Table of Contents
This blog post assumes that you have read / know about the topics mentioned in the previous blog post. If you have not taken a look at the previous post, you can do so here.
The internet is a network of network consisting of over 50,000 Autonomous Systems (AS) that connect to each other using IXPs and Peering.
Within each AS, they make use of intra-domain routing protocols such as OSPF and BGP to route traffic within their own network. The networks within each AS are usually small. As a result, intra-domain routing protocols usually send large information about each router to each other to route traffic between them.
Between ASes, they make use of inter-domain routing protocols such as BGP to route traffic between each other. There are a large number of routes advertised by each AS. Using intra-domain routing protocols for inter-domain routing would be inefficient and would require large amounts of memory within each router.
Challenges of Inter-Domain routing #
There are 3 main factors that make inter-domain routing challenging:
- Around the world, there are millions of routers and over 200,000 prefixes
- 35,000+ self operated networks and 50,000 Autonomous Systems
- ASes do not want to expose internal topologies or business relations with neighbors
- There is no internet wide notion of a link cost metric
- Each AS controls where it sends traffic and who can send traffic through it
Types of Routing algorithms #
Routing algorithms can be classified into 2 main categories:
- Link State Algorithms
- Distance Vector Algorithms
Link state algorithms #
Link state algorithms send complete topology and link cost information over the network. The information is then centralized within each router and the shortest distance to each node is computed using Dijkstra’s Algorithm An example of this is the intra-domain routing protocol Open Shortest Path First (OSPF).
However, there are some limitations of Link-State routing
- Topology information is flooded
- This incurs high bandwidth and storage overhead
- Nodes also sends sensitive information
- Entire path is computed locally per node
- This results in a high processing overhead when the network is large
- Minimize notion of total cost
- This only works of the policy is shared and uniform among all the routers running the protocol.
Distance Vector Algorithms #
Distance Vector Algorithms send known neighbors and link cost information over the network. They make use of decentralized algorithms to compute the shortest distance to each node (Bellman Ford Algorithm). An example of this is the intra-domain routing protocol Routing Information Protocol (RIP).
Some benefits of this approach include:
- Hides details of the network topology
- Only next hop is determined per node
However, there are some limitations of Distance Vector routing
- It minimizes the notion of total distance
- The time taken to converge is also very long
Path-Vector Routing #
Based on the above, a possible solution for inter-domain routing is by extending the Distance Vector Algorithm approach.
By extending the distance vector routing, path-vector routing routing is born.
The key idea is to advertise the entire path taken to reach a destination instead of just the next hop. Information about the distance metric per destination and the entire path for each destination is sent between routers.
This allows for many advantages:
- Faster loop
- To detect loops, a single node can check if the next hop consists of itself
- If such a path is found, the advertisement is discarded
- Flexible routing policies
- Each router can decide how to route traffic based on the path advertised
Border Gateway Protocol (BGP) #
Border Gateway Protocol (BGP) is an inter-domain routing protocol that is used to exchange routing information between ASes. It is the de facto standard for inter-domain routing.
It allows subnets to advertise its existence to the rest of the internet while also allowing ASes to determine good routes to other networks based on reachability and policies.
2 Types of BGP #
There are 2 types of BGP:
- Interior BGP (iBGP)
- Exterior BGP (eBGP)
Interior BGP (iBGP) #
iBGP propagates reachability information across the backbone of an AS. It carries the ISP’s own customer prefixes.
This is used when the neighboring router is within the same AS. It does not require the routers to be directly connected. Intra-domain routing protocols such as OSPF and RIP are used to take care of internal BGP connectivity.
iBGP peers must be full meshed (logically). In other words, they must have an intra-domain routing protocol to connect to each other (Or each router is physically connected to all other routers in the AS). iBGP then run on top of the Intra-domain routing protocol to distribute reachability information from external ASes to each of the individual routers. A similar analogy will be how UDP runs on top of Ethernet.
Exterior BGP (eBGP) #
eBGP exchange reachability information from neighboring ASes and implement routing policies. This happens between BGP Speakers from different ASes which are directly connected.
AS A advertises a prefix to
AS A is promising that it will forward the packet towards that prefix.
ASes can aggregate prefixes in its advertisements.
To make things clearer, we will make use of the diagram above and the table below to explain their differences.
|IGP (OSPF, RIP, IS-IS)||Distribute internal routes to one another||When Advertising Router B to Router A & Router A to Router B|
|iBGP||Distribute external routes to internal routers (Using IGP)||When Advertising Router C to Router B|
|eBGP||Distribute routes from 1 AS to another||When Advertising Router A & B to C and Router C to Router A|
How does BGP work? #
BGP Message Format #
A BGP message consists of the following:
|Marker||16 bytes of all 1s||For compatibility with old BGP versions with no semantic in the current BGP version|
|Length||2 bytes||Length of the message|
|Type||1 byte||Type of the message|
Depending on the type, the message will have different fields.
BGP Messages #
There are 4 types of messages sent by BGP
|1||Open||Opens a TCP connection to the peer and authenticates sender|
|2||Update||Sends routing information to the peer (Advertise new paths / withdraw old paths)|
|3||Notification||Sends a notification to the peer and reports errors in the previous message, also used to close connections (e.g. Malformed Message)|
|4||Keep Alive||Sends a keep alive message to the peer to keep the TCP connection alive (Also acts as ACK for OPEN)|
One interesting thing to note is that paths have no timeout in BGP, they are actively withdrawn or replaced.
BGP Flow #
The diagram above shows the states of a BGP session between 2 routers.
- This is the first state where BGP waits for a start event
- Sets up ConnectRetry timer
- Connects to remote BGP neighbor to establish a connection
- Listens for a connection from the remote BGP neighbor
- BGP waits for a TCP handshake
- If it is successful it moves to the OpenSent State.
- If it fails, it goes to the active state
- If the ConnectRetry times out, it stays in this state
- Else, it goes to the Idle state
- BGP will try a second TCP Handshake
- If successful, it moves to the OpenSent State
- If ConnectRetry Timer expires, goes back to connect state
- Listens for incoming connection.
- Else, goes to Idle state
- BGP waits for an open message from the remote BGP neighbor.
- If there are errors in the message, it responds with a BGP notification msg and goes to idle
- This is the section where BGP decides if they are using eBGP or iBGP.
- If everything is ok, BGP sends keep alive messages and the lower value of keep alive is used
- If the TCP session fails, BGP goes back to active state
- If there are any other errors, BGP sends notification msg with the error code and goes to idle.
- Once everything is sent, BGP goes to the OpenConfirm state
- OpenConfirm State
- BGP waits for a keep alive message
- When we receive the keep alive message, we move to the established state
- Timer is reset
- If a BGP notification is received, go to idle
- The BGP neighbor adjacency is complete. BGP routers will send update packets to exchange routing information.
- Every time a keep alive or update message is received, the timer is reset.
- If a BGP notification message is received, go to idle
BGP Path Attributes #
BGP uses a list of path attributes which describes the path to the destination.
They fall into 4 categories
- Well-Known Mandatory
- Well-Known Discretionary
- Optional Transitive
- Optional Non-Transitive
There are also implementation rules that goes with this categories
- Implementations must recognize all well-known attributes
- Mandatory attributes must be included within UPDATE messages that contain Network Layer Reachability Information (NLRI)
- Once a BGP peer updates well-known attributes, they must pass them on to other peers
Common Path Attributes #
|Origin||Well-Known Mandatory||Conveys the origin of the prefix. Either (i) IGP, (e) EGP, or (?) Incomplete or Unknown Source.|
|AS_PATH||Well-Known Mandatory||Contains the ASes which NLRI has passed through.|
|NEXT_HOP||Well-Known Mandatory||Indicates the IP address of the router in the next hop|
|LOCAL_PREF||Well-Known Discretionary||This is used to select external BGP path preferences for a route. The higher the local preference, the more preferred the path becomes|
|ATOMIC_AGGREGATE||Well-Known Discretionary||Used to notify downstream BGP routers of suppressed routes|
|COMMUNITY||Optional Transitive||Community tags are used to group multiple destinations together. This is very useful in applying policies within and between ASes.|
|MULTI_EXIT_DISC (MED)||Optional Transitive||Used to identify multiple entry points to a neighboring AS to control inbound traffic. If received over eBGP, it will not be propagated to other ASes|
Entries in forwarding tables #
- Routers are first aware of the destination prefix (Through BGP advertisements)
- Router then determines the output port for the IP prefix (Choose best inter-as route, use IGP to determine the best intra-as route & identify port number for best route)
- Router enters the prefix-port pair in the forwarding table
There might be multiple entries for the same prefix in the forwarding table. The router will make a decision on which route to use.
When a packet is received, the router looks up the forwarding table to see where the packet should be forwarded to.
Hot Potato routing #
By default, BGP routers will use Hot Potato routing to route packets.
What is Hot Potato Routing? #
Hot Potato routing is a routing protocol where the router will forward the packet to the closest route outside the current AS.
An analogy is passing a hot potato among a group of friends. Everyone will want to pass it on to the next person as soon as possible. Similarly, an AS will find the shortest route out of the AS into another external AS as soon as possible.
Note: This may sometimes lead to longer paths from source to destination as the closest path out of the AS might not be the lowest cost for sending the packet from source to destination.
BGP Decision making process #
As shown in the diagram above, when there is an inbound advertisement, it is first filtered by the import policies before being handed over to the Adjacent Routing Information Base (RIB) in.
The router then selects the best path to be installed within the local RIB. The paths from the local RIBs will then pass through a set of export policies to the Adjacent RIB out before the update is sent out to other peers.
BGP Policies #
There are 2 sets of policies in BGP:
- Import policies
- Export policies
There are 3 different attributes that routers can make use of to tune their BGP policy
- Preferences: Add / Delete / Modify Attributes
- Filtering: inbound/outbound filtering
- Tagging: Adding community attributes
Import policies #
Import policies serve the following roles
- Filter unwanted routes from neighbors (EG: Prefixes not owned bu customers)
- User to prioritize routes
- Influence path selection
Export policies #
Export policies serve the following purpose
- Filter routes that you do not want to tell your neighbors (EG: Export only customers routes so others don’t route traffic through you)
- Manipulate attributes to control what others see (EG: Make routes look longer)
BGP Policies in practice #
In practice, BGP policies are used by ISPs to:
- Fulfill bilateral agreements with other ISPs
- Minimize Monetary costs (Maximize Revenue)
- Ensure good performance for customers
We will now examine each relation and see how policies can be applied to maintain the relationship.
Customer-Provider Relation #
Customers pay the Provider for access to the internet.
In terms of policies, this translates to:
- Export customer routes to everyone
- Customer exports provider routes to their customers
Peer-to-Peer Relation #
Peers exchange traffic between their customers
In terms of policies, this translates to:
- Peers Exports only customer routes to each other
- Peers export their other peer’s routes to customers
Attacks on BGP #
We will be discussing 2 main attacks on the BGP protocol
- BGP Prefix Hijacking
- BGP Sub prefix Hijacking
BGP Prefix Hijacking #
This happens when an attacker router advertises the same route as the origin router. Traffic which is closer to the attacker router will be redirected to the attacker router.
BGP Sub prefix Hijacking #
This happens when an attacker router advertises a more specific prefix. Every AS picks the bogus route for that prefix as the longest matching prefix is used.
Traffic is redirected away from the origin AS.
Follow up on hijacking #
After Hijacking the IP address, the attacker can do one or more of the following.
|Black hole||Data for the traffic is discarded||This results in the loss of the service to affected customers|
|Snooping||Data is inspected before it is redirected to the origin server||Traffic can be captured and information might be sniffed|
|Impersonation||Attacker replies the message||The attacker replies the message as per usual and fake replies are sent to the user.|
Preventing Hijacking #
A common practice to prevent hijacking is to filter routes announced by its customers based on the prefixes that the customer owns. This prevents them from advertising prefixes which they do not own.
However, some routes do not implement this practice as it is hard to filter routes which are very far away from the origin. As a result, BGP is still vulnerable to hijacks.
There are up and coming technology used to stop hijacking:
- Route Origin Authentication (ROA)
- Resource Public Key Infrastructure (RPKI)
We will not be going through them in this blog post. (Maybe in a future blog post?)