BGP local-as, dual-as and replace-as

On Cisco routers running BGP, the command local-as can be used to tweak the AS number announced to BGP peers. This can be handy in some situations to overcome (mostly political) obstacles, but it can be harmful if not thoroughly thought out.

Under normal conditions, a BGP router will advertise routes which originate within its autonomous system (AS) with an AS path length of one, listing only its own AS number specified under BGP process configuration (e.g.router bgp 65001). Contrary to what might be assumed, the local-as command does not replace the AS number advertised to peers. Rather, it prepends it to the actual AS number, resulting in an AS path length of two. Routes advertised to neighbors with a local AS configured will appear to arrive via the specified AS, but will still be known to have originated from the actual AS.

When might this be of concern? Suppose we were to establish BGP adjacencies between three spoke routers and a central hub router, illustrated below. The hub site is AS 65000, and the three spoke sites are to be AS 65001, 65002, and 65003.

Unfortunately, the third spoke router has been misconfigured as AS 65002. The hub router expects to peer with us as AS 65003, and duly complains that something is wrong using a BGP notification. Note that 0xFDEA is the hexadecimal equivalent of the decimal AS number 65002.

%BGP-3-NOTIFICATION: received from neighbor 172.16.0.9 2/2 (peer in wrong AS) 2 bytes FDEA

There are two ways to rectify this error. The preferred way would be to reconfigure the spoke router's BGP process with the correct AS number. Unfortunately, this requires tearing down and restoring the entire BGP configuration. This might not be immediately feasible, particularly if other adjacencies have already been established using the incorrect AS number.

The other, presumably more convenient option, is to associate a local AS with the hub router adjacency using thelocal-as parameter. The relevant configuration would look like this:

router bgp 65002
 neighbor 172.16.0.9 remote-as 65000
 neighbor 172.16.0.9 local-as 65003
 !
 address-family ipv4
  neighbor 172.16.0.9 activate
 exit-address-family

From the hub router, it appears that R3 is advertising the 192.168.3.0/24 network as AS 65003, but the route appears to have originated in AS 65002:

Hub# show ip bgp 192.168.0.0 255.255.0.0 longer-prefixes
BGP table version is 10, local router ID is 172.16.0.9
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 192.168.1.0      172.16.0.2               0             0 65001 ?
*> 192.168.2.0      172.16.0.6               0             0 65002 ?
*> 192.168.3.0      172.16.0.10              0             0 65003 65002 ?

While this hack is effective in establishing the BGP adjacency, it prevents the networks behind R2 and R3 from communicating with one another. This is because BGP routers don't install routes advertised with their own AS in the path. In fact, the hub router, knowing this rule, doesn't even propagate the networks advertised by R3 to R2:

R2# show ip bgp neighbors 172.16.0.5 received-routes
BGP table version is 5, local router ID is 192.168.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/30    172.16.0.5                             0 65000 65001 ?
*> 192.168.1.0      172.16.0.5                             0 65000 65001 ?

Total number of prefixes 2 

The reverse is also true for routes advertised from R2 toward R3. Thus, the networks behind R2 and R3 can both talk to the networks behind R1, but not to one another. Only when R3 is reconfigured with the proper BGP AS will full communication be established.

router bgp 65003
 neighbor 172.16.0.9 remote-as 65000
 !
 address-family ipv4
  neighbor 172.16.0.9 activate
 exit-address-family

R2# show ip bgp neighbors 172.16.0.5 received-routes
BGP table version is 11, local router ID is 192.168.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network          Next Hop            Metric LocPrf Weight Path
*> 172.16.0.0/30    172.16.0.5                             0 65000 65001 ?
*> 172.16.0.8/30    172.16.0.5                             0 65000 65003 ?
*> 192.168.1.0      172.16.0.5                             0 65000 65001 ?
*> 192.168.3.0      172.16.0.5                             0 65000 65003 ?

Total number of prefixes 4 

---------------------------------------------

… making your network appear as a set of nested autonomous systems:There are two reasons for the weird AS path:

R1 inserts local-as into inbound EBGP updates
R2 (configured like R1) inserts local-as as well as its real AS (65001) in outbound EBGRP update

To fix the AS path, you need the BGP Support for Dual AS Configuration introduced in IOS release 12.3T. This feature adds two options to the local-as configuration command:

no-prepend disables local-as prepending on incoming EBGP updates;
replace-as replaces router's own AS with local-as on outgoing EBGP updates.

When the configuration on R1 and R2 includes these two keywords …:
router bgp 65001
 neighbor 10.1.0.2 remote-as 10
 neighbor 10.1.0.2 local-as 20 no-prepend replace-as
 neighbor 10.1.0.2 description EBGP to AS 10
… the path propagated through AS 65001/AS 20 looks as expected:
AS30#show ip bgp | include 20
*> 172.16.0.0     10.1.0.5     0 20 10 i

BGP 4-byte ASN

Prior to January 2009, BGP autonomous system numbers that were allocated to companies were 2-octet numbers in the range from 1 to 65535 as described in RFC 4271, A Border Gateway Protocol 4 (BGP-4). Due to increased demand for autonomous system numbers, the Internet Assigned Number Authority (IANA) will start in January 2009 to allocate four-octet autonomous system numbers in the range from 65536 to 4294967295. RFC 5396, Textual Representation of Autonomous System (AS) Numbers, documents three methods of representing autonomous system numbers. Cisco has implemented the following two methods:

•  Asplain--Decimal value notation where both 2-byte and 4-byte autonomous system numbers are represented by their decimal value. For example, 65526 is a 2-byte autonomous system number and 234567 is a 4-byte autonomous system number.
•  Asdot--Autonomous system dot notation where 2-byte autonomous system numbers are represented by their decimal value and 4-byte autonomous system numbers are represented by a dot notation. For example, 65526 is a 2-byte autonomous system number and 1.169031 is a 4-byte autonomous system number (this is dot notation for the 234567 decimal number).

Formula to calculate ASN 4bytes(quotient.remainder):
Example for AS 769672:

quotient => 769672 / 65536 = 11
remainder = 769672 - (11*65536) = 48776
Result: AS 11.48776 

 BGP TTL Security

By default, IOS sends BGP messages to EBGP neighbors with an IP time-to-live (TTL) of 1. (This can be adjusted with ebgp-multihop attached to the desired neighbor or peer group under BGP configuration.) Sending BGP messages with a TTL of one requires that the peer be directly connected, or the packets will expire in transit. Likewise, a BGP router will only accept incoming BGP messages with a TTL of 1 (or whatever value is specified byebgp-multihop), which can help mitigate spoofing attacks.

However, there is an inherent vulnerability to this approach: it is trivial for a remote attacker to adjust the TTL of sent packets so that they appear to originating from a directly-connected peer.

By spoofing legitimate-looking packets toward a BGP router at high volume, a denial of service (DoS) attack may be accomplished.

A very simple solution to this, as discussed in RFC 5082, is to invert the direction in which the TTL is counted. The maximum value of the 8-bit TTL field in an IP packet is 255; instead of accepting only packets with a TTL set to 1, we can accept only packets with a TTL of 255 to ensure the originator really is exactly one hop away. This is accomplished on IOS with the TTL security feature, by appending ttl-security hops <count> to the BGP peer statement.

Only BGP messages with an IP TTL greater than or equal to 255 minus the specified hop count will be accepted. TTL security and EBGP multihop are mutually exclusive; ebgp-multihop is no longer needed when TTL security is in use.

BGP Disable-Connected-Check vs eBGP Multihop

Disable-connected-check enables a directly connected eBGP neighbor to peer using a loopback address without adjusting the default TTL of 1. What normally happens for eBGP neighbor statements, is that a check is done on the router to confirm that the neighbor is listed as being directly connected in the routing table. If eBGP neighbors are peering using loopbacks then the address of the neighbor will not listed as being directly connected in the routing table, and it is therefore not possible to complete this check. However with disable-connected-check, this particular check is not enforced. However, the default TTL of 1 still applies.  So it is compulsory that the neighbor is only ever a maximum of one hop away.  The difference with eBGP multihop, is that you can specify how many hops away a neighbor is allowed to be. You are actually adjusting the TTL instead.

In the diagram below, I’m going to start by configuring BGP between R1 & R2 using loopbacks over their directly connected fa0/0 interfaces with #disable-connected-check.

R1(config-router)#neighbor 2.2.2.2 remote-as 2
R1(config-router)#neighbor 2.2.2.2 update-source lo0
R1(config-router)#neighbor 2.2.2.2 disable-connected-check
R1(config-router)#ip route 2.2.2.2 255.255.255.255 12.12.12.2
R1(config)#
*Mar 1 00:17:22.095: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Up

R2(config)#router bgp 2
R2(config-router)#neighbor 1.1.1.1 remote-as 1
R2(config-router)#neighbor 1.1.1.1 update-source lo0
R2(config-router)#neighbor 1.1.1.1 disable-connected-check
R2(config-router)#ip route 1.1.1.1 255.255.255.255 12.12.12.1
R2(config)#
*Mar 1 00:17:22.083: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

As you can see, the neighbors came straight up. If I now try and use the path via R1-R3-R4-R2, i.e. a path that is not directly connected, the neighbors will not establish a session because the ttl will only be set to 1, and therefore cause a reachability problem. This is shown below.

R2(config)#int fa0/0
R2(config-if)#shut
R2(config-if)#no ip route 1.1.1.1 255.255.255.255 12.12.12.1
R2(config-if)#ip route 1.1.1.1 255.255.255.255 24.24.24.2
//Note that 24.24.24.2 = R4//
R2(config)#end

R1(config)#int fa0/0
R1(config-if)#shut
R1(config-if)#no ip route 2.2.2.2 255.255.255.255 12.12.12.2
R1(config-if)#ip route 2.2.2.2 255.255.255.255 13.13.13.2
//Note that 13.13.13.2 = R3//
R1(config-if)#do ping 2.2.2.2 so lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/80 ms

R1(config-if)#
R1(config-if)#
*Mar 1 00:25:23.763: %BGP-5-ADJCHANGE: neighbor 2.2.2.2 Down BGP Notification sent
R1(config-if)#
*Mar  1 00:25:23.763: %BGP-3-NOTIFICATION: sent to neighbor 2.2.2.2 4/0 (hold time expired) 0 bytes

R1#sh ip bgp sum
BGP router identifier 1.1.1.1, local AS number 1
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2.2.2.2         4     2       8      12        0    0    0 00:04:33 Active

So because the neighbor is no longer 1 hop away (regarding disable-connected-check) the session drops, a notification is sent, and the hold time expires. However if I use ebgp-multihop instead of the disable-connected check, the session will form (because we increased the TTL). This is shown below.

R1(config)#router bgp 1
R1(config-router)#no neighbor 2.2.2.2 disable-connected-check
R1(config-router)#neighbor 2.2.2.2 ebgp-multihop 3

R2(config)#router bgp 2
R2(config-router)#no neighbor 1.1.1.1 disable-connected-check
R2(config-router)#neighbor 1.1.1.1 ebgp-multihop 3

*Mar 1 00:41:45.159: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up

R2#sh ip bgp sum
BGP router identifier 2.2.2.2, local AS number 2
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
1.1.1.1         4     1      27      31        1    0    0 00:15:02      0

In conclusion, if you want to use the disable-connected-check feature, then ensure the neighbor is directly connected. Otherwise, you need to use ebgp-multihop, or ttl-security to establish the session.