One of Kentik's core missions has always been to help our users make sense of their infrastructure, taking the front seat in the Network Intelligence space by constantly enriching the Telemetry our users send us to ingest.
This release adds new BGP dimensions and filters for you and the AI Advisor to leverage as you are trying to make sense of the Infrastructure at the edge of your network.

Let's dive into it!

---

How do BGP enrichments work ?

When registering devices in Kentik, you have the option of establishing a BGP session with our SaaS or OnPrem cluster. These sessions, v4 and v6 are configured as iBGP Route Reflector Clients.
As we ingest your Netflow/Sflow/IPFIX telemetry, we map the SRC_IP and DST_IP from the flow fields with the Routing Data gathered from these iBGP sessions and enrich flows with such useful dimensions as

• Source or Destination ASN (Autonomous System)
• AS Path for the outgoing traffic
• Next-Hop, 2nd Hop, 3rd Hop ASN from the AS Path
• BGP Communities
• A variety of VRF related dimensions
• ...

If you don't peer directly with our clusters for a Kentik-registered device, you can choose to adopt the routing table of another device, or use a Generic Routing Table to access part of that information.

Alternate enrichment of Source or Destination ASN with a Generic Table

If your device is iBGP-peered with Kentik's SaaS cluster, the Source and Destination ASN enriched in your Netflow/Sflow/IPFIX records will be in priority based off your own routing data, but will fall back to a Generic Routing table if your own routing information has no entry for a given Source or Destination IP. This Generic Routing table is built on MTR Route Dumps from the RouteViews Project (courtesy of University of Oregon).

Two things are worth noting

• you should never send default routes (0.0.0.0/0) in your iBGP Route Reflector Client sessions to Kentik, as it will attract all source or destinations that you do not have a route for
• if your device does not have an iBGP session established with Kentik, we'll use this Generic Routing table for your entire traffic

In some cases, using your BGP tables to enrich your traffic may hide an issue: if these are intermittent, you may see Source or Destination ASN flapping around for the same prefix, which can result in a long and often sterile investigation.

We are now solving that problem by adding two Source ASN (Generic Table) and Destination (Generic Table) to the default BGP available dimensions. These are additions and do not replace the original Source ASN and Destination ASN dimensions: they can be used together within the same Data Explorer query to more rapidly track down such situations. You'll find them in the Dimensions selector as depicted in the screenshot below:

Collapsed AS Path

Every prefix learned by a BGP peer contains an AS Path, which indicates the series of Networks (identified by their Autonomous System Number, aka ASN) - this path is used heavily in the BGP decision mechanism to determine which route is best when multiple are received, and the length of the AS Path is a key decision factor: the BGP route election process will select the one with the fewer hops (ASN Hops) in the AS Path attribute of the prefix received.

Most BGP-speaking Networks are homed Multi-Homed: this means they have at least two upstream providers to receive the Full Internet Routing table from. While it is trivial BGP-wise to influence which of the two upstream providers you want to select for any destination prefix, it is much more complicated (if not impossible) to influence which one of the two upstreams you want to receive traffic from in priority.
To achieve that, BGP offers a mechanism named AS Path Prepending which basically allows any ASN along the path to insert their ASN in the AS Path attribute of the prefix as a last-ditch effort have their upstreams prefer another route for this prefix (Last ditch because this is far from being an efficient method).

In the following example, AS62775 which originates two /48 IPv6 prefixes and announces them to AS396955 who in turns announces them to AS1299. AS396955 prepends their ASN one more time when announcing to AS1299, signaling that they want to prevent AS1299 to use them to reach these AS62775 prefixes.

While the prepending info is useful in itself in the AS Path because it publicly translates policy from the prepending party, it doesn't doesn't add much to the visualization if you only want to display each network your traffic towards these prefixes will go through.

As a way to de-noise the above picture, we've come up with a bunch of additional of AS Path related dimensions that contract the AS Path when it sees duplicate hops in it - these dimensions come in addition to the existing AS Path related ones, as can be seen on the screenshot below

Using AS Path (Collapsed) instead of AS Path as a Group By dimension will yield the following sankey for the same prefixes

IPv6 Flow Labels

IPv6 flow labels are a 20-bit field in the IPv6 header used to identify packets belonging to the same traffic flow, allowing routers to provide special handling for them. A flow is a sequence of packets from a specific source to a destination. The label is used to efficiently handle and prioritize these flows, such as for real-time voice or video, without inspecting the entire packet payload.

As this relatively new standard gets adopted more broadly (it allows routers along the path to perform special handling of a Flow between a Source and a Destination marked with these labels), a number of our customers have asked us to include this additional dimension to our flow enrichment process. This has now been done as part of the below highlighted dimension.

Unfortunately, as any new networking standard tends to be vendor specific, our initial support for IPv6 Flow Labels is currently limited to Juniper Networks devices.
Please do let us know if your current use warrants to extend this support to other vendors by raising a feature request with your Customer Success specialist and we'll add it to our list of future work to consider for future roadmaps.