How does the Internet work? Part 2: Autonomous Systems (AS)

In Part 1, we explored the tier hierarchy - how networks are classified by their business relationships. But there's a more fundamental unit that makes the internet work: the Autonomous System (AS). Every network on the internet, regardless of tier, operates as an AS. Understanding how these systems work, interconnect, and make routing decisions is essential to understanding the internet itself.

An Autonomous System is a collection of IP networks under single administrative control that presents a common routing policy to the internet. Think of it as a country in the world of networking - it has sovereignty over its internal affairs, but must negotiate with other countries (ASes) for international relations (traffic exchange).

What Is an Autonomous System?

Every AS is identified by a globally unique Autonomous System Number (ASN), assigned by Regional Internet Registries (RIRs). This number is what other networks use to identify you in BGP - the protocol that glues the internet together.

Real-world examples of who operates ASes:

Internet Service Providers: Comcast (AS7922), AT&T (AS7018)
Content providers: Netflix (AS2906), Google (AS15169)
Enterprises: Apple (AS714), JPMorgan Chase (AS10994)
Cloud providers: AWS (AS16509), Azure (AS8075)

ASNs come in two flavors: 2-byte ASNs (1-65535, mostly exhausted) and 4-byte ASNs (65536-4294967295, introduced in 2007). Getting an ASN costs $50-1,400 depending on your region, plus annual fees from ARIN, RIPE, APNIC, LACNIC, or AFRINIC.

How Autonomous Systems Connect

BGP: The Language ASes Speak

Border Gateway Protocol (BGP) is how ASes announce their routes and learn about others. It's fundamentally a distance-vector protocol that works on trust and business relationships.

# AS64512 establishing BGP session with AS64513
router bgp 64512
neighbor 198.51.100.1 remote-as 64513

# What gets announced:
network 192.0.2.0/24  # Our own network
network 198.51.100.0/24  # Our customer's network

# What we receive: routes from AS64513
# AS Path shows the networks to traverse: "64513"

Physical Connection Types

ASes physically interconnect through three main methods:

Private Network Interconnect (PNI): Direct fiber between two networks. Used for high-volume relationships like Netflix connecting to Comcast.

Internet Exchange Points (IXP): Shared switch fabric where many ASes connect. One port reaches hundreds of networks. Major IXPs include DE-CIX Frankfurt, AMS-IX, and Equinix Ashburn.

Transit Connections: Customer connects to provider's edge router, often in carrier-neutral data centers.

BGP Routing and Traffic Engineering

How ASes Make Routing Decisions

When multiple paths exist to a destination, BGP follows a strict priority list:

Highest Local Preference (internal policy)
Shortest AS Path (fewest networks to traverse)
Lowest MED (Multi-Exit Discriminator)
Prefer eBGP over iBGP routes
Lowest IGP metric to next hop

ASes manipulate these attributes to control traffic flow:

# AS Path Prepending - Make path look longer
route-map PREPEND-OUT permit 10
set as-path prepend 64512 64512 64512
# Other ASes see: "64512 64512 64512 64512"

# Local Preference - Control outbound traffic
route-map PREFER-PEER permit 10
set local-preference 150  # Default is 100

# Communities - Tags that trigger actions
set community no-export      # Don't advertise beyond this AS
set community 3356:9999     # Level3's blackhole community

Major providers publish their BGP communities:

AS Relationships and Business Models

The Five Types of AS Relationships

Customer-Provider (Transit): Customer pays provider for full internet connectivity
Peer-Peer (Settlement-Free): Mutual exchange of customer routes, no payment
Peer-Peer (Paid): One AS pays for peering when traffic is imbalanced
Sibling ASes: Same organization operates multiple ASNs
Route Server Peering: Multilateral peering through IXP route servers

Valley-Free Routing

The "valley-free" principle ensures nobody gives away free transit. Traffic should never go Provider→Peer→Provider (that would mean the peer is providing free transit).

# To customers: Send everything (they pay for it)
route-map TO-CUSTOMER permit 10
# No filter - full routes

# To peers: Only send customer routes
route-map TO-PEER permit 10
match community CUSTOMER-ROUTES
# Never send peer or provider routes

# To providers: Only send our originated routes
route-map TO-PROVIDER permit 10
match as-path LOCAL-ONLY

View peering policies of major networks:

AS Business Models

Different AS types have different economics:

Access ISPs: Revenue from subscribers ($50-150/month), transit costs 30-50% of revenue
Content Providers: No networking revenue, minimize delivery costs through peering
Enterprises: Cost center focused on redundancy over savings
Cloud Providers: Network is competitive advantage, aggressive peering

AS Security

BGP Hijacking

BGP operates on trust - any AS can announce any prefix, leading to hijacking incidents tracked by BGPStream:

Date	Incident	Impact
2008	Pakistan Telecom hijacks YouTube	Global outage, 2 hours
2018	China Telecom hijacks Google	Traffic redirected through China
2022	Rostelecom hijacks Twitter	200+ prefixes affected

# Legitimate: AS15169 announces 8.8.8.0/24
# Hijacker: AS99999 announces 8.8.8.0/25 (more specific wins!)
# Result: Half of Google DNS traffic goes to attacker

RPKI: Cryptographic Protection

Resource Public Key Infrastructure (RPKI) lets ASes cryptographically sign their announcements. Check validation status at RPKI Validator or Cloudflare's RPKI Portal:

# ROA declares "8.8.8.0/24 only from AS15169"
router bgp 64512
bgp rpki server 192.0.2.1

route-map VALIDATE permit 10
match rpki valid
set local-preference 110  # Prefer validated

route-map VALIDATE deny 20
match rpki invalid  # Reject hijacked routes

Adoption remains limited: ~40% of IPv4 space has ROAs, but only ~30% of networks validate.

AS Operations

Running Your Own AS

Operating an AS requires significant resources:

Technical Requirements:

BGP-capable routers with 8GB+ RAM for full table
24/7 operations capability
Redundant connections
Monitoring systems

Monthly Costs (Small AS):

Transit (1Gbps): $500-2,000
Colocation: $500
Cross-connects: $400
Staff (fractional): $5,000
Tools/Monitoring: $200
Total: ~$7,000-10,000/month

Build vs Buy Decision

def should_operate_own_as(monthly_bandwidth_gb):
    # Operating costs
    as_costs = {
        'staff': 10000,
        'equipment': 2000,
        'monitoring': 500,
        'fees': 250
    }
    
    # Customer vs operator comparison
    customer_cost = monthly_bandwidth_gb * 5  # $5/Mbps retail
    operator_cost = sum(as_costs.values()) + (monthly_bandwidth_gb * 1)  # $1/Mbps wholesale
    
    if customer_cost > operator_cost:
        return f"Save ${customer_cost - operator_cost}/month by operating AS"
    else:
        return f"Stay customer, save ${operator_cost - customer_cost}/month"

Rule of thumb: Need 10+ Gbps sustained traffic to justify operating an AS.

Common Operational Problems

Route Leaks: Accidentally announcing routes you shouldn't

# WRONG: No filter to upstream
neighbor 192.0.2.1 remote-as 3356

# RIGHT: Filter what you announce
neighbor 192.0.2.1 route-map OUR-ROUTES-ONLY out

BGP Hijacking Detection:

# Use looking glasses to verify your announcements
telnet route-views.oregon-ix.net
> show ip bgp 192.0.2.0/24

# Check for unexpected AS paths to your prefix

Check your AS visibility at:

Major network looking glasses:

Anycast and Multi-AS Strategies

Some services use anycast - announcing the same prefix from multiple locations:

# Cloudflare DNS (1.1.1.1) announced globally
San Francisco: AS13335 announces 1.1.1.0/24
London: AS13335 announces 1.1.1.0/24  
Tokyo: AS13335 announces 1.1.1.0/24

# Users reach nearest location via BGP path selection

Examples of anycast services:

Cloudflare (AS13335) - Global CDN and DNS
Google Public DNS - 8.8.8.8
Root DNS Servers - Critical infrastructure
Quad9 (AS19281) - Security-focused DNS

Large organizations often operate multiple ASNs:

Geographic separation (AS per region)
Service isolation (separate AS for cloud vs main services)
Regulatory compliance (country-specific requirements)

AS Economics

What Makes an AS Valuable

ASNs and their resources can be valuable assets:

IPv4 Addresses: $40-60 per IP address (check current prices at IPv4.Global or IPv4 Market Group)
- /24 block: $10,000-15,000
- /16 block: $2.6-3.9 million
Clean Reputation: 20-30% premium for non-blacklisted space
Established Peering: Valuable relationships that took years to build (viewable on PeeringDB)
Low ASN: 2-digit ASNs have collector value

The Peering Decision

def evaluate_peering(traffic_gbps, transit_cost_per_gbps):
    # IXP peering costs
    ixp_port = 2000  # Monthly
    cross_connect = 500
    
    # Calculate savings
    transit_avoided = traffic_gbps * transit_cost_per_gbps
    peering_cost = ixp_port + cross_connect
    
    monthly_savings = transit_avoided - peering_cost
    return {
        'monthly_savings': monthly_savings,
        'worthwhile': monthly_savings > 0
    }

Find peering opportunities at:

PeeringDB - Global peering directory
Euro-IX IXP Database - European IXPs
IX.br - Brazilian IXP system

Future of Autonomous Systems

IPv6 Impact

IPv6 is changing AS operations with parallel routing tables, easier PI space allocation, and higher RPKI adoption. Modern ASes must handle dual-stack complexity. Track IPv6 adoption at:

Security Evolution

ASPA (AS Provider Authorization): Coming 2025-2026, cryptographically validates provider relationships to prevent route leaks. Follow development at IETF SIDROPS.

BGPsec: Adds cryptographic signatures to entire AS paths but faces deployment challenges due to computational overhead. Details in RFC 8205.

Consolidation Trends

AS Growth:
2010: 35,000 active ASes
2020: 68,000 active ASes
2025: 73,000 active ASes (growth slowing)

By 2030:
- 50-100 "Super ASes" carry 90% of traffic
- Hyperscale providers dominate
- Enterprise ASes declining

Track AS statistics at:

Key Takeaways

Autonomous Systems are the fundamental unit of internet routing. Every network participating in global routing operates as an AS, using BGP to exchange routes based on business relationships and technical policies.

The AS system reveals the internet's true nature: a collection of independent networks cooperating through economic agreements. Whether networks peer freely, pay for peering, or buy transit depends on traffic ratios, market power, and mutual benefit.

Operating an AS requires significant technical expertise, 24/7 operations, and capital investment. While most organizations are better served as customers, understanding AS operations is crucial for anyone working with internet infrastructure.

Security remains the biggest challenge. BGP's trust-based model enables hijacking and route leaks, making solutions like RPKI critical for future stability. Yet deployment remains incomplete due to the internet's decentralized nature.

Despite being designed in the 1990s, the AS architecture has scaled from dozens to over 70,000 networks. This remarkable resilience demonstrates the power of simple, flexible protocols. As the internet evolves toward consolidation around hyperscale providers while simultaneously spreading to edge networks, Autonomous Systems remain the essential building blocks that make global connectivity possible.

Learn More:

NANOG (North American Network Operators Group) - Network operator community
Internet Society BGP Resources - BGP security initiatives
Peering Forum - European peering community
Packet Pushers - Networking education and podcasts