Skip to content

BGP

BGP (Border Gateway Protocol) is the routing protocol that makes the internet work. It's the only protocol designed to handle the scale and complexity of routing between different networks (Autonomous Systems) on the internet.

Unlike interior gateway protocols (OSPF, EIGRP, etc.) that use metrics like hop count or bandwidth, BGP makes routing decisions based on paths, policies, and rule-sets configured by network administrators.

Key Characteristics

  • Path-vector protocol: Makes decisions based on network policies and rulesets
  • Autonomous System based: Uses AS numbers to identify distinct networks
  • Policy-based: Routing decisions can be influenced by business relationships and preferences
  • Scalability: Designed to handle the entire internet routing table
  • TCP-based: Uses TCP port 179 for reliable communication
  • Incremental updates: Only sends changes, not full routing tables

BGP Session Types

Type Description Use Case
eBGP External BGP between different AS Internet connectivity, peering relationships
iBGP Internal BGP within same AS Sharing external routes throughout your network
Route Reflectors Special iBGP setup Avoiding full-mesh requirement in large networks
Confederations Breaking a large AS into sub-AS Simplified management of complex networks

Common BGP Attributes

BGP uses attributes to determine the best path when multiple paths exist:

Attribute Function Priority
AS_PATH Records AS path to destination Shorter paths preferred
NEXT_HOP IP address of next router Must be reachable
LOCAL_PREF Local preference value Higher values preferred (default: 100)
MED Multi-Exit Discriminator Lower values preferred
ORIGIN How route was learned IGP < EGP < Incomplete
COMMUNITY Route tagging Used for policy decisions

BGP Security

The internet was built on trust, and BGP reflects this with minimal security in its core design. This has led to numerous incidents:

  • Route leaks: Accidental advertisements of routes
  • Route hijacking: Malicious announcements claiming ownership of IP space
  • Route manipulation: Altering path attributes for various purposes

RPKI (Resource Public Key Infrastructure)

RPKI provides cryptographic verification that an AS is authorized to announce specific IP prefixes.

# RPKI validation states
Valid: Announcement matches a valid ROA
Invalid: Announcement conflicts with existing ROA
NotFound: No ROA exists for this prefix

BGP Security Best Practices

  • Implement prefix filtering with both your peers and customers
  • Use RPKI for ROV (Route Origin Validation)
  • Apply AS path filtering to prevent route manipulation
  • Implement maximum prefix limits to prevent route flooding
  • Use BGP communities for policy management
  • Monitor your BGP sessions and prefix announcements

Common BGP Configurations

Basic eBGP Configuration (Cisco IOS)

router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 description PEER-A
 neighbor 192.0.2.1 password secure-password
 neighbor 192.0.2.1 prefix-list PEER-A-IN in
 neighbor 192.0.2.1 prefix-list PEER-A-OUT out
 network 198.51.100.0 mask 255.255.255.0

Basic eBGP Configuration (Juniper JunOS)

protocols {
    bgp {
        group external-peers {
            type external;
            description "eBGP peering";
            peer-as 65001;
            neighbor 192.0.2.1 {
                description "PEER-A";
                authentication-key "$9$secure-password";
                import PEER-A-IN;
                export PEER-A-OUT;
            }
        }
    }
}

RPKI Configuration (Bird)

protocol rpki {
    roa4 { table r4; };
    roa6 { table r6; };
    remote "rtr.rpki.example.net" port 8282;
}

protocol bgp peer1 {
    # ...regular BGP config...
    ipv4 {
        import filter {
            if roa_check(r4, net, bgp_path.last) = ROA_INVALID then reject;
            # ...rest of the filter...
        };
    };
}

Real-world Considerations

When implementing BGP, remember:

  • BGP is not a security protocol by itself
  • Proper filtering is essential (prefix lists, AS-path filters)
  • Route reflectors are necessary in larger networks to avoid full-mesh iBGP
  • BGP convergence can be slow; tune parameters for your environment
  • Communities are powerful for traffic engineering
  • Monitor your BGP sessions and know your routing table

For home or small business networks considering BGP:

  • You need a provider-independent IP allocation (your own AS and IP block)
  • Most residential ISPs don't support BGP peering
  • Consider a tunnel to a data center for BGP experimentation
  • BGP routers need sufficient memory for the full internet table (~1M routes)

BGP might seem complex at first, but it follows logical principles and is the backbone of the internet we all depend on.