BGP

Use Border Gateway Protocol (BGP) communities to control BGP traffic.

FAQs

Find answers to frequently asked questions about BGP.

Customers with public ASN peerings with Deft will be required, at minimum, to maintain accurate IRR records for their AUT-NUM or AS-SET.

Deft recommends deploying RPKI ROAs for IP space for better protection against route hijacking, but it is not required currently.

Customers with private ASNs are not responsible for any updates for IRR records or RPKI ROAs.

What's the Border Gateway Protocol (BGP)?

The Border Gateway Protocol (BGP) is the primary routing protocol used on the internet to determine how data packets are forwarded between autonomous systems. It works by exchanging information about available routes and their associated attributes, enabling routers to make informed decisions about the best path for routing traffic.

What's the Internet Routing Registry (IRR)?

Internet Routing Registries (IRRs) are databases that store information about how internet traffic should be routed between different networks and autonomous systems. They play a crucial role in enhancing the accuracy and efficiency of internet routing. IRRs contain records that describe the IP address prefixes and Autonomous System Numbers (ASNs) that a network owns or controls.

These records are typically created and maintained by network administrators and Internet Service Providers (ISPs). Deft and other network operators use IRR data to create and update routing policies. By consulting IRRs, network administrators can ensure that routing decisions are based on accurate and up-to-date information, which helps prevent traffic misdirection, hijacking, and other routing anomalies. This is especially important for maintaining the stability and security of the global internet.

Customers who have public BGP peerings with Deft are required to maintain accurate IRR information for their ASN. They will need to provide either an AUT-NUM or an AS-SET. If a customer would like to update the source (AUT-NUM or AS-SET) Deft uses to update routing policies, they can contact support@deft.com.

Deft updates the prefix filters using automated tools twice a day at 8AM CT and 8PM CT.

What's Resource Public Key Infrastructure (RPKI)?

Resource Public Key Infrastructure (RPKI) is a security framework designed to enhance the trustworthiness of internet routing by tying cryptographic keys to IP address prefixes.

With RPKI, organizations can create digitally signed Route Origin Authorizations (ROAs) that assert their authority over specific IP address blocks. These ROAs are then distributed through a hierarchical system of Certificate Authorities (CAs), enabling network operators to verify the legitimacy of route announcements made over the Border Gateway Protocol (BGP). RPKI helps prevent route hijacking and IP address spoofing, two common security vulnerabilities in internet routing, by allowing routers to validate that the announced routes match the cryptographic ROAs, thus increasing the overall security and reliability of the global internet routing system.

Deft currently accepts valid route announcements. For customers who have deployed RPKI, this allows for routes to be accepted immediately by both Deft and its upstream providers without having to wait for a prefix filter update to happen. IRR information is still required to be kept up to date.

Deft does not reject invalid or unknown routes at this time. Deft will start rejecting invalid routes in early 2024 and currently has no plans to reject unknown routes before then.
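
The valid, invalid and unknown states mentioned above come from route origin validation (RFC 6811). The following Python sketch is an added example, not Deft's code: the ROAs are constructed from documentation prefixes and ASNs, and `accept_route` is a hypothetical, simplified model of the acceptance policy this FAQ describes, assuming the IRR-built prefix filter decides every route that is not valid.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # address block the ROA covers
    max_length: int  # longest prefix length the holder allows in BGP
    asn: int         # AS authorized to originate the block

# Constructed sample ROAs: documentation prefixes and documentation ASNs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("203.0.113.0/24", 25, 64497),
    ROA("2001:db8::/32", 48, 64496),
]

def rov_state(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'unknown' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        if route.version != block.version or not route.subnet_of(block):
            continue                      # this ROA says nothing about the route
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"                # one matching ROA is enough
    # Covered by a ROA but no match: wrong origin AS or too specific.
    return "invalid" if covered else "unknown"

def accept_route(prefix, origin_asn, in_prefix_filter, reject_invalid=False):
    """Simplified model (assumption) of the acceptance policy described above."""
    state = rov_state(prefix, origin_asn)
    if state == "valid":
        return True                       # accepted without waiting for the filter
    if state == "invalid" and reject_invalid:
        return False                      # behaviour announced for early 2024
    return in_prefix_filter               # otherwise the IRR-built filter decides
```

A more-specific announcement inside a ROA'd block is invalid unless the ROA's maximum length permits it, which is why the `/26` under the `/24` ROA with maximum length 25 fails while the `/25` passes.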

What's Best Current Practice 38 (BCP38)?

BCP38, short for “Best Current Practice 38,” is a network security recommendation that encourages network operators to implement source address validation in their networks.

Specifically, BCP38 advocates for the filtering of outgoing traffic so that it only contains source IP addresses that are legitimately assigned to the network. By doing so, BCP38 helps prevent the use of spoofed or forged source IP addresses, which are commonly exploited in various types of cyberattacks, including Distributed Denial of Service (DDoS) and IP address spoofing. This practice aids in maintaining the integrity and security of the global internet by ensuring that traffic leaving a network carries accurate source information, making it harder for malicious actors to manipulate or misuse IP addresses in their network traffic.

Deft will be applying filters to customer interfaces that allow traffic with source addresses from either a prefix that has been accepted by the BGP policy or a prefix within each customer’s IRR AUT-NUM or AS-SET. Traffic sourced from accepted valid RPKI routes will be accepted even if the IRR information hasn’t been updated on the router.

Informational Communities

Informational Communities convey how and where a route was learned by our network.

They always have 5 digits in the second half and use the following structure:

23352:TCRPP

T – The type of relationship through which the route was learned.
C – The continent in which the route was learned.
R – The region of the continent in which the route was learned.
PP – The POP city code in which the route was learned.

| VALUE | RELATIONSHIP | CONTINENT | REGION |
|---|---|---|---|
| 0 | | All | All |
| 1 | Transit | North America | North-West |
| 2 | Public Peer | Europe | North |
| 3 | Private Peer | Asia | North-East |
| 4 | Customer | Australia | West |
| 5 | Internet | South America | Central |
| 6 | | Africa | East |
| 7 | | Middle East | South-West |
| 8 | | | South |
| 9 | | | South-East |

| CITY CODE | CITY / POP IDENTIFIER | CITY | STATE / PROVINCE, COUNTRY |
|---|---|---|---|
| 11 | IAD | Ashburn | VA, United States |
| 12 | NYC | New York | NY, United States |
| 13 | SJC | San Jose | CA, United States |
| 14 | PAO | Palo Alto | CA, United States |
| 15 | SFO | San Francisco | CA, United States |
| 16 | ORD | Chicago | IL, United States |
| 17 | DFW | Dallas/Fort Worth | TX, United States |
| 18 | LAX | Los Angeles | CA, United States |
| 19 | EWR | Newark | NJ, United States |
| 20 | AMS | Amsterdam | Netherlands |
| 21 | TKO | Tokyo | Japan |
| 22 | LHR | London | United Kingdom |
| 23 | ATL | Atlanta | GA, United States |
| 24 | PHX | Phoenix | AZ, United States |
| 25 | MTL | Montreal | QC, Canada |
| 26 | TOR | Toronto | ON, Canada |
| 27 | IAH | Houston | TX, United States |
| 28 | SEA | Seattle | WA, United States |
| 29 | DEN | Denver | CO, United States |
| 30 | MIA | Miami | FL, United States |
| 31 | SLC | Salt Lake City | UT, United States |
| 32 | FRA | Frankfurt | Germany |
| 33 | CDG | Paris | France |
| 34 | BOS | Boston | MA, United States |
| 35 | ROT | St Leon-Rot | Baden-Württemberg, Germany |
| 36 | OTP | Bucharest | Romania |
| 41 | SYD | Sydney | New South Wales, Australia |
| 55 | GRU | São Paulo | Sa Região Sudeste, Brazil |

Action Communities

Action Communities are optional communities for controlling route attributes and how they’re exported to other networks.

Action Communities can be targeted to specific peer ASNs, locations (by continent, region, city), or classes of neighbors (transits, peers, customers). They always have 4 digits in the second half and use the following structure:

ASN:A0CR or ASN:A1PP

A – The action code to be performed
C – The target continent
R – The target region
PP – The target POP city code

| ACTION CODE | ACTION |
|---|---|
| 1 | Prepend AS-PATH with 23352 on export |
| 2 | Prepend AS-PATH with 23352 23352 on export |
| 3 | Prepend AS-PATH with 23352 23352 23352 on export |
| 4 | Prepend AS-PATH with 23352 23352 23352 23352 on export |
| 5 | Set Multi-Exit Discriminator (MED) to 0 on export |
| 6 | Do not export |
| 9 | Override a Do Not Export (action code 6) |

| TARGET ASN | MEANING |
|---|---|
| 23352 | Apply action to all neighbor ASNs |
| ##### | Apply action to a specific ASN ##### |
| 65001 | Apply action to all Transits |
| 65002 | Apply action to all Peers |
| 65003 | Apply action to all Customers |

Using Action Community tags with multiple criteria:
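
How the target ASN and the four digits of an action community combine, as an added Python example that is not part of the original page or Deft's tooling. The function names are hypothetical, the continent and region digits are assumed to use the same value table as the informational communities, and `23352:5000` is given its Other Communities meaning (Anycast) because it would otherwise also parse as an action.

```python
import re

# Tables transcribed from this page.
ACTIONS = {1: "prepend 23352 once", 2: "prepend 23352 twice",
           3: "prepend 23352 three times", 4: "prepend 23352 four times",
           5: "set MED to 0", 6: "do not export", 9: "override do not export"}
TARGETS = {23352: "all neighbor ASNs", 65001: "all transits",
           65002: "all peers", 65003: "all customers"}
CONTINENTS = {0: "all", 1: "North America", 2: "Europe", 3: "Asia",
              4: "Australia", 5: "South America", 6: "Africa", 7: "Middle East"}
REGIONS = {0: "all", 1: "North-West", 2: "North", 3: "North-East", 4: "West",
           5: "Central", 6: "East", 7: "South-West", 8: "South", 9: "South-East"}

def decode_action(community: str) -> dict:
    """Decode one ASN:A0CR or ASN:A1PP action community."""
    m = re.fullmatch(r"([0-9]{1,5}):([0-9]{4})", community)
    if not m or int(m.group(1)) > 65535:
        raise ValueError(f"not a 4-digit action community: {community!r}")
    asn, value = int(m.group(1)), m.group(2)
    if (asn, value) == (23352, "5000"):
        # Listed under Other Communities; given precedence here (assumption).
        return {"other": "Anycast"}
    action, selector = int(value[0]), value[1]
    if action not in ACTIONS:
        raise ValueError(f"unknown action code {action}")
    out = {"action": ACTIONS[action],
           "neighbors": TARGETS.get(asn, f"AS{asn} only")}
    if selector == "0":      # A0CR: target by continent and region
        continent, region = int(value[2]), int(value[3])
        if continent not in CONTINENTS:
            raise ValueError(f"unknown continent code {continent}")
        out["where"] = f"{CONTINENTS[continent]} / {REGIONS[region]}"
    elif selector == "1":    # A1PP: target by POP city code
        out["where"] = f"POP city code {value[2:]}"
    else:
        raise ValueError(f"second digit must be 0 or 1, got {selector}")
    return out

def decode_tags(communities):
    """Decode every action community attached to one route."""
    return [decode_action(c) for c in communities]
```

Running a planned tag set through a decoder like this before announcing it catches a mistyped digit that would otherwise silently change which neighbors see the route.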

Local Preference Communities

Local Preference Communities are values that influence the best-path selection of BGP prefixes.

The local-preference attribute only applies to path selection within Deft’s network. A value of 50 will create a backup route that’s neither used nor propagated to the rest of the Internet, only becoming active if no other route is heard.

| COMMUNITY | LOCAL PREFERENCE SETTING | NOTES |
|---|---|---|
| 23352:50 | Set local-preference to 50 | Backup route only |
| 23352:100 | Set local-preference to 100 | Default transit route |
| 23352:150 | Set local-preference to 150 | Less than peer, more than transit |
| 23352:200 | Set local-preference to 200 | Default peer route |
| 23352:250 | Set local-preference to 250 | Less than customer, more than peer |
| 23352:300 | Set local-preference to 300 | Default customer route |
| 23352:350 | Set local-preference to 350 | Preferred above other customers |

Other Communities

These miscellaneous communities don’t fit in any other format.

| COMMUNITY | MEANING |
|---|---|
| 23352:69 | Multihomed Customer Advisory Tag (this is used to automatically indicate any known issues, such as congestion or routing problems, so that multi-homed customers can match this community and divert traffic to another path) |
| 23352:666 | Null route all traffic to this prefix (requires a pre-established session with a BGP blackhole server) |
| 23352:998 | Within the Deft network, do not export the prefix outside of the current continent |
| 23352:999 | Within the Deft network, do not export the prefix outside of the current region |
| 23352:5000 | Anycast |

Deft, a Summit company

2200 Busse Rd.
Elk Grove Village, IL 60007
+1 (312) 829-1111