
Dynamic analyses: BGP update traces

3.4 Methods using BGP routing data

3.4.3 Dynamic analyses: BGP update traces

The use of BGP update traces allows research on the dynamic behaviour of the Internet to be performed. Although research published as early as 1997 had used BGP update traces obtained from production routers [52, 77], the public availability of BGP update traces from RIS and ORV was the enabling factor for much subsequent research on interdomain routing; a brief overview of this work follows.

Visualising route changes

Perhaps the most obvious application of BGP update traces is visualising interdomain routing changes. Several tools were developed for this purpose. One such tool is BGPlay [30], which combines table dumps with update traces to display the interdomain topology graph for a given prefix and displays routing changes to that prefix by animating the graph (see Fig. 1.1(b)). BGPlay uses advanced graph-drawing algorithms to display the interdomain topology and has been deployed both by RIS and ORV to provide an easily accessible user interface to the data they collect [115, 116]. Another tool, Link-Rank [79], takes a complementary approach: it generates topology graphs in which edges are labelled with the number of BGP prefixes that are routed through that peering, thus providing a measure of the impact of a routing change and helping to identify the AS that caused it.

Analysis of BGP behaviour and performance

The analysis of BGP update traces has been instrumental in understanding the real-world behaviour of BGP and analysing the causes of routing instability in the Internet. For example, in 1997 Labovitz et al. used BGP update traces to examine Internet routing instability, discovering that 99% of routing updates observed at the five major U.S. exchange points were redundant and did not reflect actual topology changes [77]. The authors suggested that the majority of these were due to a specific implementation decision by one router vendor whose routers did not maintain state on which announcements had been made to peers, thus sending large numbers of redundant withdrawal messages — behaviour that nevertheless conformed to the BGP specification current at that time [82]. After publication, the router vendor modified their implementation and two years later, the number of routing updates observed at the same collection points was an order of magnitude lower [78].
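The following added example (not part of the original text or of the cited study) shows one way to flag redundant updates in a trace by keeping per-peer, per-prefix state. The trace, the label names and the functions `classify` and `redundant_share` are assumptions made for illustration; ASNs and prefixes come from documentation ranges.

```python
from collections import Counter

# Constructed sample trace: (seconds, peer AS, type, prefix, AS-path).
# Not real data; "A" = announcement, "W" = withdrawal.
SAMPLE_TRACE = [
    (0,  64496, "A", "192.0.2.0/24",    "64496 64500"),
    (5,  64497, "W", "192.0.2.0/24",    None),  # this peer never announced it
    (9,  64496, "A", "192.0.2.0/24",    "64496 64500"),        # identical repeat
    (12, 64496, "A", "192.0.2.0/24",    "64496 64501 64500"),  # real path change
    (20, 64496, "W", "192.0.2.0/24",    None),  # real withdrawal
    (21, 64496, "W", "192.0.2.0/24",    None),  # repeated withdrawal
    (30, 64497, "W", "198.51.100.0/24", None),  # never announced
    (31, 64497, "W", "198.51.100.0/24", None),
]

def classify(trace):
    """Label each update by comparing it with the state last heard from that peer."""
    rib = {}  # (peer, prefix) -> AS-path currently announced by that peer
    labels = []
    for _, peer, kind, prefix, path in trace:
        key = (peer, prefix)
        current = rib.get(key)
        if kind == "W":
            # A withdrawal for a route the peer is not announcing changes nothing.
            labels.append("withdrawal" if current is not None
                          else "redundant-withdrawal")
            rib.pop(key, None)
        elif current == path:
            labels.append("redundant-announcement")
        else:
            labels.append("path-change" if current is not None else "announcement")
            rib[key] = path
    return labels

def redundant_share(trace):
    """Fraction of updates that carry no change relative to the tracked state."""
    counts = Counter(classify(trace))
    redundant = counts["redundant-withdrawal"] + counts["redundant-announcement"]
    return redundant / len(trace)

if __name__ == "__main__":
    for update, label in zip(SAMPLE_TRACE, classify(SAMPLE_TRACE)):
        print(update[0], update[1], update[3], label)
    print(f"redundant share: {redundant_share(SAMPLE_TRACE):.1%}")
```

On a real trace the state table must first be seeded from a table dump taken at the start of the trace; otherwise withdrawals of routes announced before the trace began are wrongly counted as redundant.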

A study of Internet convergence times carried out the following year showed that the measured upper bound of interdomain convergence delay was an order of magnitude greater than previously thought, with some events triggering routing oscillations up to fifteen minutes long [76]. The authors observed that BGP announcements are propagated much faster than withdrawals and showed that this is due to the propagation of invalid paths. A router that receives a withdrawal only concludes that the destination is unreachable (and sends a withdrawal) when there are no other routes to the destination; before that, it will first switch to alternate paths, consequently sending out corresponding announcements to its neighbours. Route announcements and path changes thus continue until all possible paths are exhausted.

In 2003, Mao et al. [85] introduced BGP beacons, which are prefixes that are announced and withdrawn at regular intervals. The use of beacons coupled with a global network of observation points provided by RIS and ORV route collectors allowed the authors to treat BGP updates using signal theory, modelling the global routing system as “a giant non-deterministic signal transducer” to analyse BGP convergence delays and update inter-arrival times (and thus route propagation times). The same work examines the effects of route flap dampening, a practice which suppresses the propagation of updates for a certain prefix if the prefix is the subject of too many BGP update messages in a short time [132]. Further work subsequently showed that the impact of route flap dampening on BGP convergence was much worse than previously thought, and that in certain topologies a single withdrawal followed by a single announcement of the same route was sufficient for the route to be suppressed for a substantial length of time [86].
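The interaction between path exploration and dampening described in the last two paragraphs can be reproduced with a small penalty model. This is an added example, not code from the cited papers: the thresholds, per-update penalties, event timings and the function `dampen` are illustrative assumptions in the style of common vendor defaults.

```python
import math

# Illustrative parameters (assumptions, not taken from the text).
HALF_LIFE = 900.0     # seconds for the accumulated penalty to halve
SUPPRESS_AT = 2000.0  # penalty above which the route is suppressed
REUSE_AT = 750.0      # penalty below which a suppressed route is reused
PENALTY = {"withdraw": 1000.0, "path-change": 500.0, "announce": 0.0}

# Constructed event lists: (seconds, update kind) for one prefix from one peer.
# What a neighbour of the origin sees: one withdrawal, one re-announcement.
ORIGIN_VIEW = [(0, "withdraw"), (120, "announce")]
# What a distant router sees for the same event: its peer first explores
# alternate (invalid) paths, then withdraws, then re-announces.
REMOTE_VIEW = [(0, "path-change"), (30, "path-change"), (60, "path-change"),
               (90, "withdraw"), (120, "announce")]

def dampen(events):
    """Replay updates and return (suppressed, seconds_until_reuse).

    seconds_until_reuse is measured from the last update. A real
    implementation also caps suppression time; that cap is omitted here.
    """
    penalty, last_t, suppressed = 0.0, None, False
    for t, kind in events:
        if last_t is not None:
            penalty *= 2 ** (-(t - last_t) / HALF_LIFE)  # exponential decay
        penalty += PENALTY[kind]
        last_t = t
        if penalty > SUPPRESS_AT:
            suppressed = True
        elif penalty < REUSE_AT:
            suppressed = False
    wait = HALF_LIFE * math.log2(penalty / REUSE_AT) if suppressed else 0.0
    return suppressed, wait

if __name__ == "__main__":
    for name, events in (("origin", ORIGIN_VIEW), ("remote", REMOTE_VIEW)):
        suppressed, wait = dampen(events)
        print(f"{name}: suppressed={suppressed}, reuse in {wait / 60:.1f} min")
```

With these assumed values the same single flap leaves the route usable next to the origin but suppressed for roughly 25 minutes at the distant router, because the extra path-change updates push the penalty over the threshold.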

Work has also been done on determining the root cause of BGP events, that is, identifying the AS or the peering responsible for routing changes, by correlating BGP updates for many different prefixes at different measurement points and using heuristics to determine “stable” links [18, 46]. The authors find that in many cases it is possible to pinpoint the origin of the routing changes to a single AS or to a BGP peering between two ASes.

Inferring topology from BGP dynamics

BGP update traces have also been used to deduce information about network topology. Andersen et al. [2] used passive monitoring of BGP messages to cluster prefixes based on similarities between their update times, which allows the identification of groups of prefixes internal to an AS that are routed in similar ways, for example to the same ISP Point of Presence (PoP). This has implications for intra-AS topology discovery: by grouping the prefixes internal to an AS, it is possible to reduce the number of probes that must be performed to map its internal topology.

Other work used update traces to deduce information about the interdomain topology that is not visible in table dumps. As with table dumps, the presence of an AS-path in an update implies the presence of an inter-AS link between every consecutive pair of ASes in the AS-path; however, the use of update traces has the advantage of detecting the presence of inter-AS links that were not visible when the table dumps were made. This makes it much more likely, for example, to detect backup links that are only used if primary links fail. This approach was proposed in [39], which reports that the combination of update traces with table dumps reveals a significantly larger number of inter-AS links than can be seen in table dumps alone. A more comprehensive approach was followed by Zhang et al. [140], who augmented BGP table dumps and update traces with looking glasses, route servers, and IRR data.
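As an added illustration of the link-inference step described above (not code from the cited works), the sketch below extracts inter-AS links from AS-paths and reports those that appear only in the update trace. The sample data, the textual AS-path format and the function names are assumptions; ASNs and prefixes are from documentation ranges.

```python
# Constructed sample data, not real routing information.
TABLE_DUMP = {"192.0.2.0/24": "64496 64500 64501",
              "198.51.100.0/24": "64496 64500 64502"}
UPDATES = [  # (seconds, type, prefix, AS-path)
    (100, "W", "192.0.2.0/24", None),
    (101, "A", "192.0.2.0/24", "64496 64503 64503 64503 64501"),  # prepended backup
    (160, "A", "192.0.2.0/24", "64496 64500 64501"),              # primary restored
    (300, "A", "198.51.100.0/24", "64496 64500 {64502,64504}"),   # ends in an AS_SET
]

def as_links(as_path):
    """Undirected inter-AS links implied by consecutive ASes in one AS-path."""
    hops = []
    for token in as_path.split():
        if token.startswith("{"):        # AS_SET is unordered: no adjacency to infer
            break
        asn = int(token)
        if not hops or hops[-1] != asn:  # collapse AS-path prepending
            hops.append(asn)
    return {tuple(sorted(pair)) for pair in zip(hops, hops[1:])}

def links_only_in_updates(table_dump, updates):
    """Map each link absent from the table dump to when an update first showed it."""
    known = set()
    for path in table_dump.values():
        known |= as_links(path)
    first_seen = {}
    for ts, kind, _prefix, path in updates:
        if kind != "A":
            continue                     # withdrawals carry no AS-path
        for link in as_links(path) - known:
            first_seen.setdefault(link, ts)
    return first_seen

if __name__ == "__main__":
    for link, ts in sorted(links_only_in_updates(TABLE_DUMP, UPDATES).items()):
        print(f"link AS{link[0]}-AS{link[1]} first seen at t={ts}s (updates only)")
```

In the sample, the two links through AS 64503 are visible only during the 60 seconds in which the primary path is down, which is the backup-link case the text describes.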

3.4.4 Evaluation

Topology discovery methods that use BGP routing information have several advantages. Firstly, this information is readily available in public repositories, so it is not necessary to deploy a measurement infrastructure and explore the network to determine the topology. Secondly, unlike IRR data, the information provided by BGP corresponds to the actual state of the network: although it provides only a partial topology due to the distributed nature of BGP, the data is current and correct.

Unlike BGP table dumps, the use of BGP update traces allows the dynamic behaviour of the network to be examined; this in turn allows the study of BGP behaviour and the detection of backup links. Update traces are also extremely useful for operational purposes such as troubleshooting. Finally, since this information is obtained by real-time participation in the routing protocol of the Internet, these methods arguably provide much more up-to-date data than is contained in the IRR, which is often outdated, and than can be obtained by network probing, which requires long exploration times to explore any significant part of the network. For example, the data collected by the RIS route collectors is saved and uploaded to a central location every five minutes and inserted in the database shortly afterwards, and thus is almost immediately available.

However, methods using BGP update traces also have disadvantages. Firstly, they do not provide any information on the node-level topology of the Internet. Secondly, they require non-trivial infrastructure to collect and store the updates. Finally, even when used in conjunction with BGP table dumps, they provide a less complete picture of interdomain routing than