BGP
Use Border Gateway Protocol (BGP) communities to control BGP traffic.
FAQs
Find answers to frequently asked questions about BGP.
Customers with public ASN peerings with Deft will be required, at minimum, to maintain accurate IRR records for their AUT-NUM or AS-SET.
Deft recommends deploying RPKI ROAs for IP space for better protection against route hijacking, but it is not required currently.
Customers with private ASNs are not responsible for any updates for IRR records or RPKI ROAs.
What's the Border Gateway Protocol (BGP)?
The Border Gateway Protocol (BGP) is the primary routing protocol used on the internet to determine how data packets are forwarded between autonomous systems. It works by exchanging information about available routes and their associated attributes, enabling routers to make informed decisions about the best path for routing traffic.
What's the Internet Routing Registry (IRR)?
Internet Routing Registries (IRRs) are databases that store information about how internet traffic should be routed between different networks and autonomous systems. They play a crucial role in enhancing the accuracy and efficiency of internet routing. IRRs contain records that describe the IP address prefixes and Autonomous System Numbers (ASNs) that a network owns or controls.
These records are typically created and maintained by network administrators and Internet Service Providers (ISPs). Deft and other network operators use IRR data to create and update routing policies. By consulting IRRs, network administrators can ensure that routing decisions are based on accurate and up-to-date information, which helps prevent traffic misdirection, hijacking, and other routing anomalies. This is especially important for maintaining the stability and security of the global internet.
Customers who have public BGP peerings with Deft are required to maintain accurate IRR information for their ASN. They will need to provide either an AUT-NUM or an AS-SET. If a customer would like to update the source (AUT-NUM or AS-SET) Deft uses to update routing policies, they can contact support@deft.com.
Deft updates the prefix filters using automated tools twice a day at 8AM CT and 8PM CT.
What's Routing Public Key Infrastructure (RPKI)?
Resource Public Key Infrastructure (RPKI) is a security framework designed to enhance the trustworthiness of internet routing by tying cryptographic keys to IP address prefixes.
With RPKI, organizations can create digitally signed Route Origin Authorizations (ROAs) that assert their authority over specific IP address blocks. These ROAs are then distributed through a hierarchical system of Certificate Authorities (CAs), enabling network operators to verify the legitimacy of route announcements made over the Border Gateway Protocol (BGP). RPKI helps prevent route hijacking and IP address spoofing, two common security vulnerabilities in internet routing, by allowing routers to validate that the announced routes match the cryptographic ROAs, thus increasing the overall security and reliability of the global internet routing system.
Deft currently accepts valid route announcements. For customers who have deployed RPKI, this allows for routes to be accepted immediately by both Deft and its upstream providers without having to wait for a prefix filter update to happen. IRR information is still required to be kept up to date.
Deft does not reject invalid or unknown routes at this time. Deft will start rejecting invalid routes in early 2024 and currently has no plans to reject unknown routes before then.
What's Best Current Practice 38 (BCP38)?
BCP38, short for “Best Current Practice 38,” is a network security recommendation that encourages network operators to implement source address validation in their networks.
Specifically, BCP38 advocates for the filtering of outgoing traffic so that it only contains source IP addresses that are legitimately assigned to the network. By doing so, BCP38 helps prevent the use of spoofed or forged source IP addresses, which are commonly exploited in various types of cyberattacks, including Distributed Denial of Service (DDoS) and IP address spoofing. This practice aids in maintaining the integrity and security of the global internet by ensuring that traffic leaving a network carries accurate source information, making it harder for malicious actors to manipulate or misuse IP addresses in their network traffic.
Deft will be applying filters to customer interfaces which will allow traffic with source addresses from either a prefix which has been accepted by the BGP policy or by a prefix within each customer’s IRR AUT-NUM or AS-SET. Traffic sourced from accepted valid RPKI routes will be accepted even though the IRR information hasn’t been updated on the router.
Informational Communities
Informational Communities convey how and where a route was learned by our network.
They always have 5 digits in the second half and use the following structure:
23352:TCRPP
T – The type of relationship through which the route was learned.
C – The continent in which the route was learned.
R – The region of the continent in which the route was learned.
PP – The POP city code in which the route was learned.
| VALUE | RELATIONSHIP | CONTINENT | REGION |
|---|---|---|---|
| 0 | – | All | All |
| 1 | Transit | North America | North-West |
| 2 | Public Peer | Europe | North |
| 3 | Private Peer | Asia | North-East |
| 4 | Customer | Australia | West |
| 5 | Internet | South America | Central |
| 6 | – | Africa | East |
| 7 | – | Middle East | South-West |
| 8 | – | – | South |
| 9 | – | – | South-East |
| CITY CODE | CITY / POP IDENTIFIER | CITY STATE / PROVINCE, COUNTRY |
|---|---|---|
| 11 | IAD | Ashburn VA, United States |
| 12 | NYC | New York NY, United States |
| 13 | SJC | San Jose CA, United States |
| 14 | PAO | Palo Alto CA, United States |
| 15 | SFO | San Francisco CA, United States |
| 16 | ORD | Chicago IL, United States |
| 17 | DFW | Dallas/Forth Worth TX, United States |
| 18 | LAX | Los Angeles CA, United States |
| 19 | EWR | Newark NJ, United States |
| 20 | AMS | Amsterdam, Netherlands |
| 21 | TKO | Tokyo, Japan |
| 22 | LHR | London, United Kingdom |
| 23 | ATL | Atlanta GA, United States |
| 24 | PHX | Phoenix AZ, United States |
| 25 | MTL | Montreal QC, Canada |
| 26 | TOR | Toronto ON, Canada |
| 27 | IAH | Houston TX, United States |
| 28 | SEA | Seattle WA, United States |
| 29 | DEN | Denver CO, United States |
| 30 | MIA | Miami FL, United States |
| 31 | SLC | Salt Lake City UT, United States |
| 32 | FRA | Frankfurt, Germany |
| 33 | CDG | Paris, France |
| 34 | BOS | Boston MA, United States |
| 35 | ROT | St Leon-Rot, Baden-Württemberg, Germany |
| 36 | OTP | Bucharest, Romania |
| 41 | SYD | Sydney, New South Wales, Australia |
| 55 | GRU | São Paulo, Sa Região Sudeste, Brazil |
Action Communities
Action Communities are optional communities for controlling route attributes and how they’re exported to other networks.
Action Communities can be targeted to specific peer ASNs, locations (by continent, region, city), or classes of neighbors (transits, peers, customers). They always have 4 digits in the second half and use the following structure:
ASN:A0CR or ASN:A1PP
A – The action code to be performed
C – The target continent
R – The target region
PP – The target POP city code
| ACTION CODE | ACTION |
|---|---|
| 1 | Prepend AS-PATH with 23352 on export |
| 2 | Prepend AS-PATH with 23352 23352 on export |
| 3 | Prepend AS-PATH with 23352 23352 23352 on export |
| 4 | Prepend AS-PATH with 23352 23352 23352 23352 on export |
| 5 | Set Multi-Exit Discriminator (MED) to 0 on export |
| 6 | Do not export |
| 9 | Override a Do Not Export (action code 6) |
| TARGET ASN | MEANING |
|---|---|
| 23352 | Apply action to all neighbor ASNs |
| ##### | Apply action to a specific ASN ##### |
| 65001 | Apply action to all Transits |
| 65002 | Apply action to all Peers |
| 65003 | Apply action to all Customers |
Using Action Community tags with multiple criterea:
| TARGET ASN | MEANING |
|---|---|
| 23352 | Apply action to all neighbor ASNs |
| ##### | Apply action to a specific ASN ##### |
| 65001 | Apply action to all Transits |
| 65002 | Apply action to all Peers |
| 65003 | Apply action to all Customers |
Local Preference Communities
Local Preference Communities are values that influence the best-path selection of BGP prefixes.
Local Preference Communities are values that influence the best-path selection of BGP prefixes. The local-preference attribute only applies to path selection within Deft’s network. A value of 50 will create a backup route that’s neither used nor propagated to the rest of the Internet, only becoming active if no other route is heard.
| COMMUNITY | LOCAL PREFERENCE SETTING |
NOTES |
|---|---|---|
| 23352:50 | Set local-preference to 50 | Backup route only |
| 23352:100 | Set local-preference to 100 | Default transit route |
| 23352:150 | Set local-preference to 150 | Less than peer, more than transit |
| 23352:200 | Set local-preference to 200 | Default peer route |
| 23352:250 | Set local-preference to 250 | Less than customer, more than peer |
| 23352:300 | Set local-preference to 300 | Default customer route |
| 23352:350 | Set local-preference to 350 | Preferred above other customers |
Other Communities
These miscellaneous communities don’t fit in any other format.
| COMMUNITY | MEANING |
|---|---|
| 23352:69 | Multihomed Customer Advisory Tag (this is used to automatically indicate any known issues, such as congestion or routing problems, so that multi-homed customers can match this community and divert traffic to another path) |
| 23352:666 | Null route all traffic to this prefix (requires a pre-established session with a BGP blackhole server) |
| 23352:998 | Within the Deft network, do not export the prefix outside of the current continent |
| 23352:999 | Within the Deft network, do not export the prefix outside of the current region |
| 23352:5000 | Anycast |
