A BGP Guide for the Non-Network Engineer

This article focuses on the basics of BGP (Border Gateway Protocol) for the non-network engineer.

By Mehdi Daoudi · Aug. 11, 22 · Analysis

What Is BGP?

Border Gateway Protocol (BGP) is the Internet’s primary routing protocol. It has been described as the protocol that “makes the Internet work” because it plays such an important role in allowing traffic to move quickly and efficiently.

The original function of BGP was to carry internet reachability information between edge routers (it is sometimes described as a reachability protocol). It has since expanded to also carry routes for VPNs, IPv6, Multicast, and a range of other data. BGP provides network stability as it guarantees routers can rapidly adapt to send packets via a different connection if one Internet pathway goes down. It does this by exchanging routing information across the Internet, through the use of BGP-speaking routers and routing tables.

Internet routing is made up of two different types:

  1. Interior Gateway Protocols (IGP): used for routing within an autonomous system (AS), such as EIGRP, OSPF, and RIP.
  2. Exterior Gateway Protocols (EGP): the Border Gateway Protocol is currently the de facto standard EGP routing protocol used in inter-domain routing.

BGP was originally proposed as a stopgap solution to replace the existing EGP. Fast-forward 30 years, and it remains one of the central pillars of the internet. We are currently on version 4 (BGP4 or BGP-4).

How Does BGP Work?

BGP specifies a TCP-based communications method to help autonomous systems exchange routing information over the Internet. An AS is a collection of routers run by a common administration, such as a large enterprise or university, which control a range of IP addresses. Each AS is assigned an Autonomous System Number (ASN).

BGP determines routing decisions based on paths, rules, and/or network policies set by a network administrator. Each AS manages a routing table that contains every known route to other networks, which is then shared with neighboring networks, also known as peers. The BGP decision process enables the AS to select the most efficient route available by analyzing the path attributes of each candidate, applying a set of criteria (including weight, local preference, shortest AS Path, and so on). This means that BGP might direct traffic along one path to reach its destination and along a different path on its return trip, leading to asymmetric routing.
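The decision process described above can be sketched as follows. This is an added example, not code from the article or from any router implementation; the `Route` class, `best_path` function and sample routes are hypothetical, the ASNs come from the range reserved for documentation, and only the three criteria the article names are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    learned_from: int        # neighbor ASN that sent us the route
    as_path: tuple           # ASNs traversed, origin last
    weight: int = 0          # router-local knob, higher wins
    local_pref: int = 100    # AS-wide policy knob, higher wins

# Criteria in the order the article lists them; each key is written so
# that a smaller value is preferred.
CRITERIA = [
    ("weight", lambda r: -r.weight),
    ("local preference", lambda r: -r.local_pref),
    ("AS path length", lambda r: len(r.as_path)),
]

def best_path(candidates):
    """Return (winning route, name of the criterion that decided it)."""
    remaining = list(candidates)
    if len(remaining) == 1:
        return remaining[0], "only candidate"
    for name, key in CRITERIA:
        best_value = min(key(r) for r in remaining)
        remaining = [r for r in remaining if key(r) == best_value]
        if len(remaining) == 1:
            return remaining[0], name
    return remaining[0], "tie (further tie-breakers not modelled)"

# Constructed routes held by AS 64500 toward a prefix originated by AS 64510.
# Policy raises local preference on the longer path, so it wins anyway.
FORWARD = [
    Route(learned_from=64501, as_path=(64501, 64510)),
    Route(learned_from=64502, as_path=(64502, 64503, 64510), local_pref=200),
]
# Constructed routes held by AS 64510 toward a prefix originated by AS 64500.
# No policy override here, so the shorter AS path wins.
RETURN = [
    Route(learned_from=64501, as_path=(64501, 64500)),
    Route(learned_from=64503, as_path=(64503, 64502, 64500)),
]

if __name__ == "__main__":
    for label, routes in (("forward", FORWARD), ("return", RETURN)):
        route, reason = best_path(routes)
        print(label, "via AS", route.learned_from, "decided by", reason)
```

With these sample routes, traffic leaves via AS 64502 and comes back via AS 64501, which is the asymmetric routing the paragraph mentions.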

The focus of BGP design and implementation has always been security and scalability, making it more difficult to configure than other routing protocols; it is also more complex, making it one of the slowest converging routing protocols.

A Little Bit of History

Some background is required to better understand the crucial role that BGP played in the history of the internet. In 1989, the internet as we perceive it today was just taking its first steps. Commercial use of the internet was still forbidden, but commercial ISPs were sprouting and offering network access to end users, and commercial use was no longer a taboo topic.

When BGP was first standardized in June 1989, the long-running ARPANET was just being decommissioned (February 28, 1989), TCP/IP was being used to interconnect different networks from remote countries, and the internet was about to move from its centralized architecture to a more distributed architecture, without a clearly defined backbone.

Up until then, the so-called internet gateways were exchanging net-reachability information via the Exterior Gateway Protocol (EGP). EGP was conceived for an internet composed of a core AS and multiple smaller AS’s directly connected to that core, and it relied entirely on a tree-structured topology of AS’s, without cycles.

Although these limitations were bearable in an early-stage internet where stub gateways were talking to each other via the ARPANET backbone, with the advent of commercial entities and multiple backbones (such as NSFNET), its inadequacies became more and more pronounced, not to mention the impossibility of creating policy-based routing, which is the key to the success of BGP.

The Vulnerabilities Inherent in BGP

The very qualities that make BGP so successful also leave it extremely vulnerable to human error and malicious attack.

There is very little oversight of the large number of AS’s that comprise the modern internet, and almost no oversight of how each AS configures its peering filters. This makes it a highly flexible protocol; however, if a new, bogus route is announced, whether accidentally or deliberately, traffic will be sent to the wrong network, and as we have seen recently, the problem can rapidly propagate across the rest of the net.

There are two main types of vulnerabilities:

BGP Leaks 

Route leaks involve the unintentional creation of false routing information, thereby misdirecting traffic and leaving it vulnerable to misuse. Route leaks are usually the result of human error due to filter misconfiguration, leading to the illegitimate advertisement of prefixes and blocks of IP addresses, which spread across networks and result in suboptimal or incorrect routing.

BGP Hijacking 

Route hijacking involves the deliberate takeover of collections of IP addresses through the corruption of internet routing tables. If the injected announcement is more efficient than the real one, the traffic will be rerouted to the injected announcement. BGP hijacking is not always easy to detect as activity can be hidden behind other AS’s, or may involve the announcement of unused blocks of IP prefixes, which are unlikely to be noticed. As a result, Internet traffic can be sent the wrong way, covertly monitored, or intercepted. Spammers can also use BGP hijacking to spoof legitimate IPs and send users to bogus websites.

The Impact on End Users and Business

Both types of vulnerability leave the end user subject to problems. These range from the inconvenient, such as slow page loading times due to traffic taking an unnecessarily long route, to the highly serious, such as traffic interception or black holing of an entire network. This kind of attack can lead to the kind of blanket outages that we see with DDoS attacks. Attackers can also censor specific sources of information by only black holing specific networks.

The man-in-the-middle nature of rerouting also allows attackers to eavesdrop on certain parts of the communications, or even alter the traffic itself. They can redirect traffic from your legitimate site to malicious sites pretending to be part of your network. This can lead to the theft of sensitive information or credentials, or even delivery of malware. We saw this in action last year when hijackers attacked AWS’s DNS service to steal Bitcoin. Spammers can also damage the reputation of a business by abusing your ASN’s reputation to carry out spam runs.

While businesses can’t entirely prevent BGP misconfiguration or deliberate misuse of BGP, they can monitor what is going on. By monitoring the BGP routes that relate to your AS, you can gain visibility into any kind of BGP vulnerability that might be underway, and can carry out an incident response plan.
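One way to implement the monitoring described above, as an added example that is not part of the original article: compare each observed announcement against the prefixes and origin ASNs you expect for your own address space. The names `EXPECTED`, `OBSERVED`, `check_announcement` and `scan` are hypothetical, and the prefixes and ASNs are constructed from the ranges reserved for documentation; a real deployment would fill `OBSERVED` from a BGP feed.

```python
import ipaddress

# Constructed policy: prefixes we originate and the ASNs allowed to do so.
EXPECTED = {
    "198.51.100.0/24": {64500},
    "203.0.113.0/24": {64500},
}

# Constructed observations: (announced prefix, AS path with origin last).
OBSERVED = [
    ("198.51.100.0/24", [64501, 64500]),     # matches policy
    ("203.0.113.0/24", [64502, 64511]),      # our prefix, foreign origin
    ("198.51.100.128/25", [64503, 64500]),   # our origin, but a more-specific
    ("198.51.100.0/25", [64503, 64511]),     # more-specific from a foreign origin
    ("192.0.2.0/24", [64501, 64505]),        # not our address space
]

def check_announcement(prefix, as_path, expected=EXPECTED):
    """Return a finding name, or None if the announcement is unremarkable."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for monitored, allowed_origins in expected.items():
        mon = ipaddress.ip_network(monitored)
        # subnet_of() raises TypeError across IP versions, so compare first.
        if net.version != mon.version or not net.subnet_of(mon):
            continue
        exact = net == mon
        if origin not in allowed_origins:
            return "origin_mismatch" if exact else "more_specific_origin_mismatch"
        # A more-specific we never configured can indicate a leak of
        # internal routes even when the origin ASN is ours.
        return None if exact else "unexpected_more_specific"
    return None  # announcement does not overlap anything we monitor

def scan(observed=OBSERVED):
    """Return [(prefix, origin ASN, finding)] for announcements worth triage."""
    alerts = []
    for prefix, as_path in observed:
        finding = check_announcement(prefix, as_path)
        if finding:
            alerts.append((prefix, as_path[-1], finding))
    return alerts

if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

The check covers exact matches and more-specifics of monitored prefixes only; announcements of a covering, less-specific prefix are not examined.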


Published at DZone with permission of Mehdi Daoudi, DZone MVB. See the original article here.
