in the Institute for Network Sciences and Cyberspace at Tsinghua University. His research interests include formal methods, protocol testing, next generation Internet and network measurement.