If you work at an ISP, you have probably had the chance to appreciate the flexibility of BGP and the tools it offers for controlling how traffic is routed. The protocol exists to interconnect networks that have no common administration, which makes it well suited to delivering Internet access.
If your organization has a single Internet connection, you may never need to decode the BGP abbreviations, let alone learn how the protocol operates. A default route (through which all external traffic is sent to the ISP) gives you everything you need, and you entrust the onward routing of your packets to the ISP. However, if you are planning to add a second Internet connection through another ISP, for redundancy or to balance the load on your servers, this article offers useful tips on the subject. We strongly recommend working closely with your service provider while experimenting with BGP routing, because its influence extends beyond your own network.
BGP is the only Exterior Gateway Protocol (EGP) in widespread use. It was first described in RFC 1105 in 1989. BGP version 4 was specified in RFC 1654, published in 1994, and substantially revised in RFC 1771; the current specification is RFC 4271. A series of extensions to this version of the protocol was adopted in the following years. The most significant contribution of BGP4 is its support for Classless Inter-Domain Routing (CIDR), which lets a router aggregate a block of contiguous prefixes into a single advertisement and a single routing table entry instead of announcing each classful network separately. BGP4 arrived when the growth of routing tables had begun to noticeably slow down routers. CIDR removed many of these bottlenecks and made the Internet more stable, and, by allowing address space to be allocated in blocks sized to actual need rather than in class A, B and C units, it considerably slowed the exhaustion of the IPv4 address space.
Once BGP is configured on your router, it starts establishing relationships with the BGP-enabled routers adjacent to it, the so-called neighbors. Unlike OSPF (Open Shortest Path First) and EIGRP (Enhanced Interior Gateway Routing Protocol), which discover their neighbors automatically, BGP exchanges routing tables between two neighbors only after each router has been configured with the other's IP address and AS number (Autonomous System Number, ASN); the session itself runs over TCP (port 179). Once this configuration is complete and the session comes up, the routers are BGP peers.
Peers exchange small keepalive messages to confirm that they are still alive. If a neighbor receives no such message for a predetermined period (the hold time), it declares the session down, withdraws the routes it learned from that peer and adjusts its routing table accordingly. In addition, BGP sends incremental updates when individual routes change or become unavailable, rather than resending the whole table. A full routing table exchange therefore occurs only when two adjacent routers first establish the peering, or when a peering has to be re-established.
BGP is a path vector protocol. It resembles a distance vector protocol, but with one very important distinction. A distance vector protocol chooses the best route from a metric such as the number of hops, possibly combined with link speed. BGP4, in contrast, selects by default the route that passes through the fewest Autonomous Systems (AS). Whenever a router announces a route to a neighbor in another AS, it prepends its own ASN to the AS_PATH attribute, the chain of ASNs the route has already traversed. The route with the fewest ASNs in its path is installed in the routing table as the best path to the destination network by default. One AS may contain many internal routers, so the actual number of router hops is always at least as large as the number of ASNs listed in the path.
The routes chosen by default can, however, be further tuned using the considerable flexibility of BGP. For example, you can control route selection for traffic leaving your AS. By default BGP treats the path through the fewest autonomous systems as optimal, but in evaluating routes it considers neither link bandwidth nor the load on those links, so the shortest path is not necessarily the best one.
This problem is solved with the Local-Pref (LOCAL_PREF) attribute, which lets you prefer a specific next hop among several available routes. The administrator assigns a higher Local-Pref value to the routes (all of them, or a selected group) received over one of the router's interfaces than to the same routes received over another interface. Because these weights are compared before the path length expressed as the number of transit autonomous systems, the selected route will always leave through the interface whose routes carry the higher Local-Pref. Local-Pref is carried only inside your own AS; it is never sent to external peers.
Controlling traffic entering your network is much harder. If the geography of your network means that one of your connections to an ISP is much closer to some part of your AS than the other, you may need the MED (Multi-Exit Discriminator) attribute. MED tells the neighboring AS which of your entry points it should prefer for traffic destined to a given internal network; the lower value wins. Although using MED to steer incoming traffic is straightforward, it works only when both connections go to the same ISP. MED is compared only between routes received from the same neighboring AS, and its influence does not extend beyond that AS. The other method of controlling incoming traffic is AS path prepending: adding extra copies of your own ASN to the path you announce over the link you want used less, so that it looks longer to the rest of the Internet.
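The following is an added example, not code from the original article: a small model of the decision steps described above (highest Local-Pref, then shortest AS_PATH, then lowest MED, with MED only compared between routes from the same neighboring AS) together with the effect of AS path prepending as seen from a remote AS. Real routers apply further tie-breakers from RFC 4271 (eBGP over iBGP, IGP metric, router ID); a lowest-next-hop rule stands in for them here. All ASNs, prefixes, next hops and attribute values are constructed sample data.

```python
"""Simplified BGP best-path selection and AS path prepending (added example).

Models: highest LOCAL_PREF, then shortest AS_PATH, then lowest MED where MED is
only compared between routes from the same neighbouring AS. A lowest-next-hop
rule stands in for the remaining RFC 4271 tie-breakers. ASNs 64496-64511 are
the documentation range, 64500 and 64512 are used as further sample ASNs.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]   # leftmost ASN is the neighbour that sent the route
    local_pref: int = 100      # common default; only meaningful inside our own AS
    med: int = 0               # a missing MED is treated as 0 here

    @property
    def neighbor_as(self) -> int:
        return self.as_path[0]


def accept(route: Route, local_asn: int) -> bool:
    """eBGP loop detection: a path already containing our ASN looped back to us."""
    return local_asn not in route.as_path


def advertise(route: Route, local_asn: int, next_hop: str,
              extra_prepends: int = 0, med: int = 0) -> Route:
    """The route as an eBGP neighbour receives it from us.

    The protocol prepends our ASN once; extra_prepends adds further copies so
    the path looks longer to the rest of the Internet. LOCAL_PREF is never sent
    across an eBGP boundary, so the receiver sees its own default.
    """
    new_path = (local_asn,) * (1 + extra_prepends) + route.as_path
    return Route(route.prefix, next_hop, new_path, local_pref=100, med=med)


def best_path(candidates: List[Route], local_asn: int) -> Optional[Route]:
    """Pick the best of several routes to the same prefix."""
    routes = [r for r in candidates if accept(r, local_asn)]
    if not routes:
        return None
    # 1. Highest LOCAL_PREF: set by the local administrator, wins over path length.
    top = max(r.local_pref for r in routes)
    routes = [r for r in routes if r.local_pref == top]
    # 2. Shortest AS_PATH: prepending works by inflating this count.
    shortest = min(len(r.as_path) for r in routes)
    routes = [r for r in routes if len(r.as_path) == shortest]
    # 3. Lowest MED, only when all remaining routes come from the same neighbouring
    #    AS; a MED received from a different ISP is not comparable.
    if len({r.neighbor_as for r in routes}) == 1:
        lowest = min(r.med for r in routes)
        routes = [r for r in routes if r.med == lowest]
    # 4. Deterministic stand-in for the remaining RFC 4271 tie-breakers.
    return min(routes, key=lambda r: ip_address(r.next_hop))


def demo() -> dict:
    """Scenarios from the article; returns the chosen next hop (or neighbour AS)."""
    us = 64512
    # One external prefix as learned from ISP A (AS 64496) and ISP B (AS 64497).
    via_a = Route("198.51.100.0/24", "192.0.2.1", (64496, 64511))          # 2 ASNs
    via_b = Route("198.51.100.0/24", "192.0.2.9", (64497, 64499, 64511))   # 3 ASNs
    out = {}
    # Default: the shorter AS_PATH through ISP A wins.
    out["default"] = best_path([via_a, via_b], us).next_hop
    # Outbound control: a higher LOCAL_PREF on ISP B's routes overrides path length.
    out["local_pref"] = best_path([via_a, replace(via_b, local_pref=200)], us).next_hop
    # Equal-length paths from two different ISPs: ISP B sends the lower MED, but it
    # is ignored because the neighbour ASes differ, so the tie-break decides.
    via_b_short = Route("198.51.100.0/24", "192.0.2.9", (64497, 64511), med=10)
    out["med_two_isps"] = best_path([replace(via_a, med=500), via_b_short], us).next_hop
    # Two links into the same ISP: MED now decides and the lower value wins.
    link1 = Route("198.51.100.0/24", "192.0.2.1", (64496, 64511), med=50)
    link2 = Route("198.51.100.0/24", "192.0.2.5", (64496, 64511), med=20)
    out["med_same_isp"] = best_path([link1, link2], us).next_hop
    # Inbound control by prepending: our prefix goes to ISP A with two extra copies
    # of our ASN and to ISP B plainly. A remote AS 64500 peering with both ISPs
    # sees the paths each ISP re-announces and chooses the one through ISP B.
    own = Route("203.0.113.0/24", "10.0.0.1", ())
    to_a = advertise(own, us, "192.0.2.2", extra_prepends=2)     # (64512, 64512, 64512)
    to_b = advertise(own, us, "192.0.2.10")                       # (64512,)
    at_remote = [advertise(to_a, 64496, "198.51.100.1"),          # (64496, 64512, 64512, 64512)
                 advertise(to_b, 64497, "198.51.100.9")]          # (64497, 64512)
    out["prepend"] = best_path(at_remote, 64500).neighbor_as
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} -> {value}")
```

The "med_two_isps" case is the one that catches people out: a provider's MED looks like a lower, better metric, yet the decision process never reaches it when the competing route comes from a different neighboring AS.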
BGP routing can also be influenced with the Community attribute, which tags a group (community) of routes with a predefined code. A router that the routes pass through performs whatever action its policy associates with that code. The codes can be user-defined, but in most cases the reserved, well-known community called No-Export is the one used. When a BGP router sees a route carrying No-Export, it does not include that route in the updates it sends outside its own AS. This is handy for balancing incoming traffic.
Use route maps
Implementing any of the schemes above requires route maps. A route map defines how BGP attributes are applied to particular routes that your routers receive or announce. Route maps can also filter the routes that are received or announced.
A correctly configured route map prevents your router from announcing routes learned from the Internet back to the Internet. Otherwise your network and your ISP links can be used as an unintended transit path between other networks. Use route maps to filter your outgoing updates so that they contain only routes belonging to your AS. Your ISP very likely applies filters of its own so that it accepts updates from you only for your own prefixes, but do not rely on that: keep your own filters in place and review them regularly.
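As an added example (not code from the original article), the export policy below does in plain Python what a route map does on a router: it announces only prefixes that belong to the local AS, so routes learned from one ISP are never re-announced to another, and it honors the No-Export community from the paragraph above. The same filter is run from two viewpoints, a customer AS announcing to its ISPs and an ISP announcing onward to its upstream, which also shows the No-Export scheme used later in the article to keep one ISP's link for that ISP's own customers. No-Export is the RFC 1997 well-known community 0xFFFFFF01 (65535:65281); every ASN, prefix and table entry is constructed sample data.

```python
"""Route-map style export policy: own prefixes only, honour/attach No-Export.

Added example, not code from the original article. All ASNs, prefixes and
table contents are constructed sample data.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import FrozenSet, Iterable, List, Tuple

NO_EXPORT = 0xFFFFFF01   # RFC 1997 well-known community: do not send outside the local AS


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]                 # leftmost ASN is the neighbour that sent it
    communities: FrozenSet[int] = frozenset()


def export_filter(rib: Iterable[Route], local_asn: int,
                  allowed: Iterable[str], add_no_export: bool = False) -> List[Route]:
    """Routes we are willing to send to one eBGP neighbour.

    allowed lists the prefixes we are entitled to announce: our own blocks and,
    for an ISP, its customers' blocks. Anything else (routes learned from other
    ISPs, a default route) is dropped so we never become an unintended transit
    path. Routes tagged No-Export never leave our AS; add_no_export tags what we
    do send so that the neighbour keeps it inside its own AS.
    """
    allowed_nets = [ip_network(p) for p in allowed]
    sent = []
    for r in rib:
        net = ip_network(r.prefix)
        if not any(net.subnet_of(a) for a in allowed_nets):
            continue                          # not ours to announce
        if NO_EXPORT in r.communities:
            continue                          # must stay inside our AS
        comms = r.communities | {NO_EXPORT} if add_no_export else r.communities
        sent.append(replace(r, as_path=(local_asn,) + r.as_path, communities=comms))
    return sent


def demo() -> dict:
    us, isp_a, isp_b = 64512, 64496, 64497
    our_blocks = ["203.0.113.0/24"]
    # Our border router's table (constructed): our own prefixes plus what the ISPs sent us.
    rib = [
        Route("203.0.113.0/24", ()),
        Route("203.0.113.128/25", ()),                        # a more-specific of our block
        Route("198.51.100.0/24", (isp_a, 64511)),             # learned from ISP A
        Route("192.0.2.0/24", (isp_b,)),                      # ISP B's own block
        Route("0.0.0.0/0", (isp_a,)),                         # default route from ISP A
    ]
    out = {}
    # To ISP A: only our prefixes, with our ASN prepended; everything learned is dropped.
    to_a = export_filter(rib, us, our_blocks)
    out["to_isp_a"] = sorted(r.prefix for r in to_a)
    # To ISP B: the same prefixes tagged No-Export, so only ISP B's customers reach us via B.
    to_b = export_filter(rib, us, our_blocks, add_no_export=True)
    out["to_isp_b"] = sorted(r.prefix for r in to_b)
    out["tagged"] = all(NO_EXPORT in r.communities for r in to_b)
    # ISP B's table holds its own block plus our routes. When it exports to its
    # upstream, our No-Export routes are withheld although they are in its allowed list.
    isp_b_rib = [Route("192.0.2.0/24", ())] + to_b
    from_b_to_upstream = export_filter(isp_b_rib, isp_b, ["192.0.2.0/24"] + our_blocks)
    out["isp_b_to_upstream"] = sorted(r.prefix for r in from_b_to_upstream)
    out["as_path_seen_upstream"] = from_b_to_upstream[0].as_path
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} -> {value}")
```

Note that the default route and the route learned from ISP A never appear in what is sent to ISP B: that is the leak the route map is there to prevent, and it fails closed, so a prefix not explicitly listed as ours is simply never announced.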
In most cases BGP is used when there are multiple connections to the Internet. If all you need is to spread the network load effectively, it is advisable to buy both connections from a single ISP. Redundant Internet connections mean working with two ISPs, which makes load balancing considerably harder.
If you have connections to only one ISP and your autonomous system connects to it through a single router, distributing outbound traffic evenly is a simple task, and you have full control over the paths your packets take. Moreover, if both interfaces connecting your network to the ISP are on the same router, you can achieve this without BGP at all: Cisco routers, for example, will load-balance between two equal-cost static routes. Your ISP can very likely balance your inbound traffic in the same way with static routes on its side.
As mentioned above, if both connections terminate in the same AS, the MED attribute can be used to control traffic entering your network; if both connections come from the same ISP, they very probably do belong to the same autonomous system. For traffic leaving your network, the Local-Pref attribute controls the outgoing packets.
In the event of a failure BGP4 automatically moves traffic from one ISP to the other, so it provides redundancy by default. Load balancing across multiple providers, however, takes considerable effort and ingenuity. The best approach is to start with default BGP behavior and monitor the incoming and outgoing traffic. Only once you have collected statistics should you apply Local-Pref; it then gives you precise control over traffic leaving your network toward a specific external network or autonomous system. There are about 60,000 networks in the Internet (a figure from the time of writing; the global table has grown a great deal since), so you should configure explicit preferences only for the destinations with very high traffic. If users complain about response times, try moving the routes for the most important traffic from one provider to the other.
You may also need to distribute incoming traffic effectively between the available connections. As mentioned above, the easiest way is AS path prepending: adding extra copies of your ASN to the updates sent over one of the links. This works best when the autonomous system has several internal networks. You can then shape the announcements so that some networks appear more attractive through one ISP and others through the other, and the incoming traffic for each network arrives over the corresponding ISP.
Another approach to balancing incoming traffic is to use one ISP for traffic originating from that ISP (and all its subscribers) and the other connection for everything else. This works well when a large share of your traffic comes from the customers of one of your ISPs, or when you use VPNs (Virtual Private Networks) to communicate with affiliates or partners. The No-Export community keeps the announcement of your networks from leaving that ISP's AS, and the Local-Pref attribute controls your outbound traffic addressed to that ISP's AS. The drawback is that you sacrifice part of your redundancy: if the connection through which the rest of the Internet reaches you fails, your other connection will not take over that traffic until you remove No-Export from your updates.
BGP provides many ways to manage how Internet traffic is routed. Work closely with your ISP when you use them, and make sure that this deeper involvement in the global routing system does not create difficulties for you or for the wider community. If you intend to receive routes from the Internet, budget for more RAM and faster processors in your routers. When this was written, accepting a full routing table from one ISP required at least 64 MB of RAM, and accepting full tables from two providers on one router required twice that; today's tables are far larger, so check current vendor recommendations. Before you sign a contract with an ISP, keep in mind that there is no guarantee a provider will announce every network belonging to another provider's autonomous system. Also make sure that the new ISP can provide the redundancy and load sharing on your links to the extent you require.