Академический Документы
Профессиональный Документы
Культура Документы
Abstract—We introduce the Game-Theoretic Stochastic Routing (GTSR) framework, a proactive alternative to today’s reactive
approaches to route repair. GTSR minimizes the impact of link and router failure by 1) computing multiple paths between source and
destination and 2) selecting among these paths randomly to forward packets. Besides improving fault tolerance, the fact that GTSR
makes packets take random paths from source to destination also improves security. In particular, it makes connection eavesdropping
attacks maximally difficult as the attacker would have to listen on all possible routes. The approaches developed are suitable for
network layer routing, as well as for application layer overlay routing and multipath transport protocols such as the Stream Control
Transmission Protocol (SCTP). Through simulations, we validate our theoretical results and show how the resulting routing algorithms
perform in terms of the security/fault-tolerant/delay/throughput trade-off. We also show that a beneficial side effect of these algorithms
is an increase in throughput, as they make use of multiple paths.
Index Terms—Multipath routing, stochastic routing, game theory, network security, fault tolerance.
1 INTRODUCTION
especially difficult to detect and routing often takes 1. delivery, that is, all packets reach their desired
considerable time to recover from them. In addition, destination with probability one,
although some link-state algorithms can find alternate 2. timeliness, that is, the delay is acceptable, and
paths relatively quickly, distance-vector algorithms may 3. statistical flooding is achieved, that is, all paths are
require considerably more time in large, poorly connected explored by the packet ensemble.
networks. In either case, during the detection of the cut/ With respect to item 3, some network elements may be
failure and the search for a new route, the connection more susceptible to failures/attacks than others and, there-
remains broken. fore, it may be desirable to have nonuniform statistical
Selective faults/attacks are especially challenging. Sup- flooding. For example, as a fault/attack detector starts to
pose, for example, that a node of the network is compromised suspect that a particular element is compromised, it can
and that it selectively intercepts packets from specific end-to- adjust the next-hop probabilities to start avoiding that
end connections. If routing hello packets are not intercepted,
element. With GTSR, this can be done progressively, which
other nodes do not compute new routes to exclude the
allows for a measured response and provides additional
compromised node. This means that application or transport-
layer retransmissions will keep following the same route and flexibility in addressing the trade-off between the false
will continue to be subject to interception. A more “active” alarm rate and detection speed (cf., [4] for a discussion on
form of attack exploiting compromised nodes is to have them this trade-off).
generate spurious routing updates, each reporting very low
1.3 Scope
costs to all or some destinations. As a result, other nodes will
funnel packets to these compromised nodes. One question to ask is “where can the GTSR methodology
Privacy and integrity techniques (for example, end-to- be effectively applied in today’s networks?” Clearly, GTSR
end encryption, Virtual Private Networks (VPNs), and will only be effective if there are multiple paths to explore.
secure tunnels) are effective in protecting against eaves- At the network layer, we see at least two domains in which
dropping and some forms of interception (for example, this technique may prove useful:
selective interception). However, if an encryption key is
1. Inside Internet service providers (ISPs), where there
stolen or when defending against attackers with inside
are often multiple independent paths to the exit
information, these techniques lose much of their effective-
point for that ISP. GTSR would be part of the suite of
ness. Furthermore, man-in-the-middle attacks may still be
tools that the ISP utilizes to provide secure network-
possible. To protect a data transmission network against a
ing to its clients.
wide range of attacks, one needs a suite of mechanisms
2. Inside an organization that builds multipath redun-
spanning several layers of the protocol stack. In particular, dancy in its network to improve security (and also to
end-to-end security mechanisms (for example, end-to-end augment throughput). An organization may utilize
encryption for privacy and message authentication for multiple connections to a single ISP or even use
integrity/authenticity) should be complemented by security multiple ISPs to connect to the outside network and
mechanisms at other layers(for example, link-layer encryp- employ GTSR to spread data across independent
tion). GTSR is one such mechanism and complements paths provided by distinct ISPs.
security measures taken at other layers.
Although GTSR can also be used for interdomain
1.2 Exploring Multiple Paths routing, it has been noted that Autonomous Systems
(Deterministic) flooding—that is, sending each packet along (ASs) typically have limited information about the network
every possible path—is the simplest form of multipath topology and may have different (and often conflicting)
routing and provides a routing mechanism that is extremely path-selection goals [5]. This can limit the viability of GTSR
robust with respect to link/node failures. However, this for interdomain routing.
type of routing is not practical because it greatly increases At application layer overlay networks, the applicability
overhead. Flooding also significantly simplifies packet of GTSR depends on the degree to which links in the
eavesdropping. We propose exploring multiple paths overlay network are truly independent (that is, do not share
through statistical flooding. In statistical flooding, packets any physical links/nodes). Although the presence of
are sent through all available paths, but, generally, no dependent paths does not affect the applicability of GTSR,
packet is sent more than once (except for the possibility that if there are no independent paths at the network layer, then
error control at the transport layer may require a packet to GTSR may not significantly increase security/reliability. On
be resent). Flooding thus occurs “on the average” and is the other hand, if attacks target application layer routers
randomized to minimize predictability. instead of packet transmission (that is, if the risk is that end
Stochastic routing is the mechanism used to achieve hosts taking part in the forwarding may be compromised),
statistical flooding. In this type of routing, nodes select the then GTSR can increase reliability and security as long as
next hop to which to forward a packet in a random fashion. the overlay network has multiple distinct paths between the
The next-hop probabilities—that is, the probabilities of source and the destination.
selecting particular next-hop destinations—are design At the transport layer, protocols such as SCTP allow data
parameters and determining these probabilities is the streams to be split over several paths. Again, the utility of
subject of this paper. Our main challenge is determining splitting the flow depends on whether the different physical
next-hop probabilities that ensure paths are distinct.
BOHACEK ET AL.: GAME THEORETIC STOCHASTIC ROUTING FOR FAULT TOLERANCE AND SECURITY IN COMPUTER NETWORKS 1229
1.4 Outline send their request not directly to the server but to random
The remainder of this paper is organized as follows: In users in the group. Each user can then forward the request
Section 2, we review related work. Section 3 develops either to the server or to another member of the group. In
techniques for designing “optimal” stochastic routing poli- GTSR, randomization is applied at the network layer with
cies. Simulations of these stochastic routing policies are the goal of protecting the data packet not from the
presented in Section 4. Finally, Section 5 provides concluding destination but from intermediate attackers.
remarks and points toward future research. Detailed deriva- Equal-Cost Multipath (ECMP) [12] and Open Shortest
tions of the results in Section 4 are included in the Appendix. Path First Protocol (OSPF) Optimized Multipath (OSPF-
A subset of the results in this paper was presented in the OMP) [13] are, in a way, multipath routing algorithms.
Proceedings of the 11th IEEE International Conference on While these methods insist that the alternative paths be of
Computer Communications and Networks [6]. equal cost, MPLS allows different paths besides shortest
paths to be utilized. However, none of these methods is
stochastic; rather, routers employ techniques to ensure that
2 RELATED WORK a connection will utilize a single path.1 Hence, a link failure
2.1 Network Robustness and Security will result in cut connections and eavesdropping at a single
VPNs [7] have been used as a way to securely interconnect a link will expose connections going through that link.
(typically small) number of sites. While private networks Furthermore, these algorithms were developed to increase
use dedicated lines, VPNs try to implement private throughput, but not to make routing robust to attacks or
networks atop a publicly accessible communication infra- failures. Hence, there is no mechanism in place to avoid
structure like the Internet. VPNs typically employ some links that may have been compromised or have been subject
combination of encryption, authentication, and access to high failure rates. In short, these, as well as other load
control techniques to allow participating sites to commu- balancing techniques, seek to optimize performance metrics
nicate securely. such as bit rate and delay, whereas, in GTSR, we optimize
The emergence of Internet Protocol security (IPsec) [8] as fault tolerance and security.
an Internet Engineering Task Force (IETF) standardized 2.2 Game Theoretical Approaches to Network
protocol has prompted VPN solutions to use IPsec as the Routing
underlying network-layer protocol. As in any encryption-
Game theoretical approaches have been proposed for many
based mechanism, the key challenge in IPsec is that secret resource allocation problems in computer networks, but
keys must remain secret. As previously discussed, if an none is very closely related to GTSR. We review the most
attacker is able to infiltrate a node or has “inside” relevant results in routing and refer the reader to the survey
information, shared and/or private keys may be compro- in [14] for applications of game theory to other networking
mised and the corresponding communication channels problems such as bandwidth allocation, congestion control,
become insecure. power control in wireless networks, and medium access
Onion routing [9] is another approach to security that control.
focuses on hiding the identities of the communicators. It Economides and Silvester [15] consider the selection of
uses several layers of encryption, where each layer is used one among L parallel queuing systems to transport (or
to encrypt the transmission between routers on each end of process) data. Two classes of packets need to be processed:
a link. Because of the many layers of encryption, routers are The -class packets can be queued, whereas the -class
unable to decrypt the data or even the source and packets are always blocked when the server is busy. The
destination addresses. All that a router can decipher is the problem is formulated as a game played between two
next-hop information. Although onion routing is very players P and P , each one controlling the fraction of
effective for anonymity, it is computationally heavy: Each packets of a particular class that go through each of the
connection must be built and torn down, routers must L queues. This problem has a unique Nash equilibrium
encode and decode packets, and memory-intensive source (NE) when P minimizes the queuing delay and P
routing is used. The Secure Border Gateway Protocol (S- minimizes the blocking probability.
BGP) [10] makes use of public key and an authorization The paper by Yamaoka and Sakai [16] considers a
infrastructure, as well as IPsec to verify the authenticity and network with arbitrary topology in which every link has
authorization of control traffic generated by the Border two queues with different priorities. Both queues are first in
Gateway Protocol. first out (FIFO), but transmission of packets from the low-
Another related effort is the RON project [2] whose goal priority queue only takes place when the high-priority
is to improve the performance and robustness of network- queue becomes empty. An independent nonzero-sum game
layer routing. RON nodes monitor current routing paths is played at each node of the network, where one player
and decide whether to choose other routes (by selecting (router) decides which outgoing link to use and the other
alternate application-layer paths through other RON nodes) player (network) decides whether the packet should be
in order to meet application-specific performance require- placed in the high or the low-priority queue. The authors
ments. GTSR could be implemented in such networks to show by simulation that the resulting routing algorithm
improve security and fault tolerance.
The approach developed here is, in some ways, similar to 1. One reason that a connection is restricted to a single path is that many
of today’s implementations of TCP do not work well under persistent
that presented in [11], where members of a group cooperate packet reordering. However, as is discussed in Section 4, advancements in
to maintain their anonymity to the server. Specifically, users TCP have relieved this limitation.
1230 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 9, SEPTEMBER 2007
decreases the overall number of packets that are dropped Stochastic routing utilizes a distinct concept called next-
by time-out. hop probabilities, which map each possible destination IP
In [17], a group of nodes in a sensor network wants to with a probability distribution of the next hop. Packets are
construct a routing tree rooted at a destination node. This forwarded by selecting the next hop at random but
problem is formulated as a nonzero-sum game in which according to the next-hop probability distribution. From
every node is viewed as a player that independently an end-to-end perspective, this results in data packets
decides its next hop to maximize an estimate of end-to- following random paths. The main challenge in stochastic
end path reliability from which it subtracts a next-hop routing is the determination of next-hop probabilities that
communication cost. For each candidate next-hop node, the ensure delivery, timeliness, and statistical flooding.
path-reliability estimate depends on the reliability of the The key technical insight explored here is to formalize
next-hop node and the probability that the link between the the stochastic routing problem as an abstract game between
two nodes will fail. It turns out that computing the NE for two players: the designer of the routing algorithm, which is
this game is NP-hard. represented by routers, and an attacker that attempts to
Orda et al. [18] study the uniqueness of NE for the intercept packets. In practice, minimizing the impact of an
“selfish routing” problem, where a number of players share attack is equivalent to minimizing the impact of a worst-
a network. Each player generates data at a fixed rate and case failure.
needs to decide how to split its transmission among a set of We consider zero-sum games in which routers target at
alternative end-to-end paths. The players are selfish in the minimizing the time it takes for a packet to be safely
sense that each one attempts to minimize its own objective transmitted, whereas the attacker’s goal is to maximize this
function, which depends on the overall distribution of flows time. It is well known from the game theory literature that
through the shared network. Under a similar problem the solution to such games requires the use of mixed
setup, [19] and [20] investigate how far the noncooperative (randomized) policies (cf., for example, [26]). In practice, the
NE is from the cooperative social optimum. Under mixed solution of the minimax problem provides the
appropriate simplifying assumptions on the network probability distributions needed for the next-hop probabil-
structure and the cost functions, these papers establish the ities. By formalizing the problem as an optimization with a
worst-case bounds for the ratio between the noncooperative time cost, we achieve both delivery and timeliness.
and the cooperative solutions. This line of research was Statistical flooding is a consequence of the saddle solution.
further extended in [21] to the framework of repeated There are several alternatives to formalize a game that
games, where the routing game is played repeatedly with a
results in adequate routing policies. In this paper, we
discounting factor. While the abovementioned papers are
consider two alternatives: offline routing games and online
focused on theoretical studies, Qui et al. [22] present an
games.
extensive simulation study showing that selfish routing can
In offline games, the attacker starts by selecting one link
achieve close to optimal average latency in Internet-like
or one physical interface at a particular node that she will
environments.
scan for packets. This choice is made before routing starts,
The paper by Feigenbaum et al. [23] considers incentive-
but is not conveyed to the router, whose task is to design the
based routing in which interdomain lowest cost paths are
next-hop probabilities to minimize the overall probability
computed based on per-packet costs reported by a network of
that the packet will be intercepted, assuming that the
ASs. The game aspect derives from the fact that the ASs may
attacker made an intelligent choice. This setup can be
not report true costs in an attempt to engineer the flows so as
generalized to attacks at nodes and even mixed attacks at
to maximize their own profits. It is shown that a Vickrey-
Clarke-Groves (VCG) mechanism produces “strategy-proof” both nodes and links. We shall see that the computation of
prices to be paid to each AS for forwarding packets in transit. routing policies for offline games amounts to solving a
Strategy-proof essentially means that the ASs have no linear program, requiring information about the overall
incentive for lying about their costs and should therefore network topology as in link-state routing.
report true values. However, Afergan [24] later showed that In online games, the attacker is not forced to select a
the VCG mechanism is not strategy-proof in the context of single link/node before routing starts. Instead, the attacker
repeated games, which they argue that have more practical is allowed to scan one physical interface at every node.
significance. Blanc et al. [25] also consider the issue of However, she will not be able to catch all packets that travel
avoiding selfish behavior in routing. They propose a through the interface selected, only a fraction of these. For
reputation-based scheme to prevent some nodes from highly secure nodes, this fraction would be zero, whereas it
refusing to carry other node’s traffic (the “free-loader’s” would have high values for less-secure nodes. The
problem). computation of the routing policies that arise from this
game can be done using dynamic programming, amenable
to distributed computation as in distance-vector routing.
3 ROUTING GAMES It is important to emphasize that the abstract games
Within each deterministic router, there exists a routing table described above are not intended to represent realistic attack
that associates each possible destination IP address with the scenarios; they mostly intend to capture the facts that
address and physical interface of a next-hop router. The goal 1) simultaneous failures in multiple links/nodes are
is to, at every hop, get “one step closer” to the destination or, unlikely and, therefore, one should optimize routing for
in case the final destination is in the local subnet, the address robustness against a finite number of worst-case faults and
and physical interface of the host. that 2) an attacker will (hopefully!) have a finite set of
BOHACEK ET AL.: GAME THEORETIC STOCHASTIC ROUTING FOR FAULT TOLERANCE AND SECURITY IN COMPUTER NETWORKS 1231
In the above equation, the subscripts on the expected value 3.2.1 Heterogeneous Attacks
E emphasize the fact that the expectation depends on the By choosing distinct percentages pk for different nodes, we
routing/attack policies. The choice of a routing policy R can take into account the fact that some nodes may be more
for which (3) holds guarantees the best possible timeliness secure than others. In practice, by choosing high values for
(smallest T ), assuming an intelligent attacker that does her best pk , we are implicitly assuming that the node k is less secure.
One can also encode in the pk external information about
to prevent this. This is achieved by statistical flooding as not
where an attack is more likely to occur and/or succeed. This
fully exploring the available paths would be used by the information could be obtained, for example, from intrusion
attacker to her advantage. detection sensors that provide indications of where an
The computation of the optimal routing and attack policies attack may be occurring. In this case, the routing algorithm
can be done using dynamic programming. To this effect, for could actually adapt to the changing perception as the
each node k 2 N , we denote by Vk the optimal cost-to-go from intrusion detection sensors gain more confidence about
node k, which is the average time it takes to send a packet from which hosts have been compromised.
node k to node nend using optimal policies for each player. The percentages pk can also be viewed as design
Once the optimal cost-to-go has been computed for all nodes, parameters that allow a traffic engineer to shape the
the optimal routing policy can be computed as follows: For amount of data sent that goes through different sections
each node k, the next-hop routing distribution fr‘ : ‘ 2 L½kg of the network. For example, by increasing the values of the
pk , one can obtain routing policies that avoid links that are
over the set of links L½k that exit node k is the solution to the
especially costly or that are somehow undesirable. To some
following minimization:
extent, the percentages pk can play the role of link costs in
X
arg min max rki~akj~ mijk ; the shortest path routing.
P
r‘ :‘2L½k P
a ‘ :‘2L½k
~ ~
a ¼1 ki;kj2L½k
r ¼1
‘ ‘ ‘ ‘ 3.2.2 Computational Issues
8
ð4Þ As mentioned above, the optimal routing policies can be
< Vi þ ki~
> i 6¼ j; k 6¼ nend
mijk :¼ Vi þ ki~ þ pk Tki~ i ¼ j; k ¼ 6 nend obtained from (4) as soon as the vector of optimal cost-to-go
>
: V :¼ ½V1 V2 VN is available. According to Statement 2
0 k ¼ nend :
of Theorem 1, one can obtain V using an iteration of the
The optimal cost-to-go, Vk , can be computed with the help form
of the following function T that transforms a vector of cost-
V ðt þ 1Þ ¼ T V ðtÞ ; ð6Þ
to-go V :¼ ½V1 V2 VN into another vector of cost-to-go
V 0 :¼ ½V10 V20 VN0 ¼ T ð½V1 V2 VN Þ, where the kth ele- where T is defined by (5) and the initial vector V ð0Þ can be
anything (for example, equal to zeros for every node). In
ment of V 0 is given by
general, V is only obtained as t ! 1, but one can usually
X
Vk0 ¼ min max rki~akj~ mijk stop the iteration after a finite number of steps at the
Pr‘ :‘2L½k
P
a‘ :‘2L½k
~ ~
ki;kj2L½k
expense of getting a slightly suboptimal policy. Typically,
r ¼1 a ¼1
‘ ‘ ‘ ‘
8 the iteration is stopped when there is a small change in V ðtÞ.
ð5Þ
< Vi þ ki~
> i 6¼ j; k 6¼ nend The number of steps needed is usually on the order of the
mijk :¼ Vi þ ki~ þ pk Tki~ i ¼ j; k ¼ 6 nend maximum diameter of the graph.
>
: To compute each iteration of (6), we need to solve the
0 k ¼ nend :
minimax optimization that appears in the definition (5) of
We defer to Section 3.2.2 how these optimizations can be the operator T . This can be done using the following linear
performed and proceed to state several important proper- program:
ties of the policies just defined (refer to the Appendix for X
1
their proofs). ¼ max r~ki~
Vk0 ~
ki2L½k
Theorem 1. Assume that all of the ‘ > 0, ‘ 2 L. Then: X ð7Þ
subject to r~ki~ 0; ~ 2 L½k;
r~ki~mijk 1; 8kj
1. The vector V :¼ ½V1 V2 VN of optimal cost-to-go ~
ki2L½k
is the unique fixed point of the function T defined by (5).
2. For any (not necessarily optimal) vector of cost-to-go from which one obtains Vk0 , which is the kth element of T ðV Þ
V ð0Þ, the optimal cost-to-go can be obtained using [26, Section 2.3]. The constants mijk that appear in (7) are
defined in (5). Once the optimal cost-to-go V has been
V ¼ lim T ðT ð ðT ðV ð0ÞÞÞ Þ: obtained, the optimal next-hop routing distribution fr‘ : ‘ 2
i!1 |fflfflfflfflfflfflffl{zfflfflfflfflfflfflffl}
i times L½kg over the set of links that exit node k can be obtained
from
3. The stochastic routing policy R 2 Rsto defined by (4) r~ki~
and the stochastic attacker policy A 2 Rsto defined by rki~ ¼ P ;
~ r~kj~
a similar expression with the min and max inter- kj2L½k
changed form a saddle point pair for the game, that is, where the r~ki~ are the solutions to a linear program like (7),
(3) holds. but with the mijk replaced by the mijk that appear in (4).
BOHACEK ET AL.: GAME THEORETIC STOCHASTIC ROUTING FOR FAULT TOLERANCE AND SECURITY IN COMPUTER NETWORKS 1233
In the construction of C and s, we should exclude all links that Fig. 3. Converting a node attack to a link attack. An attack on (a) node 1
enter the source node nsrc and exit the end node nend as these is transformed into an attack on (b) link 1.
links will never be used in cycle-free routing policies. The
order in which the links are associated with the rows/
columns of C and s must be consistent. The following result, 1. Given any R 2 Rnocycle , there exists an x 2 X for
proved in the Appendix, allows one to explicitly compute the which
value of ER;A ½
.
P x ¼ ð1 þ Þ diag½RCx þ diag½Rs ð13Þ
Lemma 2. Given 0, R 2 Rnocycle , A :¼ fa‘ : ‘ a‘ ¼
1; ‘ 2 Lg 2 A and the norms of the vectors x 2 X can be bounded by
a constant that is independent of R 2 Rnocycle .
ER;A ½
¼ row½A x; ð10Þ 2. Given any x :¼ fx‘ 0 : ‘ 2 Lg 2 X that is cycle-free
where row½A denotes a row vector with one entry per link and in the sense that there is no sequence of links (2) with
p‘ a‘ in the entry corresponding to the link ‘ 2 L; x is the x‘ > 0, 8‘ 2 S, there exists an R :¼ fr‘ : l 2 Lg 2
unique solution to Rnocycle for which (13) holds, which is given by
x‘
x ¼ ð1 þ Þ diag½RCx þ diag½Rs ð11Þ r‘ :¼ P ; 8‘ 2 L; ð14Þ
‘0 2L½‘ x‘0
and diag½R is a square diagonal matrix with the r‘ in the
main diagonal. t
u where the summation is over the set L½‘ of links that
exit from the same node as ‘.
The main difficulty in solving the routing game (9) is that Equation (12) can be interpreted as the flow-conservation
the cost (10) is generally not convex on R 2 Rnocycle . law, which states that the incoming flow to a node is equal
However, the relation specified by (11) between the vectors to the outgoing flow from the same node, possibly
x and policies R is in some sense one-to-one and will allow amplified by ð1 þ Þ when > 0. Because of this, we call
us to “convexify” the cost (10) by searching for “optimal” the elements of X flow vectors.
vectors x instead of policies R. To this effect, let Cout and Cin We are now ready to state the main result of this section
be matrices with one row per node and one column per link (proved in the Appendix), which provides the solution to
such that the entry of Cout corresponding to the node k and offline routing games. We defer to Section 3.3.2 details on
link ‘ is equal to one if link ‘ exits node k and zero the computation of the optimal polices.
otherwise, and the entry of Cin corresponding to the node k Theorem 4. For every 0, the routing game (9) has saddle-
and link ‘ is equal to one if link ‘ enters node k, and this is
point policies. Moreover, the flow game defined by
not the destination node nend and equal to zero otherwise,
that is, Cout :¼ ½ck;‘ and Cin :¼ ½dk;‘ with row½A x ¼ min maxðrow½AxÞ
x2X A2A
( ð15Þ
1 9i 2 N : ‘ ¼ ki ~ ¼ max minðrow½AxÞ
ck;‘ :¼ A2A x2X
0 otherwise;
( always has a saddle point ðx ; A Þ 2 X
A with x cycle-free,
1 9i 2 N : ‘ ¼ ik; ~ k 6¼ nend from which we can construct a saddle point ðR ; A Þ 2
dk;‘ :¼
0 otherwise: Rnocycle
A to the original routing game (9) by using (14) to
compute R from x .
We further define ssrc to be a column vector with one entry per
node such that the entry corresponding to the source node nsrc
is equal to one and all others are equal to zero, that is 3.3.1 Node-Attack Variations
Although, so far, we focused our discussion on link attacks,
1 k ¼ nsrc one can easily solve the node attack problem by a suitable
ssrc :¼ sk :¼ :
0 otherwise k2N transformation of the network graph. When one wants to
In the construction of these matrices, we should exclude all consider the possibility that one node can be attacked, one
links that enter the source node nsrc and exit the end node nend . simply expands the graph by unfolding the original node
The following lemma establishes a one-to-one relation into two nodes, one that is fed by all the incoming links and
between the set of cycle-free stochastic policies (which is not another from which all outgoing links exit. The two new
convex in general) and a convex set. This will be the basis to nodes are connected by a single link from the former to the
find a solution to the routing game (9). latter that will carry all packets that pass through the
original node (cf., Fig. 3). An attack on the thus created
Lemma 3. Let X denote the convex set of vectors x :¼ fx‘ 0 : “bottleneck” link in the new graph is equivalent to an attack
‘ 2 Lg that satisfy to the node in the original graph. By choosing a suitable
percentage of packets scanned p‘ in the new link, we
Cout x ¼ ð1 þ ÞCin x þ ssrc : ð12Þ
effectively select the percentage of packets that can be
BOHACEK ET AL.: GAME THEORETIC STOCHASTIC ROUTING FOR FAULT TOLERANCE AND SECURITY IN COMPUTER NETWORKS 1235
5 CONCLUSIONS
We proposed GTSR and demonstrated through simulations
that it improves routing security. By proactively forcing
packets to probabilistically take alternate paths, stochastic
routing mitigates the effects of interception, eavesdropping,
and improves fault tolerance. The routing policies proposed
proved efficient in achieving statistical flooding at the
expense of some increase in average packet delay. A
beneficial side effect of these policies is an increase in
throughput, as they explore multiple paths. The algorithms
developed are applicable not only to the network layer, but
also to application layer overlay networks and multipath
transport protocols such as SCTP. However, when used at
the network layer, a transport layer that is robust to out-of-
Fig. 8. (a) Transmission rate and (b) drop rate of TCP-SACK and TCP- order packets such as TCP-PR [34] must be employed.
PR for different security levels . For < 10, the TCP-SACK flow We presented two alternative techniques to generate
experienced no drops. The point ¼ 0 is indicated with a triangle on top
multipath routing tables. Routing based on offline games
of the y-axis.
maximizes the spread of packets across the network, but
requires link-state information and generally results in
called TCP-PR (hash marks), both operating under GTSR.
routing matrices. Alternatively, routing based on online
For TCP-SACK, the throughput for ¼ 100 (essentially
games does not achieve the same degree of statistical
minimum-hop routing) is roughly six times larger than that
flooding, but the routing computation can be distributed as
for any other value of . This is because packets sent
through longer paths are often assumed dropped by TCP as in distance-vector algorithms.
A direction for future investigation is the development of
they only arrived after several packets that were sent later,
scalable algorithms to compute next-hop probabilities. One
but traveled through shorter paths. Because fast retransmit
is only triggered when three duplicate acknowledgments promising approach is to make use of hierarchical decom-
are received, TCP-SACK is able to handle some degree of position of routing. Since this type of approach generally
out-of-order packets. However, in all of our simulations, yields suboptimal routing policies, its impact on the GTSR
this proved insufficient to handle packets traveling through performance requires further investigation. Preliminary
paths with distinct propagation times. The fact that results on the use of a hierarchical approach to compute
standard TCP performs poorly when used in conjunction routing tables based on offline games appeared recently in
with multipath routing has been observed in [13], [33]. [36]. Alternatively, online games can be implemented under
TCP-PR was proposed in [34] and is one of several distance-vector routing and are scalable. For these algorithms,
transport layers capable of coping with out-of-order packet questions related to convergence need to be investigated.
delivery [35]. TCP-PR does not assume a packet is dropped
when out-of-order sequence numbers are observed but only APPENDIX A
when a time-out occurs. Fig. 8a shows that, for ¼ 0, the
throughput of TCP-PR is larger than all other configura- DERIVATIONS FOR ONLINE GAMES
tions. That is, the maximum-security posture actually Proof of Theorem 1. The routing of a packet can be regarded
increases throughput as a by-product because it explores as a controlled Markov chain whose state qt 2 N is a
all alternative paths and, hence, uses all available band- random variable denoting the node where the packet is
width between the source and destination. Fig. 8b shows before the hop t 2 f0; 1; 2; . . .g. For a given routing policy
the drop rate for the different TCP implementations and R :¼ fr‘ : ‘ 2 Lg 2 Rsto and attack policy A :¼ fa‘ : ‘ 2
different . Lg 2 Rsto , the transition probability function for the
A complete discussion of TCP-PR is beyond the scope of Markov chain is given by P ðqtþ1 ¼ k0 j qt ¼ kÞ ¼ rkk~0 ,
this paper. However, it was shown in [34] that TCP-PR and 8t 0. Without loss of generality, we assume that the final
TCP-SACK compete fairly over a network that does not node nend is an absorbing state, that is, that P ðqtþ1 ¼ nend j
implement multipath routing. Hence, it is possible to qt ¼ nend Þ ¼ 1, 8t 0. The
cost to be optimized can be
P1
maintain a single transport layer that is compatible with written as ER;A ½T ¼ ER;A t¼0 cðqt Þ , where
1238 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 9, SEPTEMBER 2007
X
cðkÞ ¼ rki~akj~ mijk ; Since the probability that a packet is intercepted at time t
~ kj2L½k
ki; ~
8 is given by row½AxðtÞ, we can write
>
< ki~ i 6¼ j; k 6¼ nend
X
1
mijk :¼ ki~ þ pk Tki~ i ¼ j; k 6¼ nend ER;A ½
¼ ð1 þ Þt1 row½AxðtÞ:
>
:
0 k ¼ nend : t¼1
xð1Þ ¼ diag½R s; ð22Þ Note also that, because the number of nonzero terms in
the series is always smaller than n and the R are
xðt þ 1Þ ¼ diag½RCðI diag½AÞxðtÞ; 8t > 1; ð23Þ bounded, one can construct a bound on the vectors x
where diag½R and diag½A denote diagonal matrices whose defined by (25), which is independent of R 2 Rnocycle .
To prove 2 of Lemma 3, note that the division in (14)
main diagonal contains the r‘ and the a‘ p‘ , respectively.
guarantees that the normalization condition (1) holds
From (22)-(23), we conclude that, for every t 1,
and, therefore, that R 2 Rsto . Moreover, this definition
t1 guarantees that if x is cycle free, then R is also cycle free.
xðtÞ ¼ diag½RCðI diag½AÞ diag½R s: ð24Þ
To finish the proof, it remains to show that (13) holds. To
BOHACEK ET AL.: GAME THEORETIC STOCHASTIC ROUTING FOR FAULT TOLERANCE AND SECURITY IN COMPUTER NETWORKS 1239
this effect, note that, from the definition of R, for every [3] L. Ong and J. Yoakum, An Introduction to the Stream Control
Transmission Protocol (SCTP), RFC 3286, 2002.
‘ 2 L, we have that [4] R. Blazek, H. Kim, B. Rozovskii, and A. Tartakovsky, “A Novel
X Approach to Detection of “Denial-of-Service” Attacks via Adap-
x‘ ¼ r ‘ x‘0 ¼ r‘ Cout ½kx; tive Sequential and Batch-Sequential Change Point Detection
‘0 2L½k Methods,” Proc. Systems, Man, and Cybernetics Information Assur-
ance and Security Workshop, June 2000.
where L½k denotes the set of links that exit from node k [5] W. Xu and J. Rexford, “MIRO: Multi-Path Interdomain Routing,”
from which ‘ exits and Cout ½k denotes the row of Cout Proc. ACM SIGCOMM ’06, Sept. 2006.
[6] S. Bohacek, J.P. Hespanha, K. Obraczka, J. Lee, and C. Lim,
corresponding to node k. However, since x 2 X , we then “Enhancing Security via Stochastic Routing,” Proc. 11th IEEE Int’l
have Conf. Computer Comm. and Networks, May 2002.
[7] A. Emmett, “VPNs,” Am. Networks, May 1998.
x‘ ¼ ð1 þ Þr‘ Cin ½kx þ r‘ k;nsrc ; ð27Þ [8] S. Kent, Security Architecture for the Internet Protocol, RFC 2401,
1998.
where Cin ½k denotes the rows of Cin corresponding to the [9] P.F. Syverson, M.G. Reed, and D.M. Goldschlag, “Onion Routing
node k and k;nsrc is equal to one if k ¼ nsrc and zero Access Configurations,” Proc. DARPA Information Survivability
Conf. and Exposition (DISCEX ’00), vol. I, pp. 34-40, Jan. 2000.
otherwise. This finishes the proof because (13) is a vector
[10] S. Kent, C. Lynn, J. Mikkelson, and K. Seo, “Secure Border
version of (27). u
t Gateway Protocol (s-BGP)—Real World Performance and Deploy-
Proof of Theorem 4. First, we can conclude from von ment Issues,” Proc. Network and Distributed System Security Symp.
(NDSS ’00), 2000.
Neumann’s Theorem [26] that the flow game (15) always [11] M.K. Reiter and A.D. Rubin, “Crowds: Anonymity for Web
has a saddle point ðx ; A Þ 2 X
A because the cost of Transactions,” ACM Trans. Information and System Security, vol. 1,
the game is bilinear on the policies x and A, which take pp. 66-92, 1998.
[12] C. Hopps, Analysis of an Equal-Cost Multi-Path Algorithm, RFC
values in compact convex sets. Moreover, since remov- 2992, Nov. 2000.
ing cycles from a policy never increases the cost, x can [13] C. Villamizar, “OSPF Optimized Multipath (OSPF-OMP),” Inter-
be assumed cycle free. The set X is actually not bounded net Draft (draft-ietf-ospf-omp-03), Internet Eng. Task Force, June
and therefore not compact. However, in view of 1 in 1999.
[14] E. Altman, T. Boulogne, R. El-Azouzi, T. Jiménez, and L. Wynter,
Lemma 3, we can restrict our attention to a bounded “A Survey on Networking Games in Telecommunications,”
subset of X . Computers and Operations Research, vol. 33, no. 2, pp. 286-311, 2006.
Then, let ðx ; A Þ 2 X
A be the saddle point whose [15] A. Economides and J.A. Silvester, “Multi-Objective Routing in
existence was just proved. We show next that ðR ; A Þ 2 Integrated Services Networks: A Game Theory Approach,” Proc.
IEEE INFOCOM, 1991.
Rnocycle
A, with R constructed from x using (14), is a [16] K. Yamaoka and Y. Sakai, “A Packet Routing Based on Game
saddle point for the routing game (9). To this effect, we Theory,” Trans. Inst. of Electronics, Information, and Comm. Eng., B-I,
need to show that pp. 73-79, 1996.
[17] R. Kannan, S. Sarangi, and S.S. Iyengar, “Sensor-Centric Energy-
ER ;A ½
ER ;A ½
ER;A ½
ð28Þ Constrained Reliable Query Routing for Wireless Sensor Net-
works,” J. Parallel and Distributed Computing, vol. 64, no. 7, pp. 839-
for every R 2 Rnocycle and every A 2 A. Because of (10), 852, 2004.
[18] A. Orda, R. Rom, and N. Shimkin, “Competitive Routing in
(28) is actually equivalent to Multiuser Communication Networks,” IEEE/ACM Trans. Network-
ing, vol. 1, no. 5, pp. 510-521, 1993.
row½Ax row½A x row½A x; ð29Þ [19] E. Koutsoupias and C. Papadimitriou, “Worst-Case Equilibria,”
Proc. 16th Ann. Symp. Theoretical Aspects of Computer Science,
where x is the unique solution to (11). To verify that x pp. 404-413, 1999.
belongs to X note that, left multiplying (11) by Cout , we [20] T. Roughgarden and E. Tardos, “How Bad Is Selfish Routing,”
obtain (12) because of (26). This means that (29) must hold J. ACM, vol. 49, no. 2, pp. 236-259, 2002.
because ðx ; A Þ is a saddle point of the flow game (15). t
u [21] R. La and V. Anantharam, “Optimal Routing Control: Repeated
Game Approach,” IEEE Trans. Automatic Control, Mar. 2002.
[22] L. Qiu, Y.R. Yang, Y. Zhang, and S. Shenker, “On Selfish Routing
in Internet-Like Environments,” Proc. ACM SIGCOMM ’03,
pp. 151-162, 2003.
ACKNOWLEDGMENTS [23] J. Feigenbaum, C. Papadimitriou, R. Sami, and S. Shenker, “A
BGP-Based Mechanism for Lowest-Cost Routing,” Proc. 21st Ann.
The authors thank the reviewers for several comments that Symp. Principles of Distributed Computing (PODC ’02), pp. 173-182,
significantly improved this paper. This material is based 2002.
upon work partially supported by the US National Science [24] M. Afergan, “Using Repeated Games to Design Incentive-Based
Foundation (NSF) under Grant No. ANI-0322476 and by the Routing Systems,” Proc. IEEE INFOCOM, 2006.
[25] A. Blanc, Y.-K. Liu, and A. Vahdal, “Designing Incentives for
Institute for Collaborative Biotechnologies through grant Peer-to-Peer Routing,” Proc. IEEE INFOCOM, 2005.
DAAD19-03-D-0004 from the US Army Research Office. [26] T. Başar and G.J. Olsder, Dynamic Noncooperative Game Theory.
Professor Obraczka has also been partially supported by the Academic Press, 1995.
US Army Research Office under grant W911NF-05-1-0246. [27] D.P. Bertsekas, Network Optimization: Continuous and Discrete
Models. Athena Scientific, 1998.
[28] A.V. Goldberg and R.E. Tarjan, “A New Approach to the
Maximum-Flow Problem,” J. ACM, vol. 35, pp. 921-940, 1988.
REFERENCES [29] D.P. Bertsekas, “An Auction Algorithm for the Max-Flow
[1] S. Bengio, G. Brassard, Y. Desmedt, C. Goutier, and J. Quisquater, Problem,” J. Optimization Theory and Applications, vol. 87, pp. 69-
“Secure Implementation of Identification Systems,” J. Cryptology, 101, 1995.
vol. 4, pp. 175-183, 1991. [30] D.B. Johnson, D.A. Maltz, and J. Broch, “DSR: The Dynamic
[2] D.G. Andersen, H. Balakrishnan, M.F. Kaashoek, and R. Morris, Source Routing Protocol for Multi-Hop Wireless Ad Hoc Net-
“Resilient Overlay Networks,” Proc. 18th ACM Symp. Operating works,” Ad Hoc Networking, C.E. Perkins, ed., pp. 139-172,
Systems Principles (SOSP ’01), 2001. Addison-Wesley, 2001.
1240 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 18, NO. 9, SEPTEMBER 2007
[31] R. Perlman, “Network Layer Protocols with Byzantine Robust- Junsoo Lee received the BS and MS degrees in
ness,” PhD dissertation, Massachusetts Inst. of Technology, 1988. computer science from Seoul National Univer-
[32] “The VINT Project, a Collaboration between UC Berkeley, LBL, sity, Seoul, and the PhD degree in computer
USC/ISI, and Xerox PARC,” The ns Manual (formerly ns Notes and science from the University of Southern Califor-
Documentation), Oct. 2000. nia, Los Angeles, in 2004. He is currently an
[33] D. Thaler and C. Hopps, Multipath Issues in Unicast and Multicast assistant professor of computer science at
Next-Hop Selection, RFC 2991, Nov. 2000. Sookmyung Women’s University of Seoul. Be-
[34] S. Bohacek, J.P. Hespanha, J. Lee, C. Lim, and K. Obraczka, “TCP- fore joining Sookmyung Women’s University, he
PR: TCP for Persistent Packet Reordering,” Proc. IEEE 23rd Int’l was a postdoctoral scholar at the University of
Conf. Distributed Computing Systems, pp. 222-231, May 2003. California, Santa Barbara, and the University of
[35] E. Blanton and M. Allman, “On Making TCP More Robust to California, Santa Cruz. He also worked for Samsung Electronics as a
Packet Reordering,” ACM Computer Comm. Rev., vol. 32, 2002. senior researcher at the Network and Computer Division before
[36] C. Lim, S. Bohacek, J.P. Hespanha, and K. Obraczka, “Hierarchical pursuing the PhD degree. He is a member of the IEEE.
Max-Flow Routing,” Proc. IEEE Global Telecomm. Conf. (GLOBE-
COM ’05), Nov. 2005. Chansook Lim received the PhD degree in
[37] S.D. Patek and D.P. Bertsekas, “Stochastic Shortest Path Games,” computer science from the University of South-
SIAM J. Control and Optimization, vol. 37, no. 3, pp. 804-824, 1999. ern California in 2006. She joined the faculty at
[38] R.A. Horn and C.R. Johnson, Matrix Analysis. Cambridge Univ. Hongik University of Korea in 2007. Her re-
Press, 1993. search interests include routing for wired and
wireless networks, network measurement, and
Stephan Bohacek received the BS degree in network dependability. She is a member of the
electrical engineering from the University of IEEE.
California, Berkeley, in 1989 and the PhD
degree in electrical engineering from the Uni-
versity of Southern California in 1999. He is
currently an assistant professor in the Depart-
ment of Electrical and Computer Engineering at Katia Obraczka received the PhD degree in
the University of Delaware. His research inter- computer science from the University of South-
ests include design, analysis, and control of data ern California (USC) in 1994. She is currently an
networks. His current interests include conges- associate professor of computer engineering at
tion control and routing for wireless and wireline networks, modeling the University of California, Santa Cruz (UCSC).
mobile wireless networks, and cross-layer design for wireless networks. Before joining UCSC, she held a research
He is a member of the IEEE. scientist position at USC’s Information Sciences
Institute and a research faculty appointment at
João P. Hespanha received the PhD degrees in USC’s Computer Science Department. Her
electrical engineering and applied science from research interests include computer networks,
Yale University in 1998. He is currently a more specifically, network protocol design and evaluation in wireline, as
professor of electrical and computer engineering well as wireless (in particular, multihop ad hoc) networks, distributed
at the University of California, Santa Barbara. systems, and Internet information systems. More information on her
His current research interests include hybrid and research can be found at http://www.soe.ucsc.edu/~katia. She is a
switched systems, the modeling and control of member of the IEEE.
communication networks, distributed control
over communication networks, stochastic mod-
eling in biology, and game theory. More informa- . For more information on this or any other computing topic,
tion about his research can be found at http://www.ece.ucsb.edu/ please visit our Digital Library at www.computer.org/publications/dlib.
~hespanha. He is a senior member of the IEEE.