† Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA, USA.
∗ Computer Science, Naval Postgraduate School, Monterey, CA, USA.
‡ Computer Science, Carnegie Mellon University, Pittsburgh, PA, USA.
Keywords: route redistribution, instabilities, static analysis
Abstract
Route redistribution (RR) has become an integral part of IP network design as the result of a growing
need for disseminating certain routes across routing protocol boundaries. While RR resembles
BGP in several nontrivial aspects, surprisingly, the safety of RR has not been systematically studied
by the networking community. This paper presents the first analytical model for evaluating
the safety of RR configurations. We first illustrate how easily inaccurate configuration of RR
may cause severe routing instabilities, including route oscillations and persistent routing loops. At
the same time, general observations regarding the root causes of these instabilities are provided.
We then introduce a formal model based on the general observations to represent and study the
safety of route redistribution. Using the model, we prove that the problem of confirming that an
RR configuration is free from permanent loops is NP-hard. Given this complexity, we present a
set of sufficient conditions, which can be checked in polynomial time with the proposed analytical
model, for ensuring the safety of an RR configuration. Finally, the paper proposes potential changes
to the current RR protocol to guarantee safety.
1 Introduction
Recent studies show that some enterprise networks rival carrier networks in terms of scale and
complexity of routing design [14]. One may even argue that because of a more dynamic business
environment fueled by acquisitions and mergers, large enterprise networks may be more difficult
to control and manage than the carrier networks. One source of this difficulty stems from the fact
that the routing structure of a large enterprise network typically consists of multiple domains or
routing instances [14]. Routing instances form for many reasons. Company acquisitions, departments
administered by different teams, and multi-vendor equipment may lead to such situations
[4]. Alternatively, network administrators may intentionally create separate routing instances to
filter routes, limit reachability and enforce policies [3].
Routers within one routing instance typically run the same routing protocol to fully share reachability
information and they by default do not exchange routing information with routers in other
routing instances. Considering the network in Figure 1, two routing instances are depicted. Routers
in the RIP instance do not have visibility of the addresses in the OSPF instance and vice versa. To
allow the exchange of routing information between different routing instances, vendors have introduced
a feature called route redistribution. Route redistribution is a configuration option local
to a router. It designates the exchange of routing information from one routing process to another
within the same router. For routers in the RIP instance to learn the prefixes from the OSPF instance,
a router (e.g., D or E) needs to run a process of RIP and a process of OSPF and inject the
OSPF prefixes into the RIP instance.
As such, vendors introduced route redistribution to address a need from network operations.
Contrary to traditional routing protocols, there is no standard specifying it. While significant efforts
are usually gathered to design routing protocols and address potential issues, the specification of
route redistribution does not receive as much attention. Consequently, route redistribution is often
misconfigured leading to sub-optimal routing and even severe instabilities such as route oscillations
and persistent routing loops. Although the risks of route redistribution have been acknowledged,
there is currently no general guideline to configure it correctly. Solutions are developed on an
ad-hoc basis for specific situations [3] but most existing solutions do not satisfy network design
goals. Route redistribution has two main objectives. The first one consists in propagating routing
information between different routing instances for connectivity purposes. The second objective
is route back up: in the event of a network failure (e.g., link B-C of Figure 1), routing instances
should provide alternate paths (router C should still be able to reach router A through the
C-E-F-D-A path). However, to avoid route oscillations and routing loops, the current recommendation
prevents routes from one routing instance from being re-injected back into that same instance. Such a
restriction stops instabilities but also prevents networks from achieving their goals. In addition,
most solutions apply to scenarios with only two routing instances, but large operational networks
often include more than two routing instances [14].
Route redistribution is an important feature, but is sensitive and error prone. Race conditions
resulting from network failures can cause unpredictable consequences. To the best of the authors’
knowledge this paper is the first to analyze route redistribution and attempt to identify the origins
of the observed instabilities. Our work is based on two key insights. First, we observe that the
way route redistribution affects the flow of routes is very similar to that of a distance vector routing
protocol, albeit with a larger scope since the routes are passed between routing instances. Second,
the policy-based functionality of route redistribution makes it resemble BGP in several nontrivial
ways.
Figure 1: An example enterprise network that consists of two routing instances. Without
route redistribution, the routers in the RIP instance do not have knowledge of the destinations in
the OSPF instance, and vice-versa.
The rest of the paper is organized as follows. Section 2 describes the route redistribution
procedure. Section 3 illustrates some of the instabilities that route redistribution can cause. Section
4 introduces a model to abstract route redistribution. The model clarifies and helps to identify the
formation of route oscillations and persistent routing loops (section 5). We show that determining
whether a configuration of route redistribution can converge to a state containing a cycle is NP-hard.
This complexity motivates us to search for a set of sufficient conditions in section 6. Finally,
in section 7, from the developed understanding, we derive a set of changes that would free route
redistribution from the discussed instabilities. Such modifications will allow network operators to
fully benefit from the route redistribution feature, for example, allowing routing instances to back
up each other and without having to worry about potential instabilities.
2 Background
Although a router may run multiple routing protocols at the same time, it forwards packets according
to routes stored in a protocol-agnostic table called Forwarding Information Base (FIB). Routing
instabilities such as oscillations and loops are always the consequence of some routers installing
some wrong routes in their FIBs. As background information for the rest of the paper, this section
briefly explains how a router populates its FIB and describes the role of route redistribution in that
procedure. Without loss of generality, all discussions are with respect to a single destination prefix,
denoted by P, unless noted otherwise.
Figure 2: Router’s route selection procedure. Router D may need to perform route selection
among three routing processes while G may need to select between two. D and G belong to the
same OSPF routing instance.
2.2 Route Redistribution
A router running multiple routing processes does not by default redistribute routes among these
processes. Route redistribution (RR) must be explicitly configured. The RR configuration and operation
can be complex. Contrary to most routing protocols which optimize a metric, RR is driven
by policies, making it very similar to BGP. As in BGP, access control lists can be applied and
tags can be assigned to the different prefixes. In Cisco, route-map allows network administrators
to filter the routes, prioritize the received announcements (by assigning different ad values) and
modify the attributes of the redistributed routes. Figure 3(a) provides an example of a Cisco configuration
redistributing routes from a RIP process into an OSPF one. The route-map statements
filter the route and modify the attributes of the redistributed routes. In Juniper routers, RR is specified
through routing policies (i.e., import and export statements) [8]. Figure 3(b), extracted from
[8], provides an example of a JUNOS configuration redistributing the routes from a RIP routing
process into an OSPF routing process.
When configuring a route redistribution, a number of parameters need to be specified. First,
the next-hop of the redistributed route is set to the redistributing router. Some routing protocols
(e.g., OSPF and BGP) allow an optional forwarding address — where data should instead be
directed to — to be advertised. Second, a metric value associated with the new route in the target
routing process (i.e., the process that receives the route) needs to be defined. It can be manually
configured, and if not specified, a default value may be assigned to the redistributed route. The
value of the metric is important since the target routing process may disseminate the redistributed
route to other routers within the same routing instance and when that happens the value of the
metric may influence the route selection outcomes at these routers. Additional route attributes
can be specified depending on the target routing process. As an example, in OSPF, a route can be
injected either as a Type 1 route or a Type 2 route. Each route type differs in the way the cost of
the route is computed. A Type 2 route has a constant external cost (i.e., the value specified when
the route is redistributed into the routing instance), independent of the internal link costs traversed
to reach the corresponding egress router. A Type 1 route’s cost is the sum of the external cost and
all the internal link costs traversed to reach the corresponding egress point. As another difference,
Type 1 routes are always preferred over Type 2 routes [2]. Depending on the network topology
and objectives, redistribution as Type 1 or Type 2 may be preferred [15]. These attributes affect
the route selection process (within a routing instance) and can also cause instabilities as illustrated
in the subsequent sections.
While RR is a complex, policy-driven vector protocol like BGP, there is no RFC or other form
of standards about it. Vendor Web sites or manuals usually only provide guidelines and sample
configuration files. It took us many hours of reading and experimentation to identify the following
two very basic operational characteristics of RR. First, a route is redistributed only if it is active,
i.e., present in the router’s FIB. Consequently, RR is not a transitive operation. For example, let’s
consider a router running three routing processes X, Y and Z. Suppose that redistributions from
X to Y and from Y to Z are configured. If initially no route to P exists in the FIB and the
router learns a route to P through X, the route is redistributed into Y. However, the route will
not be further redistributed into Z from Y because Y is not the selected process for P. Second,
a router seems able to differentiate locally redistributed routes from routes that routing processes
learn from their protocol operations. Routes redistributed from the local FIB apparently will not
be considered by the route selection procedure. Continuing from the previous example, suppose Y
has a lower ad than X. The router will not switch to designate Y as the selected process for P after
the route redistribution from X to Y. In other words, RR does not impact local route selection.
However, since it is possible (and quite common) that a routing process disseminates redistributed
routes to other routers in the same routing instance, RR does have a profound impact on how the
network as a whole populates the FIBs.

(a)
    ! Redistribute RIP routes into OSPF process 27, tagging them 1 and
    ! passing them through the filter_domain2 route-map
    router ospf 27
     redistribute rip subnet tag 1 route-map filter_domain2
     distance rip 200
    !
    ! Drop routes that carry tag 2, permit everything else
    route-map filter_domain2 deny 10
     match tag 2
    route-map filter_domain2 permit 20

(b)
    /* Accept routes learned from RIP and set their metric to 5 */
    policy-statement rip-2-ospf {
        from protocol rip;
        then {
            metric 5;
            accept;
        }
    }
    }
    /* Apply the policy when exporting routes into OSPF */
    ospf {
        export rip-2-ospf;
    }

Figure 3: (a) Excerpt of a Cisco RR configuration for router D of the example enterprise network.
The “redistribute” command enables RR from the RIP process into the OSPF process. A route-map
is applied to enforce policies. (b) Excerpt of a Juniper RR configuration for router E of the
same network. In Juniper, export policies refer to “the policies to routes being exported from the
routing table into a routing protocol” [1]. This terminology focuses on the router’s routing table
and explicates the use of the “export” statement to inject the RIP routes into the OSPF routing
process.
[Figure 4 diagram: Routing Instance 1 runs RIP (120), Routing Instance 2 runs OSPF (110), Routing Instance 3 runs IGRP (100); routers A to E.]
Figure 4: Scenario 1. The network consists of 3 routing instances and routers C, E and D are
performing mutual route redistribution. The values in brackets represent the ad of the routing
instances.
t1 Initially, only A’s FIB has an entry to P . After starting the RIP process on A, the connected
route is redistributed into RIP (1).
t2 D’s FIB includes an entry to P . The route is learnt from RIP and points to B.
t3 E’s FIB contains a route to P with D as the next-hop: This is because D redistributes the route
from RIP (1) into IGRP (3).
t4 C’s FIB presents a route to P. The installed route is from OSPF (i.e., C.2) and E is the
next-hop: C receives two routes from RIP (from B) and OSPF (from E). Since OSPF presents a
lower ad (110 vs. 120), the latter route is selected.
t5 B’s FIB may be updated. The current next-hop, A, may be replaced with C: As B receives the
route from A and the redistributed one from C, we have 2 cases.
• If the route from C presents a lower metric, C becomes the next-hop, causing a routing
loop (B-C-E-D).
• If the route from A presents a lower metric, A remains the next-hop resulting in a
sub-optimal path (D, E, C, B, A) from D to A.
[Figure 5 diagram: Routing Instance 1 runs RIP (120), Routing Instance 2 runs OSPF (110); routers A to E.]
Figure 5: Routers C and D are performing mutual route redistribution. Mutual route redistribution
between two routing instances can result in persistent routing loops (B-C-E-D) for prefixes
originated from the RIP domain or injected into the RIP domain (e.g., through router A).
When repeating the experiment, the loop sometimes formed in the opposite direction (B-D-E-C)
because of the message arrival order.
This configuration consisted of three routing instances. However, networks with only two routing
instances can be vulnerable as well. The configuration in Figure 5 shows an example. The
network may be migrating from RIP to OSPF. Mutual redistribution is performed at two redistributing
routers to exchange routing information and to allow domain back up. This scenario also
resulted in a persistent routing loop. When C first redistributed the route from C.1 into
C.2, D received two choices and preferred D.2 because of the lower ad. Then, D redistributed
D.2 into D.1 and B selected D as its next-hop (because of the smaller metric value).
t3 Because both routers cease to advertise the route into 2, this routing instance no longer has a
route to the destination.
t4 C and D only have one way to reach the destination (i.e., through C.1 and D.1). Therefore,
they each update their FIB and redistribute the route from 1 into 2.
Noting that the states at (t=1) and (t=4) are identical, the route oscillates between the two
routing instances.
One may argue that such oscillations, even though possible, are not likely to occur in practice.
For these oscillations to happen, the signaling messages from the redistributing routers must
be processed in a specific sequence order. Routers’ load, link delay and other factors will most
probably disrupt this synchronization putting an end to the oscillation. We later show that RR can
actually cause permanent route oscillations, independently from any race conditions.
[Figure 6 diagram: routers A to F across OSPF 1 and OSPF 2; prefixes 100.100.100/24 and 200.200.200/24; edge values 100 and 200.]
Figure 6: Scenario 3. Internal routes of convex protocol are vulnerable to instabilities. Packets
sent from host (100.100.100.1) to host (200.200.200.2) result in a persistent routing loop (C, B,
E, F).
t1 The Link-State Advertisement (LSA) corresponding to the internal 200.200.200/24 prefix (connected
to A) is flooded into OSPF 1. The LSA is installed in each router’s link state
database and causes Shortest Path First (SPF) calculations. C and E’s FIB include a route
to 200.200.200/24 pointing to B and A.
t2 C and E redistribute 200.200.200/24 into OSPF 2. They each send an LSA to advertise the new
prefix.
t3 The entry in E’s routing table is modified. The selected routing process is updated to E.2, and
the next-hop to F: When E receives the LSA from C, it has two options to that destination:
either using OSPF 1 or using OSPF 2. Typically, according to the OSPF specifications,
intra-area routes are preferred over inter-area routes, and inter-area routes are preferred over
external routes. However, these rules apply to routes within the same routing process, but not
to routes learned from different processes [3]. Therefore, because the administrative distance
of OSPF 2 is lower, router E prefers this routing process.
As for C, since C.1 presents a lower administrative distance value for OSPF 1, C maintains
its existing entry.
t4 When host (100.100.100.1) sends traffic to host (200.200.200.2), the traffic gets trapped in a
persistent routing loop (D-C-B-E-F-C).
Figure 7: Per-router route selection and route redistribution logics. A router first selects the preferred
routing process based on the ad values. Then, it installs the best route in the FIB, and
redistributes the active route according to the configured policies.
        selected-process(P).ad ← u.ad
        Select best route from selected-process(P) (according to metric) and install it in FIB
        active-route(P) ← selected best route
    end if
end for
Then, the router redistributes the active route according to the RR logic.
Procedure RR at router r
for all routing process u ∈ V such that redistribution of P from selected-process(P) to u is enabled do
    Redistribute active-route(P) into u according to applied routing policies
end for
As mentioned in section 2, routing policies can narrow the scope of the redistributed routes
to prefixes matching an ACL or carrying specific tag(s). Attributes (e.g., tag(s), ad) of the
redistributed routes can also be modified.
Finally, it is important to note that if r redistributes a route from u to v, the route is not installed
in v.RIB [4].
Figure 8: Illustration of the route redistribution graph of the network in scenario 1. The values in
brackets indicate the default ad of the routing instances.
• t=0
• We insert the redistributing routers that are connected to (i.e., have an edge either from or
to) an originating vertex into CL.
Main loop
while CL ≠ EMPTY SET do
    t++
    Remove a subset S of routers from CL
    for all router r ∈ S concurrently do
        Execute route-selection logic at r:
            Among all vertices v that are connected to r and that have an eligible route (i.e., v is
            colored dark and has a router other than r redistributing a route into v, or v is striped),
            select the routing instance with the lowest ad.
        if r’s selected routing process has changed then
            // let r.u denote the new selected routing process
            Execute route-redistribution logic at r:
                Each edge from u through r is activated while all other edges through r are deactivated
[Figure 9 legend: originating routing process; configured route redistribution; active route redistribution; data path.]
Figure 9: Illustration of an activation sequence and the corresponding routing states for the network
in scenario 1.
vation sequences and consequently, detect the potential formation of cycle. Figure 9 illustrates an
activation sequence which converges to a permanent cycle in the network of Figure 4.
t=0 A route P is originated by the RIP routing instance (1). Routers C and D are connected to 1.
Consequently, CL (t=0) = {C, D}.
t=1 We assume S(t=1) = {C, D} ⊆ CL (t=0). We run the route selection and RR logics at routers
C and D. C learns a route to P through C.1 and redistributes it from C.1 into C.2. The
corresponding edge (from C.1 to C.2) becomes solid to indicate that the redistribution is
active. Router E which is connected to 2 is inserted into CL. Similarly, D learns a route to
P and redistributes it from D.1 to D.3. The edge from D.1 to D.3 also becomes solid. We
have CL (t=1) = {E}.
t=2 We assume S(t=2) = {E}. We run the route selection and RR logics at router E. Router
E is receiving a route to P through E.2 and E.3. Because E.3 presents a lower ad (100),
E selects E.3 as its selected routing process and redistributes the route from E.3 into E.2.
The edge from E.3 to E.2 becomes solid to indicate that the corresponding redistribution is
active. Since C is connected to 2, C is added to CL (t=2). CL (t=2) = {C}.
t=3 We assume S(t=3) = {C}. Router C has two choices to reach P (through C.1 and C.2).
Because C.2’s ad is lower than the one from C.1, C.2 becomes the selected routing process
at C and C redistributes from C.2 into C.1. The edge from C.1 to C.2 is de-activated and
instead the one from C.2 to C.1 is active. We have CL (t=3) = {D}.
t=4 We assume S(t=4) = {D}. D has only one choice to the destination (i.e., through D.1). No
other router than D announces a route to P into 2. Therefore, D maintains its selected
routing process (D.1), and CL (t=4) = {EMPTY SET}.
The paths (thick arrows) taken by the data packets to reach P are represented in the final graph.
They form a cycle that reveals the potential formation of a routing loop.
Some configurations of RR always converge to a state containing a cycle (independently of the
activation sequence) (e.g., Figure 4). Other configurations always converge to a cycle-free state.
Some configurations can converge to a state which includes a cycle depending on the activation
sequence: as an example, in scenario 5 (Figure 10), the first activation sequence (1) does not
result in any cycle but the second activation sequence (2) does. Finally, some configurations may
converge after some arbitrary time (Figure 5) and others may always diverge (section 5.2).
We define an RR graph as safe if, for all activation sequences, the redistributions converge to
a cycle-free state.
Figure 10: Scenario 5. Detection of persistent routing loops. Sequence 1 does not result in any
routing loop but sequence 2 discloses a potential routing loop. The values on the edges represent
the customized ad: router C has a customized ad (105) value for routing process 4, overriding the
default value (80).
t=1 C learns a route to the prefix through C.1 and redistributes the route from C.1 into C.2.
t=2 A learns a route through A.2 and redistributes the route from A.2 into A.3.
t=3 B receives the route through B.3, installs it in its FIB and redistributes the route from B.3
into B.4.
t=4 A receives two routes to the destination: one from A.2 and another one from A.4. Because
A.4 has a lower ad, A.4 becomes the selected routing process. Consequently, A stops redistributing
from A.2 into A.3.
t=5 Because A stopped redistributing from A.2 into A.3, B no longer receives any announcement.
B removes the route and stops announcing it into B.4.
t=6 Consequently, A.4 no longer receives a route to the destination either. We note that this state
is identical to the one at t=1. A permanent route oscillation has formed. This instability has
been observed in the conducted experiments.
[Figure 11 diagram: processes 1, 2, 3, 4 of routers C, A, B with labels (80), (110), (90), (80), shown for t=0 through t=6.]
Figure 11: Scenario 6. Illustration of permanent route flap. Router A runs 3 routing processes but
no redistribution is enabled either from or to A.4. The routing states highlight the formation of
permanent oscillations since the states at t=1 and t=5 are identical.
These permanent oscillations come from the fact that the redistribution of the routes into the
routing processes depends on the routes present in the FIB, which in turn depend on the routes
present in the routing processes. Section 2 explained that routes redistributed from a router do
not directly impact the local route selection. However, since the redistributed routes may get further
redistributed, those routes can come back and ultimately affect the route selection outcomes.
[Figure 12 panels: (a) variable configuration; (b) $X_i$ = true; (c) $X_i$ = false.]
Figure 12: Assignment of variable. Each variable is represented by the configuration in figure (a).
Depending on the activation sequence, we can obtain two different stable routing states. 1) If
the redistributed route from $b_i$ arrives at $a_i$ before $a_i$ is activated (and before $a_i$ processes any
former route withdrawals from $b_i$), we obtain the routing state depicted in (b). We associate such
redistribution outcome with the value TRUE for $X_i$. 2) If the redistributed route from $a_i$ arrives at
$b_i$ before $b_i$ is activated (and before $b_i$ processes any former route withdrawals from $a_i$), we obtain
the routing state depicted in figure (c). We associate such redistribution outcome with the value
FALSE for $X_i$.
Figure 13: Construction of the sub-graph for clause $C_k = X_1^k \vee \neg X_2^k \vee \neg X_3^k$
instance of 3-CNF SAT, $B = C_1 \wedge C_2 \wedge \dots \wedge C_n$, i.e., a Boolean formula with $n$ 3-CNF clauses.
Each clause $C_k$ ($1 \le k \le n$) is composed of three distinct literals: $C_k = l_1^k \vee l_2^k \vee l_3^k$. We construct
a route redistribution graph $G$ such that $B$ is satisfiable if and only if there exists an activation
sequence such that $G$ converges to a state including a cycle. We construct $G$ as follows:
• We place two originating vertices $O_1$, $O_2$ into $O$.
Figure 14: Graph for $B = (X_1 \vee X_2 \vee X_3) \wedge (X_1 \vee \neg X_2 \vee \neg X_3) \wedge (\neg X_1 \vee X_2 \vee \neg X_3)$.
the variable assignment (Figure 12) and by construction of $G$, the router $g_i$ (or $\neg g_i$ depending on
the form of $l_i^k$), corresponding to the literal $l_i^k$, redistributes a route from $X_i$ (or $\neg X_i$ depending on
the form of $l_i^k$) into the routing instance $C_k$. As such, each routing instance $C_k$ has a route to $P$.
Then, $\forall k \in [1, n]$, the router $f_k$ redistributes the route from $C_k$ into $U_k$.
Every router $e_k$ is running four processes ($U_k$, $U_{k+1}$, $W_k$ and $Z_k$). We show that $U_k$ is the
selected routing process at $e_k$: only processes $U_k$ and $U_{k+1}$ have a route. $Z_k$ does not have a
route since router $d_k$ picks $C_k$ as its selected routing process. Consequently, no router announces
a route to $Z_k$, and neither $Z_k$ nor $W_k$ have a route to $P$. Among $U_k$ and $U_{k+1}$, $U_k$ presents a lower
administrative distance at $e_k$ and is therefore preferred.
We have shown that $\forall k \in [1, n]$, the router $e_k$ learns a route to $P$ from $U_k$ and redistributes it
into $U_{k+1}$.
The redistributions converge, and $\langle U_1, U_2, e_1 \rangle$, $\langle U_2, U_3, e_2 \rangle$, ..., $\langle U_n, U_1, e_n \rangle$ form a cycle
(Figure 14).
$\Leftarrow$ For the other direction, we want to show that if $G$ has converged to a stable state containing
a permanent cycle, then there exists an assignment such that the Boolean expression $B$ is true.
We suppose that $G$ has converged and contains a cycle. The only possible cycle is composed
of the edges $\langle U_1, U_2, e_1 \rangle$, $\langle U_2, U_3, e_2 \rangle$, ..., $\langle U_n, U_1, e_n \rangle$.
We show that every routing instance $C_k$ must have a stable route to $P$. We prove it by contradiction:
we assume that there exists a routing instance $C_i$ ($1 \le i \le n$), with no stable route to $P$.
This implies that none of the $g_j$ nor $\neg g_j$ ($1 \le j \le 3$) redistributes a stable route into $C_i$.
Considering router $d_i$, it runs 4 routing processes ($C_i$, $O_2$, $V_i$ and $Z_i$). Because only $O_2$ has
a stable route to $P$, $d_i$ redistributes from $O_2$ into $Z_i$. ($C_i$ does not have a stable route to $P$ by
assumption. Consequently, because of the topology of $G$, $V_i$ does not either.) Then, router $e_i$
learns a route to $P$ from $Z_i$ and redistributes it into $W_i$. Independently of whether $U_i$ has a route to $P$
or not (e.g., from $U_{i-1}$), $e_i$ picks $Z_i$ as its selected routing process since $e_i.Z_i$ presents the lowest
administrative distance. The edge $\langle U_i, U_{i+1}, e_i \rangle$ is not active.
This contradicts the initial assumption that $\langle U_1, U_2, e_1 \rangle$, $\langle U_2, U_3, e_2 \rangle$, ..., $\langle U_n, U_1, e_n \rangle$
form a cycle. For it to be possible, $\forall k \in [1, n]$, the edge $\langle U_k, U_{k+1}, e_k \rangle$ must be active.
To summarize, we have proven that $\forall k \in [1, n]$, $C_k$ has a stable route to $P$. In other words,
$\forall k \in [1, n]$, one of the $g_i$ or $\neg g_i$ announces a stable route from $X_i$ (or $\neg X_i$) into $C_k$. By assigning the
corresponding $X_i$ (or $\neg X_i$) the value true, we obtain an assignment that satisfies $B$ since every
clause includes a literal that has a true value.
Figure 15: The ad for C.1 and D.1 are customized to the value 90. The graph in (a) represents the
corresponding primary route redistribution graph. The graph in (b) depicts the state whereto RR
converges.
(Figure 15b) where the edges from the primary route redistribution graph are active. Figure 16
illustrates the transient and final states for an activation sequence.
The route redistribution model and the sufficient conditions allow one to perform “what if”
analysis and detect instabilities ahead of time. [11] introduces the concept of a robust
configuration, which remains safe after node failures. A similar concept applies to route redistribution,
but the details are outside the scope of this paper.
[Figure 16 image not recovered: six panels, t=0 through t=5, each showing Instance 1 (RIP, ad 120), Instance 2 (OSPF, ad 110) and Instance 3 (IGRP, ad 100) with routers C, D and E, annotated with the sets S and CL at each step; CL is {C, D} at t=0, {D, E} at t=1, {D} at t=2, {E} at t=3, {C} at t=4 and { } at t=5.]
Figure 16: Illustration of an activation sequence when the ad values for C.1 and D.1 are customized to
90. The redistributions converge to a cycle-free state.
Current RR does not satisfy monotonicity. The existing RR procedure allows the metric of
a redistributed route to be set to any value. In the absence of an explicitly configured value, the
metric is assigned a default value independently of the initial metric of the route. As such, the
redistributed route may present a lower metric than the initially received route.
The route tag should carry a counter that is incremented by at least one each time the route is
re-injected from one routing instance into another. The route selection procedure needs to be upgraded
to take the route tag into consideration. When receiving multiple routes to the same destination, a router
should first consider the route tag. Routes with a lower route tag value should be preferred. When
two routes, coming from two different routing processes, present the same route tag value, other
criteria (e.g., ad) can then be considered. Finally, to address the count-to-infinity problem, existing
solutions can be adopted: a maximum counter value can be defined (RIP defines the maximum
count as 16 [13]) or hold down timers [7] can be implemented.
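The tag-first selection rule and the counter cap described above, as an added sketch that is not code from the paper. The `Route` class, the function names, the constructed scenario and the choice of 16 as the cap (treated as "unreachable", as in RIP) are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

MAX_TAG = 16  # assumed cap, mirroring RIP's maximum count of 16

@dataclass(frozen=True)
class Route:
    prefix: str
    process: str  # routing process the route was learned from
    ad: int       # administrative distance of that process
    tag: int = 0  # redistribution counter carried in the route tag

def redistribute(route: Route, into: str, ad: int) -> Optional[Route]:
    """Re-inject a route into another process, incrementing its tag counter."""
    if route.tag + 1 >= MAX_TAG:
        return None  # counter hit the cap: treat as unreachable, stop re-injecting
    return replace(route, process=into, ad=ad, tag=route.tag + 1)

def select_current(routes):
    """Existing behaviour: the lowest administrative distance wins."""
    return min(routes, key=lambda r: r.ad)

def select_tag_first(routes):
    """Proposed behaviour: lowest tag first; ad only breaks ties."""
    return min(routes, key=lambda r: (r.tag, r.ad))

def reinjections_until_dropped(route: Route, cycle) -> int:
    """Push a stale route around a cycle of (process, ad) pairs until the cap drops it."""
    count = 0
    while True:
        process, ad = cycle[count % len(cycle)]
        nxt = redistribute(route, process, ad)
        if nxt is None:
            return count
        route, count = nxt, count + 1

# Constructed scenario (ad values as in the figures: RIP 120, OSPF 110, IGRP 100).
origin = Route("P", "RIP", 120)                 # tag 0: learned from the origin
via_ospf = redistribute(origin, "OSPF", 110)    # tag 1
via_igrp = redistribute(via_ospf, "IGRP", 100)  # tag 2: re-injected copy
candidates = [origin, via_igrp]
CYCLE = [("OSPF", 110), ("IGRP", 100), ("RIP", 120)]

if __name__ == "__main__":
    print("ad only  :", select_current(candidates).process)
    print("tag first:", select_tag_first(candidates).process)
    print("re-injections before drop:", reinjections_until_dropped(origin, CYCLE))
```

With ad-only selection the router prefers the re-injected IGRP copy over the route learned from the origin; with the tag considered first it keeps the original route, and a stale route circulating among the three instances is discarded once its counter reaches the cap.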
8 Related work
Few documents address route redistribution. For example, [9] and [15] have short sections on
routing protocol interactions. They briefly describe the challenges and risks of route redistribution.
[17] is an IETF standard specifying the interaction between OSPF and BGP/IDRP. However,
the document is specific to these 3 protocols and does not deal with other routing protocols.
[4] and [3] are vendor reports presenting possible consequences of redistribution (such as
sub-optimal routing, routing loops or delayed convergence). To prevent those undesired effects, [4]
recommends preventing information from a routing process u from being re-advertised back into
u. However, such an approach violates one of the goals of route redistribution, i.e., the capability for
routing instances to back each other up in case of failures. [3] focuses on redistribution between
multiple instances of OSPF. The report mentions that internal OSPF routes are susceptible to loops
and oscillations. A number of solutions are proposed. Some of the approaches allow partial
back-up but do not satisfy all objectives. In the event of network partitions, internal routers still lose
connectivity.
9 Conclusion
Route redistribution continues to be a popular choice for disseminating routes between routing
protocols because it is relatively easy to configure and it has the flexibility to support a large range
of policy-based scenarios. However, RR misconfigurations are also common and the consequences
include permanent routing loops and persistent route flaps.
This paper takes the position that most of the misconfigurations are due to a lack of under-
standing of the network wide RR logic and provides an analytical model to address the problem.
The model precisely defines how a RR configuration influences the route selection outcomes at
different routers and as such provides the first formal specification of the RR protocol. Detailed
applications of the model are also presented. Not only can the model be used to explain why loops
may form and routes may oscillate for certain RR configurations, it can also be used to derive
sufficient conditions for an instability-free RR configuration. The analytical results suggest
that the current RR protocol may have fundamental weaknesses and raise the question of whether
non-trivial changes to the protocol specification are required to address them. The paper
exposes this issue and proposes a set of modifications to the current RR protocol as the first step
towards deriving a safe RR protocol.
References
[1] Junos internet software policy framework configuration guide 8.1.
http://www.juniper.net/techpubs/software/junos/junos81/swconfig81-policy/toc/noframes-
collapsedTOC.htm.
[3] Cisco. OSPF redistribution among different OSPF processes, January 2006.
http://www.cisco.com/warp/public/104/ospfprocesses.pdf.
[6] Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. Introduction
to Algorithms, Second Edition. The MIT Press, 2001.
[7] Jeff Doyle. OSPF and IS-IS: Choosing an IGP for Large-Scale Networks. Addison-Wesley
Professional, 2005.
[8] Lawrence H. Dwyer, Rajah Chowbay, Doris Pavlichek, Wayne W. Downing, James Son-
deregger, Tom Thomas, and Doris Pavlichek. Juniper Networks Reference Guide: JUNOS
Routing, Configuration, and Architecture. Addison-Wesley Professional, 2002.
[9] F. Baker (Editor). Requirements for IP version 4 routers, 1995. Request for Comments 1812.
[10] L. Gao and J. Rexford. Stable internet routing without global coordination. In Proc. ACM
SIGMETRICS, 2000.
[11] Timothy Griffin, F. Bruce Shepherd, and Gordon T. Wilfong. The stable paths problem and
interdomain routing. IEEE/ACM Trans. Netw., 10(2):232–243, 2002.
[12] Timothy G. Griffin and Joao Luis Sobrinho. Metarouting. In Proc. ACM SIGCOMM, 2005.
[13] C. Hedrick. Routing Information Protocol, 1998. Request for Comments 1058.
[14] David Maltz, Geoff Xie, Jibin Zhan, Hui Zhang, Gisli Hjalmtysson, and Albert Greenberg.
Routing design in operational networks: A look from the inside. In Proc. ACM SIGCOMM,
2004.
[15] John T. Moy. OSPF Anatomy of An Internet Routing Protocol. Addison-Wesley Professional,
1998.
[16] Joao Luis Sobrinho. Network routing with path vector protocols: Theory and applications.
In Proc. ACM SIGCOMM, 2003.
[17] K. Varadhan, S. Hares, and Y. Rekhter. BGP4/IDRP for IP—OSPF interaction, 1994. Request
for Comments 1745.