Border Gateway Protocol is the routing protocol that holds the global internet together. Every routing decision between Autonomous Systems — every time a packet leaves your ISP for someone else's network — involves BGP. And the unit BGP uses to describe destinations is the CIDR prefix.

This article explains how BGP and CIDR work together: what an Autonomous System is, how prefixes are announced, how routers pick between competing routes, and why longest prefix match means "more specific wins."

Autonomous Systems

An Autonomous System (AS) is a network operated by a single organization with consistent routing policy. The internet is a graph of ~120,000 ASes connected to each other. Each one has a number:

  • 2-byte ASN range: 1–65,535 (the original allocation)
  • 4-byte ASN range: 65,536–4,294,967,295 (since 2007)
  • Private ASNs: 64,512–65,534 (2-byte) and 4,200,000,000–4,294,967,294 (4-byte)

Examples: Google is AS15169. Cloudflare is AS13335. Comcast is AS7922. Your own organization probably has private ASNs internally (e.g., for separating data center routing domains) and may have a public ASN for internet peering.

What BGP carries: prefix + path

Each BGP route announcement consists of:

  • A CIDR prefix: e.g., 8.8.8.0/24, 2606:4700::/32
  • An AS path: the sequence of ASes the route passed through, e.g., [AS1234, AS5678, AS15169]
  • Attributes: next hop, local preference, MED, community values, etc.

When AS A announces a prefix to AS B, B prepends A's ASN to the path before sharing the route further. This builds up the visible AS path for each prefix.

A typical full BGP table in 2026 has roughly 1 million IPv4 prefixes and 200,000 IPv6 prefixes. Every internet-edge router holds this entire table, which is why edge routers need substantial memory.

Longest prefix match

When a router needs to forward a packet, it looks up the destination IP in its routing table and selects the longest matching prefix. This is the fundamental forwarding rule of CIDR.

Example. Suppose a router knows about these prefixes:

0.0.0.0/0           via ISP-A   (default route, matches everything)
10.0.0.0/8          via Hub     (RFC1918 internal)
10.0.1.0/24         via Office-VPN
10.0.1.128/26       via Lab-Switch

A packet destined for 10.0.1.150 matches all four prefixes. Longest wins: the router sends it to Lab-Switch via the /26 route.

This is how a small organization can announce a /25 of their address space to a specific upstream while still having a default route handle everything else. The /25 takes precedence over the default.

Why prefix length matters in DDoS mitigation

DDoS attacks often target a specific IP or a small subnet. The standard mitigation: announce a more specific prefix that redirects the targeted range to a scrubbing center.

If you normally announce 198.51.100.0/22 and the attacker targets 198.51.100.42, you can announce 198.51.100.0/24 from your scrubbing provider's AS. Every router on the internet now sends traffic for that /24 to the scrubber (longest match wins), while traffic for the rest of your /22 still flows normally.

This is also why RTBH (Remote Triggered Black Hole) routing and the BLACKHOLE community (RFC 7999) depend on longest-prefix match: you announce a more specific prefix carrying a special community that tells neighbors to drop traffic for it.
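The forwarding rule from the longest-prefix-match section and the scrubbing scenario above, as an added example that is not code from the original article: the routing table and the /22 vs /24 announcements are constructed to mirror the text, and the next-hop names are labels, not real devices.

```python
import ipaddress

# Constructed routing table mirroring the article's example: (prefix, next hop).
ROUTES = [
    ("0.0.0.0/0", "ISP-A"),          # default route, matches everything
    ("10.0.0.0/8", "Hub"),           # RFC 1918 internal aggregate
    ("10.0.1.0/24", "Office-VPN"),
    ("10.0.1.128/26", "Lab-Switch"),
]

# Constructed scrubbing scenario: the /22 is announced as usual; under attack a
# more specific /24 is additionally announced via the scrubbing provider.
NORMAL = [("0.0.0.0/0", "ISP-A"), ("198.51.100.0/22", "Your-AS")]
UNDER_ATTACK = NORMAL + [("198.51.100.0/24", "Scrubber")]


def covering_routes(table, destination):
    """All routes whose prefix contains destination, most specific first."""
    addr = ipaddress.ip_address(destination)
    hits = []
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            hits.append((net, next_hop))
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(net), nh) for net, nh in hits]


def longest_prefix_match(table, destination):
    """Forwarding decision: the longest (most specific) covering prefix wins.

    Returns (prefix, next_hop), or None when no route covers the destination,
    which cannot happen while a default route is present.
    """
    hits = covering_routes(table, destination)
    return hits[0] if hits else None


if __name__ == "__main__":
    print(covering_routes(ROUTES, "10.0.1.150"))            # all four routes
    print(longest_prefix_match(ROUTES, "10.0.1.150"))       # /26 -> Lab-Switch
    print(longest_prefix_match(UNDER_ATTACK, "198.51.100.42"))  # /24 -> Scrubber
    print(longest_prefix_match(UNDER_ATTACK, "198.51.103.7"))   # /22 -> Your-AS
```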

How an AS chooses between competing routes

If a router learns the same prefix from multiple BGP neighbors (which is common for popular destinations), it has to pick one. The simplified decision order:

  1. Highest LOCAL_PREF wins. (Set by the operator's policy. "Prefer paid transit over peering.")
  2. Shortest AS path wins. (Fewer hops.)
  3. Lowest origin code wins. (IGP < EGP < incomplete.)
  4. Lowest MED wins. (Multi-Exit Discriminator. Hint from the announcing AS about which entry point to prefer.)
  5. eBGP routes preferred over iBGP.
  6. Lowest IGP cost to next hop.
  7. Lowest router ID (tiebreaker).

In practice, steps 1 and 2 decide most cases. LOCAL_PREF is the policy lever operators use to express "send traffic this way."
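The simplified decision order above, implemented as an added example that is not code from the article or any router vendor: candidate routes are constructed dictionaries, the ASNs other than 15169 are RFC 5398 documentation numbers, and the function reports which step broke the tie.

```python
import ipaddress

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

# Each step maps a route to a value where lowest is preferred, so "highest
# LOCAL_PREF" is negated. Simplification: real routers compare MED only
# between routes received from the same neighboring AS.
STEPS = [
    ("highest LOCAL_PREF", lambda r: -r["local_pref"]),
    ("shortest AS path", lambda r: len(r["as_path"])),
    ("lowest origin code", lambda r: ORIGIN_RANK[r["origin"]]),
    ("lowest MED", lambda r: r["med"]),
    ("eBGP over iBGP", lambda r: 0 if r["ebgp"] else 1),
    ("lowest IGP cost to next hop", lambda r: r["igp_cost"]),
    ("lowest router ID", lambda r: ipaddress.IPv4Address(r["router_id"])),
]


def select_best_path(routes):
    """Return (best_route, deciding_step) for one prefix learned from several neighbors."""
    candidates = list(routes)
    for name, key in STEPS:
        best = min(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == best]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "lowest router ID"  # distinct speakers never share an ID


def route(neighbor, local_pref, as_path, **attrs):
    """Constructed candidate route with typical defaults; attrs override them."""
    r = {"neighbor": neighbor, "local_pref": local_pref, "as_path": as_path,
         "origin": "igp", "med": 0, "ebgp": True, "igp_cost": 10,
         "router_id": "192.0.2.1"}
    r.update(attrs)
    return r


# Constructed announcements of 8.8.8.0/24 from four neighbors.
CANDIDATES = [
    route("transit-1", 100, [64496, 15169]),
    route("ix-peer", 100, [64497, 64498, 15169], igp_cost=5, router_id="192.0.2.2"),
    route("customer", 200, [64499, 64500, 64501, 15169], router_id="192.0.2.3"),
    route("transit-2", 100, [64502, 15169], med=50, router_id="192.0.2.4"),
]
```

Despite having the longest AS path, the customer route wins because LOCAL_PREF is evaluated first; remove it and the two transit routes tie on path length, so MED decides.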

RPKI: validating that an AS owns its prefix

For decades, BGP had no built-in way to verify that an AS legitimately owns a prefix it announces. A malicious or compromised AS could announce someone else's prefix and hijack their traffic. There have been several famous incidents.

RPKI (Resource Public Key Infrastructure) fixes this. Address owners cryptographically sign records mapping their prefixes to their authorized ASNs (these signed records are called Route Origin Authorizations, ROAs). Routers running RPKI validation drop announcements that contradict published ROAs.

Adoption is ~50% of internet routes as of 2026. If you operate a public BGP AS, publishing ROAs for your prefixes is a no-brainer — it prevents hijacks of your space with almost no operational cost. ARIN's RPKI page walks through the process for North American operators.
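Route Origin Validation as defined in RFC 6811, as an added example that is not the article's or any validator's code: the ROAs are constructed, the ASNs are RFC 5398 documentation numbers, and one ROA deliberately authorizes the scrubbing provider's AS for the /24 from the DDoS section, since without such a ROA that more-specific announcement would itself be RPKI-Invalid.

```python
import ipaddress

# Constructed ROAs (RFC 6482): prefix, maxLength, authorized origin ASN.
# The owner's ROA keeps maxLength minimal, so a forged more-specific claiming
# the owner's own ASN is still Invalid; the scrubber is allowed down to /24.
ROAS = [
    {"prefix": "198.51.100.0/22", "max_length": 22, "asn": 64496},  # owner
    {"prefix": "198.51.100.0/22", "max_length": 24, "asn": 64497},  # scrubber
    {"prefix": "2001:db8::/32", "max_length": 48, "asn": 64496},
]


def validate_origin(roas, prefix, origin_asn):
    """RFC 6811 route origin validation.

    Valid:    a covering ROA lists this origin ASN and the announced length
              does not exceed that ROA's maxLength.
    Invalid:  ROAs cover the prefix but none authorizes this origin/length.
    NotFound: no ROA covers the prefix, so RPKI says nothing about it.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa["asn"] == origin_asn and net.prefixlen <= roa["max_length"]:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def filter_announcements(roas, announcements, drop_invalid=True):
    """Apply ROV to (prefix, origin_asn) pairs; returns (accepted, log)."""
    accepted, log = [], []
    for prefix, asn in announcements:
        state = validate_origin(roas, prefix, asn)
        log.append((prefix, asn, state))
        if state != "Invalid" or not drop_invalid:
            accepted.append((prefix, asn))
    return accepted, log
```

NotFound routes are accepted because roughly half of the table still has no ROA; dropping them would cut off legitimate networks, which is why the article's advice to publish ROAs matters.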

Prefix aggregation and the /24 floor

One way to reduce the global BGP table size is to aggregate adjacent prefixes. If you have 10.0.0.0/24 and 10.0.1.0/24, you can announce 10.0.0.0/23 to your upstreams and they will receive one route instead of two.

In practice, most ISPs do not accept announcements more specific than /24 for IPv4 or /48 for IPv6. Announcements of /25 through /32 are typically dropped by tier-1 transit providers to keep the global table from exploding. So if you want to be globally routable, the smallest you can announce is /24 (256 addresses).
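The /24 and /48 floor together with aggregation of adjacent prefixes, as an added example that is not code from the article or any provider's filter: it models what an upstream applying the floor would announce onward, using constructed prefixes.

```python
import ipaddress

# Longest prefix a tier-1 transit provider typically accepts, per the article.
FLOOR = {4: 24, 6: 48}


def prepare_announcements(prefixes):
    """Filter, then aggregate, a list of prefix strings.

    Returns (announced, rejected): prefixes longer than the /24 (IPv4) or
    /48 (IPv6) floor are rejected; the rest are collapsed into the smallest
    set of covering prefixes, so two adjacent, aligned /24s become one /23.
    """
    accepted, rejected = {4: [], 6: []}, []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)  # reject host bits set
        if net.prefixlen > FLOOR[net.version]:
            rejected.append(p)
        else:
            accepted[net.version].append(net)
    announced = []
    for version in (4, 6):
        # collapse_addresses merges adjacent networks and drops covered ones
        announced += [str(n) for n in ipaddress.collapse_addresses(accepted[version])]
    return announced, rejected
```

Collapsing also absorbs a /24 that you announce on purpose alongside its covering /23 (for instance the scrubbing case above), so keep deliberate more-specifics out of the input to this aggregation step.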

The internet's prefix accounting

Current global BGP table counts (approximate, 2026):

  • IPv4 prefixes: ~1,000,000
  • IPv6 prefixes: ~200,000
  • Active ASNs: ~80,000
  • Median AS path length: 4 hops

You can browse current statistics at the CIDR Report or Hurricane Electric's BGP toolkit.

Implications for cloud architecture

  • Bringing your own IP space to AWS / Azure requires owning a /24 (the minimum that cloud providers will announce on your behalf), having a Letter of Authorization, and publishing ROAs for it.
  • Anycast services (Cloudflare, AWS Global Accelerator, Cloudflare Tunnels, modern DNS providers) announce the same prefix from multiple physical sites. BGP's longest-prefix-match plus shortest-AS-path naturally directs each user to their nearest endpoint.
  • Internal MPLS / BGP networks use BGP for site-to-site routing inside an organization. Same rules, smaller scale.

Key takeaways

  • BGP carries CIDR prefixes + AS paths between Autonomous Systems.
  • Routers forward packets using longest prefix match. More specific routes always win over less specific ones.
  • The internet has ~120k ASes, ~1M IPv4 prefixes, ~200k IPv6 prefixes.
  • BGP's path selection prefers highest LOCAL_PREF, then shortest AS path (most of the time).
  • RPKI cryptographically validates which AS owns each prefix — a critical defense against BGP hijacks.
  • The smallest globally-routable prefix is /24 (IPv4) or /48 (IPv6) — anything smaller is typically filtered.