Active BGP Probing

Last update: Sun 26 Jan 2019


Relevant Documents

For in-depth information, please read the following documents.

Latest results

2005-06-24: Diffusion of large AS-sets in the Internet.

Description of our techniques

What we do

Existing topology discovery techniques are good at discovering topology but bad at discovering policy. However, to predict the effect of network faults, perform effective traffic engineering, develop peering strategies, and evaluate the quality of upstreams, it would be useful for ISPs to know how their announcements can be propagated and how the policies of other ASes in the Internet affect their prefixes. No operational tools exist to do this.

The principle is the following: an AS using our probing techniques can announce one of its prefixes with AS-paths including the numbers of other ASes. Due to loop detection, these "prohibited" ASes will not use or propagate the announcement. To avoid influencing AS-path length, the prohibited ASes are placed in an AS-set at the end of the path.

Thus, to stop its announcement from being propagated by ASes 1, 2, and 3, an AS (say AS12654) might announce one of its prefixes with an AS-path of 12654 {1,2,3}. This allows AS 12654 to discover who propagates its announcements, find backup paths, and deduce the policies of other ASes with respect to its prefixes.

To collect data it is possible to use the RIS or ORV route collectors. However, since our methods operate in steady state, the results are visible from any looking glass on the Internet.
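The loop-detection principle described above, as an added example (not code from the original page): a simplified propagation model run over a constructed topology, comparing a normal announcement with one carrying the AS-set {1,2,3}. AS 12654 and the prohibited ASes 1, 2 and 3 come from the text; ASNs 64496-64500, the links between them, and the policy-free shortest-path selection are assumptions.

```python
from collections import deque

# Constructed topology (assumption): 12654 and the prohibited ASes 1, 2, 3 come
# from the text; 64496-64500 are documentation ASNs added for illustration.
LINKS = [(12654, 1), (12654, 64496), (1, 64500), (64496, 64497),
         (64497, 64500), (1, 2), (2, 3)]

def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def propagate(links, origin, prohibited=frozenset()):
    """Return {asn: AS_SEQUENCE as received} for every AS that accepts the route.

    Simplified model (assumption): no export policy, shortest AS-path wins.
    The trailing AS-set is identical on every copy, so it never changes ranking.
    """
    adj, best = adjacency(links), {}
    queue = deque((n, (origin,)) for n in sorted(adj[origin]))
    while queue:
        asn, seq = queue.popleft()
        # Loop detection: drop the route if our own ASN is anywhere in the
        # AS-path, whether in the sequence or in the trailing AS-set.
        if asn in seq or asn in prohibited:
            continue
        if asn in best:          # breadth-first, so the first copy is the shortest
            continue
        best[asn] = seq
        queue.extend((n, (asn,) + seq) for n in sorted(adj[asn]))
    return best

def render(seq, prohibited):
    """Format an AS-path the way the text writes it, e.g. '12654 {1,2,3}'."""
    path = " ".join(map(str, seq))
    if prohibited:
        path += " {" + ",".join(map(str, sorted(prohibited))) + "}"
    return path

def rerouted(baseline, probed):
    """ASes that still hear the prefix but over a different (backup) path."""
    return {a: probed[a] for a in probed if probed[a] != baseline[a]}

if __name__ == "__main__":
    base = propagate(LINKS, 12654)
    probe = propagate(LINKS, 12654, frozenset({1, 2, 3}))
    for asn, seq in sorted(rerouted(base, probe).items()):
        print(asn, "now sees", render(seq, {1, 2, 3}))
```

In this constructed topology AS 64500 normally reaches the prefix through AS 1; with the AS-set attached it falls back to the path through 64497 and 64496, which is the kind of backup path the probing is meant to reveal.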

Why it is safe

We are confident that such announcements are safe, provided that the length of the AS-set announced is limited. We say this based on:
  1. Equipment tests
  2. IPv6 tests
  3. Observation

Why it doesn't impact routers

Route flap dampening limits our probing to the order of one update per hour. This is negligible compared to the over 15,000 updates/hour a typical Tier-1 router might receive. As regards impact on memory, the amount of RAM to store a 100-element AS-set for one prefix is of the order of hundreds of bytes, which is irrelevant for core routers which are already using tens of megabytes of memory for BGP.

Why it doesn't hamper debugging

Prepending other AS numbers is to a certain extent already done today. Our techniques are similar, but foreign ASes are only in the AS-set at the end of the path, so it's immediately obvious which path the announcement has taken. Due to the size of the AS-set, we doubt that anyone seeing such an announcement would believe it was due to one of the ASes in the set, but would probably look at the first AS before the set. Furthermore, the prefix immediately identifies the source of the announcements. Finally, the routes can also be tagged with communities to help identify them.


Router behaviour in the presence of long AS-paths

Note: the RIPE 50 presentation says that Juniper and old Cisco routers reset the BGP session when they received an AS-path with more than 125 ASes. Further testing has shown that this is incorrect: