Inherently safe backup routing with BGP

The Internet consists of a large number of autonomous systems (ASes) that exchange routing information using the border gateway protocol (BGP). Each AS applies local policies for selecting routes and propagating routes to others, with important implications for the reliability and stability of the global system. In and of itself, BGP does not ensure that every pair of hosts can communicate. In addition, routing policies are not guaranteed be safe, and may cause protocol divergence. Backup routing is often used to increase the reliability of the network under link and router failures, at the possible expense of safety. This paper presents a general model for backup routing that increases network reliability while allowing each AS to apply local routing policies that are consistent with the commercial relationships it has with its neighbors. In addition, our model is inherently safe in the sense that the global system remains safe under any combination of link and router failures. Our model and the proof of inherent safety are cast in terms of the stable paths problem, a static formalism that captures the semantics of interdomain routing policies. Then, we describe how to realize our model in BGP with locally-implementable routing policies. To simplify the specification of local policies, we propose a new BGP attribute that conveys the avoidance level of a route. We also describe how to realize these policies without modification to BGP by using the BGP community attribute.