NetFlow and BGP

BGP AS PATH Attribute for Network Path Visibility

BGP routing information provides full Internet path visibility. With a simple check of a routing table, network operators can determine the source and target ASes and all transit ASes through which the packet moves on its way to the destination. When a BGP router sends out an update to a neighbor in a different AS (i.e., an external or eBGP neighbor), it adds its own AS number to the front (left side) of the AS path. So the AS path lists all the ASes that need to be traversed to reach the location where the prefix that the path is attached to is advertised from. Let’s check how the AS_PATH attribute is built when a prefix 70.36.1.0/24 originated on the router AS1 is sent in a BGP update message and received by the router AS5 (Picture 1).

Picture 1: Network Topology with 5 eBGP Neighbors

The BGP router in AS 1 sends a BGP update message to its eBGP neighbor with its own AS number (ASN) 1. The neighbor in AS 2 adds its ASN 2 to the front (left) side of the AS path in a BGP update. The AS_PATH attribute is now 2 1. The neighbor in AS 3 prepends the AS_PATH with its own ASN 3. The AS_PATH is now 3 2 1. And again, when the router AS4 receives the BGP update message with the AS_PATH 3 2 1 from AS3, it adds its ASN 4 to the front of the AS_PATH. The AS_PATH attribute received by the router AS5 in a BGP update from the peer AS 4 is 4 3 2 1 for NLRI 70.36.0.0/24 (Picture 2).

Picture 2: AS_PATH for NLRI 70.36.1.0/24 on AS5

NetFlow and Network Path Utilization

BGP does a great job in providing visibility of network paths so we have a clear picture of how traffic is forwarded between ASses. However, BGP alone says nothing about how these paths are utilized. NetFlow, on the other hand, can report how much traffic is traversing the paths in real-time. It provides complete traffic statistic including Layer2 (VLAN headers, MAC addresses), Layer3 (IP addresses, protocol) Layer4 (TCP/UDP ports) information, timestamps VRF IDs, etc.  The nature of NetFlow makes it a valuable tool for investigation of the inbound traffic for a certain pattern matching. As we explained in our previous blog posts, NetFlow analysis plays an important part in DDoS amplification attacks, web application and SSH compromise attack detection.

BGP Support in NetFlow

Although, NetFlow reports the amount of traffic on any given path, its ability to report on how the traffic gets into the AS is limited. As a matter of fact, it merely depends on BGP support in different NetFlow versions.

BGP in NetFlow v5

NetFlow v5 reports the source and destination ASes, peer ASses and BGP next-hop. Let’s explain it using a network topology depicted on Picture 1. The AS3 router is configured with the legacy NetFlow v5 in ingress direction for the interface Gi0/0. Traffic is sent from AS5 to AS1 and AS collection is included in NetFlow export with the option orgin-as. In this case, NetFlow reports ASN5 as source and ASN1 as destination ASes, with the BGP next-hop 12.0.1.2. If an option peer-as is used instead of origin-as, the ASN4 and ASN2 are exported instead, along with the next-hop 12.0.1.2. In both cases, only origin or peer ASN information is exported in flows.

BGP in NetFlow v9

NetFlow v9 allows us to collect both origin-as and peers-as simultaneously as you can see from the last four lines under the flow record configuration. If traffic is sent from AS5 to AS1, Netflow reports ASN5 and ASN1 as a source and destination ASes and AS4 and AS2 as peer ASes, with the BGP next-hop 12.0.1.2 (Picture 3). Thanks to it, network operators can plan outbound traffic accordingly, carefully selecting an appropriate exit point. For instance, they can increase the weight (Cisco only) or LOCAL_PREF per neighbor or prefix basis to prefer a certain exit router to the others.

flow record BGP-record
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match ipv4 protocol
 collect counter packets
 collect counter bytes
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect routing next-hop address ipv4 bgp
 collect routing source as
 collect routing destination as
 collect routing source as peer
 collect routing destination as peer

flow monitor BGP-monitor
 record BGP-record

Picture 3: NetFlow v9 Record with Both Origin-as and Peers-as Information

While BGP implementation in NetFlow v9 provides higher AS path visibility when compared to the legacy v5, it is still limited to a partial AS view only. For instance, if we add the AS6 into the topology depicted on Picture 1 between the routers AS4 and AS5, NetFlow configured on AS3 will not report the AS6. In order to provide full BGP path visibility and path utilization, BGP must be bundled with NetFlow.

Conclusion:

BGP gives us an ability to understand how network traffic is forwarded between ASes on the Internet. BGP in conjunction with NetFlow provides information about the type and amount of traffic on the paths interconnecting ASes. However, it is only possible if BGP attributes such as AS_PATH, are extracted from the BGP table and correlated with NetFlow records.