A Dive into the BGP protocol

(If you want to read this article in Italian you can check this link)

Iacopo Carretta
Apr 27, 2022

This article describes the operation of the BGP protocol (Border Gateway Protocol) which allows two routers belonging to different autonomous systems to communicate with each other.

Use of the BGP

As already mentioned, BGP is a routing protocol, which allows communication between two routers belonging to two different autonomous systems.

An example of an autonomous system can be the one that distinguishes the users of a single provider (Vodafone, TIM, Fastweb, etc.) or, on a smaller scale, the one that constitutes the internal network of a company.

What is an A.S.?

An autonomous system (or AS) is defined as a group of routers and networks under the control of a single and well-defined administrative authority.

Within an autonomous system, the individual routers communicate with each other, to exchange information relating to the creation of routing tables, through a specific IGP protocol (Interior Gateway Protocol).

The main IGP routing protocols for IPv4 are RIP, OSPF, IS-IS, and EIGRP.

The exchange of information between routers belonging to different autonomous systems takes place through an EGP (Exterior Gateway Protocol) protocol and physical interchange points between the different systems (NAP or IXP).

Internet Exchange Point (IXP)

There are two ways for ASs to communicate with each other:

  • By establishing a direct relationship between the two parties involved (private peering).
  • Through a physical infrastructure known as the Internet Exchange Point (IXP).

Most providers use the IXP as a network infrastructure for exchanging data.

Scheme of an IXP

IXPs have the primary goal of enabling information sharing in the network by acting as a hub that connects numerous ASs (often the major ISPs) without requiring data to pass through additional providers.

The utilization of IXPs has numerous benefits, including a reduction in internet traffic, resulting in a net gain in speed and efficiency.

Furthermore, because peering agreements (public peering) between ASs linked to an IXP are often free, and because the pathways are shorter, the expenses are significantly decreased.

An IXP’s generic architecture comprises one or more switches to which participating AS routers are linked.

Since 1993–94, Ethernet has been the most widely utilized switch type throughout practically the entire market (about 95%).

After each router has been properly set up, the connected ISPs will be able to share Internet traffic.

Generic architecture of an IXP

Main Internet Exchange Points in Italy:

MIX (Milan Internet eXchange) is the main Italian public IXP at the moment.

Spine and Leaf Architecture

Although IXPs generally follow a similar architectural model, topologies can vary.

For example, let’s take the Spine and Leaf model (architecture adopted by NAMEX).

In the Spine and Leaf architecture, there are 2 “levels” of switches: Spine and Leaf.

  • The Spine Switches link all of the Leaf Switches together, resulting in a full-mesh architecture (topology in which each node is connected directly to each other node).
  • The Leaf Switches serve as access switches, connecting end devices (such as servers) to the Spine Switches.

This architecture was created in order to solve the drawbacks of Three-Tier Architecture.

Spine and Leaf offers various benefits in addition to overcoming the faults of the prior model, including:

  • Minimal latency.
  • Large bandwidth.
  • Cost savings.
  • Improved redundancy.
  • Improved scalability.
  • Low energy usage.

However, there are some issues with that as well:

  • A significant number of cables will be necessary because each Spine Switch must be connected to all Leaf Switches.
  • There may be a limit in terms of connected devices because the number of ports on the Spine Switches is directly proportional to the number of supported hosts.

A comparison of 3 Tier Architecture and Spine and Leaf

EGP protocols

Unlike the IGP protocols that allow you to communicate within an AS, the EGP allows communication between devices belonging to different ASs.

This protocol is no longer in use today; over time, however, its name has become the general term for the class of routing protocols described above.

EGP is similar to a distance vector algorithm, but instead of the concept of cost it only specifies whether the destination is reachable or not. This prevents it from functioning on mesh network topologies.

The limitations of EGP are many and serious: EGP does not have a metric associated with the lines and therefore bases its decisions solely on reachability.

The successor to the original EGP is the Border Gateway Protocol (BGP), which is still in use today.

How BGP works in detail

BGP works by managing a table of IP networks, or prefixes, which provide information on the reachability of different networks between multiple ASs.

Unlike its predecessor, BGP is able to perform route optimization on the basis of existing EGP data and thus minimize wasted time when establishing new routes.

The connection that allows communication and exchange of information between two routers belonging to different ASs is called peering.

Both routers involved must be configured properly to establish a peering link.

Each peering must be statically configured by the system administrator. The connected routers then communicate with each other to receive new information, as in the IGP protocols.

To build its own BGP table, each router receives the routes stored in the tables of the routers connected through a peering and from other border routers present in the AS.

The BGP algorithm performs various checks that allow you to:

  • Find the best route for a specific AS among those in the router’s memory.
  • Analyze whether a route is valid or not.

Lastly, the router shares its updated BGP table with its neighbors.

Application example with Cisco Packet Tracer

Here is how to create a simple BGP configuration on Cisco Packet Tracer.

For a complete and more detailed explanation, you can check out this video.

Packet Tracer Configuration.

The configuration to be used for each border router in the ASs is illustrated below.
N.B.: the highlighted (upper-case) pieces of code refer to IPs of networks or prefixes, which vary according to the network configuration.

  • Activate the BGP protocol, then create and enter a BGP instance with the specified autonomous system number using the router bgp command.
      router bgp AS_NUMBER
  • Use the neighbor … remote-as command to add an entry to the BGP table.
      neighbor NEIGHBOR_IP remote-as NEIGHBOR_AS_NUMBER
  • To specify the networks that need to be advertised by the Border Gateway Protocol and multiprotocol BGP routing processes, use the network command.
      network NETWORK_ADDRESS mask NETWORK_SUBNETS
  • To end the configuration, use the end command.
      end

Further Developments

Although the BGP protocol was created to solve the problems of its predecessor EGP, this is not to say that it is without flaws.

In fact, for a long time we relied on Transport Layer Security (TLS), which allows encryption at the presentation level of the ISO/OSI model, and on the Domain Name System Security Extensions (DNSSEC), a set of extension specifications developed by the Internet Engineering Task Force (IETF) for protecting data transferred in DNS systems on Internet Protocol (IP) networks.

However, this is insufficient, because in recent years we have been facing a new problem: BGP hijacking.

This happens when attackers reroute Internet traffic intentionally.

Attackers accomplish this by falsely claiming ownership of groups of IP addresses known as IP prefixes that they don’t own, control, or route to.

This problem occurs because BGP cannot check whether the interconnected networks are the actual owners of these IP addresses. BGP hijacking seems nearly impossible to stop.

A BGP hijack requires attackers to control or breach a BGP-enabled router that connects one autonomous system (AS) to another one, so it’s not something that just anybody can do.

However, if this occurs, an Internet outage will occur due to an unreachable IP address.

BGP has included security enhancements over the years. The most prominent security addition is the Resource Public Key Infrastructure (RPKI), a routing security framework that, despite its usefulness, has yet to be widely deployed.

RPKI basically provides origin validation: the router checks whether an autonomous system has RPKI authorization.

Unfortunately, that’s not enough: an AS can still advertise a wrong route to an AS it is not connected to.
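The origin check described above, and the gap it leaves, as an added example (not code from the article or from any router implementation). The ROAs, prefixes and AS numbers are constructed from documentation ranges, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorized origin AS).
# Prefixes and AS numbers are taken from the documentation ranges.
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
]

def validate_origin(prefix, as_path, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    as_path lists the nearest AS first; the origin AS is the last entry.
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA says nothing about the announced prefix
        covered = True  # at least one ROA covers this address space
        if roa_asn == origin and route.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no match: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def check_samples():
    """Constructed announcements and the state origin validation assigns."""
    samples = {
        "legitimate origin": ("192.0.2.0/24", [64501, 64500]),
        "wrong origin AS": ("192.0.2.0/24", [64510]),
        "more specific than maxLength": ("192.0.2.0/25", [64500]),
        "no covering ROA": ("203.0.113.0/24", [64502]),
        # AS64510 prepends itself to a path that ends at the real origin.
        # Only the last AS is checked, so the wrong route still passes.
        "wrong path, real origin": ("192.0.2.0/24", [64510, 64500]),
    }
    return {name: validate_origin(p, path) for name, (p, path) in samples.items()}

if __name__ == "__main__":
    for name, state in check_samples().items():
        print(f"{name}: {state}")
```
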

BGP hijacking can cause Internet traffic to be routed incorrectly, monitored, or intercepted. The traffic can also:

  • Be black-holed: the traffic is sent to a “black hole in the network” and therefore lost.
  • Be directed to fake websites as part of an on-path attack.

In the best case, users may experience increased latency or be unable to browse the web due to lost packets; in the worst case, an attacker may launch a routing attack or redirect clients to bogus websites in order to obtain their identities.

Users and networks can’t do much to protect themselves from BGP hijacking.

In addition to regular inspection of how Internet traffic is forwarded, other viable solutions include network checks for hijacking and IP prefix blocking/filtering.

The only possible option would be to improve the security of the current BGP protocol by implementing safer routing solutions such as BGPsec.

BGPsec

Whenever a BGP router injects a prefix, it adds just the local AS number to the AS PATH attribute. When a router sends a BGP update to a BGP neighbor in another AS, it inserts the local AS number into the AS PATH. This allows routers to check whether an update has already been seen by the local AS; in that case the router refuses it, because it indicates a routing loop.

Several prefixes can share the same AS PATH and other path attributes in a BGP update. So whenever a router needs to send an update to the members of a peer group, it creates the update once and delivers copies to all members of the group.

The BGPsec Path is created in the same way as the AS PATH, with the difference that the router also adds to the BGPsec Path the AS number to which the update is being delivered; the information it added to the path is then protected with a cryptographic signature.

To ensure the integrity of these signatures, routers can no longer combine several prefixes together into a single update, and each neighbor will receive a separate update because its AS number is included in the update.
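A simplified model of the signed path described above, added here as an example and not taken from the article or from a BGPsec implementation. It uses HMAC with constructed per-AS keys as a stand-in for the real signatures; the AS numbers, prefixes and function names are assumptions.

```python
import hashlib
import hmac

# Constructed per-AS keys (documentation AS numbers). Stand-in: real BGPsec
# routers sign with key pairs certified in the RPKI; HMAC is used here only
# so the example runs with the standard library.
KEYS = {asn: f"demo-key-{asn}".encode() for asn in (64500, 64501, 64502, 64503)}

def _sig(prefix, prior, signer_as, target_as):
    # Signed data: the prefix, every earlier segment (with its signature)
    # and the AS the update is being delivered to.
    msg = repr((prefix, [(s["as"], s["target"], s["sig"]) for s in prior],
                signer_as, target_as)).encode()
    return hmac.new(KEYS[signer_as], msg, hashlib.sha256).hexdigest()

def sign_hop(update, signer_as, target_as):
    """Return a copy of the update with signer_as's segment appended."""
    prior = update["segments"]
    seg = {"as": signer_as, "target": target_as,
           "sig": _sig(update["prefix"], prior, signer_as, target_as)}
    return {"prefix": update["prefix"], "segments": prior + [seg]}

def verify(update, local_as):
    """Check every signature and that the chain was built for local_as."""
    segs = update["segments"]
    if not segs or segs[-1]["target"] != local_as:
        return False  # signed for a different neighbor
    for i, seg in enumerate(segs):
        if seg["as"] not in KEYS:
            return False  # no key known for this AS
        if i + 1 < len(segs) and seg["target"] != segs[i + 1]["as"]:
            return False  # a hop was removed or inserted
        expected = _sig(update["prefix"], segs[:i], seg["as"], seg["target"])
        if not hmac.compare_digest(expected, seg["sig"]):
            return False  # prefix or path altered after signing
    return True

def demo():
    to_64501 = sign_hop({"prefix": "192.0.2.0/24", "segments": []}, 64500, 64501)
    to_64502 = sign_hop(to_64501, 64501, 64502)  # one update per neighbor
    to_64503 = sign_hop(to_64501, 64501, 64503)
    tampered = dict(to_64502, prefix="198.51.100.0/24")
    return {
        "accepted_by_64502": verify(to_64502, 64502),
        "replayed_to_64503": verify(to_64502, 64503),
        "prefix_changed": verify(tampered, 64502),
        "same_sig": to_64502["segments"][1]["sig"] == to_64503["segments"][1]["sig"],
    }
```

Because the target AS and the prefix are both inside the signed data, AS64501 has to produce a different signature for each neighbor and each prefix, which is the per-update cost the article goes on to discuss.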

Even if this seems perfect, implementing BGPsec isn’t easy. Because of the protocol’s resource requirements, processing the updates will be much more CPU- and memory-intensive. Signatures and accompanying information are included, so BGP updates will be larger. They will also be more frequent, because each update can only have one prefix.

But even at a higher cost in performance and complexity, this would make the Internet more secure.
