
Overloading BGP for VPN Can Be Harmful

BGP/MPLS has become an increasingly popular proposal to provide network-based VPN service. Ruixi Yuan discusses why this approach of overloading BGP to solve VPN problems is considered harmful to both BGP and VPN. He is a co-author of Virtual Private Networks: Technologies and Solutions (Addison-Wesley, 2001, ISBN 0201702096).

Other than TCP/IP itself, Border Gateway Protocol (BGP) is perhaps the most important protocol for the Internet. The importance of BGP to the Internet cannot be overstated; it's the ingredient that glues together all the different autonomous systems (ASs) spanning the entire globe and under various administrative authorities. Each AS is a collection of routers and network links that uses local policies for selecting and advertising routes.

From a protocol point of view, BGP is amazingly simple; there are only four message types, and its finite state machine has only six states. However, BGP has proven to be a complex protocol to implement. This is the direct result of the large number of attributes that BGP supports. The criteria for selecting routes can vary considerably, based on the policies applied. For example, the need to prevent black holes makes the injection of routes into the forwarding table and the condition for advertising routes into BGP necessarily complex. The presence of policies and absence of route-refreshing schemes forces the BGP speaker to keep separate copies for both the incoming routes and outgoing routes for each peer.

BGP has proven to be an even more complex protocol to operate. This is again the consequence of the complexity of the inter-domain routing system, which directly corresponds to the combined complexity of the network topology, the attributes of the routes, and the policies governing the route selections.

The Art of BGP

Consider the following facts about running BGP on the Internet:

  • The BGP protocol is not guaranteed to converge.

  • An unfiltered Internet routing table has about 120,000 entries.

  • There are about 11,000 active ASs on the Internet, and their connectivity graph can be arbitrary based on public and private peer arrangements.

  • There are possibly several tens of BGP sessions, both internal and external, to be managed for a single router.

Because of the complexity of BGP and the dynamic nature of the Internet, the operation of BGP on an ISP backbone has long been more of an art than a science. Only the most senior backbone routing engineers are permitted to change BGP configurations for the core routers, and configurations usually are not changed until things are broken. Data from the daily CIDR report suggests that simple route aggregation could drastically reduce the size of the Internet routing table. For example, a reduction of 35% of announced routes from the top 30 ASs can be achieved.
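To make the aggregation the CIDR report measures concrete, here is an added example (not code from the article or from the CIDR report itself) that estimates how much a table would shrink if adjacent or redundant prefixes announced by the same origin AS were merged. The announcements and AS numbers below are constructed, and the routine simplifies the report's rule by comparing only the origin AS rather than the full AS path.

```python
"""Estimate how much simple route aggregation would shrink a routing table,
in the spirit of the daily CIDR report: adjacent halves or covered more-specifics
announced by the SAME origin AS can be merged without changing forwarding.
Assumption: only the origin AS is compared, not the full AS path.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of (prefix, origin AS) announcements; the AS numbers and
# address blocks are illustrative only, not taken from any real table.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/25", 64500),      # two halves of 192.0.2.0/24, same AS
    ("192.0.2.128/25", 64500),
    ("198.51.100.0/24", 64501),   # covering aggregate ...
    ("198.51.100.0/26", 64501),   # ... plus redundant more-specifics
    ("198.51.100.64/26", 64501),
    ("203.0.113.0/25", 64502),    # two halves from DIFFERENT ASs: keep both
    ("203.0.113.128/25", 64503),
    ("2001:db8::/33", 64500),     # IPv6 halves from one AS
    ("2001:db8:8000::/33", 64500),
]


def aggregate_by_origin(announcements):
    """Return {origin_as: [collapsed networks]} for a list of (prefix, asn)."""
    by_origin = defaultdict(list)
    for prefix, asn in announcements:
        by_origin[asn].append(ipaddress.ip_network(prefix, strict=True))
    aggregated = {}
    for asn, nets in by_origin.items():
        # collapse_addresses accepts only one address family per call
        v4 = [n for n in nets if n.version == 4]
        v6 = [n for n in nets if n.version == 6]
        aggregated[asn] = (list(ipaddress.collapse_addresses(v4))
                           + list(ipaddress.collapse_addresses(v6)))
    return aggregated


def aggregation_report(announcements):
    """Return (before, after, percent_reduction) for the whole table."""
    before = len(announcements)
    after = sum(len(nets) for nets in aggregate_by_origin(announcements).values())
    reduction = round(100.0 * (before - after) / before, 1) if before else 0.0
    return before, after, reduction


if __name__ == "__main__":
    b, a, pct = aggregation_report(SAMPLE_ANNOUNCEMENTS)
    print(f"{b} announced prefixes -> {a} after aggregation ({pct}% fewer)")
```

Prefixes from different origin ASs are deliberately never merged, because the merged route would change the forwarding decision for one of them.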

Interestingly, although the clear advantages of simple route aggregation have been pointed out, little has been done to achieve it. Perhaps only the network engineering departments that manage those autonomous systems can answer this question precisely. The reasons may be twofold. First, the network environment is highly dynamic, and any gain achieved may be only transient, thus not warranting the effort of implementing it. Second, there is a lack of expertise in BGP policy management within the organization, so the necessary changes cannot be implemented.
