101
0/228
Loading content...
Every BGP route carries a story—the complete history of every Autonomous System it has traversed on its journey across the Internet. This story is encoded in the AS_PATH attribute, arguably the most important attribute in all of BGP.
AS_PATH is what makes BGP a path vector protocol. It enables loop prevention, influences best path selection, provides visibility for policy decisions, and serves as a fundamental tool for traffic engineering. Understanding AS_PATH deeply is essential for anyone working with BGP, whether configuring enterprise networks, operating ISP infrastructure, or designing cloud architectures.
By the end of this page, you will understand the complete structure of AS_PATH including segment types, how AS_PATH provides automatic loop prevention, how AS_PATH length influences best path selection, AS_PATH manipulation techniques for traffic engineering, and the relationship between AS_PATH and route aggregation.
The AS_PATH is a well-known mandatory attribute in BGP, meaning every BGP route must include it. Its structure is more nuanced than a simple list of AS numbers.
Attribute Basics:
| Property | Value |
|---|---|
| Type Code | 2 |
| Attribute Flags | Well-known, Mandatory, Transitive |
| Encoding | Variable length, sequence of path segments |
Path Segment Types:
AS_PATH is not just a flat list. It consists of path segments, each with a type:
| Segment Type | Code | Description |
|---|---|---|
| AS_SET | 1 | Unordered set of ASNs (used in aggregation) |
| AS_SEQUENCE | 2 | Ordered sequence of ASNs (normal path) |
| AS_CONFED_SEQUENCE | 3 | Ordered sequence within a confederation |
| AS_CONFED_SET | 4 | Unordered set within a confederation |
Most AS_PATHs you encounter consist of a single AS_SEQUENCE segment listing the ASNs in order from most recent (leftmost) to origin (rightmost).
AS_PATH Attribute Structure:+---------------------------+| Attribute Flags (1 byte) | 0x40 = well-known, transitive+---------------------------+| Attribute Type (1 byte) | 0x02 = AS_PATH+---------------------------+| Attribute Length (1-2 B) | Depends on Extended Length flag+---------------------------+| Path Segments (variable) |+---------------------------+ Path Segment Structure:+---------------------------+| Segment Type (1 byte) | AS_SEQUENCE=2, AS_SET=1+---------------------------+| Segment Length (1 byte) | Number of ASNs in segment+---------------------------+| AS Numbers (2 or 4 bytes | Each ASN in order| each, depending on 2/4 || byte AS number support) |+---------------------------+ Example: AS_PATH = 65003 65002 65001 Encoded as: Path Segment 1: Type: AS_SEQUENCE (2) Length: 3 ASNs: 65003, 65002, 65001 Reading order: 65003 is most recent; 65001 is origin2-Byte vs 4-Byte AS Numbers:
Historically, AS numbers were 16 bits (0-65535). As the Internet grew, 32-bit AS numbers (0-4,294,967,295) were introduced via RFC 6793.
BGP speakers negotiate AS number size support via the 4-byte AS Number capability in OPEN messages. When a 4-byte speaker sends to a 2-byte speaker, 4-byte ASNs are replaced with the reserved value 23456 (AS_TRANS).
AS_PATH Length Calculation:
For the BGP decision process, AS_PATH length is calculated as:
This means aggregated routes (with AS_SETs) appear shorter than they actually are—a deliberate choice to encourage aggregation.
AS_PATH is read left-to-right, with the leftmost (first) AS being the most recent/closest and the rightmost (last) being the origin. When your router advertises a route, it prepends its own AS to the left of the existing path.
AS_PATH's most critical function is automatic loop prevention. Unlike distance vector protocols that require complex mechanisms like split horizon and poison reverse, BGP's loop prevention is elegant and foolproof.
The Loop Prevention Rule:
When a BGP router receives a route, if its own AS number appears anywhere in the AS_PATH, the route is immediately discarded.
This simple rule prevents routing loops at the AS level. If AS 65002 advertises a route to AS 65003, which then somehow advertises it back toward AS 65002, the router in AS 65002 will see its own ASN in the path and reject the route.
Loop Prevention Walkthrough:
In the diagram:
No loop is formed. The cycle is broken immediately.
Why This Works So Well:
Some configurations allow routes containing your own AS using the 'allowas-in' feature. This is used in specific scenarios like hub-and-spoke VPN topologies where a customer AS appears on multiple PE routers. Using allowas-in carelessly can create loops—use with extreme caution and only when architecturally necessary.
Loop Detection vs. Loop Prevention:
It's worth distinguishing between prevention and detection:
| Approach | Mechanism | When It Acts |
|---|---|---|
| Loop Prevention | AS_PATH checking | Before route is accepted |
| Loop Detection | TTL expiry | After packets start looping |
BGP's AS_PATH provides prevention—routes that would create loops are never installed. IP's TTL mechanism provides detection—if a loop somehow forms (e.g., during convergence), TTL expiry will eventually stop the packets. Prevention is far better; TTL detection means congestion and packet loss before the problem is caught.
When a BGP router receives multiple paths to the same destination prefix, it must select the best one. AS_PATH length is a key factor in this decision, though not the most important.
The BGP Decision Process:
The complete BGP best path algorithm (simplified) considers these factors in order:
AS_PATH length is step 4—important, but overridden by weight and local preference.
AS_PATH Length Example:
Consider a router in AS 65004 receiving these paths to 10.0.0.0/8:
| Path | AS_PATH | Length | Selected? |
|---|---|---|---|
| A | 65003 65002 65001 | 3 | No |
| B | 65005 65001 | 2 | Yes |
| C | 65006 65007 65008 65001 | 4 | No |
Assuming equal weight and local preference, Path B wins because its AS_PATH is shortest.
Why Shorter Isn't Always Better:
AS_PATH length is a rough proxy for network distance, but it has significant limitations:
This is why operators use local preference (step 2) to override AS_PATH length when they have better information about path quality.
# Router receives two paths to 203.0.113.0/24 Path 1 (via ISP-A): AS_PATH: 64501 64500 Local-Pref: 100 Next-Hop: 192.0.2.1 Path 2 (via ISP-B): AS_PATH: 64502 64503 64500 Local-Pref: 150 Next-Hop: 192.0.2.2 # Decision Process:# Step 1 - Weight: Both default (0), continue# Step 2 - Local Preference: 150 > 100, Path 2 WINS# # AS_PATH length (step 4) is never evaluated because# Local Preference already determined the winner.## Even though Path 1 has shorter AS_PATH (2 vs 3),# Path 2 is selected due to higher Local Preference.## This is intentional: Local-Pref encodes operator policy,# which takes precedence over automatic AS_PATH selection.Local preference affects how your AS selects among paths you receive (inbound policy). AS_PATH manipulation (prepending) affects how other ASes view your routes (outbound traffic engineering). Remember this distinction when designing BGP policies.
AS_PATH prepending is a technique where an AS artificially lengthens the AS_PATH to make a route less attractive. This is the primary tool for influencing inbound traffic—how traffic from the Internet reaches your network.
How Prepending Works:
When advertising a route, instead of prepending your AS once (the normal behavior), you prepend it multiple times:
| Normal | Prepended |
|---|---|
| AS_PATH: 65001 | AS_PATH: 65001 65001 65001 65001 |
| Length: 1 | Length: 4 |
The receiving AS sees a longer path and, all else being equal, will prefer alternative shorter paths.
Traffic Engineering Scenario:
An enterprise with two ISP uplinks wants most inbound traffic through ISP-A (higher capacity) with ISP-B as backup:
When Internet ASes receive both advertisements:
They will prefer the shorter path through ISP-A. The enterprise's inbound traffic flows primarily through ISP-A.
Prepending Limitations:
# Cisco IOS Configuration Example # Route-map to prepend AS_PATH when advertising to backup ISProute-map BACKUP-ISP-OUT permit 10 match ip address prefix-list MY-PREFIXES set as-path prepend 65001 65001 65001 # Apply to BGP neighborrouter bgp 65001 neighbor 192.0.2.1 remote-as 65200 neighbor 192.0.2.1 route-map BACKUP-ISP-OUT out # Result: Routes advertised to 65200 will have AS_PATH:# Original: 65001# After prepend: 65001 65001 65001 65001# (your AS appears 4 times) # Best Practice: Only prepend 2-4 times# More is rarely effective and has security downsidesPrepending is a blunt instrument. Before deploying, use BGP looking glasses and route servers to verify that your intended effect will occur. If upstream ASes already have strong policies favoring one path, prepending the other won't change behavior.
When BGP aggregates multiple prefixes into a single summary route, AS_PATH handling becomes interesting. The aggregate may combine routes from different origin ASes, so the AS_PATHs of the component routes may differ.
The Aggregation Challenge:
Consider an ISP (AS 65100) that has customers in AS 65001 and AS 65002, each announcing a /24:
The ISP wants to aggregate these into 192.0.2.0/23. What should the AS_PATH be?
AS_SET Solution:
BGP uses the AS_SET segment type to represent unordered sets of ASNs that contributed to an aggregate:
# Before Aggregation:Route 1: 192.0.2.0/24, AS_PATH: 65001Route 2: 192.0.3.0/24, AS_PATH: 65002 # After Aggregation at AS 65100:Aggregate: 192.0.2.0/23, AS_PATH: 65100 {65001, 65002} # The AS_PATH has two segments:# Segment 1: AS_SEQUENCE [65100] - the aggregator# Segment 2: AS_SET {65001, 65002} - the originators # AS_SET properties:# - Unordered (no sequence implied)# - Counts as length 1 in path selection# - Preserves loop prevention (both 65001 and 65002 can detect) # If AS 65001 receives this aggregate, it will reject it because# its ASN (65001) appears in the AS_SET portion of the AS_PATH.AS_SET Counting:
For best path selection, an AS_SET counts as length 1, regardless of how many ASNs it contains:
| AS_PATH | Components | Length |
|---|---|---|
| 65100 65001 | [65100], [65001] | 2 |
| 65100 {65001, 65002} | [65100], {65001, 65002} | 2 |
| 65100 {65001, 65002, 65003, 65004} | [65100], {4 ASNs} | 2 |
This encourages aggregation by not penalizing aggregated routes.
The ATOMIC_AGGREGATE Attribute:
When creating an aggregate, the router should set the ATOMIC_AGGREGATE attribute. This signals to downstream routers that the aggregate has lost information—specific AS_PATH details have been compressed into an AS_SET.
The AGGREGATOR attribute is also set, recording:
These attributes help trace aggregates back to their source when troubleshooting.
AS_SET complicates route validation for RPKI (Resource Public Key Infrastructure). Since AS_SETs can contain multiple origin ASes, validating the origin becomes ambiguous. Many operators now filter routes with AS_SETs (RFC 6472 recommendation). Consider whether aggregation is worth the filtering consequences in your network design.
AS_PATH is a powerful tool for route filtering and security. By examining the AS_PATH, routers can enforce policies about which routes to accept or reject.
AS_PATH Access Lists:
Most BGP implementations support filtering based on AS_PATH regular expressions. Common patterns:
| Regex | Matches | Use Case |
|---|---|---|
| ^$ | Empty AS_PATH (locally originated) | Accept only my own routes |
| ^65001$ | AS_PATH = exactly [65001] | Accept only direct customer routes |
| 65001 | Any path containing 65001 | Filter routes via competitor |
| ^65001_ | Paths starting with 65001 | Accept routes from direct peer 65001 |
| _65001$ | Paths ending with 65001 (origin) | Routes originated by AS 65001 |
| 65001 | 65001 anywhere (with boundaries) | Any path transiting 65001 |
| ^[0-9]+$ | Single-AS path | Accept only direct customer routes |
| ^[0-9]+ [0-9]+$ | Two-AS path | Accept customers one hop away |
# Cisco IOS AS_PATH Access List Examples # Deny routes containing private AS numbers (64512-65535, 4200000000-4294967295)ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9]{2}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])_ip as-path access-list 10 permit .* # Accept only routes from direct customer (single-hop AS_PATH)ip as-path access-list 20 permit ^[0-9]+$ # Reject routes through known-bogon AS ip as-path access-list 30 deny _12345_ip as-path access-list 30 permit .* # Accept routes originated by specific AS (regardless of path)ip as-path access-list 40 permit _65001$ # Reject routes with excessive AS_PATH length (likely leak or attack)# This is done via route-map, checking AS_PATH length attribute # Apply to neighborrouter bgp 65000 neighbor 192.0.2.1 filter-list 10 inSecurity Applications:
AS_PATH filtering is a frontline defense against various routing threats:
1. Prefix Leaks When an AS accidentally advertises routes it shouldn't:
2. Prefix Hijacks When an AS maliciously claims ownership of another's prefixes:
3. Path Manipulation When an AS manipulates AS_PATH to attract traffic:
4. Private AS Leakage When private AS numbers (64512-65534, etc.) appear in public AS_PATH:
RPKI (Resource Public Key Infrastructure) cryptographically validates route origins. Route Origin Authorizations (ROAs) specify which ASes are authorized to originate which prefixes. When a route arrives with an AS_PATH origin that doesn't match a valid ROA, it can be marked as invalid and filtered. RPKI adoption has grown significantly since 2019 and is increasingly expected by major networks.
AS_PATH analysis is fundamental to diagnosing BGP routing problems. Here's how to use AS_PATH information effectively.
Reading AS_PATH Output:
# Example: show ip bgp 8.8.8.0/24 BGP routing table entry for 8.8.8.0/24, version 1234Paths: (3 available, best #1, table default) Advertised to update-groups: 1 2 Path 1 (best): AS_PATH: 65100 15169 Next-Hop: 192.0.2.1 Origin: IGP, localpref 100, valid, external, best Community: 65100:100 Path 2: AS_PATH: 65200 3356 15169 Next-Hop: 192.0.2.2 Origin: IGP, localpref 100, valid, external Path 3: AS_PATH: 65300 6939 15169 Next-Hop: 192.0.2.3 Origin: IGP, localpref 100, valid, external # Analysis:# - Destination AS is 15169 (Google) - rightmost in all paths# - Path 1 is best (shortest: 2 ASes)# - Path 2 goes via 3356 (Lumen) - 3 ASes# - Path 3 goes via 6939 (Hurricane Electric) - 3 ASes# - All paths have same local-pref, so AS_PATH length decidedCommon AS_PATH Problems:
| Symptom | Possible Cause | Investigation |
|---|---|---|
| Route rejected unexpectedly | Own AS in path (loop detection) | Check AS_PATH for your own ASN; check allowas-in setting |
| Suboptimal path selected | Policy override (local-pref) | Compare local-pref values; AS_PATH length is step 4 |
| Route missing after aggregation | Filtered due to AS_SET | Check if downstream filters AS_SET routes (RFC 6472) |
| Traffic not shifting after prepend | Upstream policy override | Use looking glasses to verify path from other ASes |
| Unexpected route instability | Excessive prepending amplifies churn | Reduce prepend count; verify dampening not triggered |
| Route shows private ASN | Failed AS removal by provider | Contact provider; filter private ASNs inbound |
Using Looking Glasses:
BGP Looking Glass servers allow you to see routes from other networks' perspectives. When troubleshooting AS_PATH issues:
Popular looking glass resources:
For critical prefixes, maintain documentation of expected AS_PATHs from key peers. When problems occur, comparing current AS_PATH against expected AS_PATH immediately highlights the anomaly—whether it's a hijack, a leak, or normal topology change.
AS_PATH is the attribute that makes BGP a path vector protocol. Let's consolidate what we've learned:
What's Next:
In the next page, we explore BGP Attributes comprehensively. Beyond AS_PATH, BGP carries many other path attributes that influence routing decisions. You will learn about ORIGIN, NEXT_HOP, LOCAL_PREF, MED, COMMUNITY, and more—understanding how they interact in the BGP decision process.
You now have deep understanding of AS_PATH—its structure, loop prevention role, influence on path selection, manipulation via prepending, handling in aggregation, and use in filtering. This knowledge is fundamental for configuring, troubleshooting, and securing BGP deployments. Next, we examine the full complement of BGP path attributes.