BGP Notes


Introduction

In this doc, we do a deep dive into BGP; we go over neighborship workflow, troubleshooting peering down, troubleshooting flapping peer, best path selection, troubleshooting missing routes, multipath, confederation, route-reflector, securing the connection and a more 


Pre-requisite

  • A good understanding of routing
  • Knowledge in BGP

Neighborship workflow

  • Establish TCP transport
  • Uses TCP port 179
  • BGP peers must agree
    • AS number
    • Source Address
    • Address Family: IPv4 unicast, L2VPN, EVPN ...
    • Sec: authentication, TTL security ...
  • Negotiate address family
  • Advertise NLRI
  • Apply BGP policy

 

Troubleshooting

BGP peering down
  • Configuration
    • check AS Number, Network, Neighbor IP, Multi-Hope, TTL-Security
    • BGP authentication, ACLs
  • Reachability
    • Check the ICMP ping source
    • verify port 179 is open: Telnet /source-interface
Flapping BGP peer
  • Stuck in IDLE
    • no connected route to the peer ( interface down ... )
  • Stuck in Active
    • network is not in the routing table
    • connection error
    • update source
  • Flapping Active/IDLE
    • TCP established, but BGP negotiation fails (missing configured AS ...)
  • Flapping IDLE/Established
    • Bad update, TCP problem (MSS size in multi-hope) (MTU) you can Verify MTU by ping with DFbit
Missing routes Troubleshooting
  • Check Well-known communities (No-Export, No-advertise, Local-AS)
  • Check Privet communities
  • Check the routing table
    • Verify next hop is in the routing table
    • Check BGP table
  • Verify that routes are being advertised
  • Verify soft-reconfiguration if possible

Path selection

Best path selection
  1. Weight
    • local significant
    • highest wins
  2. Local Preference
    • within the same AS
    • highest wins
  3. locally originated
    • Network or Redistribute command preferred over local aggregates (aggregate-address command)
  4. AS_PATH
    • Shortest path win
  5. ORIGIN
    • IGP < EGP < Incomplete (lowest wins)
    • IGP: network layer reachability information (NLRI) is interior to the AS of origination This normally happens when you issue the bop network command or set it in a route-map
    • EGP: NLRI is learned via exterior gateway protocol (EGP)
    • INCOMPLETE: NLRI is unknot or learned via some other means Usually occurs when you redistribute routes from other routing protocols to BGP
  6. MED
    • Metric is a hint to external neighbours about the path preference into an AS
    • A lower metric is preferred
    • Metrics are one-hop only
    • SP and enterprises can agree on a uniform policy on how to set the MED
    • Smallest wins
  • Community
    • it is like a tag, but we have some well-known community
    • your community can be additive like an as-path; you can also remove all others and replace
    • well-known community
      • NO-EXPORT: do not advertise to EBGP peers (keep within AS )
      • NO-ADVERTISE: do not advertise to any peer, internal or external
      • INTERNET: advertise this route to the internet community any route belonging to this community
      • local-as: use in confederation scenarios to prevent the transmission of packets outside the local-as
BGP multipath
  • IBGP multipath: route reflector reflects only a single best path even with multiple IBGP best paths installed in the routing table, route reflector reflects only a single best path.
  • EBGP multipath: multipath feature works only when you have multiple homed connections to a single AS - if a prefix is learnt via a different provider AS's, then the multipath functionality doesn't work, but we can use it in such scenarios using the command
  • EIbgp multipath
    • The existing BGP path selection algorithm prefers eBGP paths over iBGP paths; this prevents having both the iBGP and the ebgp multipath prefixes from getting installed in the routing table at the same time
    • configuration to modify the algorithm to allow load-sharing among both iBGP and EBGP paths - Usually configured for MPLS VPN deployments, this is configured on a per-VRF instance and not for VPNV4 address-family
    • PS: verify the routing. You can easily cause a ROUTING LOOP

 

Advertise IBGP

Confederation

A BGP confederation divides our AS into sub-AS's which reduces the number of required IBGP peerings. You will often use private AS numbers (64512 – 65535).

Route-Reflector(RR)
- Cluster
  • An AS can have more than one RR. in this situation, an RR treats other RRs just like any other IBGP speaker. Other RR can belong to the same cluster (client group) or to other clusters. You can divide the AS into multiple clusters. You can configure each RR with other RRs as non-client peers in a fully meshed topology
  • BestPractice: the client should not peer with IBGP speakers outside the client cluster
- Forwarding of Routes:
  • Routes from non-client peers - reflects all the clients within the cluster.
  • Routes from a client peer - reflect all the non-client peers and the client peers.
  • Routes from EBGP peer - send the update to all client and non-client peers.
  • Only advertise best routes: RRs reflect only the best route in its own BGP table.
  • Originator-id: The routers list the RID of the first iBGP peer to advertise the route into the AS. If a router sees its own BGP ID as the ORIGINATOR_ID in a received route, it does not use or propagate the route.
  • Cluster-list ID: Cluster- ID is configured on all RRs in the same cluster. So that an RR can recognize updates from RRs in the same cluster. A cluster list is a sequence of cluster IDs that the route has passed. When an RR reflects a route from the RR clients to nonclients outside of the cluster, the RR appends the local cluster ID to the cluster list. If this update has an empty cluster list, the RR creates one. With this attribute, an RR can identify if the routing information has looped back to the same cluster due to poor configuration. If the local cluster ID is found in the cluster list, the advertisement is ignored.

 

Securing BGP

Securing BGP connection

  • Neighbors Authentication
  • ACL on incoming interface no need for unauthorized traffic to reach the CPU
  • Enabling control plane policing (CoPP)
  • Time to Live Security Check
  • Limit the maximum BGP Prefix per neighbor
  • Prefixes Filtering
  • Prefix Filtering with Autonomous System (AS) Path Access Lists
  • BGP traffic using IPSec Tunnels
  • BGP peering over IPv6 link-local address
  • Enabling logging

Securing Inter-Domain routing

  • Understanding Prefix Hijacking
    • Any AS can source/announce incorrect prefixes within BGP Either by mistake (most cases) Or with a malicious intent
    • In either case, AS can hijack prefixes owned by other AS has an impact on end-to-end data forwarding
    • BGP prefix can be hijacked by
      • sourcing a prefix with a better bgp metric that is owned by some other AS
      • sourcing a more specific for a prefix that owned by some other AS
  • Solution The RPKI is a database
    • RPKI database is a set of ROA objects aggregated from the different RPKI cache to whish the router is connected. ROA objects provide a mapping between a BGP prefix block and the AS nunber authorized to originate that block. An RPKI cache can send any number of ROAs to the router
    • The ASBRs simply mark the eBGP paths with an Origin-AS validity state:
      • Valid: There are database prefix set in RPKI data that covers prefix and one of them has origin-AS number
      • Invalid: There are database prefix set in RPKI data that covers prefix and none of them has origin-AS number
      • Unknown: There are no matching or covering prefixes in RPKI data
  • Good RPKI Docs

Preventing BGP DDOS attacks

  • BGP Remotely triggered black hole (RTBH) filtering is a security technique used to mitigate or overcome DDOS attacks
  • The best approach to prevent such network-wide impact is to black hole undesirable traffics
  • RTBH solution:
    • Destination based protection used for traffic going for an internal network server
    • Source based protection used for traffic that is the source of the unwanted traffic
  • BGP Flow spec
    • A Flow spec is said to be n-tuple because there are multiple match criteria that can be defined and all the match criteria should be matched traffic will not match the flow spec entry if all the tuples are not matched

 

Other

  • Route Flap Dampening :
    Route dampening is a mechanism to minimize the instability that route flapping causes. Route dampening also reduces oscillation over the network.
  • BGP Fast-External-Fall over:
    - this feature is enable by default for EBGP #bgp fast-external-fall over
    - this feature will remove the session when the link goes down
    - to enable this feature for IBGP
  • Graceful Restart:
    capability exchanged between routing protocol speakers to indicate ability to do NSF
  • Non-stop forwarding:
    Ability for a router with independent control and forwarding planes to forward traffic across a control plane restart FIB preserves routes/forwarding info
  • Non-stop routing:
    Feature where routing protocol explicitly checkpoint state from that active RP to the standby RP to maintain routing information across a switchover

 

Good Read

NSA BGP Best practices
Cisco page for BGP Best Path Selection Algorithm
Cisco page for BGP Case Studies
Cisco page for Troubleshooting BGP

List of titles