What, exactly, are ASNs?

By on 18 Mar 2021

Category: Tech matters

Tags: , ,

Blog home

What does it ‘mean’ to be an Autonomous System number (ASN)?

It is a unique assigned identifier, used for routing in the Border Gateway Protocol (BGP).

The concept is quite simple, but also remarkably undefined, occurring almost by accident inside other RFCs about routing. The original BGP-4 RFC 1771 from 1995 defined what an Autonomous System (AS) is — a single locus of control for the routing of a collection of prefixes. It defined a bit field in a packet as the ASN. It then defines this as a 16-bit field in a BGP message packet like this:

   In addition to the fixed-size BGP header, the OPEN message contains
   the following fields:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       |    Version    |
       |     My Autonomous System      |

So, there you have it: a 16-bit number. Laid out, in all its glory in ASCII art. That ‘My Autonomous System’ field is what we now call an ASN.

Meaning is everything: what does an ASN mean?

The key word in the AS concept is ‘autonomous’. The ASN denotes a BGP speaker (something participating in BGP), which is a single, integral, self-managed entity. In BGP terms, it’s a single routing policy.

You can expect an AS to represent all the public states of its routing that the AS holder wants to share across a boundary. Importantly, it does not have to say the same things to all other BGP systems it speaks to, so you can build up your model of what the given ASN is to you, in terms of reaching Internet addresses. But, it won’t be the same as somebody else’s model necessarily.

The role of ASNs inside BGP is to construct the map of how to find things. That’s what routing is. ASNs have two roles in BGP. They can be originators (hence ‘origin-AS’) or they can be on the path.

AS as origin

An originator says, ‘I am the origin, the source of this announcement regarding some Internet addresses’ and so is the endpoint of the routing decision. They have declared, as the origin-AS, that they can successfully handle all the traffic for those addresses and can be sent traffic.

The B in BGP is Border — it’s the Border Gateway Protocol. A border is a boundary between two things. In this case, ‘inside’ the border is what the AS is, it is all the internal routing of Internet addresses that it autonomously decides how to use. Outside, is the rest of the Internet.

The G is for Gateway: it’s the place where decisions are made about which way to send things.

The P is for Protocol: it’s a structured decision process between parties, talking across this boundary.

So, does an ASN actually originate the traffic?

You can’t always tell! They should, but one of the recurring problems of BGP and Internet routing is that things don’t always do what you think. BGP only says that you can send things to the origin-AS, it doesn’t have to say that’s the only source of these things you can see. Assuming BGP is working (ignoring route filtering), the overall intention is that everyone sees the same origin-AS declarations across all of the parts of BGP, which doesn’t depend on other information for routing. Because of route filtering, and complex peering, this isn’t always true. But it’s generally the basic state: if you announce you are the origin-AS for some addresses, you expect everyone in the Internet, speaking BGP, to see it eventually.

Are you guaranteed to be the only origin-AS?

No. Nothing in BGP says you can be the only origin-AS, and this is a problem. The lack of validity checks in BGP is why we have RPKI and why we sign Route Origin Authorizations (ROA). We do so to provide some legitimacy over which origin-AS you believe and trust.

AS as path

Figure 1  —  Path as a floor plan. The hops are green. The path is dotted.
Figure 1 — Path as a floor plan. The hops are green. The path is dotted.

Path is a simple context. It’s the trail of places between you, and somewhere else. The path to my front door from the kitchen goes through the living room, the corridor, and the hall. So, in ‘path’ terms I have three ‘hops’ along the path (THE FLOOR IS LAVA!), from the kitchen (my origin), through the living-room, corridor, and hall, to the front door (my destination). Viewed from the front door, the path is the reverse: front door, hall, corridor, living room, and kitchen (the origin of me, George). That’s a path.

Interestingly, the only thing that really matters to me, is the immediate next place. From the front door, it’s the hall. From the kitchen, it’s the living room. This is the ‘next-hop’, or neighbour. What happens beyond there, is not my primary concern, except for two questions:

  1. How long is this path? Is this the best path, or do I have some alternatives? (These are different aspects of much the same question).
  2. Is this path a loop?

Being ‘on the path’ is interesting, because there isn’t one global path that’s true all the time, everywhere in BGP. Path is a function of where you are in BGP terms and which other AS you connect to, to speak BGP. Each one of these other BGP speakers is a neighbour. So, your path consists of the chain(s) of neighbours between you, and some other origin-AS.

My house is pretty small but the one I lived in before had two paths from the kitchen to the living room, one via a corridor, the other via a corridor and another room. The paths were not the same length but, depending on blockages, I might prefer the longer one. ‘Best’ path is very much dependent on circumstance at the time. In the absence of any other rule, best path means shortest path: the least number of ASes between you and the origin.

The BGP’s default decision, when faced with more than one path to an origin, is to pick the shortest. The role of BGP path, and AS paths, is to decide which origin to favour, sending (or forwarding) a packet. It is also the prevention of loops. AS paths exist, so you can detect when a BGP speaker is offering you a path that forms a loop. You don’t want to use them!

Securing path is a knotty problem, which isn’t solved by ROAs, and is the subject of other activities, such as BGPSec, AS-Cones, and ASPA

What does it mean to be an ASN?

It means having autonomy of routing and speaking BGP.

There you have it. The role of an ASN is to identify you in the world of BGP speakers, and to declare your autonomy in making routing decisions over some addresses. It is identity, and it is used to define origin, path, and to detect loops. An ASN’s only purpose is to be unique amongst other ASNs. It was once a 16-bit, 65,000 range number field, now it’s one of 4 billion values in a 32-bit field.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *