Understanding BGP NetFlow Analysis: A Tutorial
Analyzing NetFlow with BGP Insights
Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information between autonomous systems (an AS is a fully operational, independently administered network) connected to the Internet. BGP is the protocol used for routing on the Internet. BGP has visibility into all Internet networks, mapping them out as Autonomous Systems and showing which Autonomous Systems a packet flow has to pass through on its way from the source to the destination IP address.
The paths or routes between Autonomous Systems are composed of the AS number (ASN) of every AS along the route to a given destination AS. Border routers use BGP to “advertise” these routes to and from an AS to the other systems that need them in order to deliver traffic to another network.
Route advertisement helps a network operator in two ways that are critical to managing traffic flows across their network efficiently. First, it allows informed routing decisions about the best path for outbound traffic to take from the network; otherwise border routers would default to the same route for all traffic flows destined for transit providers. Second, operators can advertise their own routes to those transit providers, which in turn make them available to their peering routers and to external transit routers.
BGP Traffic Analysis with NetFlow
Analyzing BGP paths is a very effective way to understand how network traffic is traversing the Internet. BGP routing information alone, however, does not provide visibility to how much traffic is on any given path. In order to do this, the BGP data needs to be correlated with NetFlow data so that not only the paths available in the network are shown, but also what paths are actually being used and the traffic volume on each path between autonomous systems.
Support for BGP fields, starting with NetFlow v5, enabled the export of source AS, destination AS, and BGP next hop. The BGP next hop made it possible for network engineers to know which BGP peer, and hence which neighbor AS, outbound traffic was flowing through. More recently, traffic flow analysis solutions have used passive BGP peerings to gather routing updates directly from the protocol.
This enables various use cases for network monitoring and peering analysis:
- Quickly notice AS path, peering, or traffic engineering anomalies
- Pick a specific peer, customer, or site and see a complete view of where the traffic is coming from, passing through, and exiting
- See in a snapshot which countries/regions/cities traffic is going to or coming from
- View traffic on a single BGP path and see how it changed over time
- Determine least cost path routing depending on traffic volumes and paths
This analysis can be used by network operators to answer fundamental questions about their network including:
- Who is my traffic going to? Which AS paths is it taking? Which country or region does it terminate in?
- Whom should I connect (peer) to? Which transit provider is the most cost effective?
- How much is traffic costing me for a particular server, customer, or peer?
- Should I add more circuit capacity to my network? What paths?
- Do I need new peering agreements to reduce traffic costs?
BGP NetFlow analysis correlates NetFlow records with BGP routing information, so that the AS paths are not only visualized but the amount of traffic traversing each of them is shown in real time. BGP-based peering analysis can be performed on this data in real time using different filters, without building a presentation dataset from scratch. Real-time analysis of the full dataset greatly expands the number of operationally relevant use cases, because the questions you can ask are never limited by predefined reporting tables that had to be populated in advance. In this approach, the combination of filters on which a query can be run in real time is nearly unlimited, and because you can ask what you want when you want, the presentation of BGP traffic paths can be completely interactive, and therefore far more intuitive.
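As an added illustration (not code from the original page or from any particular product), the Python snippet below correlates a handful of constructed NetFlow v5-style records with a constructed BGP RIB snapshot: it does a longest-prefix match of each flow's destination against the RIB, attributes bytes to the full AS path and to the neighbor AS behind the exported BGP next hop, and flags flows whose next-hop peer disagrees with the RIB path or that have no route at all. Every prefix, ASN, next-hop address and byte count is made up for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed BGP RIB snapshot (prefix -> AS path learned via a passive peering);
# every prefix, ASN and byte count in this example is made up for illustration.
RIB = {
    "203.0.113.0/24": (64510, 64530),
    "198.51.100.0/24": (64520, 64540),
    "198.51.100.128/25": (64510, 64540),   # more specific route via a different neighbor
}
# Which neighbor AS sits behind each BGP next hop exported in the flow records (constructed).
PEERS = {"192.0.2.1": 64510, "192.0.2.2": 64520}

# Constructed NetFlow v5-style records: destination, bytes, dst AS, BGP next hop.
FLOWS = [
    {"dst": "203.0.113.7", "bytes": 1500, "dst_as": 64530, "next_hop": "192.0.2.1"},
    {"dst": "198.51.100.9", "bytes": 2500, "dst_as": 64540, "next_hop": "192.0.2.2"},
    {"dst": "198.51.100.200", "bytes": 4000, "dst_as": 64540, "next_hop": "192.0.2.1"},
    {"dst": "203.0.113.50", "bytes": 100, "dst_as": 64530, "next_hop": "192.0.2.2"},
    {"dst": "100.64.0.1", "bytes": 300, "dst_as": 0, "next_hop": "192.0.2.1"},
]

def lookup(rib, ip):
    """Longest-prefix match of a flow's destination address against the RIB."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, path in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best[1] if best else None

def correlate(flows, rib, peers):
    """Attribute flow bytes to full AS paths (from the RIB) and to neighbor ASes
    (from the exported next hop). A flow is flagged when the RIB has no route for
    it, or when the neighbor behind its next hop is not the first AS of the RIB
    path, i.e. the router forwards on a path the passive peering does not show."""
    per_path, per_neighbor, anomalies = defaultdict(int), defaultdict(int), []
    for f in flows:
        neighbor = peers.get(f["next_hop"])
        per_neighbor[neighbor] += f["bytes"]
        path = lookup(rib, f["dst"])
        if path is None:
            anomalies.append((f["dst"], "no route in RIB"))
            continue
        per_path[path] += f["bytes"]
        if neighbor != path[0]:
            anomalies.append((f["dst"], f"next hop AS {neighbor} vs RIB path {path}"))
    return dict(per_path), dict(per_neighbor), anomalies

if __name__ == "__main__":
    for table in correlate(FLOWS, RIB, PEERS):
        print(table)
```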
To get other expert perspectives and details on BGP and NetFlow Analysis see these blog posts…