BGP, or Border Gateway Protocol, is a standard protocol for exchanging routing information between autonomous networks. It acts as the GPS, guiding data packets along the most efficient paths. The goal is to ensure these packets reach their destination quickly and reliably.
Think of BGP as a highly experienced traffic controller who has a mental map of the entire internet. It evaluates options based on factors like path attributes and policies set by network administrators.
For example, a company might prefer certain routes over others for cost-saving reasons or due to performance considerations. Maybe they want to avoid a certain network because of past connectivity issues. BGP respects these preferences and routes traffic accordingly.
BGP is used not only for connecting different organizations but also within a company's own network. Let's say your company has multiple office locations spread across the globe. BGP can help manage how data flows between these offices efficiently. This ensures employees can access company resources smoothly, regardless of where they are located.
There are two types of BGP: internal BGP (iBGP) and external BGP (eBGP). iBGP is all about managing how data flows within a single autonomous system or within the same company.
Say a team in the London office needs to send files to colleagues in Tokyo. iBGP ensures that data takes the most efficient route through the company's own lines, circumventing any need to venture out onto the public internet. This keeps things speedy and secure.
Now, step outside the company doors, and you'll find eBGP at work. It's the postal service of the internet, responsible for data that needs to travel between different autonomous systems.
Imagine your New York office sending data to a partner in Australia. This is where eBGP shines, ensuring data leaves your network and enters another correctly. eBGP deals extensively with routing policies and path attributes, like a diplomat negotiating borders between countries. It navigates the vast labyrinth of interconnected networks, always looking for the best path, optimizing for speed and reliability.
Both iBGP and eBGP have their quirks. For instance, a route that a router learns from one iBGP peer is not re-advertised to its other iBGP peers by default, which avoids routing loops inside the autonomous system. Think of this as a tidy office desk, where everything has its place and is easily accessible.
On the flip side, eBGP gleans routes from external networks and happily shares them with its internal counterparts, like a worldly traveler bringing tales of far-off lands into the office.
Let’s explain with real-world scenarios. If there's a fiber cut under the sea, eBGP reroutes that international data traffic smoothly, perhaps through a different provider.
Meanwhile, iBGP ensures your company's internal communications remain unaffected, rerouting through established internal circuits. It’s this seamless interaction between iBGP and eBGP that underpins the reliable and efficient data delivery we often take for granted.
In both cases, the flexibility and control BGP offers are key. Network administrators can configure preferences for certain paths, perhaps lowering costs or increasing speeds, depending on business needs.
With iBGP, those configurations manage internal traffic patterns, while eBGP preferences ensure your external communications are just as efficient. Together, they create a robust framework that keeps the digital world spinning.
Autonomous systems are like islands, each with its own rules and infrastructure. These ASes could be large internet service providers, like Comcast or AT&T, or smaller networks, like your company’s internal network. Each AS operates independently, much like a self-governing country.
AS numbers are unique identifiers assigned to each autonomous system. Think of them as a postal code for each network island that makes addressing and routing straightforward.
For example, Google’s AS number is 15169, and Facebook’s is 32934. Just as a postal code tells us where to send a letter, an AS number tells BGP routers where to send data.
For autonomous systems to exchange routing information, they engage in what’s called BGP peering. This is akin to setting up trade agreements between islands, allowing data to flow efficiently from one to another. When two networks decide to exchange routing information, they set up a BGP session or a peering session.
For instance, your company might peer with a local ISP to ensure your data can reach the broader internet. This BGP peering is established over what's called a "session," where the two ASes agree to exchange routing information, ensuring data packets know where to head next.
Consider an example where your company has offices in different countries, each with its own AS number. They would use internal peering to manage routing within each AS using iBGP.
Meanwhile, your headquarters might establish an external peering relationship with a global backbone provider using eBGP. This ensures your data can traverse the globe, hopping seamlessly from one AS to another.
These peering agreements can be either public or private. Public peering is usually done at internet exchange points where many networks come together, like a busy international airport. Here, multiple companies share a network infrastructure to exchange data.
On the other hand, private peering might occur over dedicated lines between two companies to enhance security or performance. It's like having a private flight path between two exclusive destinations, far from the hustle and bustle of public routes.
BGP peering is flexible, allowing networks to set policies that determine how they route traffic. For example, a business might prioritize routes that avoid a certain AS known for congestion, ensuring smoother data flow.
Similar to choosing a scenic highway instead of a crowded city road, this level of control allows for optimized performance and cost management, crucial for any business needing reliable internet connectivity.
At the heart of BGP are routing tables. These tables are like extensive travel guides filled with potential paths for data to take on its journey across the internet. Each BGP router maintains its own routing table, which lists all the available paths to various destinations.
When it comes to path selection, BGP is all about making informed choices. It doesn't just pick any path; it evaluates each one based on several criteria. The two most important factors are path attributes and policies set by network administrators. Imagine you're planning a road trip.
You might prefer highways for speed, avoid toll roads to save money, or choose scenic routes for better views. BGP makes similar decisions, often prioritizing paths with fewer autonomous system (AS) hops, which usually implies a shorter and potentially faster route.
Route advertisement is another key aspect of BGP. When a BGP router decides on the best path to a destination, it advertises this path to its BGP peers. It’s like sharing the best route you found with fellow travelers.
For instance, if a router within your company’s network learns the quickest path to reach a server in another part of the world, it spreads the word to other routers. This ensures everyone is on the same page, optimizing the overall data flow.
Propagation is how these advertisements spread through the network, much like news traveling from one town to another. When a router receives a route advertisement, it doesn’t just stop there. It considers whether the route fits its preferences and policies and, if it does, passes this information along to its peers. This chain reaction ensures that throughout the network, routers maintain up-to-date information about the best paths available.
Network administrators also have the power to influence BGP’s decisions. They might set policies to make sure traffic doesn’t traverse networks with known security issues. It’s equivalent to setting your GPS to avoid certain neighborhoods.
For instance, if an administrator knows one AS has had reliability issues, they can configure BGP to bypass it whenever possible, ensuring data integrity and performance. In this way, BGP works quietly, adjusting to the ever-changing landscape of the internet.
BGP attributes help BGP decide on the best path for data to travel. These attributes are the criteria BGP uses to evaluate routes, kind of like how we might choose a route based on factors like distance, speed limits, and scenery. Here are some of the key attributes that come into play:
This is like a list of road signs that tell you which highways you’ll pass through to reach your destination. AS_PATH records every autonomous system (AS) a data packet must traverse on its journey.
Here’s how it works: shorter AS_PATHs are typically more desirable because fewer stops usually mean a quicker trip. For example, if your data can travel through just three ASes to reach a server instead of four, BGP will usually pick that shorter path as it might be faster and more efficient.
This attribute acts as the next waypoint in your journey. It's like your GPS telling you to take the next right. For BGP, the NEXT_HOP attribute specifies the next router a data packet should reach on its way to the final destination.
If you're managing a network and see a route with an incorrect NEXT_HOP, you’d know there’s a problem. The data wouldn't know which direction to take next, much like missing a crucial turn on a road trip.
MED is used between neighboring autonomous systems (ASes) to indicate preferred routes when multiple entry points are available. For example, if two paths lead into a neighboring AS, the MED value helps decide which entry point the neighboring AS prefers. A lower MED value is more attractive, similar to how you might gravitate towards a route with lower tolls.
This attribute is a bit like your personal travel preferences. It’s used within a single autonomous system to prioritize outbound routes. Picture your company having a preferred internet service provider because they offer better rates or reliability.
You’d set a higher LOCAL_PREF for routes through your preferred provider, ensuring most of your traffic flows that way. This flexibility lets network administrators prioritize routes that align with business goals, whether that's cost-saving or ensuring better service quality.
These BGP attributes work together to create a dynamic routing strategy that adapts to the ever-changing landscape of the internet. For instance, if a major undersea cable failure occurs, affecting AS_PATHs and NEXT_HOPs, BGP would use these attributes to quickly reroute traffic to ensure continuity. Maybe your data would take a slight detour over the Atlantic instead of the Pacific.
All the while, LOCAL_PREF and MED still guide preferences within and between autonomous systems, making certain that the chosen paths match both technical performance needs and business priorities. So, while we might not see these attributes in action, they're constantly at work, making sure our digital lives run smoothly.
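To make the interplay of these attributes concrete, here is an added example (not code from the original post) that applies the ordering the text describes: discard routes whose NEXT_HOP is unreachable, then prefer the highest LOCAL_PREF, the shortest AS_PATH, the lowest MED among routes from the same neighboring AS, and eBGP over iBGP. The prefixes, AS numbers and next hops are constructed sample values; real routers apply further tie-breakers that are omitted here.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Added example: a simplified BGP best-path comparison over the attributes
# discussed above. Tie-breakers beyond eBGP-vs-iBGP are intentionally omitted.

@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: List[int]          # leftmost entry is the neighboring AS that sent the route
    local_pref: int = 100       # higher wins; meaningful only inside our own AS
    med: int = 0                # lower wins; compared only between routes from the same neighbor AS
    learned_via: str = "ebgp"   # "ebgp" or "ibgp"

def neighbor_as(route: Route) -> Optional[int]:
    return route.as_path[0] if route.as_path else None

def is_better(a: Route, b: Route) -> bool:
    """True if route a beats route b under the ordered comparison."""
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref          # 1. highest LOCAL_PREF
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)      # 2. shortest AS_PATH
    if neighbor_as(a) == neighbor_as(b) and a.med != b.med:
        return a.med < b.med                        # 3. lowest MED, same neighbor AS only
    if a.learned_via != b.learned_via:
        return a.learned_via == "ebgp"              # 4. eBGP preferred over iBGP
    return False                                    # tie: keep the current best

def select_best(candidates: List[Route], reachable_next_hops: Set[str]) -> Optional[Route]:
    """Drop routes with an unreachable NEXT_HOP, then pick the best remaining route."""
    best = None
    for route in candidates:
        if route.next_hop not in reachable_next_hops:
            continue  # an unusable NEXT_HOP disqualifies the route entirely
        if best is None or is_better(route, best):
            best = route
    return best

# Constructed sample: three paths to one prefix, two via ISP A (AS 65001) and one via ISP B (AS 65002).
SAMPLE_ROUTES = [
    Route("203.0.113.0/24", "198.51.100.1", [65001, 64510], med=50),             # ISP A, link 1
    Route("203.0.113.0/24", "198.51.100.5", [65001, 64510], med=10),             # ISP A, link 2 (ISP A's preferred entry)
    Route("203.0.113.0/24", "192.0.2.1", [65002, 64520, 64510], local_pref=200), # ISP B, preferred by our policy
]
ALL_REACHABLE = {"198.51.100.1", "198.51.100.5", "192.0.2.1"}

def demo() -> Optional[Route]:
    # With every next hop reachable, LOCAL_PREF 200 wins despite the longer AS_PATH.
    return select_best(SAMPLE_ROUTES, ALL_REACHABLE)

if __name__ == "__main__":
    print(demo())
    # If ISP B's next hop becomes unreachable, the ISP A path with the lower MED takes over.
    print(select_best(SAMPLE_ROUTES, {"198.51.100.1", "198.51.100.5"}))
```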
It’s important that your hardware can handle the processing demands of BGP routing tables, which can be quite extensive. You'll also need a registered Autonomous System (AS) number.
Remember, this is like having a postal code for your network, essential for identifying your AS in the vast ocean of the internet. Contact your Regional Internet Registry (RIR) to get one if you haven't already.
Start by establishing BGP sessions with your Internet Service Providers (ISPs). This involves defining the neighbor relationships in your router's configuration.
For instance, if your ISP has an AS number of 65001, you'd set this up in your router as a neighbor. Enter the command lines to specify their address and AS number. It's like setting up a phone line, making sure both sides can talk. Remember to configure the BGP version, typically BGP-4, ensuring compatibility.
Configuring internal BGP (iBGP) within your company involves a similar process but stays within the bounds of your network. Say your company has offices in New York and Tokyo, each with its own routers talking iBGP. You'd set up these routers to exchange routing information.
In your configuration, list each office's router as a neighbor. Make sure they’re all part of the same AS, yours. This keeps data flowing smoothly between them without veering out to external networks, maintaining security and efficiency.
Managing BGP sessions is key to ensuring route stability. This means keeping an eye on the status of each session, ensuring they're up and running. If a session drops, it could be like having a broken bridge on a highway, causing data detours. Use tools like route tracking and logging to help diagnose issues quickly.
This can include implementing route dampening to prevent flapping, where routes are frequently advertised and withdrawn, causing instability. Think of it as putting up clear road signs to prevent constant changes in directions.
Also, fine-tune your path selection policies using BGP attributes like LOCAL_PREF or MED, aligning them with your business needs.
For example, if one ISP offers lower latency, use LOCAL_PREF to route more traffic their way. Or, if you suddenly encounter latency issues with a path, adjust MED or AS_PATH attributes to redirect traffic more efficiently. Keeping a close watch on these aspects ensures BGP runs like a well-oiled machine, guiding your data packets reliably across the digital landscape.
Multi-homing is a set-up where your company is connected to multiple ISPs, which is a great way to ensure redundancy. If one ISP goes down, BGP can reroute traffic through another, keeping your operations smooth.
If one route gets blocked, others keep you connected. Additionally, BGP can balance the load across these connections, optimizing for speed and reliability. It’s like distributing office mail through different couriers to prevent delays.
This is another powerful BGP use case. Let's say your digital marketing team is running a big campaign, leading to lots of traffic from certain regions. You can use BGP to prioritize these traffic flows, ensuring these packets take the most efficient routes.
Tuning BGP attributes like AS_PATH or LOCAL_PREF means you can shape how traffic enters and exits your network, aligning with business priorities or cost considerations.
Suppose your company’s headquarters face a natural disaster. With BGP, you can swiftly reroute traffic to backup locations without affecting the user experience. It’s similar to having a remote office ready to step in and take over at a moment’s notice. BGP’s flexibility allows you to maintain service continuity, ensuring your business stays resilient in the face of unexpected events.
This occurs when an unauthorized network masquerades as another. Think of it as someone setting up a fake post office and diverting mail meant for your address.
In 2018, for instance, there was an incident where traffic intended for major brands like Google was wrongly rerouted through a small Russian telecom company. It caused a lot of stir because the diverted traffic could have been intercepted or analyzed.
This happens when a network improperly advertises routes it shouldn't. It's similar to sharing a secret shortcut with everyone, unintentionally causing a traffic jam.
In a notable case back in 2010, a large telecom inadvertently leaked its internal routes to the rest of the internet. This leak caused disruptions, slowing down data traffic on a global scale.
Malicious actors can exploit BGP to amplify traffic, overwhelming networks. Picture a scenario where someone floods your inbox with emails—you can’t discern the important ones from the spam, making it hard to function normally. In a BGP context, attackers can amplify traffic by misconfiguring routes, causing congestion and server downtime.
The protocol’s lack of built-in security is a fundamental issue. BGP was designed in a time when security wasn't as critical a concern as it is today. This means the protocol itself doesn't inherently verify the legitimacy of routing announcements.
It’s like not having a way to check if a passport is real at a border crossing. Without proper checks, incorrect routing information can easily spread, potentially causing vast areas of the internet to become unreachable.
Sometimes, errors happen, like entering the wrong AS number or accidentally adjusting a BGP policy. These mistakes can lead to significant routing issues, much like directing traffic the wrong way on a one-way street. They can disrupt services, create vulnerabilities, and require quick fixes to prevent broader impacts.
These involve intercepting communication between BGP peers, allowing attackers to eavesdrop or alter data. It’s akin to someone tapping into your phone call and listening in without your knowledge. This poses a severe privacy and data integrity risk.
Route filtering is where you apply filters to block unwanted or incorrect route announcements. If a peer suddenly advertises a route to a network you know they shouldn't have, the filter steps in and blocks it, keeping your routing tables clean and accurate.
Prefix lists are your handy tool for this. They let you define which IP prefixes you expect to receive from your peers. So, if you're peering with an ISP, you might specify only to accept routes for their customer networks, not every network on the internet.
For example, if your prefix list allows only the 192.168.1.0/24 network, and the ISP advertises the 10.0.0.0/8 network, the prefix list blocks it. It's like having a guest list at a party—if your name isn’t on it, you’re not getting in. This approach helps prevent route leaks and hijacks, keeping your sessions secure and stable.
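The following is an added example, not code from the original post, of how such a prefix-list check can be evaluated. It goes slightly beyond the exact-match case in the text: an entry may carry a maximum prefix length (the "le" option most router platforms offer, assumed here), so that a more-specific announcement inside a permitted block is only accepted up to that length. The sample updates beyond the page's 192.168.1.0/24 and 10.0.0.0/8 are constructed.

```python
import ipaddress
from typing import List, Tuple

# Added example: a minimal inbound prefix-list evaluator with implicit deny.
# Entry syntax (assumed for this example): "PREFIX" or "PREFIX le MAXLEN".

def parse_prefix_list(entries: List[str]) -> List[Tuple[ipaddress._BaseNetwork, int]]:
    """Turn textual entries into (network, max_prefix_length) pairs."""
    parsed = []
    for entry in entries:
        parts = entry.split()
        net = ipaddress.ip_network(parts[0], strict=True)
        max_len = net.prefixlen                      # exact match unless "le" is given
        if len(parts) == 3 and parts[1] == "le":
            max_len = int(parts[2])
            if max_len < net.prefixlen:
                raise ValueError(f"le length shorter than prefix in entry: {entry}")
        elif len(parts) != 1:
            raise ValueError(f"unsupported entry syntax: {entry}")
        parsed.append((net, max_len))
    return parsed

def permitted(prefix_list, advertised: str) -> bool:
    """True if the advertised prefix matches some entry; anything else is denied."""
    adv = ipaddress.ip_network(advertised, strict=True)
    for net, max_len in prefix_list:
        if adv.version != net.version:
            continue                                  # never compare IPv4 with IPv6
        if adv.subnet_of(net) and adv.prefixlen <= max_len:
            return True
    return False                                      # implicit deny, as on real routers

def filter_updates(prefix_list, updates: List[str]) -> Tuple[List[str], List[str]]:
    """Split a peer's advertised prefixes into (accepted, rejected)."""
    accepted, rejected = [], []
    for prefix in updates:
        (accepted if permitted(prefix_list, prefix) else rejected).append(prefix)
    return accepted, rejected

# Constructed configuration: accept exactly 192.168.1.0/24, and 203.0.113.0/24 down to /25.
PREFIX_LIST = parse_prefix_list(["192.168.1.0/24", "203.0.113.0/24 le 25"])

# Constructed sample of what a peer might advertise, including an overly specific /26
# and a /25 carved out of a block that was only permitted as an exact /24.
SAMPLE_UPDATES = [
    "192.168.1.0/24",
    "10.0.0.0/8",
    "192.168.1.128/25",
    "203.0.113.128/25",
    "203.0.113.192/26",
]

def demo() -> Tuple[List[str], List[str]]:
    return filter_updates(PREFIX_LIST, SAMPLE_UPDATES)

if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```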
Imagine it as a secret handshake between BGP peers. With MD5 authentication, both routers share a secret password, and every TCP segment of the BGP session carries an MD5 digest computed over that segment and the shared password. The receiving router recomputes the digest; if it matches, the segment is accepted and the session can be established. If not, the segment is discarded and the session is never formed, preventing unauthorized or malicious users from forming connections.
Enabling MD5 authentication is straightforward but effective. It involves configuring both ends of a BGP session with the same password. Let's say you're setting up a session between your company router and an ISP. You'd configure an MD5 password on both routers.
If someone tries to impersonate one of these routers but doesn't have the correct password, the BGP session won't establish. It’s like trying to enter a locked room without the key—no entry unless you have the right credentials.
For instance, if your router is named "OfficeRouter" and you're connecting to an ISP named "ISPNetwork," both sides need to set up the following: `password bgp-md5 mySecurePassword123`. This configuration ensures that only routers with the correct password can establish a BGP session, adding an extra layer of security.
Nagios allows you to set up alerts and visualize data traffic patterns. With Nagios, you can configure it to send alerts if a BGP session goes down or if there’s unusual activity in the routing tables. This is like having a vigilant security camera that notifies you whenever something suspicious happens.
This open-source BGP monitoring platform listens to BGP announcements and can help identify route hijacks or leaks. For example, if there’s a sudden increase in advertised routes or if paths to a certain destination change unexpectedly, BGPmon will alert you.
BGPmon is similar to having a GPS that warns you when there’s a sudden road closure along your usual route. By continuously analyzing data, BGPmon helps maintain route stability and integrity.
With Wireshark, you can capture real-time BGP packet data. This allows you to see the nitty-gritty details of BGP sessions, from handshake processes to the specific routes advertised.
If there's ever an issue with session establishment, Wireshark will let you dig deep and troubleshoot accurately. It’s akin to having a magnifying glass to inspect the fine print of a document, offering granular insight that might otherwise be missed.
Some BGP routers come equipped with built-in diagnostics tools, such as logging capabilities and command-line interfaces (CLI) for debugging. Cisco routers, for example, provide CLI tools like `show ip bgp` and `show ip bgp summary`, which allow you to inspect the health of BGP sessions and the status of routing tables.
Those commands help to check which routes are being selected and whether there are any anomalies. Using the `show ip bgp summary` command, you can quickly see which sessions are Established and which have not come up, since a session that is stuck shows a state such as "Idle" or "Active" in place of a prefix count.
Another technique you can rely on is setting threshold alerts for specific BGP attributes. For instance, you can set up an alert if the number of Autonomous System (AS) path changes exceeds a certain threshold within a given timeframe.
This acts like a traffic light, warning you when there might be congestion or unexpected changes in routing paths. If too many AS path changes occur, it might indicate instability or a potential attack, signaling you to investigate further.
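As an added example (not code from the original post) of the threshold alert just described, the following sliding-window detector counts AS_PATH changes per prefix and raises an alert once the count within a window exceeds the threshold. The log line format, timestamps, prefixes and AS numbers are all constructed for this example; a real deployment would feed it from a BGP collector or router logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Added example: alert when a prefix's AS_PATH changes more than THRESHOLD times
# inside a sliding WINDOW. Line format (constructed): "<ISO time> <prefix> <as path>".

THRESHOLD = 3
WINDOW = timedelta(minutes=10)

def parse_line(line: str) -> Tuple[datetime, str, Tuple[int, ...]]:
    ts, prefix, path = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), prefix, tuple(int(asn) for asn in path.split())

def detect_path_churn(lines: List[str], threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> List[Tuple[str, datetime, int]]:
    """Return (prefix, time, change_count) for every update that pushes a prefix over the threshold."""
    last_path: Dict[str, Tuple[int, ...]] = {}
    changes: Dict[str, Deque[datetime]] = defaultdict(deque)  # recent change timestamps per prefix
    alerts = []
    for line in lines:
        ts, prefix, path = parse_line(line)
        # Only a genuinely different AS_PATH counts; a re-announcement of the same path does not.
        if prefix in last_path and last_path[prefix] != path:
            recent = changes[prefix]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()                      # expire changes older than the window
            if len(recent) > threshold:
                alerts.append((prefix, ts, len(recent)))
        last_path[prefix] = path
    return alerts

# Constructed sample: 203.0.113.0/24 flaps between two upstreams four times in five minutes,
# then settles; 198.51.100.0/24 is stable throughout.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.0/24 65001 64510
2024-05-01T10:01:00 203.0.113.0/24 65002 64520 64510
2024-05-01T10:02:00 203.0.113.0/24 65001 64510
2024-05-01T10:03:00 198.51.100.0/24 65001 64530
2024-05-01T10:04:00 203.0.113.0/24 65002 64520 64510
2024-05-01T10:05:00 203.0.113.0/24 65001 64510
2024-05-01T10:30:00 203.0.113.0/24 65002 64520 64510
""".splitlines()

def demo() -> List[Tuple[str, datetime, int]]:
    # The fourth change at 10:05 exceeds THRESHOLD=3; the 10:30 change is outside the window.
    return detect_path_churn(SAMPLE_LOG)

if __name__ == "__main__":
    for prefix, when, count in demo():
        print(f"ALERT {prefix}: {count} AS_PATH changes within {WINDOW} as of {when}")
```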
By combining these tools and techniques, I ensure a continuous watch over my BGP network. This proactive approach helps in identifying problems early, allowing for prompt action to maintain network efficiency and security.
If a neighbor relationship isn't forming, the first thing to check is the BGP configuration. Ensure the IP address and AS numbers match on both sides. A mismatch here often causes neighbors to stay stuck in the idle state.
For example, you may have an issue where the AS number configured on one of your routers is off by a single digit, keeping the session in an idle state. Correcting that typo solves the problem swiftly.
When routes you expect are missing from the BGP table, you must verify that the network statements under the BGP configuration are correct. Say you can't see specific routes in the table because you forgot to include a necessary network statement on your router. A quick addition of the correct command, `network 192.168.10.0 mask 255.255.255.0`, will do the trick.
Troubleshooting multihoming inbound can also be tricky. Sometimes, traffic isn’t taking the expected path, leading to inefficiencies. In these cases, check your BGP attributes, such as LOCAL_PREF or MED, to ensure they're set correctly.
Say your MED is set too high, causing traffic to prefer a suboptimal route through a slower ISP. Adjusting the MED value helps balance the load properly, optimizing traffic flow.
BGP route advertisement problems can be a headache, too. Let’s say you are struggling to get your routes announced to a new ISP. You may discover that your router wasn’t advertising the necessary prefixes because they weren’t in the routing table.
A quick fix is using the `redistribute static` command to ensure your static routes are included in BGP advertisements. It's essential to ensure everything you want advertised is effectively included.
Multihoming outbound issues can also arise. You may face scenarios where BGP isn’t balancing outbound traffic across multiple ISPs as expected. This is usually due to incorrect settings for BGP path selection attributes like AS_PATH or LOCAL_PREF. Adjusting these to reflect your intended traffic flow resolves this, ensuring that no single ISP link is overburdened while others are underutilized.
During troubleshooting, tools and commands like `show ip bgp summary` and `debug ip bgp` are invaluable for real-time insights into what's happening. Using such diagnostics, you can quickly pinpoint what might be causing disruptions, whether it’s a configuration error or a more complex routing policy issue. Overall, patience and a systematic approach help unravel these common BGP issues.
Netmaker offers a robust solution for managing virtual overlay networks, which can significantly enhance the efficiency and reliability of BGP routing in corporate network environments. By utilizing Netmaker's Egress Gateway feature, companies can streamline their network traffic across multiple autonomous systems. This is essential for businesses operating in different geographical locations that require consistent and efficient data flow.
The Egress Gateway allows designated nodes to access specified subnet ranges, ensuring that traffic between internal and external networks is optimally routed, similar to how BGP manages traffic between autonomous systems. This setup enhances redundancy and load balancing, mitigating the risks associated with network outages or maintenance issues.
Additionally, Netmaker's ability to create a flat, secure network across various machines and locations aligns well with the needs of BGP's path selection and routing capabilities. The Netmaker Remote Access Client (RAC) facilitates seamless connectivity for offsite machines, which is crucial for maintaining efficient internal communications through iBGP. This ensures that data is routed through the most efficient internal paths without necessitating additional software installations on each device.
Moreover, Netmaker Professional offers advanced metrics and integration with tools like Prometheus/Grafana, enabling administrators to monitor connectivity, latency, and data transfer between nodes. This visibility aids in fine-tuning BGP attributes such as LOCAL_PREF and MED, further optimizing network performance.