--">
Classroom Glossary Public page

NET-201 Week 4 -- Routing II: BGP Attributes, Prefix Hijacking, and RPKI

1,695 words

"The Internet's routing system has no global authority. Every AS believes whatever it is told. That is simultaneously its greatest strength and its most dangerous property." -- Tony Kapela and Alex Pilosov, DefCon 16, 2008 (first public demonstration of silent BGP hijacking)

Lecture (50 min)

4.1 BGP Attribute Deep-Dive

Week 3 introduced the BGP decision process as an ordered list of criteria. This week examines the most important attributes in depth, including how operators manipulate them for traffic engineering.

LOCAL_PREF: Exit-point selection within an AS

LOCAL_PREF is set by the ingress router when a route arrives from an eBGP peer. It propagates to all iBGP routers within the AS. The router with the highest LOCAL_PREF wins.

Practical use: an AS with two upstream providers (AS 65002 and AS 65003) can prefer AS 65002 for all traffic by setting LOCAL_PREF 200 on routes received from AS 65002 and LOCAL_PREF 100 on routes received from AS 65003.

! On R1, applying route-map to eBGP peer AS 65002
route-map PREFER_65002 permit 10
 set local-preference 200
!
router bgp 65001
 neighbor 10.1.1.2 remote-as 65002
 neighbor 10.1.1.2 route-map PREFER_65002 in

AS_PATH: Loop prevention and traffic engineering

Every AS prepends its own ASN to the AS_PATH when advertising a route outbound. A router receiving an UPDATE containing its own ASN in the path discards it -- the fundamental BGP loop prevention mechanism.

AS_PATH manipulation for inbound traffic engineering: an AS can artificially lengthen its AS_PATH to make itself appear farther away and attract less inbound traffic from that direction. This is called AS_PATH prepending:

route-map PREPEND_OUT permit 10
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 neighbor 10.2.2.2 remote-as 65003
 neighbor 10.2.2.2 route-map PREPEND_OUT out

AS 65003 now sees an AS_PATH of "65001 65001 65001 65001" via this path versus a shorter path via another peer. It will prefer the shorter path. Used to shift inbound traffic when a site has multiple upstream connections with different capacity.

MED: Influencing inbound traffic from a single AS

MED (Multi-Exit Discriminator) is an optional, non-transitive attribute. It only affects routing decisions within a single neighboring AS. If your AS connects to AS 65002 at two locations, MED tells AS 65002 which of your entry points to prefer.

MED is lower-is-preferred (opposite of LOCAL_PREF). MED comparison only happens between routes from the same neighboring AS by default (the always-compare-med option removes this restriction).

COMMUNITY: Policy tagging

BGP communities are 32-bit values attached to routes, used for policy signaling between ASes. Two important well-known communities:

  • NO_EXPORT (0xFFFFFF01): do not advertise this route to eBGP peers
  • NO_ADVERTISE (0xFFFFFF02): do not advertise this route to any peer

Internet service providers publish community strings that customers can attach to routes to trigger specific actions -- for example, 65002:300 might mean "prepend my route three times before advertising to European peers." These are published in each ISP's routing policy database (IRR, accessible via whois -h whois.radb.net).

4.2 BGP Prefix Hijacking

A BGP prefix hijack occurs when an AS advertises IP prefixes it does not own. Because BGP has no built-in authentication mechanism, neighboring ASes may accept and propagate the fraudulent route.

Mechanics of a hijack:

  1. Victim AS 65010 legitimately originates prefix 192.0.2.0/24
  2. Attacker AS 65099 advertises 192.0.2.0/24 with AS_PATH "65099" (one hop shorter than legitimate path from many vantage points)
  3. Other ASes, following BGP's AS_PATH shortest-path preference, install the attacker's route
  4. Traffic destined for 192.0.2.0/24 is diverted to AS 65099

More-specific hijack: even if AS 65099 cannot beat the AS_PATH length for the /24, it can advertise 192.0.2.0/25 and 192.0.2.128/25. BGP (and all routing protocols) prefer more-specific prefixes (longer prefix length). Traffic to hosts in those /25s routes to the attacker regardless of the legitimate /24 route's presence.

Notable real-world incidents:

  • Pakistan Telecom (2008): AS 17557 advertised YouTube's 208.65.153.0/24 as a /24 and 208.65.153.0/25, /128. YouTube was unreachable globally for approximately 2 hours.
  • MyEtherWallet (2018): A BGP hijack redirected Amazon Route 53 name servers; DNS queries were answered by an attacker-controlled resolver; cryptocurrency wallets drained.
  • Russia Rostelecom (2020): AS 12389 briefly hijacked routes for Google, AWS, Cloudflare, and Akamai -- approximately 8,000 prefixes. Lasted ~20 minutes.

These incidents are observable via Cloudflare Radar's BGP Anomaly Detection (radar.cloudflare.com/routing) and the RIPE Routing Information Service (ris.ripe.net).

4.3 RPKI: Route Origin Validation

RPKI (Resource Public Key Infrastructure, RFC 6480) is the cryptographic defense against BGP prefix hijacking. It creates a cryptographic binding between an IP prefix and the AS authorized to originate it.

Components:

  • ROA (Route Origin Authorization): a signed object stating "prefix P may be originated by ASN X, up to prefix length Y." Created by the prefix owner; stored in RPKI repositories at the five RIRs (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC).
  • RPKI Validator: software (e.g., Routinator, OctoRPKI) that fetches ROAs from RIR repositories and builds a locally validated cache.
  • BGPsec / Route Origin Validation (ROV): a BGP router queries its RPKI validator for each received prefix. Result is Valid, Invalid, or NotFound.

Operator actions on ROV results:

  • Valid: keep the route; may prefer it slightly
  • NotFound: treat as normal (most Internet prefixes are still not covered by ROAs as of 2026)
  • Invalid: the route's origin AS is not authorized for this prefix; typically drop the route

FRRouting supports RPKI via a Routinator integration:

! FRR rpki configuration
router bgp 65001
 rpki
  rpki server 127.0.0.1 port 3323 preference 1
  exit
 !
 address-family ipv4 unicast
  neighbor 10.1.1.2 route-map RPKI_FILTER in
 exit-address-family
!
route-map RPKI_FILTER deny 10
 match rpki invalid
!
route-map RPKI_FILTER permit 20

RPKI adoption: as of 2026, approximately 40-45% of IPv4 routes in the global table have a matching ROA. Major transit providers (AT&T, NTT, Telia, Lumen) now perform ROV at their edge routers. A valid RPKI ROA does not prevent more-specific hijacks of uncovered sub-prefixes; full BGPsec (path validation) remains largely undeployed.

4.4 RIP: Historical Context

RIP (Routing Information Protocol, RFC 2453 for RIPv2) is a distance-vector IGP. It predates OSPF in deployment, is still found in small legacy networks, and appears in textbooks as the canonical distance-vector example.

RIP mechanics:

  • Metric: hop count; maximum useful metric = 15; metric 16 = unreachable ("infinity")
  • Updates: broadcast/multicast every 30 seconds; routes time out after 180 seconds; hold-down 120 seconds
  • No concept of topology: routers advertise vectors (destination, metric) to neighbors; no link information, no Dijkstra
  • Loop prevention: split horizon (do not advertise a route back out the interface it was learned on); poison reverse (advertise with metric 16 instead of suppressing)

Counting to infinity: if a link fails, split horizon prevents immediate loops, but convergence can still take many update cycles to propagate the failure (especially in networks with redundant paths). This is why OSPF's link-state approach replaced RIP in any network where convergence time matters.

RIPng (RFC 2080): the IPv6 version; same mechanics; uses UDP port 521; multicast group FF02::9.

RIP's value in this course: it is the simplest routing protocol to reason about algorithmically, and its failure modes (counting to infinity) illustrate exactly why link-state protocols were invented.

4.5 BGP in the Data Center: EBGP Unnumbered

Modern hyperscale data centers run eBGP as the underlay routing protocol -- replacing OSPF. Each Top-of-Rack (ToR) switch is a separate AS. Facebook, Microsoft, and Google have published architectures using this pattern (RFC 7938: "Use of BGP for Routing in Large-Scale Data Centers").

Advantages: BGP's policy control is more granular than OSPF for traffic engineering; failure domain boundaries are explicit (AS boundaries); BGP's path selection is more controllable than OSPF's metric-based SPF.

eBGP unnumbered (RFC 5549) allows eBGP sessions to use link-local IPv6 addresses (FE80::/10) for the peering session, eliminating the need to allocate numbered IP addresses to every point-to-point link in the fabric.

This is covered operationally in Week 12 (Cloud Networking / VXLAN-EVPN). It appears here for context: BGP is not only an inter-AS Internet protocol.

Lab Preview

Lab 2 (BGP multi-AS topology, first configured in Week 3) continues this week with:

  • BGP community manipulation: tag outbound routes from AS 65001 with NO_EXPORT; verify the route does not propagate beyond AS 65002
  • AS_PATH prepending: make AS 65001's prefix less preferred via AS 65002; observe traffic shift to AS 65003 path
  • Sandboxed prefix hijack: configure AS 65003 to announce AS 65001's prefix (192.168.10.0/24); observe which AS wins in the RIB at the route-reflector; understand the more-specific hijack variant
  • RPKI simulation: install Routinator on the lab host; create a test ROA using a dummy trust anchor; configure FRR to drop BGP routes marked Invalid

Homework

Reading (45 min): Doyle-Carroll Vol. 1 Ch 9 (BGP Attributes and Policy). Focus on LOCAL_PREF mechanics, AS_PATH manipulation, and MED comparison rules. Supplement with the RPKI overview at rpki.net (read the "Why RPKI?" introduction and the ROA explainer; both are publicly accessible).

Hands-on (60 min): Deploy Routinator (the NLnet Labs RPKI validator) locally and query it for a sample prefix:

# Install Routinator
cargo install routinator
routinator init
routinator server --rtr 127.0.0.1:3323 --http 127.0.0.1:9556

# After initial sync (~5 min), check a prefix
curl "http://127.0.0.1:9556/api/v1/validity/AS13335/1.1.1.0%2F24"
# Should report "valid" for Cloudflare's 1.1.1.0/24 (AS 13335)

# Check a hijackable case
curl "http://127.0.0.1:9556/api/v1/validity/AS12389/1.1.1.0%2F24"
# Should report "invalid" (Rostelecom is not authorized for this prefix)

Document the RPKI validation result structure (JSON fields: origin_asn, prefix, validity state, VRPs).

Toolchain Diary Entry

Deepen this week: BGP operational commands + RPKI tooling

show ip bgp: full BGP RIB table; > marks best-path for each prefix; i = iBGP-learned, e = eBGP-learned.

show ip bgp 192.0.2.0/24: detail view for a specific prefix -- shows all paths, attributes (LOCAL_PREF, MED, AS_PATH, ORIGIN), and which path is selected and why.

show ip bgp summary: session summary -- peers, session state, prefixes received.

show ip bgp neighbors 10.1.1.2 advertised-routes: what this router is actually advertising to that peer (after route-map filtering).

show ip bgp neighbors 10.1.1.2 received-routes: what was received before any filtering (requires neighbor X soft-reconfiguration inbound).

clear ip bgp 10.1.1.2 soft: trigger a soft-reset (re-advertise + re-evaluate routes) without tearing down the TCP session. Use in or out qualifier.

routinator validate --prefix 1.1.1.0/24 --asn 13335: standalone RPKI ROA validation from the Routinator CLI.

Key Terms

  • COMMUNITY: BGP optional transitive attribute; 32-bit tag attached to routes for policy signaling; well-known: NO_EXPORT (0xFFFFFF01), NO_ADVERTISE (0xFFFFFF02)
  • BGP hijack: unauthorized origin of a prefix in BGP UPDATE messages; exploits the absence of cryptographic authentication in base BGP (RFC 4271)
  • More-specific hijack: advertising a longer-prefix-length subnet of a victim's aggregate; wins over the aggregate due to longest-prefix-match
  • RPKI: Resource Public Key Infrastructure; binds IP prefixes to authorized origin ASes via signed ROA objects; enables route origin validation (ROV)
  • ROA: Route Origin Authorization; signed RPKI object stating an AS is authorized to originate a specific prefix up to a maximum length
  • Routinator: NLnet Labs open-source RPKI validator; fetches and validates ROAs from all five RIR repositories; exposes RTR protocol (RFC 8210) for router integration
  • RIP: Routing Information Protocol; distance-vector IGP; hop-count metric; max 15 hops; loop-prone; convergence via counting-to-infinity; replaced by OSPF/IS-IS in production networks
  • AS_PATH prepending: deliberately repeating your own ASN in outbound BGP advertisements to make a path appear longer and less preferred by remote ASes; inbound traffic engineering tool