Computer Networks. k-fault tolerance of the Internet AS graph

Transcription

1 Computer Networks 55 (2011) Contents lists available at ScienceDirect Computer Networks journal homepage: k-fault tolerance of the Internet AS graph Wenping Deng a,c,, Merkouris Karaliopoulos b, Wolfgang Mühlbauer c, Peidong Zhu a, Xicheng Lu a, Bernhard Plattner c a School of Computer, National University of Defense Technology, Changsha , China b Department of Informatics and Telecommunications, National and Kapodistrian University of Athens, Athens 15784, Greece c Computer Engineering and Networks Laboratory, ETH Zurich, Zurich 8092, Switzerland article info abstract Article history: Received 7 April 2010 Received in revised form 14 March 2011 Accepted 18 April 2011 Available online 27 April 2011 Responsible Editor: I.F. Akyildiz Keywords: BGP Inter-domain routing Reachability k-fault tolerance Resilience Internet disruptions such as the Northeast Blackout (2003) and the Taiwan earthquake (2006) highlight the fragility of today s Internet. Our goal in this paper is to investigate the robustness of inter-domain communication at the level of autonomous systems (ASes), taking into account both topological connectivity and compliance to routing policies. To this end, we introduce the concept of k-fault tolerance for Type-of-Relationship (ToR) graphs, which requires that any two nodes (ASes) remain reachable from each other even after removing arbitrary k nodes from the AS graph. Our main contribution is theoretical and concerns the complexity of the k-fault tolerance decision problem. Drawing on strong evidence about the hierarchical structure of the Internet AS graph, we derive sufficient and necessary conditions for determining whether the graph is k-fault tolerant or not in polynomial time. We then apply this theoretical result to study the network-wide resilience properties of AS-level topology instances, as inferred from large-scale experimental data sets. We find that even single-node failures can disconnect up to hundred of ASes and that approximately 1500 ASes do not avail any real redundancy for their global reachability despite having two or more upstream links. Augmenting AS-level graphs for 1-fault tolerance improves overall resilience to failures, but requires a considerable number of AS-level edges (>7000) to be added. Interestingly, such additional upstream links are mainly needed at stub networks rather than at transit ASes, pointing out the need for multi-homing at stub networks. Ó 2011 Elsevier B.V. All rights reserved. 1. Introduction Communication via the Internet has become an integral part of our everyday lives. Yet, this critical infrastructure is not as robust as it is widely thought. Events such as the Northeast Blackout [1] and the Taiwan earthquake [2] have resulted in large-scale disruptions of services and demonstrated that the resilience of the Internet needs to be studied from a global perspective. Corresponding author at: School of Computer, National University of Defense Technology, Changsha , China. addresses: wpdeng.nudt@gmail.com (W. Deng), mkaralio@ di.uoa.gr (M. Karaliopoulos), muehlbauer@tik.ee.ethz.ch (W. Mühlbauer), pdzhu@nudt.edu.cn (P. Zhu), xclu@nudt.edu.cn (X. Lu), plattner@ tik.ee.ethz.ch (B. Plattner). Assessing Internet-wide reachability (under potential failures) requires considering both topological connectivity and policy compliance. Much research effort, e.g., [4 8] has been devoted to studying Internet topology at different levels of granularity, including AS-level, PoP (point of presence)-level, and router-level. Yet, inter-domain reachability is controlled by diverse policies, decided locally by each AS, but acting globally across the entire system [9]. The fact that the reachability between two ASes depends on the existence of a policy-compliant rather than a purely topological path has sometimes been neglected in the past. In this paper, we study Internet resilience at the level of ASes, taking into account both topological connectivity and compliance to routing policies. To this end, we draw on the concept of k-fault tolerance, i.e., the reachability between any two nodes (ASes) even after removing arbitrary k /$ - see front matter Ó 2011 Elsevier B.V. All rights reserved. doi: /j.comnet

2 W. Deng et al. / Computer Networks 55 (2011) nodes from the graph. Earlier research work has provided ample evidences that the Internet AS graph has a strong hierarchical structure [10,11], rendering it a special case of general Type-of-Relationship (ToR) graphs [12,13]. According to this hierarchy, AS nodes can be organized into a number of Tiers with few AS nodes at Tier-1 being part of most shortest policy-compliant paths between all other non-tier-1 AS nodes. Taking advantage of these findings, we identify two conditions for deciding whether the Internet AS graph is k-fault tolerant: (a) existence of a Tier-1 full mesh; and (b) existence of at least k + 1 provider AS nodes for all non-tier-1 ASes. These two are necessary and sufficient conditions for realistic Internet ToR graphs and can be checked in polynomial time. This theoretical result adds to a series of earlier results about connectivity in general ToR graphs [12,13]. However, the theoretical value of k-fault tolerance can also give us insights to the robustness of today s Internet as a whole: how far away the current Internet is from a more resilient connectivity as well as how expensive it would be to reach such a better Internet. Based on large-scale data sets [14,15], we find that augmenting the ToR graph to k-fault tolerance not only guarantees reachability after arbitrary failures of k ASes, but also provides significantly better resilience when more than k failures occur. However, even to achieve 1-fault tolerance, a considerable number of additional AS-level links (>7000) need to be added to the original graph. The number reduces to approximately 600 if we leave aside stub AS nodes, pointing out the need for multi-homing at stub networks. Although any existing map of the AS graph is inherently incomplete [16], such numbers clearly point out that the Internet is not immune against any failures. The remainder of this paper is structured as follows: Section 2 summarizes fundamental background on Internet AS-level graphs and AS relationships. Section 3 introduces the k-fault tolerance property for general ToR graphs, maps the Internet AS-level topology to a hierarchical ToR graph, and presents our algorithm for its k-fault tolerance decision problem. Section 4 then exploits the algorithm to gain insights into the k-fault tolerance properties of Internet AS-level graphs, as inferred from real experimental traces. Section 5 iterates on assumptions of our work and the implications of our results. We position our work with respect to related research in Section 6 and conclude in Section AS relationships and AS graph model The Border Gateway Protocol (BGP) [3] is the de facto standard inter-domain routing protocol. Whenever two ASes peer with each other, they establish BGP sessions between at least two of their border routers to exchange reachability information. In contrast to intra-domain routing protocols, which are mainly designed to optimize network performance, BGP is a policy-based routing protocol. The need for routing policies stems from the economic structure of the Internet. Some ASes earn money by selling transit services to other ASes (their customers), while at the same time themselves may be customers of other provider networks. Given such economic relationships, ASes sometimes only propagate a limited set of routes to their neighbors, rather than the complete set of routes they have learned from their neighbors. Moreover, ASes may prefer certain routes over others if sending traffic over a certain peering is cheaper. AS relationships [17] are the most wide-spread of all policy models that have been suggested in the past. The business relationship between two peering ASes is implemented via routing policies that define which paths are selected for traffic forwarding and which paths are exported to neighbors [18]. While routing policies can be rather specialized [19], AS relationships classify any directed link of an AS graph into one of the following types: customer provider (c2p), peer-to-peer (p2p), or sibling (s2s). While in a c2p relationship the customer pays the provider to obtain transit through the provider s network, p2p assumes that two peering ASes share the deployment and maintenance cost for the connecting links. Siblings are peering ASes that have a mutual transit agreement, e.g., merging ISPs. Formally, topological connectivity and policy compliance can be analyzed over Type-of-Relationship (ToR) [20] graphs G =(V,E,R): the nodes V are ASes, the edges E reflect AS-level peerings, and the edges are annotated with AS relationships R ={p2c, c2p, p2p, s2s}. We will use the terms AS and node as well as edge and link interchangeably in the following sections. Under the AS relationship policy model, a common assumption is that the valley-free property [18] holds: ASes should not be used as a transit between two of its providers or peers. For this reason, routes learned from provider and peer neighbors are not propagated to other provider or peer ASes. Formally, this can be expressed as follows: let p be an AS path p =(v 1,v 2,...,v k ) from v 1 to v k.if(v i,v i+1 ) (1 6 i < k) is a p2c edge or a p2p edge, then for any j (i < j < k) the edge (v j,v j+1 ) must be of type p2c or s2s. Gao et al. [17] characterize a path as downhill (uphill) if it only contains p2c or s2s links (c2p or s2s links) and therefore any valid (valley-free) path must match one of the following patterns: (1) Pattern 1: an uphill path; (2) Pattern 2: a downhill path; (3) Pattern 3: an uphill segment followed by a downhill segment; (4) Pattern 4: an uphill segment followed by a p2p link; (5) Pattern 5: a p2p link followed by a downhill segment; (6) Pattern 6: an uphill segment followed by a p2p link, followed by a downhill segment. Existing data sets [14,15] have revealed that s2s relationships are rare in the AS topology. Previous work has sometimes tacitly ignored s2s links [22], or treated s2s links as p2p links [23]. In this paper, we adopt the latter approach and treat s2s links as p2p links in the ToR graph. Consequently, a downhill path is simply defined as a sequence of links that exclusively consists of p2c links while uphill paths only include c2p links. 3. k-fault tolerance of the Internet AS graph The ultimate objective of this paper is to devise an efficient method for assessing the resilience characteristics of AS-level Internet maps. We start with the definition of a k-

3 2494 W. Deng et al. / Computer Networks 55 (2011) fault tolerant ToR graph in Section 3.1. Then, we formally characterize the AS-level hierarchy in Section 3.2 and reachability between individual ASes in Section 3.3. Finally, we present our solution for the k-fault tolerance decision problem in Section 3.4 and quantify the number of additional links that need to be added to the Internet ToR graph to make it k-fault tolerant, see Section The k-fault tolerance decision problem: general ToR graphs We draw on the concept of k-fault tolerance for general ToR graphs, as defined in Section 2. Definition 1 (k-fault tolerant ToR graph). Let G =(V,E,R) be a ToR graph as defined in Section 2. G is k-fault tolerant if any pair of nodes can reach each other via at least one valid policy-compliant path even if any other k nodes are removed from G. To decide whether a given arbitrary ToR graph is k-fault tolerant, one would need to determine whether there exists a node pair {s,t} with minimum node-cut size of less than k + 1. This problem can be answered easily in the trivial case where one ToR graph node has connectivity degree 6k. Yet, this problem is more challenging in the general case. From Erlebach et al. in [12] we know that in general ToR graphs, it is NP-hard to find the maximum number of node-disjoint valid paths and the minimum node cut size for a given node pair {s,t}, their ratio being tightly restricted within [1/2,1]. The authors also prove that for general ToR graphs and constant k, it is NP-hard to decide whether there are k node-disjoint valid paths between given nodes {s,t}. To the best of our knowledge, there is no complexity result on the respective decision problem concerning valid node-cuts for a given node pair {s,t}; even more so for the problem of determining whether there is any node pair in the ToR graph with minimum node-cut size 6 k. Nevertheless, there is significant evidence in literature [10,11] that the AS-graph is structured hierarchically. This is a direct consequence of the business model that underlies today s Internet: ISPs pay other ISPs to forward their traffic (c2p), or two ISPs agree that connecting directly to each other would mutually benefit both (p2p) [19]. By nature, AS A will not become a customer of AS B if AS B is customer of AS C and AS C is already a provider of AS A. Such economic aspects explain why the Internet is inherently hierarchical with large providers at the top and small customer ASes at the bottom layer. This hierarchical structure renders the AS-graph a special form of ToR graphs and enables us to propose a polynomial-time algorithm for the k- fault tolerant decision problem Hierarchy of the Internet AS graph Drawing further on AS relationships, Gao and Rexford [21] state that the inter-domain topology of the Internet is inherently hierarchical: customer ASes are at lower levels in the hierarchy than their provider ASes, while at the top of the hierarchy, there are around 10 core ASes called Tier-1 ASes that have no provider and form a full mesh of AS-level peerings through p2p links [10]. The AS Internet graph hierarchy can be explicated as follows: (1) node pairs at Tier-1 form a full mesh (clique) through p2p links; (2) node pairs at the same level cannot have c2p links (a provider AS should always be at a higher level than its customer AS); (3) p2p links can exist between node pairs either at the same level or different levels of the hierarchy. Consequently, there should not be any directed cycles of c2p edges, i.e., AS A cannot be provider of AS B, if B is provider of AS C and C is provider of A. Equivalently, if we adopt the p2p substitution process in [21] and replace each p2p edge (u,v) with two directed edges {u,z} and {v,z}, where z is a new dummy vertex, the resulting purely directed graph is a directed acyclic graph. Apart from customer-provider and peerto-peer there exist also other less frequent business relationships. One example are siblings where neighboring ASes have a mutual transit agreement. Often the two ASes are merging ISPs or they adopt this scheme to obtain Internet connection backup. This hierarchy effectively classifies all ASes into three categories: core AS, transit AS, and stub AS. While core ASes are the Tier-1 ASes (in the following sections, we will use the two notions interchangeably), stub ASes are the domains that have no customer ASes and are located at the edge of the Internet. Finally, as transit ASes we denote ASes that have both upstream providers and downstream customers; therefore, they are located in the middle of the hierarchy. Throughout this paper, the term non-tier-1 ASes signifies the combined set of stub and transit ASes. Gao et al. [11] present a method to precisely construct the hierarchy of the ToR graph. In principle, their method classifies an AS as Tier-1 (level 1) if it does not have any provider. Besides, an AS node belongs to level i + 1 if it has at least one provider AS that belongs to level i and no provider that belongs to a level higher than i. For example, if AS A has two providers B and C lying at different levels, then level(a) = max{level(b), level(c)} + 1. We provide in Fig. 1 an example on how to decide the level of a node that has multiple providers: node G in Fig. 1(a) has two providers C and H. According to the hierarchy characterization, C is at level 1, and H is at level 2, hence level(g) = max{level(c),level(h)} + 1 = 3. Therefore the Internet ToR graph G =(V,E,R) can eventually be viewed as a hierarchical ToR graph G H =(V,E,R,H), where H is the mapping of nodes to hierarchy levels. Each AS node v 2 V is assigned a unique level number H(v). The set of nodes in the mth hierarchy level can be represented by V m ={vjv 2 V,H(v)=m}. In particular, V 1 is the set of the Tier-1 ASes, whereas non-tier-1 ASes are ranked at levels 2 to M. Tier-1 full mesh: According to the valley-free property, two Tier-1 ASes, say u and v, can reach each other if and only if they have a direct p2p relationship. If they had a p2c (or c2p) relationship, then one would be a provider of the other, and this would contradict the fact that Tier-1 ASes are provider-free. If they were indirectly connected via at least one middle node x, the path segment u x v inevitably violates the valley-free property. Hence, Tier-1 ASes have to form a full mesh of p2p relationships.

4 W. Deng et al. / Computer Networks 55 (2011) Fig. 1. An example for hierarchy characterization Reachability between individual ASes As discussed in Section 2, an AS path is only considered to be valid if it follows any one of six patterns (Patterns 1 6). In order to study the connectivity of individual ASes, we introduce the term Tier-1 uphill path as follows: Definition 2 (Tier-1 uphill path). Given a non-tier-1 AS n 0 and a c2p link sequence {hn 0,n 1 i,hn 1,n 2 i,...,hn i 1,n i i}, if n i is the single Tier-1 AS in {n 0,n 1,...,n i 1,n i }, then n 0 n 1 n i 1 n i is called a Tier-1 uphill path. Claim 1. Let G =(V,E,R,H) be a ToR instance of the Internet AS topology. Then, any pair of nodes m and n in G (m n) having Tier-1 uphill paths can reach each other. Proof. The proof is straightforward. By definition, there is a Tier-1 uphill path p m = m m 1 m i for m and a Tier-1 uphill path p n = n n 1 n j for n, respectively, where H(m i )=H(n j ) = 1. If p m and p n contain a common node, then there is a valid path between m and n consisting of an uphill sub-path and a downhill sub-path following Pattern 5 (e.g., valid H-I path in Fig. 2); otherwise, there is a valid path between m and n formed by the Tier-1 uphill path of m, followed by a p2p link (hm i,n j i), and the reverse (downhill) Tier-1 uphill path of n following the Pattern 6 as described in Section 2 (e.g., valid H G path in Fig. 2). h The existence of Tier-1 uphill paths is a sufficient but not necessary condition for reachability between two ASes: two ASes can also reach each other via paths that do not traverse the Tier-1 level. For example, both nodes H and I in Fig. 2 have a Tier-1 uphill path, yet there is a valid path H F I that does not include any Tier-1 AS. One may think now that an AS is always reachable after the failure of k random upstream ASes, if it has at least k + 1 upstream providers. Yet, this is not true as the example demonstrated in Fig. 3. Hence, the resilience of a single AS to node/link failures does actually depend on the number of node-/edge-disjoint Tier-1 uphill paths, explaining why assessing Internet-wide resilience is challenging and requires to study the whole Internet graph The k-fault tolerance decision problem: hierarchical ToR graphs We now state our necessary and sufficient conditions to determine the k-fault tolerance of hierarchical ToR graphs, as defined in Section 3.1. Theorem 1. Let G H = (V,E,R,H) be a hierarchical ToR graph with each non-tier-1 AS node having less than (jv 1 j k) (jv 1 j is the number of Tier-1 nodes) direct p2p links with Tier-1 ASes. G H represents a k-fault tolerant AS-level topology if and only if the following two conditions are satisfied: Fig. 2. Reachability between AS pairs that have Tier-1 uphill paths. Fig. 3. Multiple upstream links are not enough for k-fault tolerance: although both nodes K and L have multiple upstream links, K may lose all its Tier-1 uphill paths under the failure of node E, while L may lose all its Tier-1 uphill paths under failure of either node F or link hf,bi.

5 2496 W. Deng et al. / Computer Networks 55 (2011) (1) Tier-1 full mesh: all Tier-1 nodes (V 1 ) in the graph are connected via direct p2p links; (2) k + 1 UP link redundancy: for any node v 2 VnV 1, v has at least k + 1 c2p links (UP links) to different provider ASes. Proof. First, we show that the two conditions are sufficient conditions for the k-fault tolerance of the hierarchical ToR graph; then we prove that they are also necessary conditions. We consider scenarios of arbitrary k node failures. Let F ={i 1,i 2,...,i k } be the set of the k failed nodes. Since each non-tier-1 node has more than k UP links, it still has at least one c2p link connecting to a provider AS at a higher level. Therefore, for any given non-tier-1 node v in the residual graph VnF, this non-tier-1 node can always use a Tier-1 uphill path to reach a Tier-1 AS; and for any given node pair s and t, each of them holds at least one Tier-1 uphill path. According to Claim 1, nodes s and t are still reachable from each other. Therefore, the two conditions are sufficient conditions for k-fault tolerance. Now, we prove that the two conditions are necessary for k-fault tolerance: By definition, two Tier-1 ASes can only reach each other if they are connected via a direct p2p link. In principle, there exist also other options for enabling k + 1 reachability between Tier-1 ASes. Yet, none of them can satisfy the stronger requirement for direct (1-hop) paths between all pairs of Tier-1 ASes in the presence of k node failures. Hence, Tier-1 full mesh is a necessary condition. With respect to the k + 1 UP link redundancy condition, let us assume for a moment that it is not necessary. Then, there would be a k-fault tolerant AS graph with a non Tier-1 node v (v 2 VnV 1 ) having less than k + 1 providers; namely, node v has up to k (Tier-1) provider nodes. Since v has less than (jv 1 j k) direct p2p links with Tier-1 nodes, the set of Tier-1 nodes can be classified into three disjoint subsets: C 1, consisting of nodes that have direct p2p links with node v (jc 1 j 6 jv 1 j k 1); C 2, consisting of nodes that have direct c2p links with v (jc 2 j 6 k); and C 3, consisting of nodes that have no direct link with v (jc 3 j P 1 and j(c 2 + C 3 )j P k + 1 because jc 1 j 6 jv 1 j k 1). Consequently, k failures can already destroy all direct c2p links between node v and Tier-1 nodes and there is at least one Tier-1 node that has neither direct p2p nor p2c links with node v. Node v can only reach such Tier-1 nodes through two successive p2p links but this would violate the valley-free property. Hence, our initial assumption results in a contradiction and the k + 1 UP link redundancy condition is necessary. h Notice that Theorem 1 includes a supplementary restriction, i.e., each non-tier-1 AS node having less than (jv 1 j k) direct p2p links with Tier-1 ASes. Without this restriction, the two conditions are still sufficient. For example AS nodes A, B, C are at level 1, AS node D is at level 2, D has c2p edges to A and B and a p2p edge to C. Even if D loses its 2 providers A, B, it can still reach the remaining node C via its p2p edge. Namely, the non-tier-1 node D only has 2 UP links (not 3 UP links), yet the graph is in fact 2-fault tolerant: no matter which two nodes are removed, the remaining two nodes can still reach each other. However, we argue that the restriction on the number of p2p links to Tier-1 AS nodes is justifiable from a practical perspective in the Internet. For small k values, in particular, e.g., 1-fault tolerance or 2-fault tolerance, (jv 1 j k) jv 1 j. Presumably, few if any non-tier-1 nodes have p2p links with the full set of Tier-1 nodes, as we verify later in Section 4.1. k-fault tolerance to link failures: Theorem 1 states the necessary and sufficient conditions only for k-fault tolerance to node failures but not for link failures. As demonstrated in preceding sections, two Tier-1 ASes can only reach each other via a direct p2p link. Hence, the Tier-1 full mesh is vulnerable to single link failures. However, the results of [24] reveal that at least 75% of the links between adjacent Tier-1 ASes are redundant, i.e., the logical p2p link between these ASes is implemented with multiple physical links. Ignoring the link failures in the Tier-1 mesh, Theorem 1 also holds for the k-fault tolerance to link failures: if a ToR graph satisfies the two conditions, it is k-fault tolerant to failures of arbitrary k links (which are not links between Tier-1 nodes). The proof can be done in a similar way as for Theorem 1. k-fault tolerance decision: Theorem 1 provides two necessary and sufficient conditions for a hierarchical ToR graph to be k-fault tolerant. Since there exist only 10 through 20 fully meshed Tier-1 ASes, the first condition can be checked in constant time. However, for the second condition one has to iterate over all non-tier-1nodes. Hence, the overall time complexity of the decision problem is O(jVj + jej) AS-level graph augmentation for k-fault tolerance The two conditions of Thereom 1 allow to compute the number of additional links for the k-fault tolerance augmentation for the original hierarchical ToR graph. According to Condition 2, we only need to find ASes, if any, that do not avail k + 1 UP links and, add to them the missing number of UP links. k-fault tolerance augmentation: to achieve k-fault tolerance, for each non-tier-1 node with m UP links (m < k + 1), randomly select another k +1 m nodes from its upper tiers and add them as UP links (c2p). Let N i (i =0,1,2,...,k) be the number of the non-tier-1 nodes that have exactly i providers. The total number of required c2p links je extra j can be calculated as: je extra j¼ Xk i¼0 ðk þ 1 iþn i : ð1þ Fig. 4 gives an example for enhancing a given ToR graph to establish 1-fault tolerance, where each non-tier-1 node must have at least 2 UP links. Since there are 6 non-tier-1 nodes with only 1 provider, we totally need 6 additional UP links. Apparently, this task is much harder to carry out in

6 W. Deng et al. / Computer Networks 55 (2011) Fig. 4. An example for the 1-fault tolerance augmentation. practice. An AS does not have infinite freedom in adding links to other ASes due to commercial and geographical constraints. 4. Experimentation results As shown in Table 1, the CAIDA dataset reports more ASes than AquaLab, whereas the AquaLab dataset contains more AS-level links. Moreover, the number of links classified as p2p (48,216) for AquaLab is significantly higher than that for the CAIDA set (6321). The analysis we perform in the following sections generally draws on the merged data set from both sources. We admit that any measured Internet map is inherently limited in terms of its visibility [16]. Nonetheless, the two datasets are sufficient for the purpose of this section, namely to demonstrate the concepts and methods we introduced for k- fault tolerance in Section 3. For both data sets, AS relationships are inferred by using standard techniques, e.g., [18]. To extract the hierarchical structure of the AS-level topology, we first determine Tier-1 domains. Relying on a full mesh of p2p links between all provider-free ASes as a criterion for inference of Tier-1 ASes turns out to be too strict. After all, our view of the Internet is limited and likely to miss actually existing AS-level edges. For this reason, we first select nodes with connectivity degree higher than a threshold D as Tier-1 candidates, say D = 600. Nodes having p2p relationships with a large enough proportion (P) of other Tier-1 candidates (e.g., P = 80%, rather than 100%) are then classified as Tier-1 ASes. We totally obtain 14 Tier-1 ASes, including AS 174 (Cogent), 209 (Quest), 701 (UUnet), 1239 (Sprintlink), 2828 (XO Com.), 2914 (NTT-Com.), 3356 (Level3), 3549 (Gblx) and 7018 (AT&T WorldNet). We point out that our Table 1 Illustration for the data sources. Source # of ASes # of AS relationships c2p p2p (including s2s) Unclassified CAIDA 32,381 66, (30/08/2009) AquaLab 31,554 93,620 48, (28/08/2009) Combination 35, ,768 51,432 0 (neglect) inferred list of Tier-1 ASes is highly consistent with the lists provided by CAIDA, Wikipedia, and other sources. Finally, all non-tier-1 ASes can be mapped to the hierarchy using the method described in [11] Validity of Theorem 1 Before proceeding with results providing insights to the Internet k-fault tolerance properties, we deem appropriate to check the validity of the supplementary condition in Theorem 1 about the number of p2p links between Tier-1 and non-tier-1 AS nodes. Recall from Section 3 that the necessity of the two conditions of Theorem 1 is subject to the condition that each non-tier-1 AS node has less than (jv 1 j k) direct p2p links with Tier-1 ASes; otherwise, the two conditions in Theorem 1 are reduced to sufficient only. For each value of k, Table 2 lists the number of non-tier- 1 ASes having k p2p links to Tier-1 ASes. It is straightforward to see that there is only a dozen of non-tier-1 ASes having more than 6 p2p links to Tier-1 ASes. Out of them, only 1 AS (AS 2686, AT& T Global Network Services) has the maximum value of 11 p2p links with Tier-1 ASes, followed by AS 8075 (Microsoft) and AS 8220 (Colt Technology Services) with 9 p2p links. Since the number of inferred Tier-1 ASes is jv 1 j = 14 and all non-tier-1 ASes have less than 12 p2p links with Tier-1 ASes, the supplementary condition is strictly satisfied when k = {0,1,2} and violated by a single node for k = {3, 4}. Therefore, Theorem 1 practically holds for all realistic values of k. Table 2 Number of direct p2p links that non-tier-1 ASes have with Tier-1 ASes. # of p2p links Frequency of non-tier-1 ASes P12 0

7 2498 W. Deng et al. / Computer Networks 55 (2011) Fig. 5. Nodes with m upstream links could well have less than m disjoint Tier-1 uphill paths Multiple provider links do not suffice for fault-tolerance We have already discussed in Section 3.3 that the existence of multiple provider links alone does not suffice for k-fault tolerance; hereby, we elaborate further on this argument. Fig. 5 compares the numbers of upstream links and edge-/node-disjoint Tier-1 uphill paths for non-tier-1 ASes. Our results show that although 78.1% of all non- Tier-1 ASes have multiple upstream links, the percentage of ASes with multiple edge-(node-) disjoint Tier-1 uphill paths is only 74.2%( 73.6%). Hence, about 4.5% of ASes (about 1500) having more than one upstream provider link, avail no Tier-1 uphill path diversity. Each one of these ASes, could lose its single Tier-1 uphill path, hence its global reachability, under single AS node- (or even link- for most of them) failure. Likewise, an additional 2.2% of ASes have two disjoint Tier-1 uphill paths, despite availing c2p relationships with more than three provider nodes. On the other hand, to augment the graph for k-fault tolerance, each non-tier-1 AS needs k + 1 uplinks, as long as all ASes respect the conditions of Theorem 1. Given a non-tier-1 AS with n(n > k +1) UP links, the extra n k 1linkswouldbe redundant from the perspective of ensuring k-fault tolerance. In Table 3, we list the number of such redundant links. Contrasting these numbers with the statistics in Fig. 5, one may conclude that: (a) individual ASes tend to peer with more ASes than they would need, at least from a fault tolerance point of view; (b) yet this redundancy at global level is not optimally used and cannot ensure the intended fault-tolerance for all of them. More generally, the decision with how many and whom to peer may be driven by different objectives, e.g., achieving optimal performance in terms of, say, delay for the AS s customers, ensuring reachability of popular destinations in the Internet, or simply saving costs. In terms of fault tolerance, and as long as the k-fault tolerance conditions cannot be enforced at global level, the safe, but also more expensive, choice for an AS would be to ensure k + 1 links to Tier-1 domains. Table 3 Statistics on redundant links for k-fault tolerance augmentation. k # of redundant UP links Cost of AS-level graph augmentation for k-fault tolerance For a given ToR graph that is not k-fault tolerant, k failures can disrupt the reachability of ASes with less than k upstream providers. We look closer into the impact of single node failures 1 and single upstream link failures on the ASlevel resilience for k = 1. In both cases, we count how many downstream ASes will be disconnected in the worst case (removing the node that can disconnect most AS pairs) and on average. We see from Table 4 that the worst-case removal of one transit or Tier-1 AS (AS 7018) can disconnect 272 ASes from the largest connected component, whereas the worst-case removal of a single upstream link (AS-level edge ) can disconnect only 10 ASes from the largest connected component. Therefore, the addition of backup upstream links can benefit the AS-level connectivity even under the simplest failure scenarios. We will elaborate further on the achievable fault-tolerance under more complex node- and link-failure scenarios in Section Complete AS-level graph augmentation for k-fault tolerance Table 5 reports the distribution of UP links over the AS nodes, discriminating between stub and transit ASes. Using Eq. 1, we find that 7747 ( ) additional UP links 1 We ignore failures of stub ASes since the removal of a stub AS can never affect other ASes.

8 W. Deng et al. / Computer Networks 55 (2011) Table 4 Impact of single node and link failures. # of Disconnected ASes Single node failure Single upstream link failure Worst case Average need to be added to our ToR instance to achieve 1-fault tolerance. Likewise, 28,549 ( ,074) additional links are required for 2-fault tolerance. Apparently, adding such a large number of additional links would involve fundamental changes to the structure of inter-domain connectivity in today s Internet. It is questionable to what degree this overhead is justified to increase Internet resilience since adding UP links at some few critical Internet nodes may already yield significant improvements in terms of overall resilience. This conjecture is supported by the findings in the following section k-fault tolerance for transit ASes only On the one hand, we observe high costs for augmenting a complete Internet ToR graph to be k-fault tolerant. On the other hand, a failure of a stub AS never affects reachability between any other ASes. Therefore, we seek a compromise between the cost and benefits of increased resilience by Table 5 Number of non-tier-1 ASes with q UP links. q Total Percentage (%) Stub ASes Transit ASes > establishing k-fault tolerance only for transit ASes. This can guarantee the reachability between all transit AS pairs even if there are k failures. Note that a failure between a stub AS and a transit AS could only disconnect this single stub AS. Looking back at Table 5 for the number of ASes that need to increase their connectivity, we see that only 595 additional UP links are required to achieve 1-fault tolerance for transit ASes. Even for 2-fault tolerance, 2298 ( ) additional links suffice when we consider only transit ASes. This is much less than when we require k-fault tolerance for the complete graph Fault-tolerance properties of the augmented AS-level graph By definition, a k-fault tolerant graph can survive arbitrary k failures. Hence any pair of nodes can still reach each other as long as there are no more than k failures. Here, we estimate the resilience gain when making an AS graph k- fault tolerant. Considering the high cost for 2-fault tolerant graphs, we take k = 1 for our case study. In order to evaluate the resilience of the ToR graphs, we distinguish between two different scenarios: random failures and deliberate attacks. We mainly rely on two metrics: (1) percentage of reachable node pairs, P r, in the residual graph, and (2) the ratio q = size of the largest connected component/ number of remaining nodes after nodes or links have failed. Note that we determine the largest connected component as the largest set of node pairs such that every pair can reach each other via a valley-free path Fault-tolerance to node failures Random failures. In each scenario, we randomly let n nodes fail, increasing n in 100 steps from 100 to 3500, which corresponds to approximately 10% of all AS nodes. For each n we carry out multiple simulations and compute the average values of the two metrics. Fig. 6(a) plots the size of the largest connected component after the failure of n nodes for the original graph, and for ToR instances that Fig. 6. Node: random failures.

9 2500 W. Deng et al. / Computer Networks 55 (2011) have been made 1-fault tolerant. Fig. 6(b) presents the comparison of the percentage of reachable node pairs in the residual graph between the original ToR graph and the 1-fault tolerant graph. The plots reveal that the 1-fault tolerant graph exhibits significantly better resilience than the original graph. For example, after randomly removing 1000 nodes, the number of remaining nodes is 34,273 for the original graph, and the size of the largest connected component is 34,058 (215 nodes are disconnected from the main component). Yet, for the 1-fault tolerant graph, the largest connected component has 34,262 nodes (only 11 nodes are disconnected from the main component). Deliberate attacks. Contrary to the random failure scenario, the selection of nodes to fail is biased. All AS nodes are ranked according to their degrees and the top 100 are selected. The number of failed nodes n is increased from 1 to 100. Except for the selection of failed nodes, the approach is the same as for random failures. Yet, since nodes with high degrees are more important for global reachability, studying deliberate attacks can provide insights to the worst-case behavior in terms of resilience. Fig. 7(a) and (b) reveal again that the 1-fault tolerant graph exhibits significantly better resilience than the original graph. For example, after removing the top 100 nodes, for the original graph the percentage of reachable node pairs is only 53.2%, whereas for the 1-fault tolerant graph it rises to 63.4%, i.e., it experiences an increase of approximately 20% Fault-tolerance to link failures We now turn our attention to link failures. In each scenario, we randomly select n links to fail. We increase n from 100 to 3500 links in 100 steps and determine the percentage of ASes that are part of the largest connected component in the residual graph. Again, we find that the augmented 1- fault tolerant graph exhibits significantly better resilience than the original graph, see Fig. 8(a). Moreover, our graphs are more resilient to link failures compared to node failures. Fig. 7. Node failures: deliberate attacks. Fig. 8. Link failures: size of the main component/number of remaining nodes.

10 W. Deng et al. / Computer Networks 55 (2011) After removing 1000 links randomly, the largest connected component still has 35,223 nodes (only 50 nodes are disconnected) even for the original graph. We repeat this experiment, this time considering deliberate attacks. To this end, we order links by the product of the degrees of the ASes that they connect. In other words, we first remove those links that are likely to be crucial for Internet-wide reachability. Fig. 8(b) shows that the removal of the first 12 links brings the value of q down to around 94% for the 0-tolerant graph and to 98% for the 1- tolerant graph, respectively. By cross-checking we find that these 12 edges all correspond to p2p links between Tier-1 nodes. Evidently, these links in the Tier-1 layer are needed by many ASes to mutually reach each other. However, the almost horizontal line in Fig. 8(b) suggests that subsequent link removals do not cause any significant degradation of our metric. According to Table 5, we know that most transit ASes have multiple UP links (a big AS usually has several to dozens of providers). Hence, further removal of upstream links between pairs of big ASes can rarely affect Internet-wide connectivity. 5. Discussion One major contribution of this paper are the necessary and sufficient conditions for efficiently determining whether a given ToR graph is k-fault tolerant. Besides this theoretical aspect, our results suggest some practical implications for the real Internet. Yet, we point out that this paper has only studied resilience at AS level and made some assumptions about correctness and structure of AS relationships. In the following, we briefly discuss these issues and justify why we think that our insights are still valuable for the real Internet. Both our proposed methods and the performed analysis rely on AS graphs and ignore the underlying physical topology. Indeed, each AS can consist of multiple routers and each AS-level link can correspond to multiple physical peering links at different geographic sites. Evidently, such redundancy improves the resilience behavior of the Internet. Yet, we believe that a study based on the AS-level topology is still insightful. Severe problems within an AS may actually still cause the failure of a complete node in an AS-level topology, something which can be studied based on an AS graph. Moreover, past experience teaches us that complete disruption of connectivity between two ASes actually does happen [2] and is not pure speculation. Although the AS relationship policy model is widely used, the reality is more complex. Dimitropoulos et al. [25] point out that there exist AS-level links for which different relationships coexist. For example, AS A and AS B may have two physical peerings where one implements a c2p relationship while the other follows a p2p policy. However, [25] concludes that such hybrid relationships remain an exception. Therefore, AS relationships still provide a good abstraction to determine which topologically available routes are consistent with business relationships in the real Internet. A far more critical assumption for the results of our paper is the absense of directed cycles in the Internet AS graph. This assumption is extensively checked in [13], using four popular AS relationship inference algorithms over five different AS graph snapshots. No directed cycles are practically found in graphs, called type C and D in [13], which are produced by the algorithms of Subramanian et al. [17] and Gao [10], respectively. On the contrary, directed cycles are detected in the other two types of graphs, called type A and B in [13]. However, the authors admit that the detection of such cycles presumably points to misclassifications of AS relationships and even use them as guides for replacing misclassified edges in A- and B-type graphs. Certainly, individual ISPs already know about their peering partners and thus are in a position to identify whether there exist weak points in the way their network is connected to other networks. However, it is hard for an ISP to assess reachability of its network by others. Our holistic approach based on Internet-wide AS-level maps and routing policies can help such an ISP to better understand if and how the rest of the Internet can reach its own network after the failure of links or nodes. Overall, the motivation behind our proposed k-fault tolerance metric is more to shed light on resilience from an Internet-wide perspective rather than to provide a tool that helps individual ASes to assess their resilience. We are convinced that a global view of Internet resilience is needed to reveal and understand potential deficiencies such as those brought up by our analysis in Section 4.2. These insights can then motivate a rethinking of more selfish AS-centric peering policies in favor of more coordinated strategies, coupled with new architectural approaches for improved network resilience [34]. In this regard, researchers can rely on k-fault tolerance as a metric to assess the robustness of future Internet AS-level topologies, that will emerge from the adoption of novel routing schemes, e.g., locator/identifier separation [35]. 6. Related work Early 21st century research on Internet-wide resilience [7] argues that the Internet AS-level topology is a scale-free network due to the power-law distribution of node degrees. Moreover, [28 30] use general metrics and methods of graph theory and complex networks to study resilience of Internet connectivity. However, they do not take into account constraints of routing policies. Discovering the Internet topology at AS level by traceroute has been extensively studied in the literature [26]. Chen et al. [4] generate maps of the Internet AS graph annotated with AS relationships using traceroutes from P2P users. The authors of [17,25] have proposed techniques to infer AS relationships based on observed AS path information from collections of BGP routing tables. Both the number and type of inferred relationships may differ depending on the data collection method and the inference algorithm [13]; however, AS relationships remain the de facto model for capturing Internet interdomain routing policies. The mapping of inferred AS relationships to ToR graphs is the starting point for studying more systematically the Internet AS graph structure and connectivity. The authors

11 2502 W. Deng et al. / Computer Networks 55 (2011) of [11,10] analyze the hierarchical structure of the Internet based on the AS relationship model and propose several hierarchical models for the Internet. Kind et al. [27] investigate the valley-free shortest path routing problem between two ASes. Based on the valley-free path model, a transformation method is proposed to map a ToR graph with AS relationships to a dual directed graph. Several theoretical results about the connectivity properties of general ToR graphs are obtained by Erlebach et al. in [12,13].In[12] the authors prove that it is NP-hard to find the maximum number of node (link)-disjoint valid paths and the minimum node cut size for a given node pair {s,t}, whereas the respective edge cut size can be found in polynomial time. They show that the min node (link) s-t-cut size in these graphs may be up to twice the maximum number of node (link)-disjoint valid paths. 2 Whereas in [13], they improve approximation algorithms earlier proposed in [12] for these problems and assess them over AS graph topology snapshots. Our paper, effectively adds to the theoretical results of [12,13] by considering the reachability problem in the particular case of hierarchical ToR graphs with no directed cycles. On a more experimental note, Dolev et al. [31] take a further step and study the resilience of the Internet AS-level topology to random failures and deliberate attacks, also investigating the possibility of using backup p2p links to increase resilience of single-homed ASes. Wu et al. [22] analyze how the current Internet routing system reacts to failures relying on AS relationships and the valley-free path model. Yet, their main purpose is to study how network topologies and routing policies influence the resilience of networks against failures. They use basic metrics that include network reachability and impact on traffic but do not provide hints on how to improve the resilience on a global scale. 7. Conclusions Our paper investigated the robustness of inter-domain reachability, taking into account both topological connectivity and compliance to routing policies. To this end, it first introduced the property of k-fault tolerance for general ToR graphs. We then leveraged the inherent hierarchical structure of the Internet AS topology to handle it as a special hierarchical ToR graph instance and derived two necessary and sufficient conditions for its k-fault tolerance decision problem, which can be checked in polynomial time. We argue that further interesting theoretical results about the connectivity of the Internet AS-level topology can be obtained under its treatment as a hierarchical ToR graph. Notably, the way hierarchical ToR graphs are defined in this work makes them a special case of the mixed graphs of Wanke and Kötter in [36]; whereas valid paths in the ToR graph are, in their terminology, oriented paths with up to one undirected edge. Beyond the theoretical value of our result, it can yield interesting insights to the Internet-wide fault-tolerance properties. Studying large-scale data sets, we have found 2 For the sake of comparison, in typical directed and undirected graphs, both the node and link version of the two quantities are equal and can be computed efficiently using network flow techniques [32,33]. that even single node failures can disconnect up to hundreds of ASes. A non-negligible percentage of ASes does not avail any redundancy for its global reachability despite having customer-to-provider relationships to two or more other ASes. Augmenting AS-level graphs to 1-fault tolerance improves overall resilience to failures, but requires a considerable number of AS-level links (>7000) to be added. Interestingly, such additional uplinks are mainly needed at stub networks, and not at transit ASes, which apparently are more robust to failures. Under a cooperative strategy, this cost could be spread more evenly across different ASes rather than having ASes with higher redundancy in their peering relationships than needed. Acknowledgments The authors thank Xenofontas Dimitropoulos, Yanzhen Wang and Jinyao Yan for their constructive suggestions. This work is partially supported by the European Union (EU) ResumeNet project (FP ), the Marie Curie grant RETUNE (FP7-PEOPLE-2009-IEF ), the National Science and Technology Fund of China (NSF and NSF ), and the China Scholarship Council. References [1] J. Cowie, A. Ogielski, B. Premore, E. Smith, T. Underwood, Impact of the 2003 Blackouts on Internet Communications, in: Technical report, Renesys Corporation, [2] Y. Kitamura, Y. Lee, R. Sakiyama, K. Okamura, Experience with restoration of asia pacific network failures from taiwan earthquake, IEICE Transactions 90-B (11) (2007) [3] Y. Rekhter, T. Li, S. Hares, A Border Gateway Protocol 4 (BGP-4), IETF RFC4271 (2006). [4] K. Chen, D. Choffnes, R. Potharaju, Y. Chen, F. Bustamante, D. Pei, Y. Zhao, Where the sidewalk ends, in: Proc. ACM CoNEXT, [5] N. Spring, R. Mahajan, D. Wetherall, Measuring ISP topologies with rocketfuel, in: Proc. ACM SIGCOMM, [6] R. Sherwood, A. Bender, N. Spring, DisCarte: a disjunctive internet cartographer, in: Proc. ACM SIGCOMM, [7] G. Siganos, M. Faloutsos, P. Faloutsos, C. Faloutsos, Powerlaws and the AS-level Internet topology, IEEE/ACM Transactions on Networking 11 (4) (2003) [8] L. Li, D. Alderson, W. Willinger, J. Doyle, A first-principles approach to understanding the internet s router-level topology, in: Proc. ACM SIGCOMM, [9] T. Griffin, F.B. Shepherd, G. Wilfong, The stable paths problem and interdomain routing, IEEE/ACM Transactions on Networking 10 (1) (2002) [10] J.R.L. Subramanian, S. Agarwal, R. Katz, Characterizing the internet hierarchy form multiple vantage points, in: Proc. IEEE INFOCOM, [11] Z. Ge, D. Figueiredo, S. Jaiwal, L. Gao, On the hierarchical structure of the logical internet graph, in: Proc. SPIE ITCOM, [12] T. Erlebach, A. Hall, A. Panconesi, D. Vukadinovic, Cuts and disjoint paths in the valley-free path model, Internet Mathematics 3 (3) (2007) [13] T. Erlebach, L.S. Moonen, F.C.R. Spieksma, D. Vukadinovic, Connectivity measures for internet topologies on the level of autonomous systems, Operations Research 57 (4) (2009) [14] AS commercial relationship data. < [15] AquaLab. < html>. [16] R. Bush, O. Maennel, M. Roughan, S. Uhlig, Internet optometry: assessing the broken glasses in internet reachability, in: Proc. ACM IMC, [17] L. Gao, On inferring autonomous system relationships in the internet, IEEE/ACM Transactions on Networking 9 (6) (2001) [18] F. Wang, L. Gao, Inferring and characterizing internet routing policies, in: Proc. ACM IMC, [19] M. Caesar, J. Rexford, BGP routing policies in ISP networks, IEEE Network Magazine 19 (6) (2005) 5 11.

12 W. Deng et al. / Computer Networks 55 (2011) [20] G. Battista, T. Erlebach, A. Hall, M. Patrignani, M. Pizzonia, T. Schank, Computing the types of the relationships between autonomous systems, IEEE/ACM Transactions on Networking 15 (2) (2007) [21] L. Gao, J. Rexford, Stable internet routing without global coordination, IEEE/ACM Transactions on Networking 9 (6) (2001) [22] J. Wu, Y. Zhang, Z. Mao, K. Shin, Internet routing resilience to failures: analysis and implications, in: Proc. ACM CoNEXT, [23] W. Mühlbauer, A. Feldmann, O. Maennel, M. Roughan, S. Uhlig, Building an AS-topology model that captures route diversity, in: Proc. ACM SIGCOMM, [24] P. Mérindol, V.V. Schrieck, B. Donnet, O. Bonaventure, J. Pansiot, Quantifying ASes multiconnectivity using multicast information, in: Proc. ACM IMC, [25] X. Dimitropoulos, D.V. Krioukov, M. Fomenkov, B. Huffaker, Y. Hyun, K.C. Claffy, G.F. Riley, AS relationships: inference and validation, ACM CCR 7 (1) (2007) [26] Z.M. Mao, J. Rexford, J. Wang, R.H. Katz, Towards an accurate ASlevel traceroute tool, in: Proc. ACM SIGCOMM, [27] A. Kind, D. Bauer, D. Dechouniotis, X. Dimitropoulos, Valley-Free Shortest Path Method, International Business Machines Corporation, New York, [28] R. Albert, H. Jeong, A. Barabasi, Attack and error tolerance of complex networks, Nature 406 (2000) 378. [29] R. Cohen, K. Erez, D.B. Avraham, S. Havlin, Resilience of the Internet to Random Breakdowns, Physical Review Letters 4626 (2000) [30] R. Cohen, K. Erez, D.B. Avraham, S. Havlin, Breakdown of the internet under intentional attack, Physical Review Letters 86 (2001) [31] D. Dolev, S. Jamin, O.O. Mokryn, Y. Shavitt, Internet resiliency to attacks and failures under BGP policy routing, Computer Networks 50 (2006) [32] S. Khuller, J. Naor, Flow in planar graphs with vertex capacities, Algorithmica 11 (1994) 200C225. [33] J. Kleinberg, E. Tardos, Algorithm Design, Addison Wesley, [34] Resilience and Survivability for Future Networking: Framework, Mechanisms, and Experimental Evaluation (ResumeNet), EU FP7 project. < [35] D. Jen, M. Meisel, H. Yan, D. Massey, L. Wang, B. Zhang, L. Zhang. Towards a new internet routing architecture: arguments for separating edges from transit core, in: Seventh ACM Workshop on Hot Topics in Networks (HotNets-VII), [36] E. Wanke, R. Kötter, Oriented paths in mixed graphs, in: Proc. 15th International Symposium on Algorithms and Computation (ISAAC 04), LNCS 3341 (2004) Wolfgang Mühlbauer is a senior researcher in the Communication Systems Group of ETH Zurich, Switzerland, since November He received a diploma degree from the Technische Universität München, Germany, in 2005, and a Ph.D. degree in Computer Science (Informatik) from Technische Universität Berlin, Germany, in His research interests include inter-domain routing, alternative routing architectures for the future Internet, and network virtualization. Peidong Zhu is a professor with School of Computer Science of National University of Defense Technology (NUDT), China. Hereceived his Ph.D. degree in computer science from NUDT in During December 2008 and December 2009, he was the James visiting chair professor at St Francis Xavier University, Canada. His research interests include inter-domain routing, network security and architecture design of the Internet. He is a member of the IEEE. Xicheng Lu received his B.S. degree in computer science from Harbin Engineering Institute, Harbin, China, in He was a visiting scholar at the University of Massachusetts from 1982 to He is currently a professor with School of Computer Science of National University of Defense Technology (NUDT), Changsha, China. His research interests include distributed computing, computer networks, and parallel computing. He is an academician of the Chinese Academy of Engineering and a member of the IEEE. Wenping Deng received his B.S. and M.S. degrees in Computer Science from Department of Computer Science, National University of Defense Technology (NUDT), Changsha, Hunan, China, in 2004 and 2006, respectively. He is now a PhD student of NUDT. He was a visiting scholar to the Communication Systems Research Group (CSG) of ETH Zurich, Switzerland, from November 2008 to November His research interests include Internet routing, routing security, and resilient network. Bernhard Plattner is a professor of computer engineering at ETH Zurich, where he leads the Communication Systems Group. His research currently focuses on self-organizing networks and systems-oriented aspects of information security. Plattner is a member of the IEEE, ACM and the Internet Society. He served as the program or general chair of various international conferences, such as ACM SIGCOMM 1991, INET 1994, IWAN 2002, IWSOS 2009 and PAM Merkourios Karaliopoulos is a Marie Curie Fellow in the Department of Informatics and Telecommunications, National and Kapodistrian University of Athens, Greece, since September He was awarded his diploma in Electrical and Computer Engineering from Aristotle University of Thessaloniki, Greece, in 1998 and a Ph.D. degree in broadband satellite networking from the University of Surrey, UK, in His current research interests lie in the general area of wireless networking with emphasis on routing and transport protocol performance analysis and wireless network resilience to node selfishness and misbehavior.