More than 200 countries around the world have internet access. There are many complex structures used to control internet networks and transfer data accurately. BGP is an important internet routing protocol. Just like physical mail services, BGP chooses the most efficient routes in internet traffic to keep things running. Now let’s take a look at the BGP technique in detail.
What is BGP?
Border Gateway Protocol (BGP) is, in effect, the postal service of the internet. Consider the physical mail service that is still in use today: the postal service chooses a fast and efficient route to deliver a letter to its recipient. Similarly, when someone sends data over the internet, BGP considers all the available paths the data could take and is responsible for choosing the best route, which usually means hopping between autonomous systems.
What is an Autonomous System?
The Internet is a general network ecosystem made up of countless networks. It is divided into hundreds of thousands of small networks known as autonomous systems. Each of these networks is actually a large pool of routers operated by a single organization.
At this point, we can think of BGP as the mail service of the internet network. Autonomous systems are like individual post office branches. A town may have hundreds of mailboxes, but mail in these boxes must pass through the local post office before being forwarded to another destination. Internal routers within the autonomous system are like mailboxes. Outgoing data is transmitted to these systems, and autonomous systems use BGP routing to deliver these messages to their destination.
The diagram below shows a simplified version of BGP. The image shows six autonomous systems on the internet. If AS1 (autonomous system 1) needs to forward a packet to AS3, there are two different options:
- Switching to AS2 and then to AS3: AS2 → AS3
- Another way is to switch to AS6, then AS5, AS4, and finally AS3: AS6 → AS5 → AS4 → AS3
In this model, the route through AS2 is shorter than the route through AS6, so traffic sent that way is delivered more efficiently. Now imagine that there are hundreds of thousands of autonomous systems, and that the number of hops is only one factor in a complex route selection algorithm. That is what BGP routing over the internet means.
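The selection described above, as an added example that is not part of the original article: a toy model of how a router in AS1 picks among the routes its neighbors advertise for one prefix. It applies two real BGP rules in simplified form: an announcement whose AS path already contains the local ASN is discarded (loop prevention), and among the remaining candidates the shortest AS path wins. The prefixes, next-hop addresses and the third (looped) announcement are constructed; the real decision process compares many more attributes before falling back to path length.

```python
# Added example (not from the original article): simplified BGP best-path
# selection by AS_PATH length with AS-path loop prevention.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                # destination prefix (constructed sample value)
    as_path: tuple[int, ...]   # ASes the announcement has traversed, nearest first
    next_hop: str              # neighbor router that advertised it (constructed)


def select_best_route(local_asn: int, routes: list[Route]) -> Optional[Route]:
    """Return the route a router in local_asn would install, or None."""
    candidates = []
    for r in routes:
        # Loop prevention: if our own ASN already appears in the AS_PATH, the
        # announcement has travelled around a cycle, so BGP discards it.
        if local_asn in r.as_path:
            continue
        candidates.append(r)
    if not candidates:
        return None
    # Prefer the shortest AS_PATH; the second key is a deterministic tie-break
    # standing in for the later steps of the real decision process.
    return min(candidates, key=lambda r: (len(r.as_path), r.as_path))


# Constructed announcements seen by AS1 for a prefix originated by AS3, matching
# the two options in the text plus one looped announcement.
ADVERTISED = [
    Route("203.0.113.0/24", (2, 3), "10.0.0.2"),           # AS2 -> AS3
    Route("203.0.113.0/24", (6, 5, 4, 3), "10.0.0.6"),     # AS6 -> AS5 -> AS4 -> AS3
    Route("203.0.113.0/24", (2, 1, 3), "10.0.0.9"),        # contains AS1 itself: a loop
]


def best_path_for_as1() -> tuple[int, ...]:
    """The AS_PATH AS1 installs for the constructed announcements."""
    best = select_best_route(1, ADVERTISED)
    return best.as_path if best else ()


if __name__ == "__main__":
    best = select_best_route(1, ADVERTISED)
    print("AS1 installs", " -> ".join(f"AS{a}" for a in best.as_path), "via", best.next_hop)
```

Running the module prints the AS2 path; change `local_asn` to 2 and the first announcement is rejected because AS2 appears in its own path, which is how a real router avoids importing a route that would send traffic back through itself.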
The structure of the internet is constantly changing: new systems come online and existing systems become unavailable. Every system therefore needs to be kept up to date with information about old routes as well as new ones. This is done through peering sessions, in which each autonomous system connects to neighboring systems over a TCP/IP connection to share routing information. As a result, each system is equipped to correctly direct incoming and outgoing data.
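What the start of such a peering session looks like on the wire, as an added example that is not part of the original article: once the TCP connection (BGP uses the well-known port 179) is up, each side sends an OPEN message. The encoder and parser below follow the fixed-layout fields of the OPEN message from RFC 4271 (16-byte marker, length, type, version, 16-bit ASN, hold time, router ID, optional parameter length); the ASN, hold time and router ID values are constructed, and no optional parameters or capabilities are included.

```python
# Added example (not from the original article): building and parsing a BGP
# OPEN message (RFC 4271 section 4.2) with no optional parameters.
import struct

MARKER = b"\xff" * 16      # every BGP message begins with 16 bytes of 0xff
MSG_TYPE_OPEN = 1
BGP_VERSION = 4
HEADER_LEN = 19            # marker (16) + length (2) + type (1)
OPEN_MIN_LEN = 29          # header + 10-byte fixed OPEN body


def build_open(my_asn: int, hold_time: int, router_id: str) -> bytes:
    """Encode an OPEN message for a 16-bit ASN (4-byte ASNs need the AS4 capability)."""
    if not 0 <= my_asn <= 0xFFFF:
        raise ValueError("OPEN carries a 16-bit ASN in its fixed header")
    rid = bytes(int(octet) for octet in router_id.split("."))
    if len(rid) != 4:
        raise ValueError("router ID must be a dotted-quad IPv4 address")
    body = struct.pack("!BHH4sB", BGP_VERSION, my_asn, hold_time, rid, 0)
    length = HEADER_LEN + len(body)
    return MARKER + struct.pack("!HB", length, MSG_TYPE_OPEN) + body


def parse_open(msg: bytes) -> dict:
    """Decode an OPEN message, rejecting malformed headers the way a peer would."""
    if len(msg) < OPEN_MIN_LEN or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated message")
    length, msg_type = struct.unpack("!HB", msg[16:HEADER_LEN])
    if length != len(msg):
        raise ValueError("length field does not match message size")
    if msg_type != MSG_TYPE_OPEN:
        raise ValueError(f"expected OPEN (type 1), got type {msg_type}")
    version, asn, hold, rid, opt_len = struct.unpack("!BHH4sB", msg[HEADER_LEN:OPEN_MIN_LEN])
    if version != BGP_VERSION:
        raise ValueError(f"unsupported BGP version {version}")
    return {
        "asn": asn,
        "hold_time": hold,
        "router_id": ".".join(str(b) for b in rid),
        "opt_len": opt_len,
    }


def is_well_formed_open(msg: bytes) -> bool:
    """True if parse_open accepts the message; used to check tampered input."""
    try:
        parse_open(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: private ASN 64512, 180 s hold time, router ID 192.0.2.1.
    wire = build_open(64512, 180, "192.0.2.1")
    print(wire.hex())
    print(parse_open(wire))
```

The hold time is what keeps a dead neighbor from silently holding stale routes: if no KEEPALIVE or UPDATE arrives within it, the session is torn down and the routes learned from that peer are withdrawn.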
Unlike post offices, autonomous systems are not all part of the same organization. They are often even owned by competing businesses. Therefore, commercial considerations are also important when it comes to BGP routes. Autonomous systems often charge each other to transfer data over the network.
Who Operates BGP Autonomous Systems?
Autonomous systems are mostly owned by internet service providers (ISPs), as well as other large organizations such as technology companies, universities, government agencies, and scientific institutions. Every system that wants to exchange routing information must have a registered autonomous system number (ASN).
The Internet Assigned Numbers Authority (IANA) assigns autonomous system numbers (ASNs) to Regional Internet Registries (RIRs), which in turn allocate them to internet service providers and networks. ASNs are 16-bit numbers from 1 to 65534 and 32-bit numbers from 131072 to 4294967294. As of 2018, there were approximately 64,000 ASNs in use worldwide, and an ASN is only required for external BGP.
What’s the Difference Between External BGP and Internal BGP?
Routes are exchanged and traffic is transmitted over the internet using external BGP (eBGP). Autonomous systems can also use an internal version of BGP, known as internal BGP (iBGP), to route within their own networks. Note that using internal BGP is not a requirement for using external BGP: an autonomous system can choose from a range of interior routing protocols to connect the routers in its internal network.
External BGP is like an international shipping service. There are certain standards and guidelines that must be followed when sending mail to a different country. Once the mail arrives in the destination country, it is handed to that country’s local postal service for delivery to its final destination. Each country has its own internal postal service, and the rules of that service may vary from country to country. Similarly, each autonomous system can have its own internal routing protocol for routing data within its own network.
Defects of the BGP Service
In 2008, a Pakistani internet service provider tried to use a BGP route to block Pakistani users from visiting YouTube. The provider’s announcement then propagated to autonomous systems in neighboring countries and on to the internet’s global BGP network. As a result, millions of users trying to reach YouTube experienced problems, and the site was unreachable for several hours.
Additionally, BGP disruption is not always accidental. In April 2018, attackers deliberately created malicious BGP routes to redirect traffic destined for Amazon’s DNS service. By redirecting that traffic to themselves, they managed to steal $100,000 worth of crypto assets.
BGP’s route sharing is based on trust, and it is generally managed by large businesses and organizations. Even so, such incidents remain possible: when a party advertises wrong route information (intentionally or not), traffic flows where it should not, and the consequences can be serious.
Fortunately, some progress has been made on BGP security. Most importantly, a security system called Resource Public Key Infrastructure (RPKI) was introduced in 2008. RPKI uses cryptographically signed records called Route Origin Authorizations (ROAs) to validate which network operator is allowed to announce an organization’s IP addresses using BGP.
Unfortunately, RPKI alone is not enough. If large networks do not use RPKI, large-scale hijacking attacks can still propagate. Currently, over 50% of leading internet providers offer some degree of RPKI support, but a far larger majority is needed to make BGP completely secure. Network operators can protect their networks by implementing RPKI and by using network alerting technologies such as Cloudflare Route Leak Detection, which helps counter BGP attacks by notifying customers when their IP prefixes are being advertised by unauthorized parties.
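How a network operator's router applies those ROAs, as an added example that is not part of the original article: RPKI route origin validation as specified in RFC 6811. Each announcement is compared against the set of ROAs; if no ROA covers the prefix the result is "not-found", if a covering ROA matches the origin AS and the announced prefix is no longer than the ROA's maximum length the result is "valid", and otherwise "invalid". The ROAs and announcements below are constructed, not real registry data, and the policy function drops only "invalid" routes, which is the common operator configuration.

```python
# Added example (not from the original article): RPKI route origin validation
# (RFC 6811) applied to a list of BGP announcements.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorized prefix
    max_length: int  # longest prefix length the origin may announce inside it
    origin_asn: int  # AS allowed to originate the prefix


def validate_origin(announced_prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        # Only ROAs of the same address family that contain the announced prefix count.
        if ann.version == net.version and ann.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "not-found"          # RPKI has no opinion about this prefix
    for roa in covering:
        if roa.origin_asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but either the origin AS is wrong or the announcement is
    # more specific than the ROA permits, which is how hijacks typically look.
    return "invalid"


def filter_announcements(announcements: list[tuple[str, int]],
                         roas: list[ROA]) -> list[tuple[str, int, str]]:
    """Apply the usual operator policy: drop invalid routes, keep the rest."""
    accepted = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state == "invalid":
            continue
        accepted.append((prefix, asn, state))
    return accepted


# Constructed ROAs: AS64500 may announce 203.0.113.0/24 only as a /24, and may
# announce 192.0.2.0/24 split as far as /26.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("192.0.2.0/24", 26, 64500),
]

# Constructed announcements: a legitimate route, a more-specific hijack, a wrong
# origin, an unregistered prefix, and a permitted sub-prefix.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/25", 64500),
    ("203.0.113.0/24", 64666),
    ("198.51.100.0/24", 64500),
    ("192.0.2.128/26", 64500),
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn, ROAS)}")
    print("accepted:", filter_announcements(ANNOUNCEMENTS, ROAS))
```

The "not-found" outcome is why the text says RPKI alone is not enough: a prefix with no ROA cannot be protected, and a network that does not run validation will accept an "invalid" announcement and pass it on regardless.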