Would Diversity Really Increase the Robustness of the Routing Infrastructure Against Software Defects?

Today’s Internet routing infrastructure exhibits high homogeneity. This constitutes a serious threat to the resilience of the network, since a bug or security vulnerability in an implementation could make all routers running that implementation become simultaneously unusable. This situation could arise as a result of a defective software upgrade or a denial-of-service attack. Diversity has been proposed as a solution to increase resilience to software defects, but the benefits have not been clearly studied. In this paper, we use a graph theoretic approach to study the benefits of diversity for the robustness of a network, where robustness is the property of a network staying connected under a software failure. We address three fundamental questions: 1) How do we measure the robustness of a network under such failures? 2) How much diversity is needed to guarantee a certain degree of robust- ness? 3) Is there enough diversity already in the network or do we need to introduce more? We find that a small degree of diversity can provide good robustness. In particular, for a Tier-1 ISP network, five implementations suffice: two for the backbone routers and three for the access routers. We learn that some networks may already have enough diversity, but the diversity is not adequately used for robustness. We observe that the best way to apply diversity is to partition the network into contiguous regions using the same implementation, separating backbone and access routers and taking into account if a router is replicated. We evaluate our approach on multiple real ISP topologies, including the topology of a Tier-1 ISP.