BGP: Border Gateway Protocol
«Give me hope in better time / with open eyes but no borders...» Pooh
How BGP works
Border Gateway Protocol (BGP) is an EGP-type routing protocol (see the routing classification in figure routing-protocols) used to connect multiple routers belonging to distinct autonomous systems (AS). It is therefore an inter-AS routing protocol, although it can also be used among routers belonging to the same AS (in which case it is called iBGP, Interior Border Gateway Protocol), or among routers connected via an additional AS that separates them (eBGP, External Border Gateway Protocol). BGP is the main routing protocol that currently connects the Internet in a decentralized way, not dependent on a single node. The protocol exchanges only routing information, does not expose the network topology, and is used to exchange routes among large networks (AS), as shown in figure bgp-network.
Figure bgp-network: A BGP network.
The choice of route is based on the most specific prefix and on the shortest distance (AS path). RouterOS supports BGPv4 as defined in RFC 1771. We can say that BGP is the "language" in which ASs talk to each other, exchanging routing information and making all destinations reachable. It works by maintaining a table of prefixes (IP networks), which provides information on the reachability of the different networks among multiple autonomous systems. It is a path-vector protocol that does not use technical metrics (for example, it does not consider bandwidth) but makes routing decisions based on specific policies. The motivation that drives an organization to use BGP to exchange its routes on the Internet is the need to have a multihomed network. A multihomed network is a network that purchases Internet transit from multiple top-level providers (or even multiple links with the same provider) and that must guarantee that its services are reachable from the outside through a set of public IP addresses. In a standard situation without BGP, every link to the Internet comes with its own IP addressing class, which cannot be shared with the other links (see figure multihomed-network-wo-bgp). It is therefore clear that if a service, for example a server hosting a website, is published on an IP address that can be reached only through one specific link, then when that link goes down the service will be unreachable from other networks.
Figure multihomed-network-wo-bgp: Multihomed network without BGP.
Instead, using the BGP protocol to propagate its own class of IP addresses on the Internet, the addresses themselves will be reachable via any link to which the routes have been propagated (see figure multihomed-network-w-bgp ).
Figure multihomed-network-w-bgp: Multihomed network with BGP.
In the BGP protocol the adjacent ASs, called peers, establish route exchange sessions through an appropriate router configuration. Sessions use the TCP protocol to exchange information. It is important to note that all routers within an AS that participate in routing via BGP must be connected according to a fully connected topology (full mesh); that is, each router must be a peer of all the others. This poses scalability problems, so solutions such as route reflection and confederations can be implemented. The topic will not be discussed here, as it is necessary only in large ASs. As mentioned before, BGP is a path-vector protocol, which means that the best path to reach a given destination is mainly based on the number of ASs between source and destination. For example, in choosing between the following two paths, the first one will be chosen even if it has less bandwidth:
However, it is possible to use some tricks to determine the preferred route. An example is the so-called "AS prepending", which basically consists of injecting the AS number several times into the AS path. Going back to the previous routes, if link number 2 has greater transmission capacity, I can "force" the transit through it by announcing my AS (400) several times. Note that link 1 is therefore longer than link 2, so it will be used as a second choice.
This "trick" will be used in lab bgp-lab2. It is important to note that the protocol does not take the transmission channels into account, so it requires the use of channels that are as similar as possible. Note also that BGP is valid both for IPv4 routing and for IPv6 routing.
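The selection rule and the prepending trick described above can be tried out with the following model, an added example that is not part of the original text. It is a simplification (longest prefix, then shortest AS path, ignoring the other BGP attributes); AS 400 is the origin AS from the text, while the prefix 203.0.113.0/24 and the AS numbers 100, 200 and 300 are constructed for the illustration.

```python
import ipaddress

def best_route(routes, dst):
    """Longest matching prefix first, then shortest AS path.

    Simplified model: real BGP compares further attributes (for example
    local preference) besides the AS-path length.
    """
    addr = ipaddress.ip_address(dst)
    matching = [r for r in routes if addr in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return None
    return min(matching, key=lambda r: (
        -ipaddress.ip_network(r["prefix"]).prefixlen, len(r["as_path"])))

def origin_prepend(route, times):
    """Copy of `route` with its origin AS (last in the path) repeated `times` more."""
    origin = route["as_path"][-1]
    return {**route, "as_path": route["as_path"] + [origin] * times}

# Constructed announcements of AS 400's prefix as seen by a remote AS.
LINK1 = {"link": 1, "prefix": "203.0.113.0/24", "as_path": [100, 400]}
LINK2 = {"link": 2, "prefix": "203.0.113.0/24", "as_path": [200, 300, 400]}
# A more specific prefix announced on link 1 with a long, prepended path.
SPECIFIC = {"link": 1, "prefix": "203.0.113.0/25",
            "as_path": [100, 400, 400, 400, 400]}

def chosen_link(routes, dst="203.0.113.10"):
    """Link number of the route selected for `dst`, or None if unreachable."""
    best = best_route(routes, dst)
    return best["link"] if best else None

if __name__ == "__main__":
    # Without prepending the shorter path through link 1 is selected.
    print("no prepend:", chosen_link([LINK1, LINK2]))
    # AS 400 announced two more times on link 1 makes link 2 the shorter path.
    print("link 1 prepended:", chosen_link([origin_prepend(LINK1, 2), LINK2]))
    # Prefix length is compared before path length: the /25 still wins.
    print("more specific:", chosen_link([SPECIFIC, LINK2]))
```

The last case shows why prepending only influences the choice between announcements of the same prefix: a more specific prefix is preferred whatever the length of its AS path.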
What you can do with BGP
Uses range from a simple network multihomed to two providers to networks peering with other partners or customer networks, through a private peering or through a public peering at an IXP (Internet Exchange Point) (e.g. MIX-IT). Thanks to path-vector selection, each customer who has to reach the provided services will use the path with the shortest length. An example:
What can't be done with BGP
Precisely because the protocol is path-vector, the physical media over which the packets will pass cannot be taken into account in any way.
Criticalities and requirements
To propagate your routes on the Internet via BGP, you need to be a recognized Autonomous System (recognized by RIPE in the European case) and have your own class of public IP addresses. The smallest purchasable allocation is a /24, or 256 IP addresses, called PI (Provider Independent). However, it is very difficult to obtain an allocation of this type, as it is necessary to meet requirements that are difficult to satisfy. It is much easier to get larger networks, such as a /22 (4 /24 networks), called PA (Provider Allocatable). This is because Internet routers prefer to avoid propagating routes that have a prefix greater than or equal to 24, as they would fragment the routing table of the various routers too much. It is instead extremely easy to obtain the allocation of a /32 of IPv6 addresses (which are 128 bits long: there is therefore a huge number of allocable subnets). Note that it is possible to propagate IPv6 routes only if the transit providers support IPv6 themselves.
BGP with Mikrotik RouterOS
At MUM 2013 in Zagreb, Wardner Maia gave a talk entitled "BGP Filtering with RouterOS", whose slides can be found at http://bit.ly/2VpYf14 . The first part of his talk is a good introduction to BGP, useful for those wishing to study the protocol further. In the following pages we will discuss only two simple basic configurations through the laboratories.
Lab
Two routers and two PCs are required for this laboratory.
Simple BGP communication between two ASs.
The goal of this laboratory is to create a simple configuration in which two routers belonging to different AS communicate the routes of their knowledge to each other.
Figure bgp-lab1: Simple BGP communication between two ASs.
  1. Connect the routers as shown in fig bgp-lab1 .
  2. We configure the R1 router :
    [admin@MikroTik] > /system identity set name=R1
    [admin@R1] > /ip address add interface=ether1 address=192.168.1.1/29
    [admin@R1] > ip dhcp-server setup
    Select interface to run DHCP server on
    dhcp server interface: ether1
    Select network for DHCP addresses
    dhcp address space: 192.168.1.0/29
    Select gateway for given network
    gateway for dhcp network: 192.168.1.1
    Select pool of ip addresses given out by DHCP server
    addresses to give out: 192.168.1.2-192.168.1.6
    Select DNS servers
    dns servers:
    Select lease time
    lease time: 10m
  3. We check that the PC-1 has obtained a valid ip address and is able to communicate with R1:
    PC-1> ping 192.168.1.1
    84 bytes from 192.168.1.1 icmp_seq=1 ttl=64 time=2.637 ms
    84 bytes from 192.168.1.1 icmp_seq=2 ttl=64 time=0.503 ms
    84 bytes from 192.168.1.1 icmp_seq=3 ttl=64 time=0.418 ms
    84 bytes from 192.168.1.1 icmp_seq=4 ttl=64 time=0.360 ms
    84 bytes from 192.168.1.1 icmp_seq=5 ttl=64 time=0.401 ms
  4. We also proceed with the R2 configuration:
    [admin@MikroTik] > /system identity set name=R2
    [admin@R2] > /ip address add interface=ether1 address=192.168.2.1/29
    [admin@R2] > ip dhcp-server setup
    Select interface to run DHCP server on
    dhcp server interface: ether1
    Select network for DHCP addresses

    dhcp address space: 192.168.2.0/29
    Select gateway for given network

    gateway for dhcp network: 192.168.2.1
    Select pool of ip addresses given out by DHCP server

    addresses to give out: 192.168.2.2-192.168.2.6
    Select DNS servers

    dns servers:
    Select lease time

    lease time: 10m
  5. Also in this case we check that PC-2 has been assigned a correct IP address and can communicate with R2:
    PC-2> ping 192.168.2.1
    84 bytes from 192.168.2.1 icmp_seq=1 ttl=64 time=2.416 ms
    84 bytes from 192.168.2.1 icmp_seq=2 ttl=64 time=0.417 ms
    84 bytes from 192.168.2.1 icmp_seq=3 ttl=64 time=2.128 ms
    84 bytes from 192.168.2.1 icmp_seq=4 ttl=64 time=0.401 ms
    84 bytes from 192.168.2.1 icmp_seq=5 ttl=64 time=0.354 ms
  6. Now let's configure the connection that allows the two routers to communicate with each other:
    [admin@R1] > /ip address add interface=ether2 address=192.168.100.1/30

    [admin@R2] > /ip address add interface=ether2 address=192.168.100.2/30
  7. From R2 we check communication with R1:
    [admin@R2] > /ping 192.168.100.1
      SEQ HOST                                     SIZE TTL TIME  STATUS
        0 192.168.100.1                              56  64 10ms
        1 192.168.100.1                              56  64 2ms
        2 192.168.100.1                              56  64 0ms
        3 192.168.100.1                              56  64 1ms
        4 192.168.100.1                              56  64 0ms
        5 192.168.100.1                              56  64 0ms
        6 192.168.100.1                              56  64 0ms
        7 192.168.100.1                              56  64 1ms
        8 192.168.100.1                              56  64 0ms
  8. Now we have connected all the infrastructure but clearly PC-1 cannot reach the 192.168.2.0/30 subnet:
    PC-1> ping 192.168.2.6
    *192.168.1.1 (ICMP type:3, code:0, Destination network unreachable)
    *192.168.1.1 (ICMP type:3, code:0, Destination network unreachable)
    *192.168.1.1 (ICMP type:3, code:0, Destination network unreachable)
    *192.168.1.1 (ICMP type:3, code:0, Destination network unreachable)
  9. Let's go on to configure BGP on R1 :
    [admin@R1] > routing bgp instance set 0 router-id=1.1.1.1 as=111
    [admin@R1] > routing bgp peer add remote-address=192.168.100.2 \
                 remote-as=222
  10. We expose the known network and verify the routing table:
    [admin@R1] > routing bgp network add network=192.168.1.0/29

    [admin@R1] > ip route print
    Flags: X - disabled, A - active, D - dynamic,
    C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
    B - blackhole, U - unreachable, P - prohibit
     #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
     0 ADC  192.168.1.0/29     192.168.1.1     ether1                    0
     1 ADC  192.168.100.0/30   192.168.100.1   ether2                    0
  11. Let's go on to configure BGP on R2:
    [admin@R2] > routing bgp instance set 0 router-id=2.2.2.2 as=222
    [admin@R2] > routing bgp peer add remote-address=192.168.100.1 \
                 remote-as=111
    [admin@R2] > routing bgp network add network=192.168.2.0/29
  12. We expose the known network and verify the routing table:
    [admin@R1] > ip route print interval=1s
    Flags: X - disabled, A - active, D - dynamic,
    C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
    B - blackhole, U - unreachable, P - prohibit
     #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
     0 ADC  192.168.1.0/29     192.168.1.1     ether1                    0
     2 ADb  192.168.2.0/29                     192.168.100.2            20
     1 ADC  192.168.100.0/30   192.168.100.1   ether2                    0
  13. As you can see, the route known from AS111 has been transferred via BGP.
  14. Similarly, AS111 received the routes known and advertised by AS222:
    [admin@R2] > ip route print
     Flags: X - disabled, A - active, D - dynamic,
     C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
     B - blackhole, U - unreachable, P - prohibit
      #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
      0 ADb  192.168.1.0/29                     192.168.100.1            20
      1 ADC  192.168.2.0/29     192.168.2.1     ether1                    0
      2 ADC  192.168.100.0/30   192.168.100.2   ether2                    0
  15. Now the routers are aware of the entire infrastructure and the ping from PC-1, which had previously failed in step 8, now succeeds:
    PC-1> ping 192.168.2.6
    84 bytes from 192.168.2.6 icmp_seq=1 ttl=62 time=6.653 ms
    84 bytes from 192.168.2.6 icmp_seq=2 ttl=62 time=1.085 ms
    84 bytes from 192.168.2.6 icmp_seq=3 ttl=62 time=0.947 ms
    84 bytes from 192.168.2.6 icmp_seq=5 ttl=62 time=1.078 ms
Lab
Three routers and a PC are required for this laboratory.
Simple multihomed BGP infrastructure.
The goal of this laboratory is to create a configuration that can be used for sharing the load between ISPs, or for using one ISP as the main link and the other ISPs as backup links.
Figure bgp-lab2: Simple multihomed BGP infrastructure.
Suppose the local Internet registry has assigned us two /24 networks, 10.1.1.0/24 and 10.1.2.0/24, and our AS is 30. The first network is used for workstations on our corporate network. Part of the other network is also used for workstations and another part is reserved for servers. At present our company has only one server, with address 10.1.2.130. The goal is to announce our assigned networks to the BGP peers and use only one provider as the main link; the ISP2 connection is for backup only.
    1. Connect the routers as shown in fig bgp-lab2 .
    2. We load the basic configuration without BGP operations into the R1, R2 and R3 routers :
      {R1}
      /system identity set name=R1
      /ip address
      add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
      {R2}
      /system identity set name=R2
      /ip address
      add address=192.168.2.1/24 interface=ether1 network=192.168.2.0
      {R3}
      /system identity set name=R3
      /ip pool
      add name=dhcp_pool0 ranges=10.1.1.2-10.1.1.254
      add name=dhcp_pool1 ranges=10.1.2.2-10.1.2.126
      add name=dhcp_pool2 ranges=10.1.2.130-10.1.2.254
      /ip dhcp-server
      add address-pool=dhcp_pool0 disabled=no interface=ether3 name=dhcp1
      add address-pool=dhcp_pool1 disabled=no interface=ether4 name=dhcp2
      add address-pool=dhcp_pool2 disabled=no interface=ether5 name=dhcp3
      /ip address
      add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
      add address=192.168.2.2/24 interface=ether2 network=192.168.2.0
      add address=10.1.1.1/24 interface=ether3 network=10.1.1.0
      add address=10.1.2.1/25 interface=ether4 network=10.1.2.0
      add address=10.1.2.129/25 interface=ether5 network=10.1.2.128
      /ip dhcp-server network
      add address=10.1.1.0/24 gateway=10.1.1.1
      add address=10.1.2.0/25 gateway=10.1.2.1
      add address=10.1.2.128/25 gateway=10.1.2.129
    3. Let's go on to configure BGP on R1:
      [admin@R1] > routing bgp instance set 0 as=10
      [admin@R1] > routing bgp peer add remote-address=192.168.1.2 remote-as=30
    4. Let's go on to configure BGP on R2:
      [admin@R2] > routing bgp instance set 0 as=20
      [admin@R2] > routing bgp peer add remote-address=192.168.2.2 remote-as=30
    5. Let's go on to configure BGP on R3 :
      [admin@R3] > routing bgp instance set 0 as=30
      [admin@R3] > routing bgp peer add remote-address=192.168.1.1 \
                   remote-as=10 name=isp1
      [admin@R3] > routing bgp peer add remote-address=192.168.2.1 \
                   remote-as=20 name=isp2
    6. We show the known networks:
      [admin@R3] > routing bgp network add network=10.1.1.0/24 synchronize=no
      [admin@R3] > routing bgp network add network=10.1.2.0/24 synchronize=no
    7. We verify the routing table on R1 and R2:
      [admin@R1] > ip route print
      Flags: X - disabled, A - active, D - dynamic,
      C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
      B - blackhole, U - unreachable, P - prohibit
      #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
      0 ADb  10.1.1.0/24                        192.168.1.2              20
      4 ADb  10.1.2.0/24                        192.168.1.2              20
      1 ADC  192.168.1.0/24     192.168.1.1     ether1                    0

      [admin@R2] > /ip route print
      Flags: X - disabled, A - active, D - dynamic,
      C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
      B - blackhole, U - unreachable, P - prohibit
      #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
      0 ADb  10.1.1.0/24                        192.168.2.2              20
      4 ADb  10.1.2.0/24                        192.168.2.2              20
      1 ADC  192.168.2.0/24     192.168.2.1     ether1                    0
    8. From now on we work only on router R3. The next step is to specify which routing filter chains will be used, since we want to exclude all the routes that do not belong to our AS:
      /routing bgp peer
      set isp1 in-filter=isp1-in out-filter=isp1-out
      set isp2 in-filter=isp2-in out-filter=isp2-out
      in-filter is for input prefixes (reception) while out-filter is for advertised prefixes.
    9. After the chains have been specified, we accept our networks and discard everything else, because we are not a transit provider.
      As is known, one of the BGP attributes that influence best route selection is the length of the AS path: the shorter the AS path, the more it is preferred. Since we want ISP2 to be only a backup, we will use BGP to increase the length of the AS path and force incoming traffic through ISP1. Output filters to ISP1:
      /routing filter
      # We accept our networks
      add chain=isp1-out prefix=10.1.1.0/24 action=accept
      add chain=isp1-out prefix=10.1.2.0/24 action=accept
      # We discard everything else
      add chain=isp1-out action=discard
      Output filters to ISP2 (note the increase in the path length, the AS prepending described earlier):
      /routing filter
      # We accept our networks and prepend our AS to the AS path three times
      add chain=isp2-out prefix=10.1.1.0/24 action=accept set-bgp-prepend=3
      add chain=isp2-out prefix=10.1.2.0/24 action=accept set-bgp-prepend=3
      # We discard everything else
      add chain=isp2-out action=discard
    10. Furthermore, we do not need ISP1 routes, because outbound traffic uses the default route via ISP1 and ISP2 is left as a backup:
      /routing filter
      add chain=isp1-in action=discard
      add chain=isp2-in action=discard

      /ip route
      add gateway=192.168.1.1 check-gateway=ping
      add gateway=192.168.2.1 distance=30 check-gateway=ping
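The effect of the output chains from step 9 can be checked offline with the following model, an added example that is not part of the original lab and is not RouterOS code. It assumes that rules are evaluated in order with the first match winning, that a rule prefix matches only that exact prefix, that a route matching no rule is accepted, and that set-bgp-prepend=3 puts the local AS in the path three times; the learned route 198.51.100.0/24, AS 64500 and the chain isp2-out-weak are constructed.

```python
import ipaddress

LOCAL_AS = 30
OWN = {"10.1.1.0/24", "10.1.2.0/24"}

# R3's out-filter chains from step 9 as (prefix, action, set-bgp-prepend);
# prefix None is a rule without a prefix matcher, so it matches every route.
CHAINS = {
    "isp1-out": [("10.1.1.0/24", "accept", 0), ("10.1.2.0/24", "accept", 0),
                 (None, "discard", 0)],
    "isp2-out": [("10.1.1.0/24", "accept", 3), ("10.1.2.0/24", "accept", 3),
                 (None, "discard", 0)],
}
# Weak variant (constructed): the same chain with the final discard left out.
CHAINS["isp2-out-weak"] = CHAINS["isp2-out"][:-1]

def advertise(chain, prefix, as_path=()):
    """Return the AS path the peer would receive, or None if filtered.

    Model assumptions: first matching rule wins, exact prefix match,
    no match means accept, set-bgp-prepend=N gives N copies of LOCAL_AS.
    """
    net = ipaddress.ip_network(prefix)
    prepend = 0
    for rule_prefix, action, rule_prepend in CHAINS[chain]:
        if rule_prefix is None or net == ipaddress.ip_network(rule_prefix):
            if action == "discard":
                return None
            prepend = rule_prepend
            break
    # Without prepending the local AS appears once in the advertised path.
    return [LOCAL_AS] * max(prepend, 1) + list(as_path)

def leaked(chain, table):
    """Prefixes in `table` that pass `chain` but are not our own networks."""
    return sorted(p for p, path in table.items()
                  if p not in OWN and advertise(chain, p, path) is not None)

# Constructed routing table on R3: our two networks plus one route that
# would be learned from ISP1 (AS 10) if the in-filters did not discard it.
TABLE = {
    "10.1.1.0/24": (),
    "10.1.2.0/24": (),
    "198.51.100.0/24": (10, 64500),
}

if __name__ == "__main__":
    for chain in CHAINS:
        sent = {p: advertise(chain, p, path) for p, path in TABLE.items()}
        print(chain, sent, "leaked:", leaked(chain, TABLE))
```

With the final discard in place nothing but the two /24 networks leaves R3; in the weak variant the route learned from ISP1 would be passed on to ISP2, which is exactly the transit role the lab wants to avoid.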
    Useful links
    For more laboratories on the BGP protocol the following links can be consulted: