

From NetSec

Lesson 1

Network Discovery with BGP

BGP stands for Border Gateway Protocol; it is the dynamic routing protocol that holds the entire Internet together. Every router that speaks BGP belongs to an autonomous system, identified by an Autonomous System Number (ASN). An autonomous system (AS) is a group of routers under one organization's administrative control. There are several reasons an organization would want its own ASN. If the organization owns its own public IP address space, an ASN lets it peer with its upstream provider and announce that space via BGP. Usually the routing policy of the organization's routers differs from the upstream provider's routing policy, and a distinct routing policy is the other primary reason to have a separate ASN. The last, and perhaps most common, reason is multihoming: the organization buys transit (bandwidth) from more than one upstream provider. To get an ASN, an organization applies to its regional Internet registry (ARIN, APNIC, LACNIC, AFRINIC or RIPE NCC). This usually carries a yearly fee, and sometimes IPv4/IPv6 space is included with the ASN. When one AS connects to another AS, this is known as peering. In most cases smaller organizations peer with large Tier 1 ISPs or with smaller Tier 2 ISPs.

Often routes aren't direct and require crossing several ISPs' networks. The sequence of autonomous systems a route crosses is called the AS path: the list of ASes (not individual routers) that a packet traverses to reach its destination.

For example, the whole block belongs to MIT. MIT's ASN is 3 (AS3), so in the output of show ip bgp a route to MIT looks like this:

*>                           0 12714 3549 1239 3 i

A packet destined for an IP in that block travels, from this vantage point, through AS12714, AS3549 and AS1239 before reaching AS3. The leading 0 is not an AS: it is the route's weight/metric column from the show ip bgp output, and the trailing i is the origin code (the route was injected into BGP from an IGP). The last AS in the path, AS3, is the origin AS; every AS between the source and the origin AS is a transit AS. Organizations that operate transit ASes have a lot of bandwidth, which they sell to other organizations so those organizations can reach the Internet. Most routers running eBGP (external BGP) receive and announce what are known as full tables: the full list of allocated IP blocks on the public Internet and the AS path to reach each one. At the time this page was written there were around 350,000 routes in the public Internet table.

Because the routing tables are public, they are useful for finding out which networks belong to a given ASN. If you have the ASN of the company or organization you are investigating, you can easily find all of the netblocks it is announcing. One can obtain this information here. This list is updated every 8 hours by APNIC. The list is basically a mapping of ASN to organization name; you can usually grep -i for an organization to find its ASN. The ASN is the first field; everything after it is the description.


372 National Aeronautics and Space Administration 
377 Sandia National Laboratories 
523 Army Information Systems Command 
825 Canadian Forces Weather Services

You can find a list of which prefixes each AS is announcing here. Once you have the ASN of an organization, grep the data-raw-table file (one line per prefix, with the origin ASN as the last field) to find out which networks it is announcing. Replace ASNHERE with the ASN; the -w flag and the $ anchor make sure a search for AS372 does not also match AS3725 or a prefix that happens to contain the digits.


grep -w ASNHERE$ data-raw-table
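The two lookups above, the grep -i over the ASN-to-name list and the grep -w over data-raw-table, plus the AS-path reading from the show ip bgp line, as an added Python example (this is not code from the NetSec page). The ASNAMES and RAW_TABLE strings are constructed samples in the same layout as the real files; the ASN 3725 and all prefixes are made up (documentation and benchmarking ranges) and are assumptions for the demo.

```python
"""Added example: ASN discovery from the asnames list and data-raw-table.

Constructed sample data below; file layouts follow the page's description:
  asnames:        "<ASN> <organization description>"
  data-raw-table: "<prefix>\t<origin ASN>"
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of the ASN-to-name list (AS3725 is invented to show
# why whole-word matching matters).
ASNAMES = """\
3 Massachusetts Institute of Technology
372 National Aeronautics and Space Administration
377 Sandia National Laboratories
523 Army Information Systems Command
825 Canadian Forces Weather Services
3725 Example Hosting Company
"""

# Constructed sample of data-raw-table using documentation/benchmark ranges.
RAW_TABLE = """\
192.0.2.0/24\t3
198.51.100.0/24\t3
203.0.113.0/24\t372
198.18.0.0/15\t3725
100.64.0.0/10\t377
"""


def find_asns(asnames_text, needle):
    """Case-insensitive substring search over the description column,
    the equivalent of `grep -i needle asnames`. Returns {asn: description}."""
    hits = {}
    for line in asnames_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip comments/headers that have no leading ASN
        asn, description = int(parts[0]), parts[1]
        if needle.lower() in description.lower():
            hits[asn] = description
    return hits


def prefixes_by_origin(raw_table_text):
    """Parse data-raw-table into {origin_asn: [IPv4Network, ...]}.

    The ASN is matched as a whole final field, which is what
    `grep -w ASN$ data-raw-table` achieves: AS372 never matches AS3725."""
    table = defaultdict(list)
    for line in raw_table_text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)$", line)
        if not m:
            continue
        table[int(m.group(2))].append(ip_network(m.group(1), strict=False))
    return table


def prefixes_for_org(asnames_text, raw_table_text, org):
    """Chain the two lookups: organization name -> ASN(s) -> announced prefixes."""
    table = prefixes_by_origin(raw_table_text)
    return {
        asn: [str(n) for n in sorted(table.get(asn, []))]
        for asn in find_asns(asnames_text, org)
    }


def parse_as_path(show_ip_bgp_line, attr_columns=1):
    """Extract the AS path from a Cisco-style `show ip bgp` line.

    The path is the run of integers just before the origin code (i, e or ?).
    Integer attribute columns (weight, and metric/local-pref when printed)
    sit immediately before the path and cannot be told apart from ASNs by
    value, so the caller says how many to drop; the line on the page shows
    exactly one (the weight column, 0). AS_SET braces are not handled."""
    tokens = show_ip_bgp_line.split()
    origin = tokens[-1]
    if origin not in ("i", "e", "?"):
        raise ValueError(f"unexpected origin code {origin!r}")
    run = []
    for tok in reversed(tokens[:-1]):
        if not tok.isdigit():
            break
        run.append(int(tok))
    run.reverse()
    return run[attr_columns:], origin


def transit_ases(as_path):
    """Every AS except the last (origin) one is a transit AS for this route."""
    return as_path[:-1]


if __name__ == "__main__":
    print(prefixes_for_org(ASNAMES, RAW_TABLE, "aeronautics"))
    path, origin = parse_as_path("*>                           0 12714 3549 1239 3 i")
    print("origin AS", path[-1], "via transit", transit_ases(path), "origin code", origin)
```

Against the real files, read ASNAMES and RAW_TABLE from disk instead of the embedded samples; the parsing is unchanged. Note that this only shows prefixes an AS originates, not prefixes it merely carries as transit, which is exactly what the grep on the origin column gives you.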

Lesson 2



Basically you have a group of routers you are in charge of, and your regional registry assigns that group an ASN. The ASN goes into the BGP configuration, which announces your ASN along with the IP address blocks you own to your BGP peers, and the peers' ASNs are what you put into your router's neighbour list. In other words, you are telling other routers on the Internet to route all packets destined for a certain IP address block to you.

Example BGP Configuration

router bgp 65111
 bgp log-neighbor-changes
 ! one network statement per prefix this AS originates
 network <prefix> mask <netmask>
 network <prefix> mask <netmask>
 network <prefix> mask <netmask>
 network <prefix> mask <netmask>
 ! one neighbor statement per directly connected peer, with the peer's ASN
 neighbor <peer-ip> remote-as 64667
 neighbor <peer-ip> remote-as 64666
 neighbor <peer-ip> remote-as 65222
 no auto-summary

Basically I am announcing all 4 of those routes to the 3 neighbours I have. (The ASNs in this example are all from the private range 64512 to 65534, so they are placeholders; real peers use registry-assigned ASNs.) Some of those neighbours have other neighbours that I am not directly connected to. A neighbour that accepts the route I announce passes it along to its own neighbours, which is how the route reaches networks I am not directly connected to.

Let's say we have 3 routers, A, B and C. A is connected to B, and B is connected to C (A<->B<->C). For C to reach A it has to know the route to A, which is given to it by router B. Router B tells router C, "I can reach this network; route all packets destined for it to me."

When router C gets a packet for that network, it knows: "B knows the route to this address, I should hand the packet to B." C then hands the packet to B, and B sees that it needs to go to A, because A knows where to send it next.

Thus the point of BGP is to learn every path a packet could take and, by default, deliver it down the one with the shortest AS path (after local policy such as local preference has been applied). The separation between the different networks is expressed through ASNs.

Usually every AS has a number of routers under it, anywhere from a couple to millions of routers per AS. For routing packets internally inside an AS, an IGP (Interior Gateway Protocol) is used.


Say you are an AS owner with 100 routers; only 10 provide access to the Internet, and the other 90 route data between your sites. Every router is responsible for a certain IP block, or even a group of IP blocks. This is where the IGP comes in.

Having those networks in one router's routing table is fine, but you also want the rest of your network to learn about them. Let's take RIP as the interior gateway protocol, since it resembles BGP in many ways: both have routers advertise the prefixes they can reach to their directly attached neighbours.

RIP does not actually give routers an ID; the router numbers used below (router 1, router 5, router 99) are just labels for this walkthrough. RIP's real limitation is its metric: the hop count, with a maximum of 15 hops and 16 meaning unreachable, which is why RIP isn't suitable for large networks. Each router tells its neighbours which IP blocks it can route packets to.

Now every other router (all 99 of them) knows that packets destined for that block go to router 1, because the address falls inside the netblock router 1 announced over RIP. RIP is also weak from a security standpoint: RIPv1 has no authentication at all, and RIPv2's simple-password mode sends the password in cleartext in every update, so anyone on the segment can read it (in keyed-MD5 mode they see the MD5 digest instead of the password). Some implementations will also accept RIPv1 updates alongside v2 (effectively a downgrade), letting an attacker inject unauthenticated routes unless the RIP process is pinned to version 2 with MD5 authentication required on every RIP interface.

Every router cannot be connected to every other router: that would mean 99 links per router, and the physical cabling and its cost rule it out. Instead you lay fibre from each building to a few other buildings, so when a route is announced via RIP it only goes to the directly attached routers.

Router 1 tells the other routers on the network to route packets for its block to it, but since it is directly connected to only 5 networks, it only announces that route to those. The routers on those networks then let the routers they are attached to know that packets for that block can be sent through them to router 1, and so on, with each hop adding one to the route's hop count.

Every router looks at the destination IP of every packet and searches its routing table for it. So let's say router 99 is connected to router 5, and router 5 is connected to router 1. Router 99, router 5 and router 1 each own their own block.

A host in router 99's block sends a packet to an address in router 1's block. Router 99 checks its routing table, sees that the destination is not one of its own directly attached networks, and looks for a route learned via the IGP.

It finds that the block is announced by router 5, because router 5 heard router 1 announce it. Router 5 checks its own routing table, sees that it cannot deliver the packet locally either, and sends it to router 1, which is directly connected to router 5.
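The route propagation and hop-by-hop forwarding described in the A-B-C example and in the router 99 -> router 5 -> router 1 walkthrough, as an added Python simulation (not code from the NetSec page). It models a RIP-style distance-vector exchange: each router sends its table only to directly attached neighbours, each hop adds one to the metric, and a route whose metric would reach 16 is dropped, which is RIP's real large-network limit. The topology, the router numbers and the 10.x.0.0/16 prefixes are constructed for the demo and are not from the page.

```python
"""Added example: RIP-style distance-vector propagation plus the
longest-prefix-match lookup each router does on a packet.

Topology, router numbers and prefixes are constructed for the demo.
"""
from ipaddress import ip_address, ip_network

INFINITY = 16  # RIP's "unreachable" metric (RFC 2453); 15 hops is the maximum

# Constructed topology from the walkthrough: 99 <-> 5 <-> 1, each owning one block.
LESSON_OWNED = {1: ["10.1.0.0/16"], 5: ["10.5.0.0/16"], 99: ["10.99.0.0/16"]}
LESSON_LINKS = {1: [5], 5: [1, 99], 99: [5]}


def build_chain(n):
    """Constructed topology: routers 1..n in a straight line,
    router i owning 10.i.0.0/16. Used to show the 15-hop limit."""
    owned = {i: [f"10.{i}.0.0/16"] for i in range(1, n + 1)}
    links = {i: [j for j in (i - 1, i + 1) if 1 <= j <= n] for i in range(1, n + 1)}
    return owned, links


def converge(owned, links):
    """Repeat the neighbour exchange until no table changes.

    Each router offers every route it has to each directly attached
    neighbour at metric+1; the neighbour installs it only if it is better
    than what it already has. Routes that would reach metric 16 are never
    installed. Returns {router: {prefix: (metric, next_hop)}}; next_hop None
    means the router owns the prefix itself."""
    tables = {r: {ip_network(p): (0, None) for p in owned.get(r, [])} for r in links}
    changed = True
    while changed:
        changed = False
        for router, neighbours in links.items():
            for neighbour in neighbours:
                for prefix, (metric, _) in list(tables[router].items()):
                    candidate = metric + 1
                    if candidate >= INFINITY:
                        continue  # unreachable in RIP terms: do not propagate
                    current = tables[neighbour].get(prefix)
                    if current is None or candidate < current[0]:
                        tables[neighbour][prefix] = (candidate, router)
                        changed = True
    return tables


def route_to(tables, router, prefix):
    """(metric, next_hop) that `router` holds for `prefix`, or None."""
    return tables[router].get(ip_network(prefix))


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ip_address(dst)
    matches = [(p, v) for p, v in table.items() if dst in p]
    if not matches:
        return None
    prefix, (metric, next_hop) = max(matches, key=lambda m: m[0].prefixlen)
    return prefix, metric, next_hop


def forward(tables, src_router, dst):
    """Walk a packet router by router, each doing its own lookup, until a
    router that owns the destination prefix is reached. Returns the list of
    routers visited, or None if some router has no route."""
    path = [src_router]
    router = src_router
    for _ in range(INFINITY):
        hit = lookup(tables[router], dst)
        if hit is None:
            return None
        _, _, next_hop = hit
        if next_hop is None:
            return path  # this router owns the block: delivered
        router = next_hop
        path.append(router)
    return None  # loop guard; a converged table never gets here


if __name__ == "__main__":
    tables = converge(LESSON_OWNED, LESSON_LINKS)
    print("router 99 route to 10.1.0.0/16:", route_to(tables, 99, "10.1.0.0/16"))
    print("packet from router 99 to 10.1.2.3 visits:", forward(tables, 99, "10.1.2.3"))
    owned, links = build_chain(17)
    far = converge(owned, links)
    print("16 hops away (unreachable):", forward(far, 1, "10.17.0.1"))
```

In the 99 <-> 5 <-> 1 topology router 99 ends up with the route (2, 5) for router 1's block, meaning two hops away via router 5, which is exactly the table entry the walkthrough describes. In the 17-router chain, router 16 is 15 hops from router 1 and is reachable, while router 17 is not, because its route would need metric 16.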


RIP (Routing Information Protocol) is a small-scale interior routing protocol: RIP routes packets between the individual routers within one group (an AS), while BGP routes packets between all of the different groups of routers on the Internet. A router can be configured to redistribute the routes in its RIP table into the BGP table and vice versa; redistributing an IGP into BGP without prefix filters is a classic way to leak internal or unintended prefixes to the rest of the Internet.