BGP on a shoestring – The definitive guide

By | 5th December 2018

Virtually every address on the internet is connected to every other through a protocol called the Border Gateway Protocol (BGP), which dynamically routes traffic on the internet to the closest network. This guide will show you how you can be part of the internet for the cheapest possible cost. It is intended for sysadmins and network engineers, and as such will not attempt to explain the intricacies involved.

There are various reasons why you may want to do this, including better control over traffic routing, a cleaner IP range for things like running mail servers, more publicly routable IPs to use, etc. So let’s get started!

Creating maintainer objects

Maintainer objects help you manage the objects (AS numbers and IP blocks) that you will be acquiring.

Function of maintainer objects. Source: RIPE

For this you will need to create an account with the Regional Internet Registry (RIR) that you want the resources from, which should be the primary region in which you will be using the resources or the region where you live. Some RIRs like RIPE will allow you to easily create an account to manage resources, while others like APNIC will need you to pay a hefty annual fee just to manage resources. That can get annoying, as you will need to ask your Local Internet Registry (LIR) to make changes if needed, instead of doing them yourself. The RIRs are:

  • APNIC: Asia Pacific region.
  • AFRINIC: Africa region.
  • LACNIC: Latin America region.
  • RIPE: Europe region.
  • ARIN: North America region.

How my created maintainer objects look like

Note that some LIRs and IP leasing services won’t readily assign maintainers and would prefer to host the services themselves, which was fine for me as I didn’t have to update resources frequently.

Cost: Free.

Apply for an ASN

An ASN (Autonomous System Number) is a unique number given to IP networks on the internet, with each network having a clearly defined routing policy. You can do BGP with a private ASN and ask the upstream to filter out the ASN before announcing upstream, but I decided to get my own so that I can be identifiable on the internet.

To get an ASN, you will need to be sponsored by an LIR. The LIR should be a member of the Regional Internet Registry (RIR) with which you intend to apply. Do keep in mind that some RIRs may want you to be multi-homed (have more than one transit or be present in multiple regions).

The best way to find LIRs which can sponsor you is the linked Excel sheet or this LowEndTalk thread. I would highly recommend getting IP space from the same company which sponsored your ASN request.

Make sure the WHOIS of the resources(ASN, IP blocks) reflects your info

Make sure the WHOIS reflects the correct information, including your email ID. RADB has a nice WHOIS tool. This will be required later to set up BGP peering. Do note that it is better to get your resources from a reputed LIR, or better yet directly from the RIR, if you will be using the IP space for anything professional.

Cost: Around 35 USD once. Could vary heavily depending on sponsoring LIR and region.

Lease IPv4/IPv6 space

You will need IP addresses that you can “announce” on the internet and hence claim to be yours. These can either be bought and transferred to you or you can lease them off an owner of the IP range. Since we are talking about doing BGP on a shoestring, leasing is the only model that works for us. Make sure the IP leasing service assigns the proper maintainer object or assigns proper ROAs, adds the correct WHOIS entry and rDNS.

You will need a minimum of /48 for IPv6 and /24 for IPv4. I ended up skipping IPv4 since it was way too cost prohibitive. Just one IPv4 address given by my host is enough for me.

Cost: Around 10-20 USD/year for a /48 IPv6 block, 60-70 USD/month for a /24 IPv4 block.

Select a transit/VPS provider

There is an awesome spreadsheet which lists all known VPS providers which will do BGP for you for free or for a nominal cost. Many of them are quite happy to do custom things that you may want, like a connection to an Internet Exchange (IXP), BGP communities or announcements to selective upstreams. You can also buy IP transit directly for more industrial applications. I’ve heard Hurricane Electric even gives free IPv6 transit at certain locations. I couldn’t confirm if this is true.

Do keep in mind that you will need to have matching upstreams or control routing with BGP communities in case you are planning to do IP anycast. Also, you will need enough memory to hold the full internet routing table if you are requesting one. Otherwise you could just ask for the default route.

I decided to go for Vultr and First Root

The awesome thing about Vultr is that they do BGP for even the lowest plan and the whole process is very automated. First Root is recommended as well since they have attractive pricing and great support.

Cost: 5-10 USD/month depending on the resources you want.

Setting up BGP

To announce your prefix over BGP, you will first need to validate your resources and write a Letter of Authorisation (LOA) stating that you own the resources and that you give the host permission to announce them.

This will depend on each particular host, but most hosts ask you to send an LOA from the email address on the WHOIS for the resources. Something like this would work.


11 November 2018

To whom it may concern,

This letter serves as authorization for COMPANY NAME with ASXXXXX to announce the following IP address blocks:

2401:f9c0:1111::/48 – AS132383

As the owner of the subnet and ASN, I hereby declare that I’m authorized to represent and sign for this LOA.

Should you have questions about this request, email me at me@varunpriolkar.com, or call: +91XXXXXXXXXX.

From,

Varun Priolkar
me@varunpriolkar.com
+91XXXXXXXXXX

After this, the host should set up BGP for you and give you details like which IP to connect to. You will also need to pick whether you want the full BGP table or just the default route. Typically the default route should be fine.

To set up BGP, I installed the bird and bird-bgp packages on Ubuntu. A basic setup should look like this. Vultr has a nice guide for configuring BGP.

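router id 193.25.100.229;		# 32-bit identifier for this router, written like an IPv4 address

# Announce only our own prefix and reject everything else
filter out_filter {
    if net = 2a0a:b707:1111::/48 then accept;
    else reject;
}

protocol bgp froot
{
    local as 132383;		# Our ASN
    source address 2001:67c:12a0:8010:0:0:0:2;	# Our end of the session
    import all;			# Accept all routes received from the neighbor
    export filter out_filter;
    graceful restart on;
    neighbor 2001:67c:12a0:8010:0:0:0:1 as 41108;	# Neighbor's address and ASN
    next hop self;
}

# Static route so the prefix exists in BIRD's table and can be exported
protocol static
{
    route 2a0a:b707:1111::/48 via 2001:67c:12a0:8010:0:0:0:2;
}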

protocol device
{
    scan time 5;
}

protocol kernel {
	scan time 20;		# Scan kernel routing table every 20 seconds
	import all;		# Default is import all
	export all;		# Default is export none
}

Then all you have to do is run systemctl start bird (or bird6). You will also need to open TCP port 179 on your firewall. There’s a useful guide on the NLNOG website for setting up more BGP filters.
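Before announcing, it is worth checking that the prefix and origin AS in this configuration agree with the ROAs your leasing service published, since networks that enforce route origin validation (RFC 6811) reject announcements a ROA marks invalid. The following is an added example, not part of the original post; the ROA entries, the covering /32 and AS64496 are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str       # prefix the holder authorised
    max_length: int   # longest prefix length allowed under it
    asn: int          # AS allowed to originate it


def origin_validation(prefix, origin_asn, roas):
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue                      # this ROA says nothing about the route
        covered = True
        # AS0 ROAs mark space as "do not route" and can never match.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none.
    return "invalid" if covered else "not-found"


# Prefix and origin AS from the BIRD configuration above.
ANNOUNCED, ORIGIN = "2a0a:b707:1111::/48", 132383

# Constructed ROAs: the covering /32 and AS64496 (a documentation ASN) are assumptions.
LESSOR_ONLY = [ROA("2a0a:b707::/32", 32, 64496)]
WITH_LEASE = LESSOR_ONLY + [ROA("2a0a:b707:1111::/48", 48, ORIGIN)]

if __name__ == "__main__":
    for label, roas in [("no ROA", []), ("lessor ROA only", LESSOR_ONLY),
                        ("lease ROA added", WITH_LEASE)]:
        print(f"{label:16} {origin_validation(ANNOUNCED, ORIGIN, roas)}")
    # A more specific than the ROA's maxLength is invalid even from the right AS.
    print("more-specific /49",
          origin_validation("2a0a:b707:1111:8000::/49", ORIGIN, WITH_LEASE))
```

The "lessor ROA only" case is the one to watch for with leased space: a ROA that covers the block but names only the owner's AS turns your announcement from not-found into invalid.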

Confirming it all works

You will have to use a looking glass from the transit providers to check if your prefix is getting propagated correctly. I used Hurricane Electric’s Looking Glass. You can also use the Oregon Route Views project to get a more complete picture.

HE’s looking glass output

Hurricane Electric also has a nice BGP view tool through which you can check the route propagation.

Route propagation as viewed from HE’s BGP tool

Then all you have to do is simply assign an IP to an interface and see if it pings.

Reverse DNS

The reverse DNS zone will need to point to your name servers. You can either set this up yourself or host it with DNS providers like Amazon’s Route 53 or DNS Made Easy. The reverse DNS zone name is the IP in inverted format followed by the appropriate suffix. For example, for the IPv4 prefix 1.2.3.0/24 the reverse zone will be 3.2.1.in-addr.arpa. and for the IPv6 prefix 2401:f9c0:1111::/48 the zone will be 1.1.1.1.0.c.9.f.1.0.4.2.ip6.arpa. You will also need to configure the appropriate PTR record. This will be 4.3.2.1.in-addr.arpa. for the IPv4 address 1.2.3.4 and 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.1.0.c.9.f.1.0.4.2.ip6.arpa. for the IPv6 address 2401:f9c0:1111::1. It is preferable that the reverse record matches the forward record as well.
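The inversion rule above is easy to get wrong by hand, especially for IPv6, so here is an added example (not from the original post) that derives the reverse zone and PTR names for both address families. It goes beyond the text in one respect: a prefix that does not end on a label boundary is split into one zone per aligned subnet. The function names are my own.

```python
import ipaddress


def ptr_name(address):
    """Owner name of the PTR record for one address, with trailing dot."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels, suffix = str(ip).split("."), "in-addr.arpa."
    else:
        # One label per hex nibble of the fully expanded address.
        labels, suffix = list(ip.exploded.replace(":", "")), "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix


def reverse_zones(prefix):
    """Reverse zone name(s) that have to be delegated for a prefix."""
    net = ipaddress.ip_network(prefix)
    unit = 8 if net.version == 4 else 4          # bits per DNS label
    if net.version == 4 and net.prefixlen > 24:
        raise ValueError("IPv4 longer than /24 needs RFC 2317 classless delegation")
    aligned = -(-net.prefixlen // unit) * unit   # round up to a label boundary
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        labels = ptr_name(str(sub.network_address)).split(".")
        host_labels = (sub.max_prefixlen - aligned) // unit
        zones.append(".".join(labels[host_labels:]))   # drop the host part
    return zones


def zone_for(address, zones):
    """Return the zone from `zones` that must hold the PTR for `address`, or None."""
    name = ptr_name(address)
    return next((z for z in zones if name.endswith("." + z)), None)


if __name__ == "__main__":
    # The prefixes and addresses used in the text above.
    print(reverse_zones("1.2.3.0/24"), ptr_name("1.2.3.4"))
    print(reverse_zones("2401:f9c0:1111::/48"), ptr_name("2401:f9c0:1111::1"))
    # Constructed case: a /46 is not nibble-aligned, so it needs four /48 zones.
    print(reverse_zones("2401:f9c0:1110::/46"))
```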

It can be difficult to set the reverse record for a huge range of IPv6 addresses. I found this project useful for that.

Cost: 1 USD per hosted zone on Route 53, free if you are self hosting.

Monitoring

BGPMon is really useful for this and free for monitoring up to five prefixes. It will also send you email alerts in case it notices any flaps or prefix withdrawals.

BGPMon is excellent for monitoring your announcements

It also has a project called PeerMon which can allow you to peer with BGPMon routers and share your routes with it for it to detect any routing changes. I wouldn’t try it out because they had some capacity issues at the time of writing.

Cost: Free for up to 5 prefixes.

Total costs

To recap, the total costs should be:

VM: 5-10 USD/month for VMs
IP blocks: 1-2 USD/month for IPv6 blocks, 60-70 USD for IPv4 blocks
ASN: 35 USD once.
rDNS hosting: 1-2 USD/month, free if self hosting.
Total: 35 USD once, 7-15 USD/month recurring for IPv6, 65-80 USD/month for IPv4.

Useful resources

Hope you found this post useful. Don’t forget to subscribe, comment if you did. I’ll have more advanced BGP and internet related posts coming up, which includes IP anycast, BGP communities, building CDNs 🙂

7 thoughts on “BGP on a shoestring – The definitive guide”

  1. Vineeth Penugonda

    Interesting post. Why didn’t you go for RIPE? APNIC is pretty expensive.

  2. Vineeth Penugonda

    “After this, the host should setup BGP for you and give you details like which IP to connect to. ”

    How long does Vultr take to do this?!

  3. Aditya

    Hi,
    Nice write up!
    Which RIR did you use to register ASN? I am looking at irinn prices and they are eye watering!

  4. Anon

    Wow this is so insane, thank you so much for this detailed write up !

    Note there is a typo at the end, 60-70 USD for IPv6 blocks <– should be IPv4
