BGP message format analysis

Types of BGP packets:

[Figure: BGP packet types]

Because BGP runs on top of TCP, a standard TCP three-way handshake must complete before a BGP peering can be established, and the connection is opened to port 179 on the remote end. TCP provides reliable transport and handles retransmission, acknowledgement and sequencing, so BGP needs no acknowledgement messages of its own: every acknowledgement comes from the TCP layer, which reduces the number of BGP messages. All BGP messages are sent as unicast, so neighbors cannot be discovered automatically.

The operation of BGP is message driven. There are five message types: Open, Update, Notification, Keepalive and Route-Refresh:

  1. Open message: the first message sent after the TCP connection is established; it is used to set up the relationship between BGP peers. After the peer receives the Open message and negotiation succeeds, it sends a Keepalive message to confirm and maintain the connection. Once confirmed, the peers can exchange Update, Notification, Keepalive and Route-Refresh messages.
  2. Update message: used to exchange routing information between peers. A single Update message can advertise multiple reachable routes that share the same attributes, and can also withdraw multiple unreachable routes.
    • A single Update message can advertise multiple reachable routes with the same path attributes; these routes share one set of attributes. All path attributes carried in a given Update message apply to every destination (identified by IP prefix) in its NLRI (Network Layer Reachability Information) field.
    • A single Update message can withdraw multiple unreachable routes. Each withdrawn route is identified by its destination IP prefix, which unambiguously identifies a route previously advertised between the BGP speakers.
    • An Update message may be used only to withdraw routes, in which case it need not carry path attributes or NLRI. Conversely, it may be used only to advertise reachable routes, in which case it need not carry withdrawn-route information.
  3. Keepalive message: BGP periodically sends Keepalive messages to its peers to keep the connection alive.
  4. Notification message: when BGP detects an error condition, it sends a Notification message to the peer and the BGP connection is torn down immediately.
  5. Route-Refresh message: the Open message is used to tell a BGP peer that the local router supports the Route-Refresh capability. When Route-Refresh is enabled on all BGP routers, a change to the local BGP import routing policy causes the local router to send a Route-Refresh message to its peers, and a peer that receives the message re-sends its routing information to the local router. In this way the BGP routing table can be refreshed dynamically and a new routing policy applied without tearing down the BGP connection.

BGP header:

[Figure: BGP header format]

Every BGP message begins with a common BGP header, followed by the type-specific content:

  1. Marker: 16 bytes, every bit set to 1.
  2. Length: 2-byte unsigned integer giving the total length of the message in bytes, including the header.
  3. Type: 1 byte, indicating the message type:
    • Open
    • Update
    • Keepalive
    • Notification
    • Route-Refresh

The packet capture is as follows:

[Figure: packet capture of the BGP header]
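The header fields above are what a receiver checks before it trusts anything else in a message. The following is an added example, not code from the original article or from any vendor: a parser for the common header that splits one message off a TCP stream buffer, validates the marker, the type and the length bounds, and reports the RFC 4271 Message Header Error subcode that a real speaker would put into a Notification. The numeric type codes (1 Open, 2 Update, 3 Notification, 4 Keepalive, 5 Route-Refresh) and the minimum lengths are taken from RFC 4271 and RFC 2918; the sample byte strings are constructed for the example.

```python
import struct

# Common BGP header (RFC 4271 section 4.1): 16-byte marker, 2-byte length, 1-byte type.
HEADER_LEN = 19
MAX_MSG_LEN = 4096
MARKER = b"\xff" * 16

# Numeric type codes (RFC 4271 for types 1-4, RFC 2918 for Route-Refresh = 5).
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE", 5: "ROUTE-REFRESH"}

# Smallest legal total length for each type (header plus mandatory fields).
MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19, 5: 23}


class NeedMoreData(Exception):
    """The buffer holds only part of a message: wait for more bytes, not a protocol error."""


def parse_header(buf: bytes) -> dict:
    """Validate the common header at the start of buf and split off one message.

    On a protocol error raises ValueError whose first argument is the Message Header
    Error subcode a receiver would report in a NOTIFICATION (RFC 4271 section 6.1):
    1 = Connection Not Synchronized, 2 = Bad Message Length, 3 = Bad Message Type.
    """
    if len(buf) < HEADER_LEN:
        raise NeedMoreData()
    marker, length, mtype = struct.unpack("!16sHB", buf[:HEADER_LEN])
    if marker != MARKER:
        raise ValueError(1, "marker is not all ones")
    if mtype not in MSG_TYPES:
        raise ValueError(3, f"unknown message type {mtype}")
    if length < MIN_LEN[mtype] or length > MAX_MSG_LEN:
        raise ValueError(2, f"length {length} is illegal for {MSG_TYPES[mtype]}")
    if mtype == 4 and length != HEADER_LEN:
        raise ValueError(2, "KEEPALIVE must be exactly 19 bytes")
    if len(buf) < length:
        raise NeedMoreData()
    return {
        "type": MSG_TYPES[mtype],
        "length": length,
        "body": buf[HEADER_LEN:length],  # type-specific content after the header
        "rest": buf[length:],            # remaining bytes of the TCP stream
    }


def header_error(buf: bytes) -> int:
    """Return the header error subcode for buf, or 0 when the header is valid."""
    try:
        parse_header(buf)
        return 0
    except ValueError as exc:
        return exc.args[0]


def build_message(mtype: int, body: bytes = b"") -> bytes:
    """Prepend a correct common header to a message body."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), mtype) + body


# Constructed sample: two back-to-back KEEPALIVEs as they arrive on the TCP stream.
STREAM = build_message(4) + build_message(4)
# Constructed malformed samples.
BAD_MARKER = b"\x00" * 16 + b"\x00\x13\x04"                # marker is not all ones
BAD_TYPE = build_message(9)                                 # type 9 does not exist
SHORT_OPEN = MARKER + struct.pack("!HB", 20, 1) + b"\x04"   # OPEN shorter than 29 bytes

if __name__ == "__main__":
    first = parse_header(STREAM)
    second = parse_header(first["rest"])
    print(first["type"], first["length"], second["type"], len(second["rest"]))
    for name, sample in (("BAD_MARKER", BAD_MARKER), ("BAD_TYPE", BAD_TYPE), ("SHORT_OPEN", SHORT_OPEN)):
        print(name, "-> header error subcode", header_error(sample))
```

The length check runs before the "need more data" check on purpose: a length field below the per-type minimum or above 4096 is a protocol error no matter how many bytes have arrived, whereas a plausible length with too few bytes present just means the rest of the message is still in flight.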

1. Open message structure:

[Figure: Open message format]

The Open message follows the BGP header:

  1. Version: BGP version number. For BGPv4, the value is 4.
  2. My Autonomous System: the local AS number. By comparing the AS numbers at both ends, you can determine whether the connection is EBGP or IBGP.
  3. Hold Time: when establishing the peer relationship, both ends negotiate the hold time so that they use the same value. If the hold times configured at the two ends differ, BGP uses the smaller value as the negotiated result. If no Keepalive message is received from the peer within this time, the BGP connection is considered down. A hold time of 0 means that Keepalive messages are not sent. The default hold time is 3 times the Keepalive time, i.e. 180 s.
  4. BGP Identifier: the Router ID of the BGP router, expressed as an IP address and used to identify the router.
  5. Opt Parm Len (Optional Parameters Length): the length of the optional parameters. If it is 0, there are no optional parameters.
  6. Optional Parameters: optional parameters used for BGP authentication, Multiprotocol Extensions and other functions. Each parameter is a (Parameter Type, Parameter Length, Parameter Value) triplet, i.e. a TLV field. This field announces support for optional capabilities such as the multiprotocol extension capability (which is why it is called MP-BGP), the route-refresh capability and 4-byte AS numbers. See the following table for details:
    [Table: optional parameter and capability codes]

The packet capture is as follows:

[Figure: packet capture of an Open message]
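To make the Open fields and the hold-time negotiation described above concrete, here is an added example that is not part of the original article or any vendor's code. It builds and parses an Open body (the 19-byte common header is assumed to have been stripped already), walks the optional parameters as TLVs, decodes the capability TLVs inside the type-2 Capabilities parameter (codes 1, 2 and 65 from RFC 4760, RFC 2918 and RFC 6793), and computes the negotiated hold time as the smaller of the two configured values with Keepalive set to one third of it, as the Keepalive section below also states. The AS numbers, router IDs and hold times are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Capability codes carried inside the type-2 (Capabilities) optional parameter, RFC 5492.
CAPABILITY_NAMES = {1: "Multiprotocol Extensions", 2: "Route Refresh", 65: "4-octet AS number"}


def build_open(my_as: int, hold_time: int, bgp_id: str, capabilities=()) -> bytes:
    """Build an OPEN body (without the common header).

    capabilities is a sequence of (code, value_bytes) pairs; they are wrapped in one
    optional parameter of type 2.
    """
    caps = b"".join(bytes([code, len(value)]) + value for code, value in capabilities)
    opt = bytes([2, len(caps)]) + caps if caps else b""
    return struct.pack("!BHHIB", 4, my_as, hold_time, int(IPv4Address(bgp_id)), len(opt)) + opt


def parse_open(body: bytes) -> dict:
    """Parse an OPEN body; ValueError messages name the RFC 4271 OPEN error subcode."""
    if len(body) < 10:
        raise ValueError("OPEN body shorter than its 10 fixed bytes")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise ValueError(f"unsupported version {version} (subcode 1)")
    if hold_time in (1, 2):
        raise ValueError("hold time must be 0 or at least 3 s (subcode 6)")
    if opt_len != len(body) - 10:
        raise ValueError("Opt Parm Len does not match the data present (subcode 4)")
    caps = []
    params, pos = body[10:], 0
    while pos < len(params):
        if pos + 2 > len(params):
            raise ValueError("truncated optional parameter (subcode 4)")
        ptype, plen = params[pos], params[pos + 1]
        value = params[pos + 2:pos + 2 + plen]
        if len(value) != plen:
            raise ValueError("truncated optional parameter (subcode 4)")
        pos += 2 + plen
        if ptype != 2:  # only the Capabilities parameter is decoded here
            caps.append({"param_type": ptype, "raw": value.hex()})
            continue
        cpos = 0
        while cpos < len(value):
            if cpos + 2 > len(value):
                raise ValueError("truncated capability TLV (subcode 4)")
            code, clen = value[cpos], value[cpos + 1]
            cval = value[cpos + 2:cpos + 2 + clen]
            cpos += 2 + clen
            cap = {"code": code, "name": CAPABILITY_NAMES.get(code, "unknown")}
            if code == 1 and clen == 4:       # AFI (2) + reserved (1) + SAFI (1)
                cap["afi"], _, cap["safi"] = struct.unpack("!HBB", cval)
            elif code == 65 and clen == 4:    # the sender's 4-octet AS number
                (cap["as"],) = struct.unpack("!I", cval)
            caps.append(cap)
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(IPv4Address(bgp_id)), "capabilities": caps}


def open_error(body: bytes) -> str:
    """Return the parse error for an OPEN body, or an empty string when it is acceptable."""
    try:
        parse_open(body)
        return ""
    except ValueError as exc:
        return str(exc)


def session_type(local_as: int, peer_as: int) -> str:
    """Same AS number on both ends means IBGP, otherwise EBGP."""
    return "IBGP" if local_as == peer_as else "EBGP"


def negotiate_timers(local_hold: int, peer_hold: int) -> tuple:
    """Hold time is the smaller configured value; Keepalive interval is one third of it."""
    hold = min(local_hold, peer_hold)
    return hold, hold // 3


# Constructed sample: the OPEN a peer in AS 65002 might send, advertising three capabilities.
PEER_OPEN = build_open(65002, 90, "10.0.0.2", [
    (1, struct.pack("!HBB", 1, 0, 1)),   # Multiprotocol Extensions: AFI 1 (IPv4), SAFI 1 (unicast)
    (2, b""),                            # Route Refresh
    (65, struct.pack("!I", 65002)),      # 4-octet AS number
])
BAD_VERSION_OPEN = b"\x03" + PEER_OPEN[1:]   # constructed: same body with version 3

if __name__ == "__main__":
    peer = parse_open(PEER_OPEN)
    print(peer)
    print(session_type(65001, peer["my_as"]), negotiate_timers(180, peer["hold_time"]))
    print("bad version ->", open_error(BAD_VERSION_OPEN))
```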

2. Update message structure:

[Figure: Update message format]

Specific fields:

  1. Withdrawn Routes Length: (2-byte unsigned integer) the length in bytes of the Withdrawn Routes field. If it is 0, the Withdrawn Routes field carries no data and is not shown in the UPDATE message.
  2. Withdrawn Routes: (variable length) the routes being withdrawn. The field is a series of IP address prefixes in the format <length, prefix>; for example, <19, 198.18.160.0> denotes the network 198.18.160.0 255.255.224.0.
  3. Path Attribute Length: (2-byte unsigned integer) the length in bytes of the Path Attributes field. If it is 0, the Path Attributes field carries no data and is not shown in the UPDATE message.
  4. Path Attributes: variable-length field listing the attributes of the NLRI (Network Layer Reachability Information, the routing information) that follows. Each path attribute is a variable-length triplet (attribute type, attribute length, attribute value) that gives BGP the information it needs to select the shortest path, check for routing loops and apply routing policy, as shown in the figure. The attribute type is a 2-byte field consisting of a 1-byte attribute flags field and a 1-byte attribute type code:
    [Figure: path attribute format]
    From the first two flag bits of this field, attributes fall into four combinations: well-known mandatory, well-known discretionary, optional transitive and optional non-transitive:
    • Bit 0 indicates whether the attribute is well-known or optional (0: well-known, 1: optional).
    • Bit 1 indicates whether the attribute is transitive or non-transitive (0: non-transitive, 1: transitive). Well-known attributes are always transitive, so for them this bit is always set to 1.
    • Bit 2 indicates whether the information in an optional transitive attribute is complete or partial (0: complete, 1: partial).
    • Bit 3 indicates the size of the attribute length field (0: one byte, 1: two bytes).
    • Bits 4 to 7 are unused and always 0.
    • Bits 8 to 15 are the attribute type code. See the table below for the mapping:
    [Table: path attribute type codes]
  5. Network Layer Reachability Information: (variable length) network reachability information, consisting of a series of IP address prefixes. The format is the same as the Withdrawn Routes field: <length, prefix>.

The route update information is as follows:

[Figure: packet capture of an Update message advertising routes]

The route withdrawal information is as follows:

[Figure: packet capture of an Update message withdrawing routes]
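The Update layout and the attribute flag bits are easiest to verify with a decoder. This is an added example, not code from the original article: it encodes and decodes the <length, prefix> form (including the article's own <19, 198.18.160.0> case), decodes the four flag bits and the extended-length variant, classifies each attribute into the four combinations listed above, and parses a whole Update body with a withdrawn route, four path attributes and an NLRI prefix. The attribute type codes and names are the RFC 4271 ones plus COMMUNITIES (code 8, RFC 1997); the Update bytes are constructed for the example and assume 2-byte AS numbers in AS_PATH (no 4-octet AS capability negotiated).

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR", 8: "COMMUNITIES"}
WELL_KNOWN_MANDATORY = {1, 2, 3}   # ORIGIN, AS_PATH, NEXT_HOP (RFC 4271)


def mask_int(plen: int) -> int:
    return (1 << 32) - (1 << (32 - plen))


def prefix_mask(plen: int) -> str:
    """Dotted mask for a prefix length, e.g. 19 -> 255.255.224.0."""
    return str(IPv4Address(mask_int(plen)))


def encode_prefix(cidr: str) -> bytes:
    """<length, prefix>: a 1-byte prefix length, then only the bytes the length covers."""
    net = IPv4Network(cidr)
    return bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def decode_prefixes(data: bytes) -> list:
    """Decode a run of <length, prefix> pairs (Withdrawn Routes or NLRI) into CIDR strings."""
    out, pos = [], 0
    while pos < len(data):
        plen = data[pos]
        if plen > 32:
            raise ValueError(f"prefix length {plen} exceeds 32")   # Invalid Network Field
        nbytes = (plen + 7) // 8
        raw = data[pos + 1:pos + 1 + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated prefix")                   # Invalid Network Field
        pos += 1 + nbytes
        addr = int.from_bytes(raw.ljust(4, b"\x00"), "big")      # pad to 4 bytes, clear host bits
        out.append(f"{IPv4Address(addr & mask_int(plen))}/{plen}")
    return out


def decode_flags(flags: int) -> dict:
    """Bits 0-3 of the attribute flags byte, most significant bit first."""
    return {"optional": bool(flags & 0x80), "transitive": bool(flags & 0x40),
            "partial": bool(flags & 0x20), "extended_length": bool(flags & 0x10)}


def attribute_category(flags: int, code: int) -> str:
    f = decode_flags(flags)
    if f["optional"]:
        return "optional transitive" if f["transitive"] else "optional non-transitive"
    return "well-known mandatory" if code in WELL_KNOWN_MANDATORY else "well-known discretionary"


def parse_as_path(value: bytes) -> list:
    segments, pos = [], 0
    while pos < len(value):
        seg_type, count = value[pos], value[pos + 1]
        asns = list(struct.unpack(f"!{count}H", value[pos + 2:pos + 2 + 2 * count]))
        pos += 2 + 2 * count
        segments.append({"type": {1: "AS_SET", 2: "AS_SEQUENCE"}.get(seg_type, seg_type), "asns": asns})
    return segments


def parse_attributes(data: bytes) -> list:
    attrs, pos = [], 0
    while pos < len(data):
        flags, code = data[pos], data[pos + 1]
        f = decode_flags(flags)
        if f["extended_length"]:                       # bit 3 set: 2-byte length field
            (alen,) = struct.unpack("!H", data[pos + 2:pos + 4])
            pos += 4
        else:
            alen = data[pos + 2]
            pos += 3
        value = data[pos:pos + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")                   # Attribute Length Error
        pos += alen
        if not f["optional"] and not f["transitive"]:
            raise ValueError("well-known attribute flagged non-transitive")  # Attribute Flags Error
        attr = {"code": code, "name": ATTR_NAMES.get(code, f"type-{code}"),
                "category": attribute_category(flags, code), "length": alen}
        if code == 1:
            attr["value"] = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}.get(value[0], "invalid")
        elif code == 2:
            attr["value"] = parse_as_path(value)
        elif code == 3:
            attr["value"] = str(IPv4Address(value))
        else:
            attr["value"] = value.hex()
        attrs.append(attr)
    return attrs


def parse_update(body: bytes) -> dict:
    """Parse an UPDATE body (common header already removed)."""
    (wlen,) = struct.unpack("!H", body[:2])
    pos = 2 + wlen
    if pos + 2 > len(body):
        raise ValueError("Withdrawn Routes Length exceeds message")   # Malformed Attribute List
    (alen,) = struct.unpack("!H", body[pos:pos + 2])
    if pos + 2 + alen > len(body):
        raise ValueError("Path Attribute Length exceeds message")     # Malformed Attribute List
    return {"withdrawn": decode_prefixes(body[2:pos]),
            "attributes": parse_attributes(body[pos + 2:pos + 2 + alen]),
            "nlri": decode_prefixes(body[pos + 2 + alen:])}


# Constructed sample UPDATE body: withdraw 198.18.160.0/19, advertise 10.1.0.0/16 with four attributes.
SAMPLE_UPDATE = (
    struct.pack("!H", 4) + encode_prefix("198.18.160.0/19")              # withdrawn: <19, 198.18.160.0>
    + struct.pack("!H", 27)                                               # Path Attribute Length
    + bytes([0x40, 1, 1, 0])                                              # ORIGIN = IGP (well-known)
    + bytes([0x40, 2, 6, 2, 2]) + struct.pack("!HH", 65001, 65002)        # AS_PATH: AS_SEQUENCE 65001 65002
    + bytes([0x40, 3, 4]) + IPv4Address("10.0.0.1").packed                # NEXT_HOP 10.0.0.1
    + bytes([0xC0, 8, 4]) + struct.pack("!HH", 65001, 100)                # COMMUNITIES 65001:100 (optional transitive)
    + encode_prefix("10.1.0.0/16")                                        # NLRI
)

if __name__ == "__main__":
    print(prefix_mask(19), decode_prefixes(bytes([19, 198, 18, 160])))
    for key, val in parse_update(SAMPLE_UPDATE).items():
        print(key, val)
```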

3. Keepalive message structure:

  1. A Keepalive message consists of the BGP header only.
  2. By default the Keepalive interval is 60 seconds, 1/3 of the Hold Time, and it is used to detect whether the TCP connection is still healthy. Each Keepalive received from the neighbor resets the Hold Time timer; if the Hold Time timer expires, the peer is considered Down.
  3. The Keepalive interval cannot be less than 1 s. If the hold time is negotiated as 0, Keepalive messages are not sent. Within a sending interval, if BGP has already sent an Update message, it suppresses the Keepalive.

The packet capture is as follows:

[Figure: packet capture of a Keepalive message]

4. Notification message structure:

[Figure: Notification message format]

Specific fields:

  1. Error code: 1-byte field. Each distinct error is represented by a unique code, and each error code may have one or more error subcodes; when an error code has no subcodes, the error subcode field is set to 0.
  2. Error subcode.
  3. Data: variable-length field containing data related to the error, used to diagnose its cause, e.g. an illegal AS number or an authentication failure.

The following table lists the possible error codes and error subcodes:

[Table: Notification error codes and subcodes]

Packet capture: a Notification message sent when the other side tears down the connection

[Figure: packet capture of a Notification message]
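The following is an added example, not code from the original article, that builds and decodes complete Notification messages so the three fields above can be seen together with the header. The error code and subcode names come from RFC 4271 (codes 1 to 6 and their subcodes) and RFC 4486 (Cease subcodes); the Data field is interpreted only for the cases RFC 4271 defines (the offending length or type for header errors, the highest supported version for a version mismatch) and returned as hex otherwise. The sample messages are constructed; the "Cease / Administrative Shutdown" one stands in for the capture above, where the peer tears the session down.

```python
import struct

MARKER = b"\xff" * 16
HEADER_LEN = 19
NOTIFICATION_TYPE = 3

ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error", 3: "UPDATE Message Error",
               4: "Hold Timer Expired", 5: "Finite State Machine Error", 6: "Cease"}
SUBCODES = {
    1: {1: "Connection Not Synchronized", 2: "Bad Message Length", 3: "Bad Message Type"},
    2: {1: "Unsupported Version Number", 2: "Bad Peer AS", 3: "Bad BGP Identifier",
        4: "Unsupported Optional Parameter", 6: "Unacceptable Hold Time"},
    3: {1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
        3: "Missing Well-known Attribute", 4: "Attribute Flags Error", 5: "Attribute Length Error",
        6: "Invalid ORIGIN Attribute", 8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
        10: "Invalid Network Field", 11: "Malformed AS_PATH"},
    6: {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown", 3: "Peer De-configured",
        4: "Administrative Reset", 5: "Connection Rejected", 6: "Other Configuration Change",
        7: "Connection Collision Resolution", 8: "Out of Resources"},   # RFC 4486
}


def build_notification(code: int, subcode: int = 0, data: bytes = b"") -> bytes:
    """Build a complete NOTIFICATION message including the common header."""
    body = bytes([code, subcode]) + data
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), NOTIFICATION_TYPE) + body


def describe_data(code: int, subcode: int, data: bytes) -> str:
    """Interpret the Data field for the cases RFC 4271 defines; otherwise return raw hex."""
    if (code, subcode) == (1, 2) and len(data) == 2:    # the offending Length field
        return f"bad length {struct.unpack('!H', data)[0]}"
    if (code, subcode) == (1, 3) and len(data) == 1:    # the offending Type field
        return f"bad type {data[0]}"
    if (code, subcode) == (2, 1) and len(data) == 2:    # largest version the sender supports
        return f"peer supports up to version {struct.unpack('!H', data)[0]}"
    return data.hex() or "(none)"


def parse_notification(msg: bytes) -> dict:
    """Decode a complete NOTIFICATION message into named fields."""
    if len(msg) < HEADER_LEN + 2 or msg[:16] != MARKER or msg[18] != NOTIFICATION_TYPE:
        raise ValueError("not a NOTIFICATION message")
    (length,) = struct.unpack("!H", msg[16:18])
    if length != len(msg):
        raise ValueError("length field does not match the bytes present")
    code, subcode, data = msg[19], msg[20], msg[21:]
    reason = SUBCODES.get(code, {}).get(subcode, "no subcode" if subcode == 0 else "unknown")
    return {"code": code, "error": ERROR_CODES.get(code, "unknown"), "subcode": subcode,
            "reason": reason, "data": describe_data(code, subcode, data), "length": length}


# Constructed samples.
CEASE = build_notification(6, 2)                               # peer shut the session down administratively
BAD_VERSION = build_notification(2, 1, struct.pack("!H", 4))   # we only speak version 4
HOLD_EXPIRED = build_notification(4)                           # no subcode defined, so 0

if __name__ == "__main__":
    for sample in (CEASE, BAD_VERSION, HOLD_EXPIRED):
        print(parse_notification(sample))
```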

5. Refresh message structure

[Figure: Route-Refresh message format]

Specific fields:

  1. AFI: 2 bytes, the address family identifier, with the same definition as in the UPDATE message; 1 means IPv4.
  2. Res.: 1 byte, reserved; should be all zeros and is ignored when a message is received.
  3. SAFI: 1 byte, with the same definition as in the UPDATE message.

By setting a specific address family and refreshing the routes of that address family, the local BGP router can manually trigger Route-Refresh messages to its peers; a peer that receives the message re-sends its routing information to the local router. In this way the BGP connection stays up. This method is also called a soft reset.

Huawei device command: refresh bgp xxx import
[Figure: output of the refresh bgp command]

Note: a soft reset does not tear down the BGP connection, whereas a hard reset (reset) does.

Packet capture, using IPv4 unicast as the example:

[Figure: packet capture of a Route-Refresh message]
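To tie the Route-Refresh fields to the capability negotiated in the Open message, here is an added example that is not part of the original article or of any Huawei code. It builds the 23-byte message (header plus AFI, reserved byte and SAFI), refuses to build one unless the peer advertised capability code 2 (Route Refresh, RFC 2918) in its Open, and parses a received message while ignoring the reserved byte as the field definition requires. The capability-code list and the AFI/SAFI values are constructed sample inputs.

```python
import struct

MARKER = b"\xff" * 16
ROUTE_REFRESH_TYPE = 5
ROUTE_REFRESH_LEN = 23          # common header (19) + AFI (2) + Reserved (1) + SAFI (1)
ROUTE_REFRESH_CAPABILITY = 2    # capability code carried in the OPEN message, RFC 2918
AFI_NAMES = {1: "IPv4", 2: "IPv6"}
SAFI_NAMES = {1: "unicast", 2: "multicast"}


def peer_supports_route_refresh(peer_capability_codes) -> bool:
    """True when the peer's OPEN advertised the Route Refresh capability."""
    return ROUTE_REFRESH_CAPABILITY in peer_capability_codes


def build_route_refresh(afi: int, safi: int, peer_capability_codes) -> bytes:
    """Build a ROUTE-REFRESH for one address family, only if the peer can honour it."""
    if not peer_supports_route_refresh(peer_capability_codes):
        raise ValueError("peer did not advertise Route Refresh; a soft reset is not possible")
    body = struct.pack("!HBB", afi, 0, safi)   # reserved byte sent as zero
    return MARKER + struct.pack("!HB", ROUTE_REFRESH_LEN, ROUTE_REFRESH_TYPE) + body


def parse_route_refresh(msg: bytes) -> dict:
    """Decode a received ROUTE-REFRESH; the reserved byte is read but ignored."""
    if len(msg) != ROUTE_REFRESH_LEN or msg[:16] != MARKER or msg[18] != ROUTE_REFRESH_TYPE:
        raise ValueError("not a 23-byte ROUTE-REFRESH message")
    afi, _reserved, safi = struct.unpack("!HBB", msg[19:])
    return {"afi": afi, "afi_name": AFI_NAMES.get(afi, "unknown"),
            "safi": safi, "safi_name": SAFI_NAMES.get(safi, "unknown")}


def soft_reset_possible(peer_capability_codes) -> bool:
    """Convenience check a router would make before offering 'refresh bgp ... import'."""
    return peer_supports_route_refresh(peer_capability_codes)


# Constructed sample: a peer that advertised MP extensions, Route Refresh and 4-octet AS.
PEER_CAPS = [1, 2, 65]
IPV4_UNICAST_REFRESH = build_route_refresh(1, 1, PEER_CAPS)

if __name__ == "__main__":
    print(IPV4_UNICAST_REFRESH.hex())
    print(parse_route_refresh(IPV4_UNICAST_REFRESH))
    print("soft reset possible without the capability:", soft_reset_possible([1, 65]))
```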

Reference materials: Huawei hedex document, "HCIE Routing Exchange Learning Guide"


Origin blog.csdn.net/tushanpeipei/article/details/112724080