Border Gateway Protocol

The Border Gateway Protocol (BGP) is the routing protocol used in the Internet to connect autonomous systems (AS) with one another. These autonomous systems are usually operated by Internet providers. BGP is classed as an Exterior Gateway Protocol (EGP) and a path vector protocol; its routing decisions follow strategic criteria as well as technical and metric ones, and in practice economic considerations usually play a role. Within autonomous systems, Interior Gateway Protocols (IGP) such as OSPF are used.


Protocol Description

BGP was described in RFC 1163. The currently used version 4 is described in RFC 4271. BGP routers communicate over TCP port 179.

In 1991, the Border Gateway Protocol (Version 3) MIB was published in RFC 1269. This MIB enables the management via SNMP of devices that support BGP as their autonomous system routing protocol.

In February 1998, BGPv4 was extended with so-called Multiprotocol Extensions in RFC 2283; the current version is RFC 4760. With these extensions BGPv4 is no longer purely IPv4-specific but also supports routing for other network layer protocols. Among other things, MPLS labels can be exchanged, which was a prerequisite for deploying BGP/MPLS IP VPNs (RFC 4364).

Scope

EBGP

BGP, currently the only Exterior Gateway Protocol in use, is a protocol for routing between autonomous systems (AS). This use is called External BGP (EBGP).

IBGP

BGP can also be used within an autonomous system, typically to propagate the routes learned from EBGP routers to the other routers of the same autonomous system. This use is called Internal BGP (IBGP). All IBGP routers that exchange routes with one another use the same AS number.

Full meshing

When BGP is used within an autonomous system, BGP sessions must be set up between all routers of the AS so that a full mesh results. If an autonomous system contains n routers, this results in a correspondingly large number of BGP sessions. Because of the resulting scaling problems, larger networks use a so-called route reflector (RR).

The reason for the full mesh is that a router receiving routes via IBGP cannot use the AS path for loop detection within an autonomous system, because all routers there carry the same AS number; an IBGP router therefore does not propagate routes learned via IBGP to other IBGP routers (see the section on routing loops).

Route Reflector

To avoid a full mesh in complex networks, one BGP router in an AS can be configured as a route reflector. Each EBGP router then sends the routes it learned via EBGP over IBGP only to this one router (the route reflector), which collects them and in turn distributes them via IBGP to the other routers in the AS. Since each BGP router now needs only one BGP session to the route reflector, only n sessions are required in total. This topology is used, for example, at the German Internet exchange DE-CIX to simplify peering between networks: all border routers that connect to the attached networks send their routes to the route server, i.e. the route reflector, from which all other routers can obtain these routes again. A network thus peers with almost all connected networks in one step.

A single route reflector is a single point of failure; for reliability, several such routers can therefore be combined into a cluster. Each router must then establish an IBGP session to each router of the cluster. With two routers acting as route reflectors, for example, n routers require n · 2 sessions.

Confederation

A Confederation divides an autonomous system (AS) into further autonomous systems (sub-AS). These sub-ASes are assigned different private AS numbers (ASN) from the range 64512-65535, which is reserved for this purpose and freely available; no registration, for example with the RIPE NCC, is needed to use these AS numbers. AS numbers from this private range are not forwarded by EBGP routers with public AS numbers to other EBGP routers. Thus different AS numbers are used within the AS, while a public EBGP router sees only the external AS number. Between the sub-ASes, EBGP is used to exchange routes. On the one hand, Confederations simplify the management of large ASes; on the other hand, they reduce the interconnection complexity caused by the full mesh of all IBGP routers.

In the diagram, AS100 and AS200 represent public autonomous systems (AS) that exchange routes via EBGP. AS100 is divided by a Confederation into the two private autonomous systems AS65050 and AS65100. The two private ASes exchange their routes with each other via EBGP. Within each private AS, one BGP router is configured as a route reflector (RR). All other BGP routers within a private AS exchange their routes with the route reflector via IBGP.

Loopback

Usually, for reliability reasons, loopback addresses are defined on the IBGP routers, and the IBGP routers are then connected to one another via these loopback addresses. Since a loopback address cannot be propagated as a route without an existing IBGP session, an underlying Interior Gateway Protocol (IGP) such as OSPF is required; that is, an IGP routing process is also configured on each IBGP router. Since each IBGP router has at least two physical network interfaces, the IGP knows several possible paths between the loopback addresses. If a physical interface of an IBGP router fails, the IGP propagates an alternative path. As long as at least one physical interface is reachable, the loopback address configured on the router remains reachable.

Without loopback addresses, the IBGP routers would be bound to each other's physical interfaces. If such an interface failed, the session would be torn down and a consistent distribution of routes within the autonomous system would no longer be guaranteed.

Protocol overview

The direct links between neighbouring routers are specified manually. Routers that want to exchange routing information with each other via BGP first establish a TCP connection, over which the BGP messages are then sent. This connection is called a BGP session.

BGP protocol

  • Marker: all bits of the first 16 bytes are set to 1 for compatibility.
  • Message Length: total size of the BGP message, including the header.
  • Message Type: type of the BGP message.
  • Message: for a route update, this part specifies the routes that were added or deleted.

Types of BGP messages

BGP uses four different message types:

OPEN: sent only at the beginning of a session and must be answered with a KEEPALIVE message. The OPEN message carries the parameters BGP version, AS number, hold time, BGP identifier and optional parameters. After that, route information is exchanged between the routers.

UPDATE: announces a path change. A single UPDATE message can add several paths and remove a number of others at the same time. UPDATE messages are the core of BGP.

NOTIFICATION: terminates a session and returns an error or status code. All paths received over the terminated session must now be deleted; a BGP update then propagates that these routes are no longer available.

KEEPALIVE: confirms the OPEN request and is used to check regularly whether the peer router is still connected, or whether the connection has failed and the paths via that router have thus become invalid. Routers that have set up a BGP session send each other a KEEPALIVE message at regular intervals. It consists only of the message header. The hold time attribute of the OPEN message specifies the maximum time within which a BGP router expects a KEEPALIVE message from its session partner. If no KEEPALIVE message arrives within the hold time, the BGP session is terminated with a NOTIFICATION.
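The header layout and the OPEN and KEEPALIVE messages described above, as an added example that is not part of the original page: a minimal encoder and decoder that checks the marker, length and type before trusting anything else in the message. The AS number, hold time and identifier values are constructed for the example.

```python
import struct

MARKER = b"\xff" * 16  # all bits of the first 16 bytes set to 1
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def parse_header(data):
    """Return (type_name, length, body) for one BGP message; raise on a bad header."""
    if len(data) < 19:
        raise ValueError("header needs 19 bytes")
    marker, length, msg_type = struct.unpack("!16sHB", data[:19])
    if marker != MARKER:
        raise ValueError("marker is not all ones")
    # a valid length covers at least the header and never exceeds the 4096-byte maximum
    if not 19 <= length <= 4096 or length > len(data):
        raise ValueError("bad message length %d" % length)
    if msg_type not in TYPES:
        raise ValueError("unknown message type %d" % msg_type)
    return TYPES[msg_type], length, data[19:length]


def parse_open(body):
    """Decode the fixed OPEN fields named in the text; optional parameters are returned raw."""
    if len(body) < 10:
        raise ValueError("OPEN body too short")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameter length does not match body")
    return {
        "version": version,
        "as": my_as,
        "hold_time": hold_time,
        "bgp_id": ".".join(str(b) for b in bgp_id),
        "opt_params": body[10:],
    }


def build_open(my_as, hold_time, bgp_id):
    """Build a minimal OPEN message (version 4, no optional parameters)."""
    ident = bytes(int(x) for x in bgp_id.split("."))
    body = struct.pack("!BHH4sB", 4, my_as, hold_time, ident, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body


def build_keepalive():
    """A KEEPALIVE is nothing but the 19-byte header."""
    return MARKER + struct.pack("!HB", 19, 4)


# constructed sample: an OPEN from AS 65001 with a 90 s hold time
SAMPLE_OPEN = build_open(65001, 90, "192.0.2.1")
```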

Connection status with BGP

The diagram shows the different states of a BGP session. In practice it is important to know that when the status Active is shown in a router configuration, no routing entries are being exchanged; this status means that an attempt is being made to establish a connection. Only when the status Established has been reached is there a working connection between the BGP routers.

More detailed description

The core of BGP is the UPDATE message, with which BGP routers announce the existence of new routes (Announcement) or the removal of existing routes (Withdrawal). The receiver of an UPDATE message decides on the basis of its routing policies whether it changes its own routing (and then must itself send UPDATE messages), simply forwards the message (e.g. via IBGP) or simply ignores it.

Attributes

A route in BGP has several attributes. The most important ones are explained here.

  • The AS path indicates via which autonomous systems the specified destination (a CIDR prefix) can be reached. The autonomous systems are identified by their AS number (ASN). The AS path must not contain a loop; however, an AS is allowed to enter itself repeatedly and thus artificially lengthen the AS path, so that the route stays available but becomes unattractive (AS path prepending).
  • The IGP metric describes the cost within the own network to reach the exit point to the next AS on the AS path.
  • The Multi-Exit Discriminator (MED) is used to prioritize different parallel connections to the same neighbouring AS; the lowest value is preferred. This attribute is used between EBGP peers.
  • Communities are routing tags with which updates or transmitted prefixes can be marked for other BGP peers. A BGP community is a 32-bit value that other BGP routers can use as a filter criterion. In addition to standard communities, so-called extended communities can be used freely; the notation is 12345:12345 or a decimal number.
  • Local Preference selects, by the higher value, one preferred path among several paths within the same AS. If there are several routes to the same destination prefix with equally long AS paths, certain routes can be preferred via Local Preference; see "Path Selection".
  • Next Hop specifies the IP address of the next-hop router for a prefix. The next-hop router is the gateway router that connects the own AS to the next AS in the AS path.
  • Weight is a local (proprietary) attribute; see "Path Selection".
  • Origin indicates the source of a prefix: IGP, EGP or Incomplete.

Path Selection

Very often a router is told about different routes to the same destination. The selection of the route it ultimately decides on is known as the BGP path selection process. The network operator can control and influence path selection by configuring appropriate rules on the router.

Basically, the BGP Path Selection Process runs according to the following rules:
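The attributes listed above compared in the order of the decision process in RFC 4271 section 9.1.2.2, with the proprietary Weight attribute checked first as vendors do, as an added example that is not part of the original page. The candidate routes, router identifiers and preference values are constructed to show that a prepended AS path loses on length and that Local Preference overrides a longer path.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Route:
    prefix: str
    as_path: List[int]          # neighbouring AS first, destination AS last
    weight: int = 0             # local, proprietary attribute; higher wins
    local_pref: int = 100       # highest wins; compared within the own AS
    origin: int = 0             # 0 = IGP, 1 = EGP, 2 = Incomplete; lowest wins
    med: int = 0                # lowest wins, only between routes from the same neighbour AS
    from_ebgp: bool = True      # an EBGP-learned route beats an IBGP-learned one
    igp_metric: int = 0         # IGP cost to the next hop; lowest wins
    router_id: str = "0.0.0.0"  # final tie-break: lowest BGP identifier


def _rid(r):
    return tuple(int(x) for x in r.router_id.split("."))


def better(a, b):
    """True if route a is preferred over route b; the first differing criterion decides."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):  # prepending lengthens the path here
        return len(a.as_path) < len(b.as_path)
    if a.origin != b.origin:
        return a.origin < b.origin
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return a.med < b.med
    if a.from_ebgp != b.from_ebgp:
        return a.from_ebgp
    if a.igp_metric != b.igp_metric:
        return a.igp_metric < b.igp_metric
    return _rid(a) < _rid(b)


def select_best(routes):
    """Linear scan keeping the preferred candidate; returns None for an empty list."""
    best = None
    for r in routes:
        if best is None or better(r, best):
            best = r
    return best


# constructed candidates for 10.0.0.0/8 as seen from a router in AS 100 (values assumed)
VIA_4711 = Route("10.0.0.0/8", [4711, 100], router_id="192.0.2.1")
VIA_4712 = Route("10.0.0.0/8", [4712, 4712, 4712, 100], router_id="192.0.2.2")  # prepended
VIA_4713 = Route("10.0.0.0/8", [4713, 200, 100], local_pref=200, router_id="192.0.2.3")
CANDIDATES = [VIA_4711, VIA_4712, VIA_4713]
```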

Interaction of IBGP with the IGP

In order for a router to forward a packet to another network to which it has no direct connection, a combination of IBGP and an IGP (the intra-domain routing protocol, e.g. OSPF, IS-IS, EIGRP/IGRP, RIP) is usually necessary; the IGP is required to forward packets to the appropriate gateway router. The BGP next-hop attribute serves this purpose.

Example: a router R1 in AS1 wants to forward a packet to the destination address 10.1.2.3. It has previously learned via an IBGP update message that the destination network 10.0.0.0/8 is reachable via the neighbouring AS 4711. However, R1 has no direct link to AS4711; this connection exists only on another router R2 (the gateway router). Through the BGP next-hop attribute, R1 nevertheless knows the IP address of R2. From the IGP, R1 knows the shortest path within AS1 to R2, and therefore to which neighbouring router Rx it should send the packet so that it arrives at the gateway router R2, which can finally pass it on to AS4711.
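The recursive lookup from the example above, as an added example that is not part of the original page: the BGP table yields the next hop R2, and the IGP table turns that address into the directly connected neighbour Rx. The addresses of R2 and Rx and both tables are constructed (the page names no addresses); a BGP route whose next hop the IGP cannot resolve is treated as unusable.

```python
import ipaddress

# constructed tables of router R1 in AS1
BGP_RIB = {                      # prefix -> (BGP next hop = gateway router, AS path)
    "10.0.0.0/8": ("192.0.2.2", [4711]),       # learned via IBGP; 192.0.2.2 is R2's loopback
    "172.16.0.0/12": ("203.0.113.9", [4712]),  # next hop unknown to the IGP (assumed)
}
IGP_RIB = {                      # prefix -> directly connected neighbour to send to
    "192.0.2.2/32": "198.51.100.1",            # R2's loopback is reached via Rx
    "198.51.100.0/24": "direct",
}


def longest_match(rib, addr):
    """Longest-prefix match of addr in rib; returns (network, entry) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, entry in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best


def resolve(dst):
    """Return (bgp_next_hop, igp_neighbour) for dst, or None if it cannot be forwarded."""
    bgp = longest_match(BGP_RIB, dst)
    if bgp is None:
        return None                       # no BGP route at all
    next_hop, _as_path = bgp[1]
    igp = longest_match(IGP_RIB, next_hop)
    if igp is None:
        return None                       # next hop unreachable: the route must not be used
    return next_hop, igp[1]
```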

Special features of BGP

Routing loops

BGP is a path vector protocol. Its operation is very similar to distance vector algorithms and protocols such as the Routing Information Protocol (RIP); however, the problem of routing loops found there is effectively prevented. A routing loop occurs when an IP packet passes through one and the same AS several times on its way through the Internet. When sending routing information (an update), a BGP router tells its communication partner not only that it can reach a particular part of the Internet, but also the complete list of autonomous systems (the AS path) that IP packets to that part must traverse (its own AS comes first, the destination AS last). If the communication partner notices that the AS to which it belongs is already present in this list, it discards the update and thus avoids a routing loop.

Route aggregation

In BGP, every router can summarize routes with common prefixes. In contrast, in OSPF for example, route summarization can only be carried out on the area border routers.

Link State

Different link speeds are not considered. Routes are selected mainly by length (AS path) and according to strategic aspects.

Hop length

The hop count is ignored; only the number of autonomous systems matters (apart from the IGP metric attribute).

Problems with BGP

General

BGP inherently has a number of weaknesses that show up with a minimal configuration. These weaknesses are, however, compensated by the rule that the prioritization of paths is subject to the routing policies controlled by the respective network operator.

Growth of routing tables

Since each BGP router relies on the route information of other, in particular neighbouring, BGP routers, every BGP router keeps a database with the routes to all reachable autonomous systems. In April 2012 the size of this table was around 411,000 entries with more than 40,900 autonomous systems.

The growth of the routing tables can be counteracted within limits by route aggregation.

When IPv6 was developed, the problem of the growing IPv4 routing tables was also taken into account, so far fewer IPv6 routing entries are to be expected. Currently not all Internet providers use IPv6, and therefore the following statistics cannot be compared directly with the figures above for IPv4 routing entries.

Load balancing

By default, BGP provides no load balancing; only one possible route is ever selected. However, there are proprietary extensions whose configuration allows load balancing. Unlike OSPF, for example, these extensions allow load balancing across connections with different weights.

Security

In its basic configuration, a BGP router is vulnerable to spoofing attacks in which an attacker manipulates routes. By using authentication with a password agreed individually between the BGP peers (based on MD5 hashes), the data exchange between the BGP routers can be secured. This makes spoofing attacks much harder, but it depends in particular on the security of MD5, which cryptographers no longer consider secure.

In addition, various other security mechanisms for BGP have been proposed; however, even with widespread use of the proposed methods it would be nearly impossible to completely prevent attacks that aim to redirect traffic flows.

Route Flap

Route flapping is caused by routes that are repeatedly advertised and withdrawn again over long periods of time. As a countermeasure, modern BGP implementations offer a process called route flap damping, which however can lead to undesirably long delays in the forwarding of route changes under certain conditions.
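Route flap damping as specified in RFC 2439, as an added example that is not part of the original page: each flap adds a penalty that decays exponentially, the route is suppressed above one threshold and reused below a lower one. The parameter values (1000 per flap, 15 min half-life, suppress at 2000, reuse at 750, at most 60 min) are common vendor defaults assumed here; the flap timings are constructed to show the delay the text mentions.

```python
import math


class FlapDamper:
    """Route flap damping state for one prefix (RFC 2439 penalty model)."""

    def __init__(self, flap_penalty=1000, half_life=900, suppress=2000,
                 reuse=750, max_suppress=3600):
        self.flap_penalty = flap_penalty   # penalty added per withdraw/re-advertise
        self.half_life = half_life         # seconds for the penalty to halve
        self.suppress = suppress           # route is suppressed above this penalty
        self.reuse = reuse                 # route is reused again below this penalty
        # cap the penalty so that suppression never lasts longer than max_suppress
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last = 0.0
        self.suppressed = False

    def _decay(self, now):
        """Apply exponential decay for the time elapsed since the last event."""
        self.penalty *= 0.5 ** ((now - self.last) / self.half_life)
        self.last = now

    def flap(self, now):
        """Record one flap at time now (seconds); True if the route is now suppressed."""
        self._decay(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now):
        """True if the route may be used/advertised at time now."""
        self._decay(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return not self.suppressed

    def reuse_delay(self, now):
        """Seconds until the penalty decays below the reuse threshold (0 if not suppressed)."""
        self._decay(now)
        if not self.suppressed or self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def simulate(flap_times):
    """Constructed scenario: feed flaps, return (suppressed, seconds until reuse)."""
    d = FlapDamper()
    for t in flap_times:
        d.flap(t)
    return d.suppressed, d.reuse_delay(flap_times[-1])
```

Three flaps within 20 seconds suppress the route for roughly half an hour, which is the delay in forwarding the route change that the text warns about.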

Update bursts

Update bursts are sudden large volumes of UPDATE messages, often concerning closely related, correlated destinations.

Special Events

YouTube blockade

In February 2008, Pakistan Telecom was forced by a court order to block YouTube traffic in Pakistan. Technically this was implemented by injecting an incorrect route to YouTube's network into IBGP. Due to a configuration error, however, this incorrect route was not only used in Pakistan but was mistakenly distributed via EBGP to other Internet providers, which led to YouTube being unreachable for several hours, particularly in Asia.

Misconfigured BGP router

In February 2009, excessively long AS paths were passed from a Czech BGP router to public BGP routers. Some BGP routers had problems processing these long AS paths, which disrupted Internet traffic. Administrators can counteract such a problem with a configuration that limits the maximum length of accepted AS paths.
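The AS path handling described in the Confederation, routing loops and this incident's sections, as an added example that is not part of the original page: on import, a received path is rejected if it already contains the own AS (loop) or exceeds a configured maximum length; on export, private sub-AS numbers are stripped towards public peers and the own AS is prepended (optionally several times). The AS numbers and the length limit are constructed values.

```python
PRIVATE_AS = range(64512, 65536)   # private AS numbers, the range named in the text


def accept_as_path(local_as, as_path, max_length):
    """Import check for a received AS path: returns (accepted, reason)."""
    if local_as in as_path:
        return False, "loop: own AS %d already in path" % local_as
    if len(as_path) > max_length:
        return False, "path length %d exceeds limit %d" % (len(as_path), max_length)
    return True, "ok"


def export_as_path(public_as, as_path, to_public_peer, prepend=1):
    """AS path advertised to a neighbour: private sub-AS numbers are removed for
    public peers, then the own public AS is prepended `prepend` times."""
    if prepend < 1:
        raise ValueError("the own AS must appear at least once")
    path = [a for a in as_path if not (to_public_peer and a in PRIVATE_AS)]
    return [public_as] * prepend + path
```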

Revolution in Egypt 2011

During the revolution in Egypt in January 2011, about 3,500 routes of all Egyptian Internet providers were withdrawn via BGP within a few minutes, so that almost all of Egypt was disconnected from the Internet. Mobile services and social networks were also no longer accessible. This appears to be the first case in the history of the Internet in which an entire country was cut off from the Internet for political reasons.

Free software implementations

  • GNU Zebra (development discontinued)
  • Quagga (further development of Zebra)
  • OpenBGPD