Real-time BGP Visualisation with BGPlay
Note: The following article is Massimo Candela's personal initiative and does not necessarily represent the views or commitments of the RIPE NCC.
BGPlay is a web application that allows you to visualise changes in BGP routes associated with an Internet number resource (IP prefix or origin AS). It provides a graphical representation of the links across all AS paths between the BGP collection points and the target resource(s).
Without a tool like BGPlay, understanding the AS level topology from data repositories is extremely complex. The situation is even worse if the topology changes in time, like in a real inter-domain routing context. With BGPlay, you can accurately check the evolution of routing through an easy interface that allows you to analyse the topology variations introduced by BGP updates step by step.
There has always been the need for operators to understand and respond quickly to BGP issues. For this reason, v arious BGP data collection projects are moving more and more to close to real-time solutions. In addition, an evolution of the analysis and visualisation tools was also needed.
After several years, I'm happy to announce a new milestone release of the well-known BGPlay web application, which can now receive BGP messages by means of WebSocket and update the visualisation on the fly, directly in the user's browser.
Figure 1 shows the main view of the real-time release of BGPlay. The interface remained basically the same to facilitate a transparent transition to the new version. The only difference is a new icon in the control panel on the top right. This new icon enables/disables updates of the graph with the new events coming from the streaming.
Figure 1: Main view of the new BGPlay release
The main objective of this new version of the tool is that an operator can embed it in a wall-mounted monitor to see in real time the evolution of the visibility of his prefixes. In addition to that, many projects have alerting functions (e.g. for hijack auto-detection) and BGPlay real-time can enrich these reports and drastically decrease operators' reaction time.
The graphic metaphor remains the same. The origin ASes are represented as red nodes; ASes peering directly with the route collectors are the "leaf" nodes, represented in blue; any other traversed AS is shown in black. When a BGP announcement occurs, the creation of a new path connecting a set of nodes is animated. Each event involving that path triggers an animation, specific to the event type, resembling the transition to the new status. Dashed lines represent paths that have not yet been involved in any routing change (i.e., passing the same set of ASes). As soon as a path is involved in a routing change, it will switch to a coloured straight line. This approach highlights the separation between what is stable and what is changing.
There are two timelines under the main graph. The first shows the number of events over time. The second shows individual events sorted by time. In the real-time case, both timelines start empty and are filled with new samples as they come in from the streaming. The current instant is marked by the red cursor. It can be moved by clicking on one of the timelines; the graph consequently converges to the new status.
For more information about the classic BGPlay visualisation and interface, please refer to the RIPE Labs article BGPlay Integrated in RIPEstat .
When the user stops the animation of streamed events, all the new events are collected in the background. When the user starts the streaming again , the events will appear and the new BGP situation applied. The initial dump, resembling the BGP situation at start time, can be retrieved from a REST API or directly through WebSocket.
For more information about how to stream your data to BGPlay or about how to embed the widget in your HTML page, refer to the section Project Information and Source Code, below.
Demo: A hijack simulation
For a practical demonstration of the potential of this new feature of BGPlay, in collaboration with the team of the Isolario project , we simulated – and visualised, in real-time – a BGP hijacking.
You can find the video of the experiment below.
The experiment is described in the following steps:
- The monitored prefix, 10.10.10.0/24, is announced by AS 65103 and is completely visible from the various BGP collection points. All paths are stable up to now, so they are represented by dashed lines. The timelines are empty since we are not receiving BGP events yet.
- When I trigger the hijack, AS65666 starts announcing the same prefix, 10.10.10.0/24. So AS65666 will appear on the scene and some of the paths will became dynamic and start converging on that AS instead of AS 65103. The BGP events received will appear in the timelines.
- To re-establish the visibility of AS65103, I will make it announce the two more specific prefixes, 10.10.10.0/25 and 10.10.10.128/25. As a result, all the paths will converge again to AS65103.
If you want to see this version of BGPlay in action, you can log-in as a guest in the Isolario website . For now, the integration is a prototype and its stability is not guaranteed. Due to its real-time nature and the current small number of route collectors, I suggest you try one of the most active prefixes according to potaroo.net, e.g. the prefix 184.108.40.206/24 (as of 30 September 2015) .
Project Information and Source Code
BGPlay.js is an open-source project I originally developed as part of the Computer Network Research Group of Roma Tre University (Italy) in collaboration with the RIPE NCC . I'm still maintaining it in my free time and as a part of my job for the integrated version in RIPEstat .
The real-time BGPlay is totally compatible with the previous version – it just requires an upgrade of the files. Both the REST and the WebSocket solutions are easily adaptable to your dataset.
Documentation and other information about this (and other projects based on BGPlay.js) is available here .
You can embed this tool in your service for free, or share instances/screenshots, but please use proper acknowledgment as described here.