The implementation of BGP in Kentik Detect is covered in the following topics:
This topic provides the following general information about using BGP in Kentik Detect.
Border Gateway Protocol (BGP) is a Layer 4 protocol that facilitates the interconnection of autonomous systems (AS) in order to route traffic across the Internet. The BGP specification describes a dynamically updated path-vector protocol that uses an AS Path attribute to provide routing information. A path is made up of a list of AS numbers (ASNs) that define a route to a destination network. If connected over TCP (port 179) and configured to peer, BGP-enabled routers will become “neighbors” and exchange routing information. BGP prevents looping because routers will not import routes that contain their own ASN.
Note: The current standard for BGP is defined in RFC 4271.
Kentik Detect is able to collect BGP routing information and associate that data with individual flows as they are ingested into the Kentik Data Engine (KDE) datastore, thereby enabling queries that encompass flow routing. As KDE receives flow data (NetFlow, etc.), src/dst IP flow data can be correlated to BGP prefix information in order to extract source and destination AS Path and community information on a per-flow basis. This information is then stored in the KDE. Specifically:
- For each row of flow in the KDE, the src_as and dst_as values are calculated from the routing table of the router sending the flow. If that information isn’t present in the table then those values are taken from a Kentik-provided global (generic) routing table.
- For each row of flow in the KDE, the source and destination _bgp_aspath, _bgp_community, and _nexthop_as fields are derived from the route associated with the src and dst IPs.
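The lookup described above can be sketched as follows. This is an added example, not Kentik's code: the tables are constructed samples using documentation prefixes and ASNs, the `src_`/`dst_` column names are assumed from the field suffixes above, and it assumes the global table supplies only the AS number.

```python
import ipaddress

# Constructed sample data: documentation prefixes and documentation ASNs.
DEVICE_ROUTES = {  # routing table learned from the router that sent the flow
    "203.0.113.0/24":   {"as_path": "64500 64510", "community": "64500:100"},
    "203.0.113.128/25": {"as_path": "64501 64511", "community": "64501:200"},
}
GLOBAL_ROUTES = {"198.51.100.0/24": 64505}  # generic fallback: prefix -> AS


def longest_match(ip, table):
    """Return (network, value) for the most specific prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(p), v) for p, v in table.items()]
    hits = [(n, v) for n, v in nets if n.version == addr.version and addr in n]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def bgp_fields(ip, side):
    """Build the BGP columns for one side ('src' or 'dst') of a flow row."""
    row = {f"{side}_as": 0, f"{side}_bgp_aspath": "",
           f"{side}_bgp_community": "", f"{side}_nexthop_as": 0}
    hit = longest_match(ip, DEVICE_ROUTES)
    if hit:
        route = hit[1]
        asns = [int(a) for a in route["as_path"].split()]
        row[f"{side}_as"] = asns[-1]         # origin AS is the last ASN in the path
        row[f"{side}_nexthop_as"] = asns[0]  # neighbor AS is the first ASN
        row[f"{side}_bgp_aspath"] = route["as_path"]
        row[f"{side}_bgp_community"] = route["community"]
    else:
        fallback = longest_match(ip, GLOBAL_ROUTES)
        if fallback:
            row[f"{side}_as"] = fallback[1]  # assumption: only the AS is known here
    return row


def enrich(flow):
    """Attach source and destination BGP columns to a flow record."""
    return {**flow, **bgp_fields(flow["src_ip"], "src"),
            **bgp_fields(flow["dst_ip"], "dst")}


if __name__ == "__main__":
    print(enrich({"src_ip": "203.0.113.200", "dst_ip": "198.51.100.7", "bytes": 1500}))
```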
The correlation of flow and BGP information is primarily of value to Kentik Detect customers interested in the following use cases:
- To create tags based on BGP routing.
- To enable filtering that can make query results more customer-specific than using BGP data from Kentik’s global routing table, which is not specific to any one customer.
- To enable BGP-correlated traffic analysis.
- To enable sophisticated peering analytics (see Peering Analytics).
The following sections cover the BGP features currently implemented in the Kentik Detect portal:
The Device List on the portal’s Devices page provides the following columns with information about BGP activity for each listed device:
- BGP Enabled: Indicates whether BGP Peering is (checkmark icon) or is not (no icon) enabled in the settings for the device.
- BGP Routes last 5m: Number of routes currently (last 5 minutes) in the BGP routing table.
- BGP updates last 24h: Number of routing table updates in last 24 hours.
The collection of BGP data by Kentik Detect allows incoming flows to be assigned tags (see Tag Settings) that match communities and AS paths or partial paths. Tags are applied (separately for source and destination) at the time that flow is ingested into the KDE (for further information see Flow Overview). You can then use tags to narrow query results by applying them using src and dst filter functions in the Data Explorer and Query Builder pages of the Kentik Detect portal.
Note: A given tag is applied only to flows arriving after that tag was created.
For both AS Path tags and BGP community tags, matches are made on substrings:
- BGP AS path tags: Entering “10” in the as-path field will match any path that includes “10”, “100”, “010”, etc. A subset of standard regex (see table below) is supported, however, meaning that a value of “_10_” will match only paths that include ASN 10, including “10 ”, “ 10”, and “ 10 ”. Also allowed are tags where as-path is specified as, for example, “_10 100_”.
- BGP community tags: Tags on communities are similar to tags on AS paths except that they also support the use of periods. This allows you to specify, for example, “2000:1....” to find any flow with community 2000:1xxxx in it.
The following table shows the regex special characters that are supported when specifying the BGP AS Path and BGP Community:
| Character | Description |
|---|---|
| _ | Start of string, end of string, or “ ” (space) |
| . | Any single character, including white space |
| [] | The characters, or a range of characters separated by a hyphen, contained within square brackets. |
| ^ | The character or null string at the beginning of an input string. |
| ? | Zero or one occurrence of the pattern containing the question mark. |
| $ | End of string |
| * | Zero or more sequences of the preceding character. Also acts as a wildcard for matching any number of characters. |
| + | One or more sequences of the preceding character. |
| () | Used for nesting of expressions. |
Note: For BGP community and AS path tags, any spaces at the beginning or end of the input field and also before and after each comma will be removed.
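The matching rules above can be tried out with the following added example, which is not Kentik's implementation. It translates a tag value into a Python regex according to the table, and assumes that commas separate alternative values and that a flow's communities are stored as one space-separated string.

```python
import re

# Digits, space and colon, plus the special characters listed in the table.
ALLOWED = set("0123456789 :_.[]-^?$*+()")


def normalize(field):
    """Trim the field and the spaces around each comma, per the note above."""
    return [v.strip() for v in field.split(",") if v.strip()]


def compile_tag(value):
    """Translate one tag value into a regex that is searched as a substring."""
    bad = set(value) - ALLOWED
    if bad:
        raise ValueError(f"unsupported characters in tag value: {sorted(bad)}")
    # "_" stands for start of string, end of string, or a space; every other
    # supported character already has the same meaning in Python's re module.
    return re.compile(value.replace("_", "(?:^|$| )"))


def tag_matches(field, attribute):
    """True if any value in the tag field matches the AS path or community string."""
    return any(compile_tag(v).search(attribute) for v in normalize(field))


if __name__ == "__main__":
    # Constructed sample AS paths and community strings.
    samples = [
        ("10", "64500 100 64510"),            # bare substring: matches inside 100
        ("_10_", "64500 100 64510"),          # delimited: ASN 10 is not in this path
        ("_10_", "64500 10 64510"),
        ("_10 100_", "64500 10 100"),
        ("2000:1....", "2000:12345"),
        ("2000:1....", "2000:123 3000:1"),    # "." also matches the space
        ("_2000:1...._", "2000:123 3000:1"),
    ]
    for field, attribute in samples:
        print(f"{field!r:16} vs {attribute!r:20} -> {tag_matches(field, attribute)}")
```

Because “.” also matches a space, “2000:1....” matches across the boundary between the two communities in “2000:123 3000:1”; under this translation, wrapping the value in underscores avoids that.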
BGP data can be used for both grouping and filtering in the Data Explorer in the Kentik Portal:
- BGP grouping: The use of BGP data for grouping (SQL GROUP BY clause) is enabled with the BGP-related options on the Group by Metric drop-down menu.
- BGP filtering: The use of BGP data to filter query results (effectively SQL WHERE clauses) in ANDed or ORed groups is enabled with the Filters sidebar.
The following types of BGP-related data are supported in grouping and filtering for both source path and destination path:
- Route Prefix
- Route LEN
- BGP AS_PATH
- BGP Community
- Next Hop IP/CIDR
- Next Hop AS Number
- Next Hop AS Name
- 2nd BGP_Hop AS Number
- 2nd BGP_Hop AS Name
- 3rd BGP_Hop AS Number
- 3rd BGP_Hop AS Name
The BGP data collected by Kentik Detect may be used for sophisticated analytics in the Kentik Portal, including peering analysis that can show you, using diagrams and tables, the Autonomous Systems that traffic leaving your network passes through on the way to its destination. For further information please refer to Peering Analytics.