Computer NetworksInterior vs Exterior

Interior vs Exterior: Understanding IGP and EGP

LevelIntermediate

Duration60 mins

TopicInterior vs Exterior

1 / 5

Autonomous Systems

The Internet's Organizational Unit

Consider a remarkable fact: the Internet connects over 5 billion users, hundreds of millions of servers, and billions of IoT devices across every continent—yet no single organization controls it. No master routing table exists that knows every path to every destination. No central authority decides how packets travel from Tokyo to Toronto or from São Paulo to Sydney.

How does this work?

The answer lies in a brilliant organizational principle called the Autonomous System (AS)—the fundamental administrative and routing domain of the Internet. Understanding Autonomous Systems is essential for grasping how the Internet's global routing infrastructure operates, why routing protocols are divided into interior and exterior categories, and how networks of vastly different sizes and purposes coexist harmoniously.

What You Will Learn

By the end of this page, you will understand what Autonomous Systems are, why they exist, how they are identified globally, the different types of AS architectures, and why this concept is foundational to the Internet's routing hierarchy. This knowledge is essential for network engineers, system administrators, and anyone seeking to understand how the Internet really works.

Defining Autonomous Systems

An Autonomous System (AS) is a collection of IP networks and routers under the control of a single organization or entity that presents a common, clearly defined routing policy to the Internet. More formally, RFC 1930 defines an AS as:

"A connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy."

Let's break this definition into its essential components:

Key Characteristics of an Autonomous System

•Single Administrative Control — An AS is managed by one organization (though large organizations may have multiple ASes). This could be an Internet Service Provider (ISP), a large enterprise, a university, a government agency, or a cloud provider.
•Connected IP Prefixes — The networks within an AS are interconnected. This doesn't mean every router connects to every other router, but there must be internal connectivity so traffic can flow between all parts of the AS.
•Unified Routing Policy — Perhaps most critically, an AS appears to the outside world as a coherent entity with a single routing policy. Internal routing decisions are invisible to external networks; only the aggregate behavior matters.
•Unique Global Identifier — Each AS is assigned a globally unique number called an Autonomous System Number (ASN), which identifies it in inter-domain routing protocols like BGP.

The City-State Analogy

Think of Autonomous Systems like city-states in the ancient world. Each city-state (AS) has its own internal governance, roads, and infrastructure. Citizens within a city-state follow local rules. But when trading or communicating with other city-states, diplomats (exterior routing protocols) handle negotiations, and the internal complexity is hidden behind a unified external policy. Just as ancient trade routes connected city-states into a global economy, BGP connects ASes into the global Internet.

Why Not One Big Network?

You might wonder: why not just have one massive interconnected network? The answer involves multiple dimensions:

Administrative Reality — The Internet grew organically from thousands of independent networks. No single entity owns or can feasibly manage the entire infrastructure.
Scalability — A flat global routing table tracking every individual network would be impossibly large. Grouping networks into ASes enables route aggregation and manageable table sizes.
Policy Independence — Different organizations have different needs. An ISP prioritizes traffic differently than a bank, university, or content provider. AS boundaries enable policy autonomy.
Fault Isolation — Problems within one AS (configuration errors, hardware failures, attacks) are contained and don't cascade globally.
Business Relationships — ASes are often commercial entities. The AS abstraction enables peering agreements, transit relationships, and the economic model of the Internet.

Autonomous System Numbers (ASNs)

Every Autonomous System that participates in external routing must have a globally unique identifier called an Autonomous System Number (ASN). This number is essential for inter-domain routing protocols (particularly BGP) to identify source, path, and destination networks.

ASN Structure and Allocation:

Originally, ASNs were 16-bit numbers (0–65,535). As the Internet grew and ASNs became scarce, the IETF introduced 32-bit ASNs (RFC 4893, RFC 6793), expanding the space to over 4 billion possible values.

ASN Allocation Ranges
Range	Type	Description
0	Reserved	Not valid for use in routing
1 – 64,495	Public 16-bit	Globally unique ASNs assigned by Regional Internet Registries (RIRs)
64,496 – 64,511	Documentation	Reserved for documentation and examples (RFC 5398)
64,512 – 65,534	Private 16-bit	For private use within an organization, not routed externally
65,535	Reserved	Reserved, not valid for use
65,536 – 4,199,999,999	Public 32-bit	Extended ASN space for global assignment
4,200,000,000 – 4,294,967,294	Private 32-bit	Extended private ASN range
4,294,967,295	Reserved	Reserved, not valid for use

Who Assigns ASNs?

Autonomous System Numbers are allocated hierarchically:

IANA (Internet Assigned Numbers Authority) — Allocates large blocks of ASNs to Regional Internet Registries.
Regional Internet Registries (RIRs) — Five RIRs serve different geographic regions:
- ARIN — North America
- RIPE NCC — Europe, Middle East, Central Asia
- APNIC — Asia-Pacific
- LACNIC — Latin America and Caribbean
- AFRINIC — Africa
Local/National Internet Registries (LIRs/NIRs) — In some regions, national registries handle local allocations.

Organizations requesting an ASN must demonstrate a legitimate need—typically, they need to connect to multiple upstream providers with distinct routing policies, or they need to participate in an Internet Exchange Point (IXP).

Private ASNs in Practice

Private ASNs (64,512–65,534 for 16-bit, 4,200,000,000–4,294,967,294 for 32-bit) are used when an AS needs to run BGP internally or with a single provider but doesn't need to be globally unique. Enterprise networks often use private ASNs with their ISP, who then strips the private ASN before advertising routes to the Internet. This is similar to how RFC 1918 private IP addresses work.

Notable ASNs:

Some ASNs are well-known in the networking community:

ASN	Organization	Significance
AS7922	Comcast	One of the largest US ISPs
AS15169	Google	Major content provider and cloud services
AS32934	Facebook/Meta	Social media giant
AS16509	Amazon/AWS	Dominant cloud provider
AS8075	Microsoft	Azure cloud and enterprise services
AS13335	Cloudflare	Major CDN and security provider
AS3356	Lumen/CenturyLink	One of the largest backbone providers
AS174	Cogent	Major Tier 1 backbone provider
AS6939	Hurricane Electric	Large global network with extensive IPv6

These ASNs appear frequently in traceroutes, BGP feeds, and network analysis, making them familiar landmarks in the Internet's topology.

Types of Autonomous Systems by Connectivity

Autonomous Systems can be classified by their connectivity patterns and role in the Internet topology. Understanding these types is crucial for network design, troubleshooting, and understanding routing behavior.

Primary AS Classifications

•Stub AS (Single-homed) — Connected to exactly one other AS. All traffic enters and exits through a single point. Most enterprise networks and small organizations fall into this category. Stub ASes typically don't need a public ASN because they don't make independent routing decisions visible externally.
•Multihomed AS (Non-transit) — Connected to multiple ASes for redundancy or performance, but does NOT allow traffic from one AS to transit through to another. This is common for enterprises that want backup connectivity but don't want to be part of the transit infrastructure.
•Transit AS — Allows traffic from one connected AS to pass through to reach another AS. Transit ASes are the "highways" of the Internet. Internet Service Providers are typically transit ASes—they carry traffic not just to/from their own customers but between other networks.
•**Internet Exchange Point (IXP) ** — Technically not an AS type but a critical infrastructure where multiple ASes interconnect. Major IXPs like DE-CIX, AMS-IX, and Equinix facilitate peering between hundreds of networks.

Converting Mermaid diagram...

The ISP Tier System:

Transit ASes are often categorized into tiers based on their position in the Internet hierarchy:

Tier 1 ISPs:

Can reach any destination on the Internet without paying for transit
Peer with all other Tier 1 networks (settlement-free peering)
Examples: Lumen (AS3356), Cogent (AS174), NTT (AS2914), Telia (AS1299)
There are approximately 15-20 Tier 1 networks globally

Tier 2 ISPs:

Purchase transit from at least one Tier 1 provider
Also engage in peering with other networks
May sell transit to smaller networks
Most large regional and national ISPs are Tier 2

Tier 3 ISPs:

Purely purchase transit from upstream providers
Don't engage in significant peering
Local or specialized service providers

This hierarchical structure creates a scalable architecture where routing complexity is concentrated at higher tiers, while lower tiers can operate with simpler configurations.

Transit vs. Peering Economics

The distinction between transit (paying for access) and peering (typically settlement-free exchange) drives much Internet economics. Large content providers like Google and Netflix peer aggressively to reduce transit costs, while ISPs negotiate peering agreements based on traffic ratios and mutual benefit. Understanding these relationships is essential for network architects making connectivity decisions.

Internal Structure of an Autonomous System

While an AS presents a unified face to the outside world, internally it can be arbitrarily complex. Large ASes may span multiple continents, contain thousands of routers, and carry petabytes of traffic daily. Understanding internal AS architecture is essential for network design and operation.

Core Components

•Core/Backbone Routers — High-capacity routers that form the AS's internal backbone, moving traffic between regions
•Edge/Access Routers — Connect customers or peers to the AS, applying ingress and egress policies
•Border Routers (ASBR) — AS Boundary Routers connecting to external ASes, running BGP externally
•Route Reflectors — Reduce iBGP mesh complexity by reflecting routes between internal BGP peers
•Distribution Routers — Aggregate traffic from access layer before sending to core

Design Considerations

•Redundancy — Multiple paths between any two points to handle failures
•Scalability — Architecture that grows gracefully with traffic and nodes
•Latency — Minimizing hop count and distance for time-sensitive traffic
•Cost — Balancing performance against infrastructure and transit costs
•Security — Filtering, access control, and DDoS mitigation at boundaries

Interior vs. Exterior Routing within an AS:

Inside an AS, Interior Gateway Protocols (IGPs) like OSPF, IS-IS, or EIGRP determine how traffic moves between internal routers. These protocols optimize for metrics like hop count, bandwidth, or delay.

At AS boundaries, Exterior Gateway Protocols (EGPs)—specifically BGP in the modern Internet—handle inter-domain routing. Border routers run both IGP (to communicate with internal routers) and BGP (to communicate with external ASes).

Internal BGP (iBGP):

Within a single AS, BGP is also used to distribute external routes learned from other ASes. This is called internal BGP (iBGP), and it ensures all border routers have consistent knowledge of external destinations. However, iBGP has special rules:

iBGP peers don't advertise routes learned from other iBGP peers (loop prevention)
This means iBGP requires either a full mesh of peerings or route reflectors
iBGP uses the IGP to determine the next-hop reachability

This separation—IGP for internal reachability, iBGP for external route distribution—is fundamental to scalable AS design.

Route Reflectors and Confederation

In large ASes, a full mesh of iBGP sessions becomes impractical. With 100 routers, you'd need 4,950 sessions! Route reflectors solve this by allowing a subset of routers to reflect routes to others, dramatically reducing session count. Alternatively, AS confederation subdivides an AS into internal sub-ASes, each with its own iBGP domain. Both techniques are essential for scaling BGP in major networks.

Autonomous Systems in the Real World

To ground these concepts, let's examine how Autonomous Systems manifest in real Internet operations and why network engineers care deeply about AS topology.

Looking Up ASN Information:

Several tools and databases provide AS information:

WHOIS databases — RIRs maintain WHOIS servers with ASN ownership information
BGP Looking Glass servers — Show live BGP routes and AS paths from various vantage points
PeeringDB — Community database of interconnection information
Hurricane Electric BGP Toolkit — Comprehensive AS information and statistics
RIPE RIS and RouteViews — BGP route collection projects for research and monitoring

AS Path Lookup Example
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Use 'whois' to look up an ASN
$ whois -h whois.radb.net AS15169
 
# Sample output:
aut-num:    AS15169
as-name:    GOOGLE
org:        ORG-GOOGLE
descr:      Google LLC
admin-c:    GOGL
tech-c:     GOGL
import:     from AS-ANY accept ANY
export:     to AS-ANY announce AS-GOOGLE
remarks:    Peering information: https://peering.google.com
 
# Traceroute showing AS path
$ traceroute -A google.com
 1  192.168.1.1 (AS0)           1.2 ms
 2  10.0.0.1 [AS7922]           5.3 ms    # Comcast
 3  68.85.x.x [AS7922]          8.1 ms    # Comcast core
 4  96.110.x.x [AS7922]        12.4 ms    # Comcast edge
 5  72.14.x.x [AS15169]        15.2 ms    # Enter Google
 6  142.251.x.x [AS15169]      16.8 ms    # Google destination

BGP AS_PATH Attribute:

When BGP advertises a route, it includes the AS_PATH—a list of all ASes the route has traversed. This serves multiple purposes:

Loop Detection — If a router sees its own ASN in the AS_PATH, it rejects the route (it has already seen this route)
Path Selection — Shorter AS_PATHs are generally preferred (though other attributes can override this)
Troubleshooting — The AS_PATH reveals the Internet path between any two points
Policy Implementation — Networks can filter or prefer routes based on which ASes they traverse

Example AS_PATH: AS174 AS3356 AS15169

This route entered our network from AS174 (Cogent)
Originally came from AS3356 (Lumen)
And originates from AS15169 (Google)

AS Path Analysis Example
AS Number	Organization	Role in Path
AS15169	Google	Origin AS — where the prefix is advertised from
AS3356	Lumen/CenturyLink	Transit AS — received from Google, passed to Cogent
AS174	Cogent	Transit AS — received from Lumen, passed to our network
AS64500 (ours)	Our Organization	Destination AS — where we receive the route

Internet Mapping Projects

Organizations like CAIDA (Center for Applied Internet Data Analysis) continuously map AS-level Internet topology using BGP data, traceroutes, and inference techniques. These maps reveal the Internet's structure, identify critical paths and potential single points of failure, and help researchers understand Internet resilience and evolution.

Autonomous Systems and Routing Security

Autonomous Systems are not just organizational units; they're also security boundaries. Understanding AS-level security is increasingly critical as routing attacks become more sophisticated.

Common AS-Level Security Concerns

•BGP Hijacking — A malicious or misconfigured AS announces prefixes it doesn't own, redirecting traffic. Famous incidents include Pakistan Telecom (AS17557) hijacking YouTube in 2008, or more recently nation-state actors redirecting cryptocurrency traffic.
•Route Leaks — An AS incorrectly announces routes learned from one peer to another, often because of missing filters. In 2019, a small ISP (AS396531) leaked routes through Verizon, causing widespread outages.
•AS Path Manipulation — Attackers insert fake ASNs into paths to bypass filters or hide their identity.
•Traffic Analysis — Adversaries study AS paths to identify surveillance opportunities or attack vectors.
•Sub-prefix Hijacking — Announcing more specific prefixes than legitimate owners to attract traffic (more specific routes are preferred in BGP).

Securing the Routing System:

The Internet community has developed several mechanisms to improve routing security:

RPKI (Resource Public Key Infrastructure):

Cryptographically binds ASNs to the prefixes they're authorized to announce
Route Origin Authorizations (ROAs) are signed attestations that a specific AS can originate specific prefixes
Routers can validate incoming routes against RPKI and reject unauthorized announcements
Adoption has grown significantly, with major networks now performing RPKI validation

BGPsec:

Extends RPKI to cryptographically sign AS_PATH, preventing path manipulation
Still in early deployment due to computational overhead and operational complexity

IRR (Internet Routing Registry):

Databases where ASes document their routing policies
Used to generate prefix filters and validate route announcements
Less secure than RPKI (not cryptographic) but widely used

BGP Community Best Practices:

Using BGP communities to tag routes and implement consistent filtering
MANRS (Mutually Agreed Norms for Routing Security) promotes coordinated security practices

Real-World Impact of AS Security Failures

In April 2018, attackers briefly hijacked Amazon's Route 53 DNS service by announcing its IP prefixes from a different AS, redirecting cryptocurrency users to phishing sites. In 2020, large-scale BGP anomalies attributed to state actors highlighted the ongoing vulnerability of inter-domain routing. As network engineers, understanding AS security isn't optional—it's essential.

When Do You Need an ASN?

Not every organization needs its own ASN. Understanding when an ASN is necessary (vs. when simpler solutions suffice) is an important practical skill for network architects.

You Likely NEED an ASN When:

•Connecting to multiple ISPs with distinct routing policies (true multihoming)
•Participating in an Internet Exchange Point (IXP)
•Operating as an Internet Service Provider yourself
•Requiring traffic engineering control over inbound routes from multiple sources
•Running a Content Delivery Network or large-scale web infrastructure
•Needing to announce your own IP space independently from any single provider

You DON'T Need an ASN When:

•Single-homed to one ISP only
•Using provider-assigned (PA) IP addresses from your ISP
•Multi-ISP redundancy is handled by your provider (cloud providers, managed services)
•Running a small/medium business with basic Internet connectivity needs
•Content is primarily accessed via CDN (they handle the routing complexity)
•SD-WAN or overlay solutions provide the redundancy you need at higher layers

The Process of Obtaining an ASN:

Determine eligibility — You generally need to demonstrate that you'll be multihomed and have a legitimate routing policy need
Apply through your RIR — Contact ARIN, RIPE, APNIC, LACNIC, or AFRINIC depending on your location
Provide documentation — Existing network information, justification for the ASN, and technical contacts
Pay applicable fees — RIRs charge annual fees for ASN maintenance (and often for IP allocation)
Configure BGP — Once assigned, configure your routers to use the ASN in BGP sessions

For organizations that need BGP but not a globally unique ASN, private ASNs can be used with upstream providers who strip them before advertising routes to the Internet. This is common in enterprise environments with single or limited provider connectivity.

Cost-Benefit Analysis

Obtaining and maintaining an ASN involves both direct costs (RIR fees, typically hundreds to thousands of dollars annually) and operational complexity (BGP expertise, monitoring, security). For many organizations, using provider-managed services or private ASNs with a single provider is more practical. Reserve public ASNs for situations where true multi-homing and routing control are business-critical.

Summary: The Foundation of Internet Routing

We've explored the foundational concept that makes the Internet's global routing architecture possible. Let's consolidate the key insights:

Key Takeaways

•An Autonomous System is the Internet's unit of independent routing — A collection of networks under unified administrative control presenting a coherent routing policy to the world.
•ASNs uniquely identify each AS globally — 16-bit (legacy) and 32-bit ASNs enable BGP to track routes across the Internet's AS topology.
•ASes come in different types — Stub (single-homed), multihomed (non-transit), and transit ASes play different roles in the Internet hierarchy.
•Internal AS structure can be complex — Large ASes use core/edge architecture, route reflectors, and sophisticated designs to scale.
•AS boundaries are security boundaries — BGP hijacking, route leaks, and path manipulation are real threats; RPKI and other tools help mitigate them.
•Not everyone needs a public ASN — Private ASNs and provider-managed solutions cover many use cases without the complexity of independent Internet routing.

What's Next:

With a solid understanding of Autonomous Systems, we're now ready to explore IGP protocols—the interior gateway protocols that govern routing within an AS. Understanding how OSPF, IS-IS, and EIGRP work internally prepares us to see why they're fundamentally different from exterior protocols like BGP, and why both categories exist.

Page Complete

You now understand Autonomous Systems—the Internet's fundamental organizational and routing domain. This knowledge is essential for everything that follows: IGP versus EGP distinctions, protocol selection decisions, and understanding how packets traverse the global Internet. Next, we'll delve into IGP protocols that handle routing within an AS.

1 / 5

Loading learning content...

Computer NetworksInterior vs Exterior

Interior vs Exterior: Understanding IGP and EGP

LevelIntermediate

Duration60 mins

TopicInterior vs Exterior

1 / 5

Autonomous Systems

The Internet's Organizational Unit

How does this work?

What You Will Learn

Defining Autonomous Systems

"A connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy."

Let's break this definition into its essential components:

Key Characteristics of an Autonomous System

•Single Administrative Control — An AS is managed by one organization (though large organizations may have multiple ASes). This could be an Internet Service Provider (ISP), a large enterprise, a university, a government agency, or a cloud provider.
•Connected IP Prefixes — The networks within an AS are interconnected. This doesn't mean every router connects to every other router, but there must be internal connectivity so traffic can flow between all parts of the AS.
•Unified Routing Policy — Perhaps most critically, an AS appears to the outside world as a coherent entity with a single routing policy. Internal routing decisions are invisible to external networks; only the aggregate behavior matters.
•Unique Global Identifier — Each AS is assigned a globally unique number called an Autonomous System Number (ASN), which identifies it in inter-domain routing protocols like BGP.

The City-State Analogy

Why Not One Big Network?

You might wonder: why not just have one massive interconnected network? The answer involves multiple dimensions:

Administrative Reality — The Internet grew organically from thousands of independent networks. No single entity owns or can feasibly manage the entire infrastructure.
Scalability — A flat global routing table tracking every individual network would be impossibly large. Grouping networks into ASes enables route aggregation and manageable table sizes.
Policy Independence — Different organizations have different needs. An ISP prioritizes traffic differently than a bank, university, or content provider. AS boundaries enable policy autonomy.
Fault Isolation — Problems within one AS (configuration errors, hardware failures, attacks) are contained and don't cascade globally.
Business Relationships — ASes are often commercial entities. The AS abstraction enables peering agreements, transit relationships, and the economic model of the Internet.

Autonomous System Numbers (ASNs)

ASN Structure and Allocation:

ASN Allocation Ranges
Range	Type	Description
0	Reserved	Not valid for use in routing
1 – 64,495	Public 16-bit	Globally unique ASNs assigned by Regional Internet Registries (RIRs)
64,496 – 64,511	Documentation	Reserved for documentation and examples (RFC 5398)
64,512 – 65,534	Private 16-bit	For private use within an organization, not routed externally
65,535	Reserved	Reserved, not valid for use
65,536 – 4,199,999,999	Public 32-bit	Extended ASN space for global assignment
4,200,000,000 – 4,294,967,294	Private 32-bit	Extended private ASN range
4,294,967,295	Reserved	Reserved, not valid for use

Who Assigns ASNs?

Autonomous System Numbers are allocated hierarchically:

IANA (Internet Assigned Numbers Authority) — Allocates large blocks of ASNs to Regional Internet Registries.
Regional Internet Registries (RIRs) — Five RIRs serve different geographic regions:
- ARIN — North America
- RIPE NCC — Europe, Middle East, Central Asia
- APNIC — Asia-Pacific
- LACNIC — Latin America and Caribbean
- AFRINIC — Africa
Local/National Internet Registries (LIRs/NIRs) — In some regions, national registries handle local allocations.

Private ASNs in Practice

Notable ASNs:

Some ASNs are well-known in the networking community:

ASN	Organization	Significance
AS7922	Comcast	One of the largest US ISPs
AS15169	Google	Major content provider and cloud services
AS32934	Facebook/Meta	Social media giant
AS16509	Amazon/AWS	Dominant cloud provider
AS8075	Microsoft	Azure cloud and enterprise services
AS13335	Cloudflare	Major CDN and security provider
AS3356	Lumen/CenturyLink	One of the largest backbone providers
AS174	Cogent	Major Tier 1 backbone provider
AS6939	Hurricane Electric	Large global network with extensive IPv6

These ASNs appear frequently in traceroutes, BGP feeds, and network analysis, making them familiar landmarks in the Internet's topology.

Types of Autonomous Systems by Connectivity

Primary AS Classifications

•Stub AS (Single-homed) — Connected to exactly one other AS. All traffic enters and exits through a single point. Most enterprise networks and small organizations fall into this category. Stub ASes typically don't need a public ASN because they don't make independent routing decisions visible externally.
•Multihomed AS (Non-transit) — Connected to multiple ASes for redundancy or performance, but does NOT allow traffic from one AS to transit through to another. This is common for enterprises that want backup connectivity but don't want to be part of the transit infrastructure.
•Transit AS — Allows traffic from one connected AS to pass through to reach another AS. Transit ASes are the "highways" of the Internet. Internet Service Providers are typically transit ASes—they carry traffic not just to/from their own customers but between other networks.
•**Internet Exchange Point (IXP) ** — Technically not an AS type but a critical infrastructure where multiple ASes interconnect. Major IXPs like DE-CIX, AMS-IX, and Equinix facilitate peering between hundreds of networks.

Converting Mermaid diagram...

The ISP Tier System:

Transit ASes are often categorized into tiers based on their position in the Internet hierarchy:

Tier 1 ISPs:

Can reach any destination on the Internet without paying for transit
Peer with all other Tier 1 networks (settlement-free peering)
Examples: Lumen (AS3356), Cogent (AS174), NTT (AS2914), Telia (AS1299)
There are approximately 15-20 Tier 1 networks globally

Tier 2 ISPs:

Purchase transit from at least one Tier 1 provider
Also engage in peering with other networks
May sell transit to smaller networks
Most large regional and national ISPs are Tier 2

Tier 3 ISPs:

Purely purchase transit from upstream providers
Don't engage in significant peering
Local or specialized service providers

This hierarchical structure creates a scalable architecture where routing complexity is concentrated at higher tiers, while lower tiers can operate with simpler configurations.

Transit vs. Peering Economics

Internal Structure of an Autonomous System

Core Components

•Core/Backbone Routers — High-capacity routers that form the AS's internal backbone, moving traffic between regions
•Edge/Access Routers — Connect customers or peers to the AS, applying ingress and egress policies
•Border Routers (ASBR) — AS Boundary Routers connecting to external ASes, running BGP externally
•Route Reflectors — Reduce iBGP mesh complexity by reflecting routes between internal BGP peers
•Distribution Routers — Aggregate traffic from access layer before sending to core

Design Considerations

•Redundancy — Multiple paths between any two points to handle failures
•Scalability — Architecture that grows gracefully with traffic and nodes
•Latency — Minimizing hop count and distance for time-sensitive traffic
•Cost — Balancing performance against infrastructure and transit costs
•Security — Filtering, access control, and DDoS mitigation at boundaries

Interior vs. Exterior Routing within an AS:

Internal BGP (iBGP):

iBGP peers don't advertise routes learned from other iBGP peers (loop prevention)
This means iBGP requires either a full mesh of peerings or route reflectors
iBGP uses the IGP to determine the next-hop reachability

This separation—IGP for internal reachability, iBGP for external route distribution—is fundamental to scalable AS design.

Route Reflectors and Confederation

Autonomous Systems in the Real World

To ground these concepts, let's examine how Autonomous Systems manifest in real Internet operations and why network engineers care deeply about AS topology.

Looking Up ASN Information:

Several tools and databases provide AS information:

WHOIS databases — RIRs maintain WHOIS servers with ASN ownership information
BGP Looking Glass servers — Show live BGP routes and AS paths from various vantage points
PeeringDB — Community database of interconnection information
Hurricane Electric BGP Toolkit — Comprehensive AS information and statistics
RIPE RIS and RouteViews — BGP route collection projects for research and monitoring

AS Path Lookup Example
Bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Use 'whois' to look up an ASN
$ whois -h whois.radb.net AS15169
 
# Sample output:
aut-num:    AS15169
as-name:    GOOGLE
org:        ORG-GOOGLE
descr:      Google LLC
admin-c:    GOGL
tech-c:     GOGL
import:     from AS-ANY accept ANY
export:     to AS-ANY announce AS-GOOGLE
remarks:    Peering information: https://peering.google.com
 
# Traceroute showing AS path
$ traceroute -A google.com
 1  192.168.1.1 (AS0)           1.2 ms
 2  10.0.0.1 [AS7922]           5.3 ms    # Comcast
 3  68.85.x.x [AS7922]          8.1 ms    # Comcast core
 4  96.110.x.x [AS7922]        12.4 ms    # Comcast edge
 5  72.14.x.x [AS15169]        15.2 ms    # Enter Google
 6  142.251.x.x [AS15169]      16.8 ms    # Google destination

BGP AS_PATH Attribute:

When BGP advertises a route, it includes the AS_PATH—a list of all ASes the route has traversed. This serves multiple purposes:

Loop Detection — If a router sees its own ASN in the AS_PATH, it rejects the route (it has already seen this route)
Path Selection — Shorter AS_PATHs are generally preferred (though other attributes can override this)
Troubleshooting — The AS_PATH reveals the Internet path between any two points
Policy Implementation — Networks can filter or prefer routes based on which ASes they traverse

Example AS_PATH: AS174 AS3356 AS15169

This route entered our network from AS174 (Cogent)
Originally came from AS3356 (Lumen)
And originates from AS15169 (Google)

AS Path Analysis Example
AS Number	Organization	Role in Path
AS15169	Google	Origin AS — where the prefix is advertised from
AS3356	Lumen/CenturyLink	Transit AS — received from Google, passed to Cogent
AS174	Cogent	Transit AS — received from Lumen, passed to our network
AS64500 (ours)	Our Organization	Destination AS — where we receive the route

Internet Mapping Projects

Autonomous Systems and Routing Security

Autonomous Systems are not just organizational units; they're also security boundaries. Understanding AS-level security is increasingly critical as routing attacks become more sophisticated.

Common AS-Level Security Concerns

•BGP Hijacking — A malicious or misconfigured AS announces prefixes it doesn't own, redirecting traffic. Famous incidents include Pakistan Telecom (AS17557) hijacking YouTube in 2008, or more recently nation-state actors redirecting cryptocurrency traffic.
•Route Leaks — An AS incorrectly announces routes learned from one peer to another, often because of missing filters. In 2019, a small ISP (AS396531) leaked routes through Verizon, causing widespread outages.
•AS Path Manipulation — Attackers insert fake ASNs into paths to bypass filters or hide their identity.
•Traffic Analysis — Adversaries study AS paths to identify surveillance opportunities or attack vectors.
•Sub-prefix Hijacking — Announcing more specific prefixes than legitimate owners to attract traffic (more specific routes are preferred in BGP).

Securing the Routing System:

The Internet community has developed several mechanisms to improve routing security:

RPKI (Resource Public Key Infrastructure):

Cryptographically binds ASNs to the prefixes they're authorized to announce
Route Origin Authorizations (ROAs) are signed attestations that a specific AS can originate specific prefixes
Routers can validate incoming routes against RPKI and reject unauthorized announcements
Adoption has grown significantly, with major networks now performing RPKI validation

BGPsec:

Extends RPKI to cryptographically sign AS_PATH, preventing path manipulation
Still in early deployment due to computational overhead and operational complexity

IRR (Internet Routing Registry):

Databases where ASes document their routing policies
Used to generate prefix filters and validate route announcements
Less secure than RPKI (not cryptographic) but widely used

BGP Community Best Practices:

Using BGP communities to tag routes and implement consistent filtering
MANRS (Mutually Agreed Norms for Routing Security) promotes coordinated security practices

Real-World Impact of AS Security Failures

When Do You Need an ASN?

Not every organization needs its own ASN. Understanding when an ASN is necessary (vs. when simpler solutions suffice) is an important practical skill for network architects.

You Likely NEED an ASN When:

•Connecting to multiple ISPs with distinct routing policies (true multihoming)
•Participating in an Internet Exchange Point (IXP)
•Operating as an Internet Service Provider yourself
•Requiring traffic engineering control over inbound routes from multiple sources
•Running a Content Delivery Network or large-scale web infrastructure
•Needing to announce your own IP space independently from any single provider

You DON'T Need an ASN When:

•Single-homed to one ISP only
•Using provider-assigned (PA) IP addresses from your ISP
•Multi-ISP redundancy is handled by your provider (cloud providers, managed services)
•Running a small/medium business with basic Internet connectivity needs
•Content is primarily accessed via CDN (they handle the routing complexity)
•SD-WAN or overlay solutions provide the redundancy you need at higher layers

The Process of Obtaining an ASN:

Determine eligibility — You generally need to demonstrate that you'll be multihomed and have a legitimate routing policy need
Apply through your RIR — Contact ARIN, RIPE, APNIC, LACNIC, or AFRINIC depending on your location
Provide documentation — Existing network information, justification for the ASN, and technical contacts
Pay applicable fees — RIRs charge annual fees for ASN maintenance (and often for IP allocation)
Configure BGP — Once assigned, configure your routers to use the ASN in BGP sessions

Cost-Benefit Analysis

Summary: The Foundation of Internet Routing

We've explored the foundational concept that makes the Internet's global routing architecture possible. Let's consolidate the key insights:

Key Takeaways

•An Autonomous System is the Internet's unit of independent routing — A collection of networks under unified administrative control presenting a coherent routing policy to the world.
•ASNs uniquely identify each AS globally — 16-bit (legacy) and 32-bit ASNs enable BGP to track routes across the Internet's AS topology.
•ASes come in different types — Stub (single-homed), multihomed (non-transit), and transit ASes play different roles in the Internet hierarchy.
•Internal AS structure can be complex — Large ASes use core/edge architecture, route reflectors, and sophisticated designs to scale.
•AS boundaries are security boundaries — BGP hijacking, route leaks, and path manipulation are real threats; RPKI and other tools help mitigate them.
•Not everyone needs a public ASN — Private ASNs and provider-managed solutions cover many use cases without the complexity of independent Internet routing.

What's Next:

Page Complete

1 / 5