Policy Disputes in Path-Vector Protocols

31 October 1999

The Border Gateway Protocol, BGP, is currently the only interdomain routing protocol employed on the Internet. As required of any interdomain protocol, BGP allows policy-based metrics to override distance-based metrics and enables each autonomous system to independently define its routing policies with little or no global coordination. Varadhan et al. have shown that there are collections of routing policies that together are not safe in the sense that they can cause BGP to diverge. That is, an unsafe collection of routing policies can result in some autonomous systems exchanging BGP routing messages indefinitely, without ever converging to a set of stable routes. In this paper, we present sufficient conditions on routing policies that guarantee BGP safety. We use a new formalism, called the Simple Path Vector Protocol (SPVP), that is designed to capture the underlying semantics of any path vector protocol such as BGP. We identify a certain circular set of relationships between routing policies at various autonomous systems that we call a dispute cycle. We show that systems with no dispute cycles are guaranteed to be safe. While these include systems whose policies are consistent with shortest paths under some link metric, the class of systems with no dispute cycles is strictly larger.
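The divergence described in the abstract can be reproduced on a toy topology. The following is an added example, not code or notation from the paper: it uses a simplified path-vector selection model (not SPVP itself), and the node numbering, the two policy sets and all function names are constructed for illustration.

```python
from itertools import product

DEST = 0  # constructed topology: ASes 1, 2, 3 each have a direct link to destination 0

# Ranked permitted paths per AS, most preferred first (constructed policies).
# CIRCULAR: every AS prefers the route through one neighbour over its direct route.
CIRCULAR = {1: [(1, 3, 0), (1, 0)], 2: [(2, 1, 0), (2, 0)], 3: [(3, 2, 0), (3, 0)]}
# SHORTEST: same permitted paths, ranked by hop count (shortest-path consistent).
SHORTEST = {1: [(1, 0), (1, 3, 0)], 2: [(2, 0), (2, 1, 0)], 3: [(3, 0), (3, 2, 0)]}

def best_choice(node, ranked, state):
    """Most preferred permitted path that the next hop is currently able to offer."""
    for path in ranked[node]:
        tail = path[1:]
        # Usable if it is the direct link, or the neighbour currently selects the tail.
        if tail == (DEST,) or state.get(tail[0]) == tail:
            return path
    return ()  # no usable route

def stable_assignments(ranked):
    """Brute force every path assignment; keep those where no AS wants to change."""
    nodes = sorted(ranked)
    options = [list(ranked[n]) + [()] for n in nodes]
    stable = []
    for combo in product(*options):
        state = dict(zip(nodes, combo))
        if all(best_choice(n, ranked, state) == state[n] for n in nodes):
            stable.append(state)
    return stable

def run_rounds(ranked, max_rounds=50):
    """Every AS re-selects simultaneously each round; report the outcome and round."""
    state = {n: () for n in ranked}
    seen = set()
    for rnd in range(max_rounds):
        key = tuple(sorted(state.items()))
        if key in seen:
            return "oscillates", rnd   # a routing state repeated: no progress possible
        seen.add(key)
        new = {n: best_choice(n, ranked, state) for n in ranked}
        if new == state:
            return "converged", rnd
        state = new
    return "undecided", max_rounds

if __name__ == "__main__":
    for name, pol in (("CIRCULAR", CIRCULAR), ("SHORTEST", SHORTEST)):
        print(name, len(stable_assignments(pol)), run_rounds(pol))
```

Because `stable_assignments(CIRCULAR)` is empty, no update ordering can settle on stable routes for that policy set; the synchronous schedule in `run_rounds` is only one witness of the oscillation.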