BGP is the singular protocol holding the internet together — directing traffic across 75,000 autonomous systems through a system built on trust, policy, and a decision algorithm running identically on every backbone router worldwide.
The internet isn't a single network — it's a federation of ~75,000 Autonomous Systems (ASes), each independently operated. Your ISP is an AS. Google is an AS. Amazon is an AS. BGP is how they all agree on how to reach each other.
Every AS announces the IP prefixes it owns to its neighbors. Those neighbors propagate the announcements outward. Within seconds, every router on the internet learns a path to your network. The catch? BGP has no built-in authentication. Any AS can claim to own any address space, and neighbors will believe it.
An Autonomous System (AS) is a collection of IP networks under a single administrative domain, identified by a 32-bit ASN (e.g., Google is AS15169, Cloudflare is AS13335).
eBGP runs between autonomous systems — the business relationships. iBGP runs within an AS, distributing external routes internally. On eBGP sessions a router rewrites NEXT_HOP and prepends its own ASN to AS_PATH; on iBGP sessions both attributes are preserved.
BGP was designed in 1989 for a small trust-based academic network. It has zero capability to validate route origin. RPKI (54% coverage) and ASPA are slowly adding cryptographic validation.
Unlike OSPF/IS-IS, which auto-discover neighbors via multicast, BGP requires manually configured peer relationships over TCP. This is deliberate — BGP operates between organizations with negotiated business relationships.
A BGP session progresses through six states before routes can be exchanged.
When a router learns multiple paths to the same prefix, it evaluates them in strict order. The first tiebreaker that produces a winner stops the process.
Watch a packet traverse WiFi, metro fiber, a trans-Pacific submarine cable, and cross-continent backbone to reach Ashburn, VA — where 70% of the world's internet traffic passes daily.
In a sub-prefix hijack, the attacker announces a more-specific route (/24 inside a /22), and longest-prefix-match causes routers worldwide to prefer the attacker's path.
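The sub-prefix case above, as an added example (not code from the original page): a minimal Python model of longest-prefix match combined with RFC 6811 route origin validation, showing that a router enforcing ROV drops the more-specific /24 and keeps forwarding to the legitimate origin. The prefixes, ASNs, ROA and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: RFC 1918 space and documentation ASNs (RFC 5398).
ROAS = [("10.0.0.0/22", 22, 64500)]   # (prefix, maxLength, authorized origin ASN)
ANNOUNCEMENTS = [
    ("10.0.0.0/22", 64500),           # legitimate origin
    ("10.0.1.0/24", 64511),           # more-specific from a different AS
]

def rov_state(prefix, origin, roas=ROAS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True            # at least one ROA covers this prefix
            if net.prefixlen <= max_len and origin == roa_asn:
                return "valid"
    # Covered by a ROA but no ROA matched origin and length: invalid.
    return "invalid" if covered else "not-found"

def build_rib(announcements, enforce_rov):
    """Install received routes, dropping RPKI-invalid ones when ROV is enforced."""
    return [(p, o) for p, o in announcements
            if not (enforce_rov and rov_state(p, o) == "invalid")]

def best_origin(rib, destination):
    """Longest-prefix match: the most specific covering route wins."""
    dst = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(p), o) for p, o in rib
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda route: route[0].prefixlen)[1]

if __name__ == "__main__":
    for enforce in (False, True):
        rib = build_rib(ANNOUNCEMENTS, enforce)
        origin = best_origin(rib, "10.0.1.7")
        print(f"ROV enforced={enforce}: 10.0.1.7 is forwarded toward AS{origin}")
```

Because the ROA's maxLength is 22, a /24 is invalid even when it carries the authorized origin ASN, which is why a tight maxLength matters for this class of hijack.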
The DFZ — every router carrying a complete routing table — crossed one million IPv4 entries in 2025. Growth is now primarily deaggregation (splitting existing allocations for traffic engineering), not new address space.
~570 cable systems span 1.4 million km across the ocean floor, carrying 95% of intercontinental data through fibers roughly the diameter of a garden hose.
Google's Grace Hopper cable capacity (US ↔ UK ↔ Spain). Meta's 2Africa cable: 180 Tbps across 46 landings in 33 countries.
75% from fishing and anchoring. Average repair time: 40 days. The 2022 Tonga eruption cut the island's sole cable for 5 weeks.
Spacing of EDFA repeaters. Powered by 3,000–15,000V DC from landing stations. Trans-Pacific cables have 200+ repeaters, designed for 25-year zero-maintenance lifespans.
Pakistan Telecom (AS17557) configured a /24 null route to block YouTube domestically. The route leaked to upstream PCCW, who propagated it globally. Longest-prefix-match sent the world's YouTube traffic into a black hole. Propagated to 97 ASes in under 2 minutes. Took ~2 hours to fix.
Global blackhole — 2 hour outage
MainOne Cable (AS37282, Nigeria) leaked 212 Google prefixes to China Telecom, which propagated them to Russia. Google traffic traversed China's Great Firewall for 74 minutes. Whether it was accidental remains debated.
Traffic rerouted — 74 minutes
DQE Communications' Noction BGP optimizer split prefixes into more-specifics that leaked through a customer to Verizon. With no prefix limits, Verizon propagated everything globally. Cloudflare lost 15% of global traffic.
Cloudflare 15% traffic loss
Russia's Rostelecom announced 8,000+ prefixes belonging to Google, Facebook, Amazon, Akamai, Cloudflare via more-specific routes. Key proof of RPKI value: ISPs with ROV deployed (Telia, NTT) successfully filtered the invalid routes.
RPKI validation worked
A maintenance command disconnected all backbone links. DNS servers auto-withdrew BGP routes when they lost backend connectivity. 133 IPv4 + 216 IPv6 prefixes disappeared. Internal tools depended on the downed network. Engineers dispatched physically to data centers. Cost: $60M+ in ad revenue.
6 hour global outage — $60M+ loss