
BGP Messages

BGP uses a variety of messages for establishing the connection, exchanging
routing information, checking if the remote BGP neighbor is still there and/or
notifying the remote side if any errors occur.
To do all of this, BGP uses 4 messages:

Open Message

Update Message

Keepalive Message

Notification Message

All of these BGP messages use a fixed-size header, which includes a type field
that indicates what type of message it is.
To explain these BGP messages I will show you some Wireshark captures. I
will use the following topology for this:

Open Message
Once two BGP routers have completed a TCP 3-way handshake, they will
attempt to establish a BGP session. This is done using open messages. In the
open message you will find some information about the BGP router; these items
have to be negotiated and accepted by both routers before we can exchange
any routing information. Here are some of the items you will find in the open
message:

Version: this includes the BGP version that the router is using. The current
version of BGP is version 4, which is described in RFC 4271. Two BGP routers
will try to negotiate a compatible version; when there is a mismatch, there
will be no BGP session.

My AS: this includes the AS number of the BGP router. The routers will have
to agree on the AS number(s), and it also defines if they will be running iBGP
or eBGP.

Hold Time: if BGP doesn't receive any keepalive or update messages from
the other side for the duration of the hold time, then it will declare the other
side dead and it will tear down the BGP session. By default the hold time is
set to 180 seconds on Cisco IOS routers, and the keepalive message is sent every
60 seconds. Both routers have to agree on the hold time or there won't be a
BGP session.

BGP Identifier: this is the local BGP router ID, which is elected the same way
OSPF elects its router ID:

Use the router-ID that was configured manually with the bgp router-id
command.

Use the highest IP address on a loopback interface.

Use the highest IP address on a physical interface.

Optional Parameters: here you will find some optional capabilities of the
BGP router. This field has been added so that new features could be added to
BGP without having to create a new version. Things you might find here are:

support for MP-BGP (Multi Protocol BGP).

support for Route Refresh.

support for 4-octet AS numbers.

Here's an example of a Wireshark capture of an open message between R1
and R2:

Above you can see the open message from R1 to R2. You can see the things
that we discussed: the BGP version, AS number, hold time, BGP ID and the
optional parameters (MP-BGP and route refresh). The marker field on top is
used to indicate if we use MD5 authentication or not. When it's filled with 1s
then we are not using authentication.
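
The header and OPEN fields described above can be decoded and validated in a few lines. The following Python parser is an added example, not code from the original article; the sample bytes are constructed (AS 1, hold time 180 and router ID 1.1.1.1 are assumed values), and it rejects a marker that is not all ones, as RFC 4271 specifies.

```python
import ipaddress
import struct

MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
CAPABILITIES = {1: "MP-BGP", 2: "Route Refresh", 65: "4-octet AS"}

def parse_header(msg):
    """Validate the fixed 19-byte header and return (type name, body)."""
    if len(msg) < 19:
        raise ValueError("shorter than the 19-byte header")
    marker, length, mtype = struct.unpack("!16sHB", msg[:19])
    if marker != b"\xff" * 16:            # RFC 4271: marker must be all ones
        raise ValueError("marker is not all ones")
    if not 19 <= length <= 4096 or length != len(msg):
        raise ValueError("length field does not match the message")
    if mtype not in MSG_TYPES:
        raise ValueError("unknown message type")
    return MSG_TYPES[mtype], msg[19:]

def parse_open(body):
    """Decode the OPEN fields named in the text; reject malformed input."""
    if len(body) < 10:
        raise ValueError("OPEN body too short")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
    if version != 4:
        raise ValueError("unsupported BGP version")
    if hold in (1, 2):                    # RFC 4271: zero, or at least 3 seconds
        raise ValueError("unacceptable hold time")
    if 10 + opt_len != len(body):
        raise ValueError("optional parameter length mismatch")
    caps, params, i = [], body[10:], 0
    while i < len(params):                # each parameter: type, length, value
        if i + 2 > len(params) or i + 2 + params[i + 1] > len(params):
            raise ValueError("optional parameter overruns the field")
        ptype, pval = params[i], params[i + 2:i + 2 + params[i + 1]]
        i, j = i + 2 + len(pval), 0
        while ptype == 2 and j < len(pval):   # parameter type 2 = Capabilities
            if j + 2 > len(pval) or j + 2 + pval[j + 1] > len(pval):
                raise ValueError("capability overruns the parameter")
            caps.append(CAPABILITIES.get(pval[j], f"capability {pval[j]}"))
            j += 2 + pval[j + 1]
    return {"version": version, "my_as": my_as, "hold_time": hold,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "capabilities": caps}

# Constructed sample, not a capture from the page: AS 1, hold 180, ID 1.1.1.1.
PARAMS = bytes.fromhex("0206010400010001" "02020200")   # MP-BGP, route refresh
HDR = b"\xff" * 16 + struct.pack("!HB", 29 + len(PARAMS), 1)
SAMPLE_OPEN = HDR + struct.pack("!BHH4sB", 4, 1, 180, b"\x01" * 4, len(PARAMS)) + PARAMS
```

Calling `parse_open(parse_header(SAMPLE_OPEN)[1])` returns the decoded fields as a dictionary; any length field that does not match the bytes actually received raises `ValueError` instead of being trusted.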

Update Message
Once two routers have become BGP neighbors, they can start exchanging
routing information. This is done with the update message. In the update
message you will find information about the prefixes that are advertised. In
BGP language a prefix is referred to as NLRI (Network Layer
Reachability Information). Here are some of the things you will find in an
update message:

Withdrawn Route Length: this field shows the length of the Withdrawn Routes
field in bytes. When it is set to 0, there are no routes withdrawn and the
Withdrawn Routes field will not show up.

Withdrawn Routes: this field shows all the prefixes that should be removed
from the BGP table.

Total Path Attribute Length: here you will find the total length of the Path
Attributes field.

Path Attributes: the BGP attributes for the prefix are stored here, for example:
origin, as_path, next_hop, med, local preference, etc. These path attributes
are stored in TLV-format (Type, Length, Value).

Each of the BGP attributes also has an attribute flag that tells the BGP
router how to treat the attribute. Here are the different bit flags:

Optional: when the attribute is well-known this bit is set to 0, when it's
optional it is set to 1.

Transitive: when an optional attribute is non-transitive this bit is set to 0,
when it is transitive it is set to 1.

Partial: when an optional attribute is complete this bit is set to 0, when it's
partial it is set to 1.

Extended Length: when the attribute length is 1 octet it is set to 0, for 2
octets it is set to 1. This extended length flag may only be used if the length
of the attribute value is greater than 255 octets.

Let's take a look at an update message from R1:

R1(config)#router bgp 1
R1(config-router)#network 1.1.1.1 mask 255.255.255.255

Here's the capture:

Above you can see an update message from R1. No routes are withdrawn and
there are a couple of BGP attributes. You can see the ORIGIN, AS_PATH and
MULTI_EXIT_DISC (MED). I also highlighted some of the flags. The AS_PATH
attribute is transitive while MULTI_EXIT_DISC is optional. At the bottom you
can find the NLRI information with our prefix.

Let's remove the network command for the loopback interface on R1 so that
we can see a withdrawn route in the update message:
R1(config)#interface loopback 0
R1(config-if)#shutdown
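
To make the UPDATE layout and the attribute flags concrete, the following Python parser splits an UPDATE body (the bytes after the 19-byte header) into withdrawn routes, path attributes and NLRI, and refuses length fields that overrun the message. It is an added example, not code from the original article; both sample messages are constructed, and the next hop 192.168.12.1 is an assumed value.

```python
import ipaddress

ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC"}
FLAG_BITS = {"optional": 0x80, "transitive": 0x40, "partial": 0x20, "extended": 0x10}

def parse_prefixes(data):
    """Decode <length in bits, prefix> entries (Withdrawn Routes or NLRI)."""
    out, i = [], 0
    while i < len(data):
        bits, size = data[i], (data[i] + 7) // 8
        if bits > 32 or i + 1 + size > len(data):
            raise ValueError("malformed IPv4 prefix")
        addr = ipaddress.IPv4Address(data[i + 1:i + 1 + size].ljust(4, b"\x00"))
        out.append(f"{addr}/{bits}")
        i += 1 + size
    return out

def parse_attributes(data):
    """Walk the path attribute TLVs and decode each attribute's flag bits."""
    out, i = [], 0
    while i < len(data):
        flags = {name: bool(data[i] & bit) for name, bit in FLAG_BITS.items()}
        head = 4 if flags["extended"] else 3      # 2-octet or 1-octet length
        length = int.from_bytes(data[i + 2:i + head], "big")
        if i + head + length > len(data):
            raise ValueError("attribute overruns the Path Attributes field")
        code = data[i + 1]
        out.append((ATTR_NAMES.get(code, code), flags, data[i + head:i + head + length]))
        i += head + length
    return out

def parse_update(body):
    """Split an UPDATE body (the bytes after the 19-byte header) into fields."""
    wlen = int.from_bytes(body[:2], "big")
    if 4 + wlen > len(body):
        raise ValueError("Withdrawn Routes Length overruns the message")
    alen = int.from_bytes(body[2 + wlen:4 + wlen], "big")
    end = 4 + wlen + alen
    if end > len(body):
        raise ValueError("Total Path Attribute Length overruns the message")
    return {"withdrawn": parse_prefixes(body[2:2 + wlen]),
            "attributes": parse_attributes(body[4 + wlen:end]),
            "nlri": parse_prefixes(body[end:])}

# Constructed samples, not the page's captures: 1.1.1.1/32 advertised, then withdrawn.
ATTRS = bytes.fromhex("40010100" "40020402010001" "400304c0a80c01" "80040400000000")
ADVERTISE = bytes(2) + len(ATTRS).to_bytes(2, "big") + ATTRS + bytes.fromhex("2001010101")
WITHDRAW = bytes.fromhex("0005" "2001010101" "0000")
```

`parse_update(ADVERTISE)` reports AS_PATH as transitive and MULTI_EXIT_DISC as optional, matching the flags discussed above, while `parse_update(WITHDRAW)` returns the prefix under `withdrawn` with no attributes and no NLRI.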
