BGP guide for a quick and easy start
BGP.cat Internet Protocol Border Gateway Protocol

BGP Guide

Preface

This guide will help you get started and expand your Border Gateway Protocol (BGP) network. We explain how to create a user account with the RIPE NCC . In addition, we show you how to create a maintainer, a role or person, and an organization in the RIPE database . These will be needed later for ordering an Autonomous System Number (ASN) , as well as IP assignments (IP subnets). Furthermore, we will show you how to order and administer your own IPv4 and IPv6 subnets (addresses).

You will also learn how to create and edit route objects in the RIPE database. We will also cover the topic of security and explain how you can easily protect yourself against prefix hijacking using RPKI (ROA). We will then finish the basic installation by setting up the IP Transit service using BGP session.

In the following steps we will explain the advantages of Internet exchange points and how to extend your network quickly and easily with our IX-Server offers . We will also show you the advantages of the PeeringDB website. In addition, you will learn how to create a domain object in the RIPE database to set up Reverse DNS (resolution of IP addresses to DNS names) for your network.

RIPE Objects

In order to be assigned Internet resources such as Autonomous System Numbers (ASNs) and IP subnets (IPv4 & IPv6 ), you must create an organization (ORG) in the RIPE NNC database. To be able to administer objects (like your ORG) in the RIPE database, you need a maintainer (MNT), because all objects in the RIPE database can only be edited by maintainers. RIPE user accounts are assigned to a maintainer (SSO). Alternatively, you could also store a password for the MNT.

Create RIPE NCC user account

First create a RIPE NCC user account (SSO) by clicking here .

Now fill in all the fields to create a new user account with RIPE NNC. You will then receive a verification link via email. Confirm your email address by clicking on the link.

Your user account is now activated and you can log in now

Create maintainer

Now create a role and maintainer pair by clicking here . Now choose a name for your maintainer. Note that this must end with -MNT. We use JOHNDOE-MNT.

Now give your role a meaningful name. Alternatively, you can create a person instead of a role. We have created a role with the name John Doe NOC (Network Operations Center). Enter your address, as well as e-mail address or for person objects, your phone number.

Now you can submit the data.

After you have successfully created the objects, the identifiers of the objects are displayed, nic-hdl for roles and mntner for supervisors. It is best to make a note of these identifiers, as you will need them later.

Create organization

As mentioned earlier, Autonomous Systems and IP subnets are assigned to an organization. This has several advantages, firstly you will receive Abuse requests to your stored email address and secondly you can track which Internet resources are used by your organization.

Now create an organization by creating a new object in the RIPE NCC database or by clicking here .

In the first field, specify the maintainers (maintainer) who are allowed to manage your organization. Your maintainer (MNT) has already been entered automatically. Additional maintainers are usually not required. Note that maintainers (MNT) who are entered in the mnt-by field can edit and also delete them. Therefore, only enter maintainers (MNT) that you trust.

Now enter the name of your company or your name in org-name. Note that this name must match the name on the commercial register excerpt or identity card. Enter the address, i.e. your postal address. A contact e-mail address is also required.

At abuse-c you have to enter your Abuse-Handle. Since you have not yet created an Abuse handle, click the bell icon on the right to create a new Abuse contact. Enter your Abuse email address in the field and click submit.

In the mnt-ref field, maintainers (MNT) are entered which are allowed to refer to your organization. This is required, for example, to assign IPv4 and IPv6 subnets to your organization. Enter your maintainer (MNT) and our maintainer SBMT by clicking on the arrow icon at the right side of mnt-ref to duplicate the line. You now create your organization by clicking Submit.

RIPE Objects

Maintainer MNT JOHNDOE-MNT
Role Role JDN61-RIPE
Organisation ORG ORG-JD109-RIPE

Autonomous System

What is an Autonomous System (AS)?

The Internet is a network that consists of several networks. Autonomous Systems are the large networks that make up the Internet and have a unified routing policy. Every device or computer connected to the Internet is in an Autonomous System (AS).

A autonomous system can be compared to a post office. Mail is routed from post office to post office until it reaches the correct post office. The appropriate post office then delivers the mail to the appropriate address.

Data packets similarly traverse the Internet by being routed from autonomous system to autonomous system until they reach the autonomous system (AS) that contains the destination IP address.

Autonomous System Number

Offers

ASN 16bit IPv6 /44 BundleASN 32bit IPv6 /44 Bundle
Price 75.00 CHFAnnually 75.00 CHFAnnually
Setup 5,000.00 CHFOne-off 60.00 CHFOne-off
Availability5m5m
IPv6 /44 /44
RPKI
Region RIPE RIPE

What is an Autonomous System Number?

An autonomous system number is a unique identifier (number) that is globally available and allows the autonomous system to exchange routing information with other systems.

AS numbers (ASNs), are unique 16 bit numbers between 1 and 65534 or 32 bit numbers between 131072 and 4294967294..

What is an AS routing policy?

An AS routing policy is a list of the IP address space that the autonomous system controls and a list of the other autonomous systems to which it is connected. This information is required for routing packets to the correct networks. This information is advertised by autonomous systems to the Internet via the Border Gateway Protocol (BGP).

How is the assignment process?

1. Order

Choose the right product for your needs from our portfolio.
Autonomous System Number
IPv4 Prefixes
IPv6 Prefixes

2. Agreement

After you complete the order and payment process, you will automatically receive an email containing the End User Assignment Agreement (EUAA) PDF document.

3. Signature

Please read, sign and return the End User Assignment Agreement PDF document with a copy of your ID card or passport.

4. Verification

Once we receive all the required documents, we will review them and submit them to RIPE NCC via a secure connection.

5. Processing

Subsequently, your request will be verified and processed at RIPE. This process usually takes two to three business days. Please note that we have no influence on this processing time.

6. Clarify questions

In special cases (usually with Provider Independent address space) RIPE still has some questions. In this case we will contact you by e-mail to clarify these open questions.

7. Allocation

As soon as all questions have been answered and documents have been submitted and RIPE has accepted your application, you will be assigned the corresponding Internet resource and confirmed by e-mail.

8. Administration

You can manage your Internet resources at any time via the web interface or the RIPE database.

Cloud Manager
RIPE Database

IPv4 & IPv6 Prefixes

Every network needs IP addresses, of course. Bevor Sie sich ein Subnetz mieten, sollten Sie ungefähr wissen, für welchen Zweck Sie dieses verwenden möchten. This is important to determine the size of the network. For example, if you want to operate multiple sites, you must expect at least one 24 for IPv4 and one 48 for IPv6 per site. Smaller subnets (larger network macs) are filtered by most ISPs and thus will not be routed on the Internet. If your sites are interconnected, you can of course use smaller subnets and route them internally.

A good network design is therefore very important. Here's an example:
Let's say you want to build an anycast network to run a content delivery network (CDN) and domain name services (DNS). This means you need at least a /48 IPv6 and /24 IPv4 subnet. You have virtual, dedicated or whole colocation racks in 4 locations (Switzerland, Germany, Netherlands and the United States). So you need one /48 IPv6 and/or one /24 IPv4 per site. So you need at least 5 subnets:

Size Country Usage
/48Anycast
/48Switzerland Infrastructure
/48Germany Infrastructure
/48Netherlands Infrastructure
/48United States Infrastructure
/48Reserved

In this case, you need at least one /45 IPv6 or /21 IPv4 subnet. However, you will have only one /48 IPv6 available for the future and would have to rent another subnet in case of greater demand. Therefore we recommend our customers to rent at least one /44 IPv6 subnet. A /44 IPv6 sunnet can be divided into 16 /48 subnets. For the calculation of IPv4 and IPv6 subnets, we recommend our subnet calculator .

Offers

IPv4 Prefixes

IPv4 Prefixes

We lease IPv4 PA subnets to organizations that need IPv4 addresses immediately and take too long to allocate IPv4 addresses under the current waiting list policy.

Details
IPv6 Prefixes

IPv6 Prefixes

We rent IPv6 PA subnets and support you with the registration of IPv6 PI subnets, which are assigned directly by the RIPE NCC. With us you can choose your IPv6 PA by yourself.

Details

Difference between PA and PI IP address space

For both IPv4 and IPv6, there are two different types of allocations. PI (Provider Independent), and PA (Provider Aggregatable). The main difference is in the assignment and usage. PI address allocations are assigned directly by the RIPE NCC to end users. With PA address allocations, a larger address space (usually 29 or 32) is allocated to the provider (LIR) . This provider in turn assigns them to end users. PI addresses may only be used by the end user and may not be assigned or rented to other users. For PA addresses, the provider decides for which purpose you may use these addresses. Usually there are no special requirements or restrictions here. One disadvantage of PA addresses may be that you cannot easily change providers without changing your IP addresses. However, IPv4 PI address assignments are no longer assigned due to IPv4 runout.

Description Provider Aggregatable (PA) Provider Independent (PI)
OwnershipService ProviderCustomer
Address Block Size/29 - /128/32 - /48
IP Address AssignmentLocal Internet RegistryRIPE NCC
Transfer
Pricefrom 15.00 CHF Annuallyfrom 150.00 CHF Annually

Order IPv4 or IPv6 subnet

To help you remember your IPv6 subnets, we offer our customers the option to select the parent subnet themselves. This way your new IPv6 address range will be assigned automatically from the selected subnet. Let's say you order a /44 subnet and select the subnet 2001:db8::/32, then you will get the next free address range, for example 2001:db8:d40::/44.

Then enter a network name (Netname) for your IPv4 or IPv6 subnet. This must not contain any spaces or special characters. An example would be EU-JOHNDOE-20241106, where EU corresponds to the country code ISO 3166 Alpha 2.

You can select a free text as description. This attribute is also used as a network name by some tools, like the BGP Toolkit .

Select the country in which you want to use your subnet. If you use your subnet in several countries, it is recommended to select EU as the country and then later create a smaller /48 subnet with the corresponding country for the individual locations.

Now specify your RIPE objects, which you have already created before. Use the nic-hdl of your role or person object as Admin-C and Tech-C. Click Next to add your subnet to the shopping cart.

Order IPv4 or IPv6 subnet
Order IPv4 or IPv6 subnet

Administer IPv4 or IPv6 assignment

To read this guide in full, you must be a customer and logged in with your user account. If you are already a customer, you can sign in here.
Administer IPv4 or IPv6 assignment
Administer IPv4 or IPv6 assignment

Divide IPv4 and IPv6 subnets

To read this guide in full, you must be a customer and logged in with your user account. If you are already a customer, you can sign in here.
Administer IPv4 or IPv6 assignment
Administer IPv4 or IPv6 assignment

Administer IPv4 or IPv6 assignment

Route Objects

To read this guide in full, you must be a customer and logged in with your user account. If you are already a customer, you can sign in here.
RADbcommercial
ALTDBfree of charge
NTTCOMNTT customers only
Please note that some ISPs do not support these databases due to abuse. These databases can also be misused to associate IPv4 and IPv6 assignments with an Autonomous System Number, although they are not authorized to do so.
Securebit AG only uses the IRR databases of the RIRs. You should therefore register your assignments in the IRR databases if possible. If this is not possible, please contact our support and send us a Letter of Authorization. We will then manually add your assignments to our filter lists.
To read this guide in full, you must be a customer and logged in with your user account. If you are already a customer, you can sign in here.

Create Route and Route6 objects

The route and route6 attributes describe the network address for IPv4 or IPv6, and the origin attribute describes the Autonomous System that is authorized to announce the assignment. To create the route objects, follow the links to the RIPE NCC database:

To read this guide in full, you must be a customer and logged in with your user account. If you are already a customer, you can sign in here.
Create Route and Route6 objects
Create Route and Route6 objects

Route Origin Authorisation

Resource Public Key Infrastructure (RPKI) is a cryptographic method for signing route objects that associate the announcement of a BGP route with the original AS number. RPKI is defined in RFC6480 . To counter prefix hijacking abuse, the Resource Public Key Infrastructure was developed. This public key infrastructure is based on X.509 certificates and is specifically designed to secure Internet routing. Each Local Internet Registry (LIR) can have a resource certificate issued that lists all the Internet resources (AS numbers and IP prefixes) assigned to it. This certificate can then in turn be used to generate Route Origin Authorizations, which make it possible to cryptographically verify the validity of an announcement.

Create RPKI (ROA)

To read this guide in full, you must be a customer and logged in with your user account. If you are already a customer, you can sign in here.
Create RPKI (ROA)
Create RPKI (ROA)
Create RPKI (ROA)

IP-Transit

In order to announce routes using BGP, you need an upstream provider to establish a BGP session and exchange routes. This service is called IP transit. We offer IP-Transit with our virtual and dedicated servers, as well as our Internet tunnels:

VPS ZUR Internet Tunnel VPS FRE
Price 16.50 CHFMonthly 15.00 CHFMonthly 27.50 CHFMonthly
Setup 10.00 CHFOne-off 50.00 CHFOne-off 10.00 CHFOne-off
Availability15m15m15m
IP-Transit
Country

On our website you will find a complete list of our virtual servers (VPS) , as well as Internet Exchange (IX) Server and Internet Tunnel offerings. These are available at the following locations:

Country Region Virtual Server IX Server Internet Tunnel
Switzerland Zurich
Germany Dusseldorf
Germany Frankfurt
Netherlands Amsterdam
United Kingdom London
United States Fremont

Internet Tunnel

We offer the right solution for every requirement. Do you want to use your IPv4/IPv6 addresses on an existing private or business internet connection? Then an internet tunnel is the best choice. You enter your public IP address of your route when ordering and we create a tunnel for you, as well as the desired BGP sessions (IPv4/IPv6). Afterwards you will receive the tunnel and BGP information by e-mail.

Virtual Server

You have a DS-Lite internet connection or you want to create several tunnels by yourself? Then we recommend you a virtual server. You will receive a public IPv4 and IPv6 address with our virtual server. In addition, you will receive two BGP addresses (IPv4 and IPv6) to announce your IP assignments. You can also deploy any services, such as a web or DNS server, on your virtual server and connect them to the Internet using your own IP addresses.

IP-Transit (Webinterface)

We offer our IP-Transit customers a clear and simple web interface. No matter if you rent a virtual server or internet tunnel from us. You can immediately see the status of your BGP session and the number of routes. With a click on the line of the BGP session, it will be expanded and you will see all IPv4 or IPv6 routes and their status (accepted/filtered).

Create RPKI (ROA)

Internet Exchange

Internet Exchange (IX), also called Internet Exchange Point (IXP), are Internet exchange points where all connected members can exchange data packets. This saves costs for connections to individual providers, since an Internet Exchange (IX) can establish BGP sessions to several Internet service providers with only one physical connection.

As a rule, Internet Exchanges provide so-called route servers. With these route servers all members can connect via BGP and exchange their routes. The advantage is that you don't have to set up and establish a BGP session with every Internet service provider, because you get it from the route servers. Of course, you can also establish a direct BGP session with the members and exchange routes.

We offer virtual servers with Internet Exchange Port. You will receive a virtual server with two or more network cards. The first one will be used for normal internet traffic like all virtual servers. You will also get IP transit through it. The second one (and others, depending on the offer), are directly connected to the Internet Exchange peering network. Thus, you only need to set up your IPv6 and optionally your IPv4 address on the additional network interface. Then you can connect to the IX Route servers and exchange routes.

Country Region Internet Exchange Price Details
Zurich 4IXP
SBIX
from 16.50 CHF Monthly
10.00 CHF Setup fee

Amsterdam
London
VIXP from 0.00 CHF Monthly
5.00 CHF Setup fee

Frankfurt
Dusseldorf
DE-CIX (Frankfurt, Dusseldorf, Munich, Hamburg) from 0.00 CHF Monthly
5.00 CHF Setup fee

If you don't have any experience with the administration of virtual servers as BGP routers yet, have a look at the instructions on our website. They will explain you how to order a server, install the necessary software and configure BGP. If you have any further questions or need assistance, please do not hesitate to contact our support team.

There are also Internet Exchange Points that offer tunnels. Note that tunnel connections are more prone to failures as you do not have a direct connection to the remote peer and your data packets are routed through multiple ISPs via your local Internet connection. However, this is perfectly adequate for getting started and for small amounts of data.

Country Region Internet Exchange Price Details




Amsterdam
London
Helsinki
Fremont
Vaduz
IXP.cat Free of charge IXP.cat
Zurich 4IXP Free of charge 4IXP

PeeringDB

PeeringDB is a freely available, user-maintained, database of networks, and the go-to location for interconnection data. The database facilitates the global interconnection of networks at Internet Exchange Points (IXPs), data centers, and other interconnection facilities, and is the first stop in making interconnection decisions.

User account with PeeringDB

Registration with PeeringDB is optional. We recommend that you register with PeeringDB, create an organization, and place your Autonomous System number there. In the settings of your Autonomous System Number (ASN) you can specify the number of IPv4 and IPv6 routes. These fields are used by some providers for the prefix limit in BGP sessions. This limits the number of routes (prefixes) that your peering partners allow you to announce in their BGP session. If you exceed this limit, your BGP session is automatically shut down. This is a layer of protection against route leaks. It's best to start with a route limit of 20, which will safely cover a /44 subnet.

ARPA (RDNS)

To be able to set up reverse DNS records for your IPv4 and IPv6 assignments, you need at least two DNS servers. If you do not provide your own DNS servers, we can of course provide a suitable solution for this as well. We operate our own Anycast network in more than 20 locations on 6 continents (North America, South America, Europe, Asia, Africa and Australia), for a fast and secure resolution of your IPv4 and IPv6 addresses into DNS names. With a large number of DNS cluster servers in major cities around the world, we can guarantee low response times.

Anycast
Price5.00 CHFMonthly
Setup15.00 CHFOne-off
Availability60s
Webinterface
DDoS protection
IPv4
IPv6
Cloud Manager DNS Anycast Webinterface
DNS zones (domains)

In our Cloud Manager web interface, you can quickly and easily create new DNS zones (domains). These will be synchronized with all nodes in our Anycast Network within minutes.

Offer Webinterface Network

Create ARPA domain object

In order for your IPv4 and IPv6 addresses to be resolved into DNS names by the DNS servers, you need to store them in the RIPE database. First you should create the DNS zone for your IPv6 subnet in Cloud Manager (Webinterface) . Our ARPA tool will help you figure out the correct zone name. Let's say you have been assigned the IP subnet 2001:db8:120::/44. Then enter the network address at IPv6 address and click convert. You will now see a list of all common subnet sizes. From the list you can now see that your zone must be 2.1.0.8.b.d.0.1.0.2.ip6.arpa.

After you have created your zone in Cloud Manager, you can now create a new domain object in the RIPE database. Enter your IPv4 or IPv6 subnet and as DNS server your DNS servers. If you are using our DNS service, they are as follows:

  • a.any-cast.net
  • b.any-cast.net
  • c.any-cast.net
  • d.any-cast.net

If you see the Server is not authoritative for 2.1.0.8.b.d.0.1.0.0.2.ip6.arpa message, try saving the zone again in Cloud Manager by clicking the disk icon. Wait a few minutes and try again. If you still see the message, please create a ticket in our Cloud Manager web interface. Once you see the message Server is authoritative for 2.1.0.8.b.d.0.1.0.0.2.ip6.arpa for all DNS servers, you can save the domain object by clicking Submit.

Looking Glass

The Securebit Network Looking Glass provides you with information relative to network efficiency, backbone routing and offers you the same transparency that our customers receive in network.

The information provided by and the support of this service are on a best effort basis. You can select here some of our routers at the core locations within our network.

Looking Glass (ASNs.info)

IP-Transit

In order to announce routes using BGP, you need an upstream provider to establish a BGP session and exchange routes. This service is called IP transit. We offer IP-Transit with our virtual and dedicated servers, as well as our Internet tunnels: