Nick Feamster wrote:
2. I question what fraction of routing decisions come down to a blind tiebreak---nearly all of them are likely to be driven by some other consideration (reliability, cost, etc.). Our paper details a richer economic model by which ASes actually select paths, for example, but it's still unclear to me how coarse or fine-grained route selection really is in practice, and to what extent more complicated contracts have evolved. I wonder how common "blind tiebreaking" is in BGP, in real networks; the approach in Sharon's paper definitely may overstate how common that is if route selection considerations commonly involve things that are not visible in the AS graph (e.g., traffic ratios, congestion, performance), but academics could really benefit from some more insight into how rich these decisions are in practice.
We think a key point is getting lost here. Routing policies affect our result in the following crucial way -- they determine the size of ASes' "tiebreak sets" (section 6.6). A tiebreak set is a set of "equally good routes" that an source AS has to a destination AS; in our model, an AS should prefer to route along the _secure_ routes in its tiebreak set. Simply put, with a larger tiebreak set, there should be more competition over customer traffic, and thus more widespread S*BGP deployment. In our simulations we assumed that tiebreak sets were determined by Local-Pref (economic considerations) and AS-Path considerations. In practice, tiebreak sets could be larger (e.g., if ASes prefer shorter paths over customer paths) or smaller (e.g., if intradomain considerations, like hot potato routing, affect tiebreak sets) than those in our simulations. Like Nick said, this is a place where more data from the ops community would be helpful to help us figure out how big tiebreak sets really are. However, the key point we want to emphasize is that in the simulations we ran, the tiebreak sets are actually quite small: 1) The size of the average AS tiebreak set in our simulations is only 1.18; which mean that 80% of tiebreak sets have only one path, see also Figure 8. 2) Security does not play a role in the vast majority (96%) of routing decisions made in our simulations (Section 6.7). In other words, S*BGP deployment can be driven even by a fairly small amount of competition for customer traffic.
3. I think the discussion on the list so far misses what I see as the central question about the economic assumptions in that paper. The paper assumes that all destinations are equally valuable, which we know is not the case. This implicitly (and perhaps mistakenly?) shifts the balance of power to tier-1 ISPs, whereas in practice, it may be with other ASes (e.g., Google). In practice, ISPs may be willing to spend significant amounts of money to reach certain destinations or content (some destinations are more valuable than others... e.g., Google). If the most "valuable" destinations deployed S-BGP and made everyone who wanted to connect to them deploy it, that would be more likely to succeed than the approach taken in the paper, I think.
Our paper does not assume all destinations are equally valuable. 1) As mentioned in our response to Randy, we weight content providers more heavily (see Section 6.8.1; we ran experiments where the content providers collectively source 10%, 20%, 33% or 50% of Internet traffic). 2) From Section 6.8.1: "We test the robustness of our results... by modeling traffic locality [the idea that ASes are likely to send more traffic to ASes that are closer to them]..." Section 6.8.2 shows our results are insensitive to this assumption. Sincerely, Phillipa Gill, Michael Schapira, and Sharon Goldberg
On Sep 5, 2011, at 11:36 AM, Joe Maimon wrote:
Owen DeLong wrote:
On Sep 5, 2011, at 7:24 AM, Jennifer Rexford wrote:
One could argue that rejecting routes which you previously had no way to know you should reject will inherently alter the routing system and that this is probably a good thing.
Good point. Also, "tie breaking" in favor of signed-and-verified routes over not-signed-and-verified routes does not necessarily affect your traffic "positively or negatively" -- rather, if you are letting an arbitrary final tie break make the decision anyway, you are arguably *neutral* about the outcome...
-- Jen
This is true in terms of whether you care or not, but, if one just looks at whether it changes the content of the FIB or not, changing which arbitrary tie breaker you use likely changes the contents of the FIB in at least some cases.
The key point is that if you are to secure a previously unsecured database such as the routing table, you will inherently be changing the contents of said database, or, your security isn't actually accomplishing anything.
Owen
Except if you believe we have been lucky until now and security is all about the future where we may be less lucky.
What I would be interested in seeing is a discussion on whether any anti-competitive market distortion incentives exist for large providers in adopting secured BGP. We might be lucky there too.
Perhaps this will finally help solve the routing slot scalability problem. Might also jumpstart LISP. Which may put some more steam into v6. Welcome to the brave new internet.
Good for everyone, right?
Are you feeling lucky?
Joe
-- Sharon Goldberg Computer Science, Boston University http://www.cs.bu.edu/~goldbe