Net: BGP and Internet Routing Architecture
AI-Generated Content
The modern Internet is not a single, monolithic network but a vast collection of independently operated networks. For you to stream a video, send an email, or load a webpage, data must traverse several of these networks seamlessly. Border Gateway Protocol (BGP) is the glue that makes this possible; it is the inter-domain routing protocol that allows these disparate networks, called autonomous systems (AS), to exchange routing information and find paths across the global Internet. Without BGP, the Internet as we know it would simply not function.
How BGP Works: The Path-Vector Routing Protocol
At its core, BGP is a path-vector routing protocol. This is a critical distinction from the interior gateway protocols (IGPs) like OSPF or EIGRP that you might use within your own network. An IGP focuses on finding the best path based on metrics like bandwidth or delay within an AS. BGP’s job is to find a viable and policy-compliant path between ASes.
In a path-vector system, BGP speakers (routers running BGP) do not just advertise reachability to a network prefix (like 203.0.113.0/24). They advertise the entire AS Path—the sequence of autonomous systems that a route has traversed. For example, a route advertisement might show AS Path: 64500 64499 64498. This tells your router in AS 64501 that to reach the prefix, traffic must go through AS 64498, then 64499, then 64500. This path attribute serves two primary purposes: it prevents routing loops (a router will reject a route containing its own AS number in the path), and it becomes the primary metric for best-path selection—the shorter the AS path, the more preferable the route, all else being equal.
The BGP Decision Process: Choosing the Best Path
A BGP router often receives multiple advertisements for the same network prefix from different neighboring ASes. It must select a single best path to install in its routing table and subsequently advertise to its other BGP peers. The BGP best path selection algorithm is a deterministic, multi-step process. Understanding this sequence is essential for predicting how traffic will flow and for implementing routing policy.
The decision process evaluates route attributes in the following order:
- Highest Local Preference: A weight assigned within an AS to influence outbound traffic. Higher is better.
- Shortest AS Path: The fewest number of AS hops.
- Lowest Origin Type: Prefers IGP origin (i) over EGP (e) over incomplete (?).
- Lowest Multi-Exit Discriminator (MED): A hint to external neighbors about preferred entry points into your AS. Lower is better.
- eBGP over iBGP Paths: Prefers paths learned from external peers.
- Lowest IGP Metric to Next-Hop: For iBGP-learned routes, the path with the closest next-hop router inside the AS.
- Oldest Path: For tie-breaking.
- Lowest Router ID: A final tie-breaker.
As a network engineer, you manipulate these attributes, particularly Local Preference, AS Path (using prepending), and MED, to enforce your organization's traffic engineering and business policies.
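The following Python model of the decision process is an added example, not code from the original article. The AS numbers, peer labels and router IDs are constructed; the candidate list shows that a higher Local Preference beats a shorter AS path, and that a path already containing the local AS is discarded before the comparison begins.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_AS = 64501  # constructed: the AS whose router runs this selection

@dataclass
class Route:
    """One candidate path for a prefix, carrying the attributes the decision process inspects."""
    peer: str                 # constructed label for the neighbor that advertised it
    as_path: List[int]
    local_pref: int = 100
    origin: str = "i"         # "i" (IGP), "e" (EGP) or "?" (incomplete)
    med: int = 0
    external: bool = True     # True if learned over eBGP, False for iBGP
    igp_metric: int = 0       # IGP cost to reach the next hop (iBGP paths)
    learned_at: int = 0       # monotonically increasing; lower means older
    router_id: str = "0.0.0.0"

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}

def passes_loop_check(route: Route, local_as: int = LOCAL_AS) -> bool:
    """A path that already contains our own AS number is a loop and is rejected."""
    return local_as not in route.as_path

def rank(route: Route) -> Tuple:
    """Sort key in decision-process order; the smallest tuple is the best path.
    Simplification: real routers compare MED only among paths from the same neighboring AS."""
    return (
        -route.local_pref,                                   # 1. highest local preference
        len(route.as_path),                                  # 2. shortest AS path
        ORIGIN_RANK[route.origin],                           # 3. lowest origin type
        route.med,                                           # 4. lowest MED
        0 if route.external else 1,                          # 5. eBGP over iBGP
        route.igp_metric,                                    # 6. lowest IGP metric to next hop
        route.learned_at,                                    # 7. oldest path
        tuple(int(o) for o in route.router_id.split(".")),   # 8. lowest router ID
    )

def best_path(candidates: List[Route], local_as: int = LOCAL_AS) -> Optional[Route]:
    """Drop looped paths, then pick the winner; None if nothing usable remains."""
    usable = [r for r in candidates if passes_loop_check(r, local_as)]
    return min(usable, key=rank) if usable else None

# Constructed advertisements for 203.0.113.0/24 as seen from AS 64501.
CANDIDATES = [
    Route("ISP-A", [64500, 64499, 64498], local_pref=200, router_id="192.0.2.1"),
    Route("ISP-B", [64502, 64498], local_pref=100, router_id="192.0.2.2"),
    Route("LOOPED", [64500, 64501, 64498], local_pref=300, router_id="192.0.2.3"),
]
```

`best_path(CANDIDATES)` returns the ISP-A route: its Local Preference of 200 outranks ISP-B's shorter path, and the LOOPED route never reaches the comparison despite its higher Local Preference.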
eBGP vs. iBGP: Internal and External Peering
BGP sessions are categorized based on the relationship between the peers.
- eBGP (External BGP) runs between routers in different autonomous systems. These are typically direct physical connections between an enterprise and its Internet Service Provider (ISP), or between two large ISPs. By default, eBGP peers advertise all learned routes to each other, and the AS Path is modified (the local AS is prepended) when advertising to an eBGP peer.
- iBGP (Internal BGP) runs between routers within the same autonomous system. Its purpose is to ensure BGP routing information is consistent across all BGP speakers in the AS. A critical rule governs iBGP: a route learned from an iBGP peer is never advertised to another iBGP peer. This prevents routing loops within the AS but necessitates a full mesh of iBGP sessions or the use of a route reflector to scale the design.
When configuring these sessions, you establish a TCP connection (port 179) to a specific peer IP address. For eBGP, the peers are usually directly connected. For iBGP, they can be anywhere in the network, relying on the underlying IGP to provide reachability to the peer's IP address.
Implementing Policy: Route Filtering and Manipulation
BGP is fundamentally a policy-based protocol. Autonomous systems are not neutral; they have commercial relationships (provider-customer, peer-to-peer) and traffic goals. Implementing these requires route filtering and attribute manipulation.
- Route Filtering: You use prefix-lists, access-lists, or AS-path access-lists to control which routes you accept from a peer (import policy) and which routes you advertise to a peer (export policy). For example, an ISP will typically only advertise a customer's specific prefixes to the rest of the Internet, not a default route or routes learned from other providers.
- Policy-Based Routing: By using route-maps, you can conditionally set BGP attributes like Local Preference or AS Path. For instance, you might set a higher Local Preference for routes received from a primary ISP, making it the preferred exit path for outbound traffic. Conversely, you can prepend your AS number multiple times to a route advertisement to make your path look less attractive for inbound traffic from certain neighbors.
BGP Security Challenges: Prefix Hijacking and Mitigation
BGP’s foundational weakness is its inherent trust model. It operates on the assumption that advertisements are legitimate. This makes it vulnerable to prefix hijacking, where a malicious or misconfigured AS announces IP prefixes it does not legitimately own. This can cause widespread traffic interception, denial-of-service, or espionage.
Several major Internet outages have been caused by such hijacks. Defensive measures are therefore critical:
- Prefix Filtering: ISPs should implement strict import filters based on Internet Routing Registries (IRRs) or the Resource Public Key Infrastructure (RPKI), which cryptographically validates that an AS is authorized to announce a given IP prefix.
- AS Path Filtering: Filtering improbable AS paths (e.g., paths containing private AS numbers) can prevent some leaks.
- BGP Monitoring and Alerting: Continuous monitoring of the global BGP routing table for unexpected changes to your own prefixes is an operational necessity.
While protocols like BGPsec aim to provide a long-term cryptographic solution, widespread deployment is complex. Today, a combination of RPKI validation and meticulous operational practice forms the first line of defense.
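As an added example (not code from the original article), the Python below implements the two filters described above: RPKI route origin validation as specified in RFC 6811, followed by a reject of any path carrying a private-use AS number (RFC 6996 ranges). The ROA set and the announcements are constructed for illustration; the origin AS is taken as the rightmost element of the AS path, per RFC 4271.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce prefix, and subnets of it no longer than max_length."""
    prefix: str
    max_length: int
    origin_as: int

# Constructed ROA set standing in for a validated RPKI cache; not real registry data.
ROAS = [
    ROA("203.0.113.0/24", 24, 64498),
    ROA("198.51.100.0/22", 24, 64497),
]

# Private-use ASN ranges (RFC 6996); these should never appear in a path learned from the Internet.
PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]

def rov_state(prefix: str, origin_as: int, roas: List[ROA] = ROAS) -> str:
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"                       # no ROA covers this prefix at all
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"                            # covered, but wrong origin or too specific

def has_private_asn(as_path: List[int]) -> bool:
    return any(lo <= asn <= hi for asn in as_path for lo, hi in PRIVATE_ASN_RANGES)

def import_decision(prefix: str, as_path: List[int]) -> Tuple[bool, str]:
    """Import policy for one eBGP advertisement. The origin AS is the rightmost
    element of the AS path (RFC 4271). Invalid ROV state and private ASNs are
    rejected; 'notfound' is accepted, as is common practice today."""
    if has_private_asn(as_path):
        return False, "private ASN in AS path"
    state = rov_state(prefix, as_path[-1])
    if state == "invalid":
        return False, "RPKI invalid"
    return True, f"RPKI {state}"
```

A more-specific announcement such as 203.0.113.0/25 comes back invalid even from the legitimate origin, because the ROA's max_length of 24 does not authorize it; this is what stops a hijack that tries to win on prefix length.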
Common Pitfalls
- Neglecting the iBGP Full-Mesh Rule: Forgetting that iBGP routes are not re-advertised to other iBGP peers is a classic mistake. This leads to blackholes where part of your internal network cannot reach external prefixes. The solution is to implement a full iBGP mesh, use route reflectors, or deploy a BGP confederation.
- Misconfiguring Next-Hop Self: For iBGP sessions, the next-hop IP for an external route remains the IP of the eBGP peer that advertised it. If the IGP in your AS does not have a route to that external IP, the route will be unusable. The standard fix is to use the next-hop-self command on your border routers when advertising routes to iBGP peers.
- Overlooking Synchronization (in older contexts): While largely deprecated in modern networks, the BGP synchronization rule required that an iBGP-learned route not be used or advertised unless it was also present in the IGP. Disabling synchronization (no synchronization) is standard practice when not relying on the IGP for internal BGP next-hop reachability.
- Inadequate Route Filtering: Accepting all routes from a peer without filters is dangerous. It can lead to route leaks, prefix hijacks propagating into your network, and unnecessary memory consumption on your routers. Always implement explicit import and export policies based on known prefixes and AS paths.
Summary
- BGP is the de facto inter-domain routing protocol of the Internet, using a path-vector algorithm to exchange routing information between autonomous systems (ASes).
- Its best path selection algorithm uses a hierarchy of attributes, with Local Preference and AS Path length being key levers for implementing routing policy.
- eBGP is used between different ASes, while iBGP distributes external routing information within an AS, requiring a full-mesh or route reflectors to scale.
- Routing policy is enforced through route filtering and the strategic manipulation of BGP attributes via route-maps.
- BGP’s major security vulnerability is prefix hijacking, mitigated by operational practices like prefix filtering based on IRR/RPKI data and continuous route monitoring.