Border Gateway Protocol (BGP) is a standardized gateway protocol that exchanges routing information across autonomous systems (AS) on the Internet.
Border Gateway Protocol is the protocol that makes the Internet work. Networks or autonomous systems that need to interact with each other do so through peering, which is made possible with BGP.
When a router is connected to several other networks, it cannot determine on its own which of them offers the best path for its data. Border Gateway Protocol considers all of the peering partners a router has and forwards traffic to the peer that is closest to the data's destination. This is possible because, at boot, BGP lets peers exchange their routing information, which each router then stores in a Routing Information Base (RIB).
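The RIB and the "closest peer" decision described above, as an added example that is not part of the original article: a small Python model of a RIB that learns routes from several peers and picks a forwarding decision by longest-prefix match and then a simplified best-path comparison (LOCAL_PREF, then AS_PATH length, then lowest next-hop as a tie-break). The peers, prefixes and AS numbers are constructed sample values, and the selection rules are a deliberate subset of real BGP best-path selection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str              # destination prefix as advertised, e.g. "203.0.113.0/24"
    next_hop: str            # address of the peer that advertised it
    as_path: tuple           # AS numbers from that peer through to the origin AS
    local_pref: int = 100    # operator-assigned preference; higher wins


class Rib:
    """Minimal model of a Routing Information Base: every route learned
    from every peer, grouped by destination prefix."""

    def __init__(self):
        self.routes = {}     # ip_network -> list of Route objects

    def learn(self, route):
        net = ipaddress.ip_network(route.prefix)
        self.routes.setdefault(net, []).append(route)

    def best(self, net):
        """Simplified best-path selection among the routes for one prefix:
        highest LOCAL_PREF, then shortest AS_PATH, then lowest next-hop
        address as a deterministic tie-break."""
        candidates = self.routes.get(net, [])
        if not candidates:
            return None
        return min(
            candidates,
            key=lambda r: (-r.local_pref, len(r.as_path), ipaddress.ip_address(r.next_hop)),
        )

    def lookup(self, destination):
        """Forwarding decision for one destination address: longest-prefix
        match first, then best path within that prefix."""
        addr = ipaddress.ip_address(destination)
        covering = [net for net in self.routes if addr in net]
        if not covering:
            return None
        most_specific = max(covering, key=lambda n: n.prefixlen)
        return self.best(most_specific)


def build_sample_rib():
    """Constructed sample: routes as they might be learned from three peers
    (192.0.2.1, 192.0.2.2, 192.0.2.3) in documentation address space."""
    rib = Rib()
    rib.learn(Route("203.0.113.0/24", "192.0.2.1", (64497, 64500)))
    rib.learn(Route("203.0.113.0/24", "192.0.2.2", (64498, 64501, 64500)))
    rib.learn(Route("203.0.113.128/25", "192.0.2.3", (64499, 64500)))
    rib.learn(Route("198.51.100.0/24", "192.0.2.2", (64498,)))
    # Longer path but higher LOCAL_PREF: policy beats path length.
    rib.learn(Route("198.51.100.0/24", "192.0.2.1", (64497, 64502, 64498), local_pref=200))
    return rib


if __name__ == "__main__":
    rib = build_sample_rib()
    for dest in ("203.0.113.10", "203.0.113.200", "198.51.100.7", "10.0.0.1"):
        chosen = rib.lookup(dest)
        print(dest, "->", chosen.next_hop if chosen else "no route",
              chosen.as_path if chosen else "")
```

The /25 route wins for 203.0.113.200 even though its path is no shorter, because prefix length is compared before any path attribute; this is also why a more-specific announcement from the wrong place is so disruptive.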
Border Gateway Protocol was originally created in 1989 as a quick fix for the Internet, but it has remained the primary protocol for long-distance traffic. Since then, however, cyber threats have evolved and BGP has not kept up.
Abuse of Border Gateway Protocol is called BGP hijacking, and it is possible because the protocol relies on trusting advertised routes. There have been multiple attempts at creating a more secure version of BGP, but implementation is extremely problematic: most of the new versions are unable to communicate with standard BGP, which means that every AS across the world would have to adopt the new protocol simultaneously.
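Because routers accept advertised routes on trust, a defender's first line of detection is to compare what is being announced against what is authorised to be announced. The following is an added example, not code from the original article: a Python origin check over a constructed authorisation table (modelled on the shape of an RPKI Route Origin Authorization: prefix, permitted origin AS, maximum prefix length) applied to constructed sample announcements. It flags an announcement as `invalid` when the origin AS is wrong or the prefix is more specific than allowed, which are the two patterns behind the hijacks the article refers to.

```python
import ipaddress

# Constructed authorisation table: (prefix, origin AS allowed to announce it,
# most specific prefix length that origin may announce).
AUTHORIZED = [
    ("203.0.113.0/24", 64500, 24),
    ("198.51.100.0/22", 64510, 24),
]

# Constructed sample announcements, as a route collector or our own peers might
# report them: the prefix, the origin AS at the end of the AS_PATH, and the peer.
ANNOUNCEMENTS = [
    {"prefix": "203.0.113.0/24",   "origin": 64500, "peer": "192.0.2.1"},  # legitimate
    {"prefix": "203.0.113.0/24",   "origin": 64666, "peer": "192.0.2.9"},  # wrong origin AS
    {"prefix": "203.0.113.128/25", "origin": 64500, "peer": "192.0.2.9"},  # more specific than allowed
    {"prefix": "198.51.100.0/23",  "origin": 64510, "peer": "192.0.2.2"},  # allowed sub-prefix
    {"prefix": "192.0.2.0/24",     "origin": 64520, "peer": "192.0.2.2"},  # nothing on file
]


def validate(announcement, authorized=AUTHORIZED):
    """Return 'valid', 'invalid' or 'not_found' for one announcement.

    'not_found' means no authorisation covers the prefix at all, which is
    different from a positive contradiction and is usually handled more leniently."""
    net = ipaddress.ip_network(announcement["prefix"])
    covering = [
        (ipaddress.ip_network(p), asn, maxlen)
        for p, asn, maxlen in authorized
        if net.subnet_of(ipaddress.ip_network(p))
    ]
    if not covering:
        return "not_found"
    for _, asn, maxlen in covering:
        if asn == announcement["origin"] and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def find_suspicious(announcements, authorized=AUTHORIZED):
    """Announcements that contradict the authorisation table: the ones to alert on."""
    return [a for a in announcements if validate(a, authorized) == "invalid"]


if __name__ == "__main__":
    for a in ANNOUNCEMENTS:
        print(f"{a['prefix']:18} AS{a['origin']} via {a['peer']:10} -> {validate(a)}")
    print("suspicious:", [(a["prefix"], a["origin"]) for a in find_suspicious(ANNOUNCEMENTS)])
```

Note that `not_found` is reported separately from `invalid`: a prefix with no authorisation on file is a coverage gap in the table, not evidence of a hijack, and treating the two the same produces alerts that operators learn to ignore.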
A few BGP incidents that have taken place in the past include:
The previous section covers how Border Gateway Protocol allows autonomous systems to interact; this section will give a small insight into how to actually implement the protocol and create peering relationships.
One of the most popular networking equipment companies in the world is Cisco. The command line example below shows how to enable BGP and configure a peer on a Cisco Nexus 7000 series switch.
[enter configuration mode]
switch# configure terminal
[enable BGP and assign the ASN 64496]
switch(config)# router bgp 64496
[configure the IP and ASN for a peer]
switch(config-router)# neighbor 184.108.40.206 remote-as 64497
[add a description for the peer]
switch(config-router-neighbor)# description Peer Router B
[enter the neighbor address family configuration mode]
switch(config-router-neighbor)# address-family ipv4 unicast
[save configuration changes]
switch(config-router-neighbor-af)# copy running-config startup-config
Another popular vendor is Juniper Networks which has its own operating system called Junos OS. The operating system’s command line varies slightly from Cisco’s. To configure a peering relationship that is the same as the example above you would issue the following commands:
[enable BGP and assign the ASN 64496]
set routing-options autonomous-system 64496
[define the external-peers group and type]
set protocols bgp group external-peers type external
[add a neighbor to external-peers]
set protocols bgp group external-peers neighbor 220.127.116.11 peer-as 64497
Border Gateway Protocol use cases can be found anywhere that two networks need to exchange traffic such as internet exchange points (IXPs). They can also be found within a single meshed network where routers need to communicate information to forward traffic.
Up to this point we’ve primarily focused on external peers, meaning that the communicating autonomous systems have different autonomous system numbers (ASNs). Internal peering, however, is when a BGP session runs between two devices with the same ASN.
The methods that external BGP (eBGP) and internal BGP (iBGP) use to send and interpret messages differ slightly so many people consider them to be two separate protocols.
The purpose of iBGP is to allow eBGP route advertisements to be forwarded throughout an entire network—not just to a single piece of equipment. For example, you may have an external peering relationship set up at an IXP in New York. When traffic is passed to your network with eBGP, iBGP picks up and determines where the traffic needs to go next within your network.
Generally, the loopback interface is used to establish the connection between iBGP peers. This provides fault tolerance: the loopback interface stays up as long as the device itself is up, regardless of which physical interface fails. Internal neighbors do not need to be directly connected like external ones; however, they do need to be fully meshed to avoid routing loops, meaning that each device must have a peering relationship with every other device in the AS.
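The eBGP/iBGP distinction and the full-mesh requirement from the last two sections, as an added example that is not code from the original article: a Python check that classifies each configured session by comparing ASNs, lists the iBGP sessions still missing for a full mesh, and emits the neighbor statements for a missing pair in the Cisco NX-OS syntax shown earlier on the page. The router inventory, loopback addresses and session list are constructed, and the example assumes each internal router's loopback address is what the other routers peer with.

```python
from itertools import combinations

# Constructed inventory: router name -> (ASN, address used for BGP peering).
# Internal routers peer on their loopbacks; the external peer is at the IXP.
ROUTERS = {
    "nyc-edge": (64496, "10.255.0.1"),
    "chi-core": (64496, "10.255.0.2"),
    "sfo-edge": (64496, "10.255.0.3"),
    "peer-b":   (64497, "192.0.2.2"),
}

# Constructed list of sessions already configured, as unordered pairs.
SESSIONS = [
    ("nyc-edge", "peer-b"),
    ("nyc-edge", "chi-core"),
    ("chi-core", "sfo-edge"),
]


def session_type(a, b, routers=ROUTERS):
    """Same ASN on both ends makes the session iBGP; different ASNs make it eBGP."""
    return "iBGP" if routers[a][0] == routers[b][0] else "eBGP"


def missing_ibgp_sessions(asn, routers=ROUTERS, sessions=SESSIONS):
    """Pairs of routers inside `asn` that still lack a session.

    A full mesh needs every pair peered, i.e. n*(n-1)/2 sessions for n routers."""
    members = sorted(name for name, (member_asn, _) in routers.items() if member_asn == asn)
    configured = {frozenset(s) for s in sessions}
    return [pair for pair in combinations(members, 2) if frozenset(pair) not in configured]


def nxos_neighbor_lines(local, remote, routers=ROUTERS):
    """Neighbor statements for `local`, in the NX-OS form used earlier on the page."""
    local_asn = routers[local][0]
    remote_asn, remote_addr = routers[remote]
    return [f"router bgp {local_asn}", f"  neighbor {remote_addr} remote-as {remote_asn}"]


if __name__ == "__main__":
    for a, b in SESSIONS:
        print(f"{a} <-> {b}: {session_type(a, b)}")
    for pair in missing_ibgp_sessions(64496):
        print("missing iBGP session:", pair)
        for side, other in (pair, pair[::-1]):
            print(f"  on {side}:")
            for line in nxos_neighbor_lines(side, other):
                print("   ", line)
```

With three internal routers the mesh needs three sessions; only two are configured, so the check reports the nyc-edge/sfo-edge pair and prints the statements each side would need.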