2024-10-07 Autonomous System
Posted October 7, 2024 ‐ 8 min read
An overview of ASN and internet routing
TL;DR -- I currently maintain AS216049 for my homelab. This article gives an overview of internet routing and how to become a BGP player. I hope it encourages you to become a BGP player, run your own ASN and get curious about how the internet works.
Autonomous System
On the internet, traffic was originally routed by a single internet service provider (the ISP). An autonomous system (AS) is a collection of routing prefixes of internet protocol (IP) resources. The AS is mainly the network entity used by exterior gateway protocols (EGPs), in particular the standardized Border Gateway Protocol (BGP). Later, in the late 90's, several organizations could run BGP with a private AS number (ASN).
How to get an ASN
Even though there is a pool of private ASNs, you need a public ASN to be routable on the internet. Currently, an ASN is assigned to an end user by the Internet Assigned Numbers Authority (IANA) through the Local Internet Registries (LIRs) or Regional Internet Registries (RIRs).
As an individual, you should ask your RIR for an ASN for personal purposes. By the way, it is cheaper to get a sponsored ASN from an RIR or LIR.
You will be asked several questions about the intended use of the assignment. Many recommendations suggest applying for an ASN to multi-home your own IP address prefixes, which I also agree is the most reasonable justification.
Firstly, you should register and create a maintainer object (mntner), a person object (person) and an organisation object (organisation) in your RIR database.
The maintainer and person objects are usually created at the same time. You should provide the object ID, full name, address and phone number (for instance, e29qwg-mnt and KC3459-RIPE).
mntner: e29qwg-mnt
admin-c: KC3459-RIPE
person: Kullawat Chaowanawatee
address: P.O. Box 22 Kathu Post Office, Kathu, Phuket, Thailand, 83120TH
phone: +66937806783
nic-hdl: KC3459-RIPE
mnt-by: e29qwg-mnt
Optionally, an abuse contact role object may also be created (see ACRO54475-RIPE).
role: Abuse contact role object
address: P.O. Box 22 Kathu Post Office, Kathu, Phuket, Thailand, 83120TH
abuse-mailbox: abuse@e29qwg.tech
nic-hdl: ACRO54475-RIPE
mnt-by: e29qwg-mnt
Another is the organisation object (see ORG-ET91-RIPE).
organisation: ORG-ET91-RIPE
org-name: Kullawat Chaowanawatee
country: TH
org-type: OTHER
address: P.O. Box 22 Kathu Post Office, Kathu, Phuket, Thailand, 83120TH
admin-c: KC3459-RIPE
abuse-c: ACRO54475-RIPE
mnt-ref: e29qwg-mnt
mnt-ref: SBMT
mnt-by: e29qwg-mnt
The mntner object of the sponsoring organisation should be added as an mnt-ref of the organisation object, as shown above. This makes it possible for the sponsor to create an autonomous number object and assign it to you.
Later, you contact your LIR or RIR for the ASN allocation. You will be asked to sign an End User Assignment Agreement (EUAA) and to have a (virtual) route server ready; some LIRs also accept an invoice for it. If you are dealing directly with an RIR, you will also need to provide an organization registration letter. Lastly, discuss and follow the instructions from the LIR/RIR. You will eventually be assigned an autonomous number object (autnum) in your RIR database, and that means you have your ASN.
Point of Presence
Most RIRs require you to be located in the region they are responsible for. For example, if you are in Japan, the Japan Network Information Center (JPNIC) is trusted as a National Internet Registry (NIR) by the Asia Pacific Network Information Centre (APNIC), which is an RIR.
For any country that does not have its own NIR, the ASN application must be sent directly to the corresponding RIR. For example, in Thailand, ISPs and BGP players apply directly to APNIC.
By the way, for some regions such as RIPE NCC, you only need to have a route server or a route originated in its region (at the time of writing). So it is possible to ask an LIR in the RIPE NCC region even if you are outside the RIPE region.
IP Address and Subnet Allocation
If you want to be a BGP player, you will need at least a /24 IPv4 prefix or a /48 IPv6 prefix. I would recommend getting the IP prefix(es) before applying for an ASN, because it is more reasonable to announce prefixes that are already allocated to you.
You can find IPv4/IPv6 marketplaces around the internet where you can bid for, buy, rent or lease prefixes. Nowadays a /24 IPv4 prefix is expensive, as IPv4 is mostly depleted. I would suggest getting a sponsored provider aggregatable (PA) IPv6 prefix from your LIR, together with an ASN.
If you are an amateur radio operator, the Amateur Radio Digital Communications (ARDC) could provide you with IPv4/IPv6 prefixes based on your use. Visit the 44Net wiki page for more information.
At this point, you should have an internet number object (inetnum for an IPv4 prefix, inet6num for an IPv6 prefix). If you rent or are sponsored a subnet, this object is managed by the subnet owner. If you buy or own a subnet, you have to create it yourself, just like this one.
inet6num: 2a0e:97c0:be0::/44
netname: EU-KULLAWATCHAOWANAWATEE-20231031
country: EU
org: ORG-ET91-RIPE
admin-c: KC3459-RIPE
status: ALLOCATED-BY-LIR
mnt-by: e29qwg-mnt
mnt-lower: e29qwg-mnt
mnt-routes: e29qwg-mnt
mnt-domains: e29qwg-mnt
Additionally, a route (or route6) object should be created to tell the internet which ASN is the origin of the corresponding subnet (see the route6 object below).
route6: 2a0e:97c0:be0::/44
origin: AS216049
mnt-by: e29qwg-mnt
Border Gateway Protocol
BGP is the routing protocol of the internet. It connects many autonomous systems (ASes) together around the globe. Data passes through ASes on the path from source to destination, and BGP decides which path to take. BGP has attributes that a network engineer can set to express path preferences.
BGP Peering
After you have both an ASN and internet resources, you have to peer with other ASes to announce your prefixes. Normally, the internet exchange (IX) was decided when you picked where to install your (virtual) route server. For example, a route server that is going to peer with Vultr should be installed at Vultr. I say should, but it is not limited to that, because you can still peer through a tunnel or VPN.
A BGP session with another AS is called exterior BGP (eBGP).
There are multiple types of peering:
- Upstream or transit peering is a peer through which you want your traffic to transit to everywhere on the internet.
- Downstream or customer peering is peering you make with your customer. This means you are a transit provider.
- Public peering lets both parties exchange traffic via an Internet Exchange Peering Point (IXP). There are recurring IXP connectivity and transport costs; sometimes you might find that transit is cheaper.
- Private peering is a direct link over which both parties exchange the routes originated in their own and their customers' networks. For more information, see the BGP Help blog post "BGP Types of Peering | BGP Help".
If you want your prefixes to be routable on the internet, you will need at least one upstream. Two or more upstreams are preferable to just one; the reason is redundancy.
In case you do not know where to find a peer, I would suggest PeeringDB.
After you have an eBGP peer, you have to modify your autnum object to describe how you import and export routes. For example, my AS (AS216049) peering with Vultr (AS20473) looks like this.
remarks: * Vultr
import: from AS20473 accept ANY
export: to AS20473 announce AS216049
mp-import: afi ipv6.unicast from AS20473 accept ANY
mp-export: afi ipv6.unicast to AS20473 announce AS216049
That means I import any route from Vultr and announce my prefixes to Vultr. The mp- prefix is for the multiprotocol attributes defined in RFC 4012.
Another scenario is when you are a transit provider with many customers. You might create an as-set object for your downstreams (including yourself). For example, Vultr created an as-set for its downstream customers (see AS20473:AS-VULTR). You can then announce from an as-set (say AS216049:CUSTOMERS) like this: export: to AS20473 announce AS216049:CUSTOMERS.
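The import/export policy described above, as an added example that is not part of the original post: a small parser for the autnum attributes that expands an as-set and answers whether a given origin would be announced to a peer. The aut-num text is constructed from the AS216049/AS20473 example, and the as-set membership (including AS64500) is an assumption.

```python
import re

# Constructed aut-num text in RPSL form, modelled on the AS216049 / AS20473 example on
# this page; the as-set membership below is an assumption made for the example.
AUTNUM = """\
aut-num:    AS216049
import:     from AS20473 accept ANY
export:     to AS20473 announce AS216049:CUSTOMERS
mp-import:  afi ipv6.unicast from AS20473 accept ANY
mp-export:  afi ipv6.unicast to AS20473 announce AS216049:CUSTOMERS
"""
AS_SETS = {"AS216049:CUSTOMERS": ["AS216049", "AS64500"]}   # AS64500: constructed customer
POLICY_RE = re.compile(
    r"^(?:afi\s+(?P<afi>\S+)\s+)?(?:from|to)\s+(?P<peer>AS\d+)\s+"
    r"(?:accept|announce)\s+(?P<filter>\S+)$")

def parse_rpsl(text):
    """Parse one RPSL object into ordered (attribute, value) pairs."""
    attrs = []
    for line in filter(str.strip, text.splitlines()):
        if line[0] in "%#":                        # RPSL comment line
            continue
        key, _, value = line.partition(":")
        attrs.append((key.strip(), value.strip()))
    return attrs

def expand(term):
    """Resolve a filter term to the set of origin ASNs it covers (as-sets recurse)."""
    if term == "ANY":
        return {"ANY"}
    if term in AS_SETS:
        return set().union(*(expand(m) for m in AS_SETS[term]))
    return {term}

def policy(attrs, direction):
    """Map (afi, peer) -> allowed origins for 'import' or 'export' and their mp- variants."""
    table = {}
    for key, value in attrs:
        if key not in (direction, "mp-" + direction):
            continue
        m = POLICY_RE.match(value)
        afi = m.group("afi") or ("ipv4.unicast" if key == direction else "any")
        table[(afi, m.group("peer"))] = expand(m.group("filter"))
    return table

def will_export(attrs, afi, peer_as, origin_as):
    """Would a route originated by origin_as be announced to peer_as for this afi?"""
    table = policy(attrs, "export")
    allowed = table.get((afi, peer_as)) or table.get(("any", peer_as), set())
    return "ANY" in allowed or origin_as in allowed
```

Checking your own export lines this way before a peer's filters do it for you catches a customer ASN that is missing from the as-set.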
From now on, you have to configure your route server to establish a BGP session with the peer.
Hardening BGP
At a minimum, you should prevent leaking bogon addresses and should not announce resources you do not own.
BGP has flaws, for example blackholing, BGP hijacking, route leaks and more. So I encourage you to protect not only yourself but the internet by implementing Resource Public Key Infrastructure (RPKI).
Additionally, you could join BGP communities that help prevent some DDoS attacks, for example Team Cymru.
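The three hardening points above (bogon filtering, RPKI route origin validation, and only announcing your own resources), as an added example that is not part of the original post. The VRP entry reuses this page's prefix and ASN but its maxLength of 48 is an assumption, the bogon list is a constructed subset, and AS64500 is a constructed foreign origin.

```python
import ipaddress

MY_AS = 216049                                # ASN from this page
OWN_PREFIXES = ["2a0e:97c0:be0::/44"]         # the inet6num/route6 prefix from this page

# Constructed Validated ROA Payloads (prefix, maxLength, origin AS). In production these
# come from an RPKI validator over RTR; maxLength 48 here is an assumption.
VRPS = [("2a0e:97c0:be0::/44", 48, 216049)]
# Constructed, deliberately small bogon subset; a real filter uses a full, refreshed list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3", "::/8", "fc00::/7", "fe80::/10", "2001:db8::/32")]

def rov_state(prefix: str, origin_as: int) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in VRPS:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue                          # this VRP does not cover the route
        covered = True
        if vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

def is_bogon(prefix: str) -> bool:
    """True when the prefix overlaps reserved/unallocated space in either direction."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == b.version and net.overlaps(b) for b in BOGONS)

def accept_from_peer(prefix: str, origin_as: int) -> tuple:
    """Inbound policy for a route learned over eBGP: (decision, reason)."""
    net = ipaddress.ip_network(prefix)
    if is_bogon(prefix):
        return ("reject", "bogon")
    if net.prefixlen > (24 if net.version == 4 else 48):
        return ("reject", "too-specific")     # the usual /24 and /48 ceilings
    state = rov_state(prefix, origin_as)
    if state == "invalid":
        return ("reject", "rpki-invalid")
    return ("accept", state)                  # 'notfound' is still accepted, as is common

def announce_to_peer(prefix: str, origin_as: int) -> bool:
    """Outbound policy: only export space we hold, originated by our own ASN."""
    net = ipaddress.ip_network(prefix)
    own = any(net.version == o.version and net.subnet_of(o)
              for o in map(ipaddress.ip_network, OWN_PREFIXES))
    return own and origin_as == MY_AS
```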