If you've ever wondered what it takes to control your own slice of the internet — your own AS number, your own IP space, announced via BGP to the world — this guide is for you. I'll walk through the entire process from zero to a working BGP announcement, based on real experience doing exactly this in 2025–2026.
This is not theory. By the end, you'll understand exactly how to obtain an ASN, get IPv6 space, configure BIRD to peer with an upstream, and even bring your own IPs into cloud providers.
Why You'd Want Your Own ASN
Most engineers never think about this. You rent a VPS, you get an IP, life goes on. But there are compelling reasons to own your own Autonomous System Number:
Provider independence. Your IP addresses follow you. Switch hosting providers, add new ones, move between data centers — your IPs stay yours. No more DNS propagation delays when migrating, no more "we'll release your IPs in 30 days."
Multi-homing. Announce your prefix from two or more upstreams simultaneously. If one goes down, BGP converges and traffic flows through the other. Real redundancy, not DNS-based failover hacks.
Reputation portability. If you run email infrastructure or any service where IP reputation matters, owning your IPs means your reputation is an asset you control.
Learning. Understanding BGP — the protocol that literally holds the internet together — makes you a fundamentally better network engineer. There is no substitute for operating it yourself.
It's more accessible than you think. The cost of an ASN through a sponsoring LIR is typically $50–150/year. That's less than most SaaS subscriptions.
Quick Primer: ASN and BGP
An Autonomous System Number (ASN) is a unique identifier for a network that participates in BGP routing. Think of it as your network's passport number on the internet.
BGP (Border Gateway Protocol) is how ASes tell each other which IP prefixes they're responsible for. When you "announce" a prefix via BGP, you're telling the internet: "traffic destined for 2001:db8:abcd::/48 should come to me (AS 214XXX)."
The key concepts:
- Prefix: A block of IP addresses you're authorized to announce (e.g., a /48 IPv6 block)
- AS-PATH: The chain of ASNs traffic traverses to reach a prefix — this is how BGP prevents loops and selects best paths
- RPKI/ROA: Cryptographic validation that an ASN is authorized to announce a specific prefix — essential in 2026, not optional
- IRR (Internet Routing Registry): Database entries (route/route6 objects) documenting your routing intentions
A simplified BGP announcement flow:
Your Server (BIRD) → BGP Session → Upstream Provider → Internet
AS 214XXX AS 6939 (e.g., HE)
announces propagates
2001:db8:abcd::/48 to global table
Step 1: Getting Your ASN
You cannot get an ASN directly from ARIN or RIPE as an individual (easily). You need a sponsoring LIR (Local Internet Registry) — an organization that is a member of a Regional Internet Registry and can sponsor resource requests on your behalf.
What to look for in a sponsoring LIR:
- Supports the RIR region you need (ARIN for North America, RIPE for Europe/Middle East/Central Asia)
- Handles the paperwork and justification letters
- Reasonable annual fees (the ASN itself has an RIR fee; the LIR charges a sponsorship fee on top)
- Responsive support — you'll need them when creating ROA objects or updating registry entries
We obtained our ASN through NoPKT LLC, a US-based LIR that holds memberships with both ARIN and RIPE NCC. The process was straightforward: we submitted a short justification explaining our multi-homing intent, NoPKT handled the RIR paperwork, and the ASN was assigned within about a week. Your experience with other LIRs may vary, but that's the general flow.
The process:
- Contact your chosen LIR and request ASN sponsorship
- Provide justification — typically: "I intend to multi-home with at least two upstream providers" is sufficient
- LIR submits the request to the appropriate RIR
- ASN assigned — you'll get a 32-bit ASN (e.g., AS 2147XX or AS 40944X)
- Create IRR objects — your LIR should help you create aut-num and as-set objects in the relevant routing registry
Cost breakdown (approximate, 2026):
| Item | Cost |
|------|------|
| ARIN ASN registration | ~$550 one-time + $100/year |
| RIPE ASN (via LIR) | Included in LIR sponsorship |
| LIR sponsorship fee | $50–200/year (varies by LIR) |
Tip: If you're primarily targeting European or global infrastructure, RIPE is often simpler and cheaper for individuals. ARIN has stricter justification requirements.
Step 2: Getting IPv6 Space
With your ASN in hand, you need IP prefixes to announce. In 2026, there is no practical reason to start with IPv4 — it's scarce, expensive ($15–25 per IP), and a /24 minimum announcement size means you need 256 addresses. IPv6 is the move.
IPv6 allocation:
Your sponsoring LIR can allocate you a /48 IPv6 block from their larger allocation. This gives you 65,536 /64 subnets — more than enough for any project.
NoPKT, for instance, provides IPv6 allocations as part of their LIR sponsorship package. Most competent LIRs bundle this — if yours charges extra for a /48, shop around.
What you get:
Allocation: 2a0e:XXXX:XXXX::/48
Subnets available: 65,536 x /64
Usable addresses per /64: 18,446,744,073,709,551,616
Yeah. You won't run out.
Setting up RPKI/ROA:
This is mandatory. Without a valid ROA (Route Origin Authorization), many networks will reject your announcements. Your LIR should provide access to create ROAs through the RIR's portal.
Create a ROA record:
-
Prefix:
2a0e:XXXX:XXXX::/48 -
Max Length:
/48 -
Origin ASN:
AS 214XXX(your ASN)
For RIPE, this is done through the RIPE NCC portal. For ARIN, through ARIN Online. Your LIR typically handles this or gives you delegated access.
Step 3: Setting Up BIRD for BGP Announcement
BIRD is the standard open-source BGP daemon for this kind of work. It's what most tunnel brokers, IXPs, and small networks run. We'll use BIRD 2.x.
Prerequisites:
- A VPS or dedicated server with IPv6 connectivity
- An upstream provider willing to peer with you (more on this below)
- Your ASN and IPv6 prefix assigned and ROA created
Install BIRD:
# Debian/Ubuntu
sudo apt update && sudo apt install bird2 -y
# Verify
bird --version
# BIRD version 2.15
Core BIRD configuration:
Create /etc/bird/bird.conf:
# /etc/bird/bird.conf
# BGP configuration for AS214XXX
log syslog all;
router id 203.0.113.10; # Your server's IPv4 address (used as router-id)
# Define your IPv6 prefix
protocol static static_bgp {
ipv6;
route 2a0e:XXXX:XXXX::/48 reject;
}
# Device protocol - required for interface detection
protocol device {
scan time 10;
}
# Direct protocol - for directly connected routes
protocol direct {
ipv6;
interface "lo";
}
# Kernel protocol - install routes into the OS routing table
protocol kernel {
ipv6 {
import none;
export filter {
if source = RTS_STATIC then accept;
reject;
};
};
}
# --- Upstream BGP Session ---
# Example: Peering with a transit provider
protocol bgp upstream1 {
local as 214XXX;
neighbor 2001:db8:peer::1 as 6939; # Upstream's BGP endpoint
ipv6 {
import filter {
# Accept default route or full table from upstream
if net = ::/0 then accept;
reject;
};
export filter {
# Only announce YOUR prefix
if net = 2a0e:XXXX:XXXX::/48 then accept;
reject;
};
};
# Recommended settings
hold time 90;
keepalive time 30;
graceful restart on;
# Password if required by upstream
# password "your-bgp-md5-password";
}
Configure the loopback interface:
You need your IPv6 prefix reachable on the server. Add an address from your /48 to the loopback:
# Add a /48 route and a /128 address on loopback
sudo ip -6 addr add 2a0e:XXXX:XXXX::1/128 dev lo
sudo ip -6 route add local 2a0e:XXXX:XXXX::/48 dev lo
Make it persistent in /etc/network/interfaces or a netplan config:
# /etc/netplan/99-bgp.yaml
network:
version: 2
ethernets:
lo:
addresses:
- "2a0e:XXXX:XXXX::1/128"
routes:
- to: "2a0e:XXXX:XXXX::/48"
scope: host
type: local
Start and verify:
sudo systemctl enable bird
sudo systemctl restart bird
# Check BIRD status
sudo birdc show protocols all
# You should see:
# upstream1 BGP --- up 2026-03-15 Established
# Routes: 1 imported, 1 exported
Verify your announcement is reaching the internet:
# Check on a looking glass (e.g., he.net)
# Or use the RIPE RIS looking glass:
curl -s "https://stat.ripe.net/data/looking-glass/data.json?resource=2a0e:XXXX:XXXX::/48" | python3 -m json.tool
# Check RPKI validity:
curl -s "https://rpki-validator.ripe.net/api/v1/validity/214XXX/2a0e:XXXX:XXXX::/48" | python3 -m json.tool
Step 4: Finding Upstream Providers
You need at least one network willing to establish a BGP session with you. Common options:
Tunnel brokers with BGP support:
| Provider | Type | Cost | Notes |
|---|---|---|---|
| iFog | GRE/WireGuard tunnel | Free–$5/mo | Good for testing |
| Securebit (AS58057) | WireGuard | Free | Community-focused |
| Bakker IT | GRE | ~€3/mo | Reliable |
| Vultr | Native BGP | $5/mo+ | Real transit, no tunnel |
| BuyVM | BGP on dedicated | $15/mo+ | Solid budget option |
Setting up a WireGuard tunnel to a BGP peer:
Many providers offer BGP over WireGuard or GRE tunnels. Here's a typical WireGuard setup:
# Install WireGuard
sudo apt install wireguard -y
# Generate keys
wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
# /etc/wireguard/wg-upstream.conf
[Interface]
PrivateKey = <your-private-key>
Address = fe80::2/64
ListenPort = 51820
[Peer]
PublicKey = <upstream-public-key>
Endpoint = upstream.example.com:51820
AllowedIPs = ::/0
sudo wg-quick up wg-upstream
Then update your BIRD config to peer over the WireGuard interface:
protocol bgp upstream1 {
local as 214XXX;
neighbor fe80::1%wg-upstream as 6939;
ipv6 {
import all;
export filter {
if net = 2a0e:XXXX:XXXX::/48 then accept;
reject;
};
};
}
Step 5: BYOIP with Cloud Providers
Once you own IP space, you can bring it into major cloud platforms. This is powerful — run your IPs on AWS, Cloudflare, or GCP without being locked into their address space.
AWS BYOIP:
# 1. Create a ROA authorizing Amazon's ASN
# Origin ASN: AS16509 (Amazon)
# Prefix: 2a0e:XXXX:XXXX::/48
# Max length: /48
# 2. Create a self-signed X.509 certificate and sign your address range
# (AWS uses RDAP-based verification)
# 3. Provision the CIDR in AWS
aws ec2 provision-byoip-cidr \
--cidr "2a0e:XXXX:XXXX::/48" \
--cidr-authorization-context \
Message="1|aws|<account-id>|2a0e:XXXX:XXXX::/48|20260401|SHA256|RSAPSS" \
Signature="<base64-signature>"
# 4. Wait for provisioning (can take up to 2 weeks)
aws ec2 describe-byoip-cidrs --max-results 10
# 5. Advertise when ready
aws ec2 advertise-byoip-cidr --cidr "2a0e:XXXX:XXXX::/48"
Cloudflare BYOIP (with Magic Transit or Spectrum):
Cloudflare supports BYOIP for customers on enterprise plans or using Magic Transit. You create a Letter of Authorization (LOA), submit it to Cloudflare, and they announce your prefix through their global anycast network. This gives your IPs Cloudflare's DDoS protection and global edge network.
GCP BYOIP:
gcloud compute addresses create my-byoip-ipv6 \
--global \
--ip-version=IPV6 \
--purpose=VPC_PEERING \
--prefix-length=48 \
--network=default \
--addresses="2a0e:XXXX:XXXX::"
Practical Tips and Gotchas
1. Always create ROAs before announcing. If you announce without a valid ROA, RPKI-enforcing networks (which is most of them in 2026) will drop your routes. Your prefix will be "RPKI Invalid" and effectively unreachable from large parts of the internet.
2. Start with IPv6 only. IPv4 space requires a minimum /24 for global announcement and costs thousands. IPv6 /48 allocations are essentially free through your LIR. Get your BGP operations solid with IPv6 first.
3. Monitor your announcements. Set up alerts on:
- bgp.tools — excellent looking glass and monitoring
- RIPE RIPEstat — official RIPE data
- bgp.he.net — Hurricane Electric's looking glass
4. Join an IXP. Internet Exchange Points let you peer directly with other networks, reducing latency and costs. Many have low or no membership fees for small members. Check PeeringDB for IXPs near your servers.
5. IRR entries matter. Many networks filter based on IRR data. Make sure your route6 objects are registered and your as-set is maintained. Your LIR should help with initial setup.
6. Don't announce more-specifics without reason. Announcing a /48 is fine. Breaking it into /64s and announcing them all will get you filtered and possibly earn you angry emails from network operators.
7. Use communities. BGP communities let you signal intent to your upstreams (e.g., "don't export to AS X" or "prepend 3x to AS Y"). Learn your upstream's community policy.
8. Keep your LIR contact current. If your sponsoring LIR goes out of business or drops you, your resources can be revoked. Maintain the relationship and keep your contact info updated with the RIR.
Resources
- RIPE NCC Academy: academy.ripe.net — Free courses on BGP, RPKI, and internet governance
- BIRD Documentation: bird.network.cz
- DN42: dn42.dev — Practice BGP in a sandbox network before going to production
- PeeringDB: peeringdb.com — Find peering partners and IXPs
- bgp.tools: bgp.tools — Monitor your ASN and prefixes
- RPKI Documentation: rpki.readthedocs.io
- NoPKT LLC: nopkt.com — LIR services for ASN sponsorship and IPv6 allocations (ARIN & RIPE NCC)
Wrapping Up
Getting your own ASN and announcing IP space via BGP is no longer reserved for ISPs and large enterprises. With a sponsoring LIR handling the administrative side and open-source tools like BIRD, any competent engineer can participate in the global routing system.
The total cost — an LIR sponsorship, a cheap VPS, and some time — is trivial compared to what you gain: true provider independence, hands-on understanding of how the internet works at its core, and infrastructure you genuinely own.
Start with IPv6, get your BGP sessions established, verify with looking glasses, and build from there. Once you've announced your first prefix and watched it propagate across the global routing table, you'll wonder why you didn't do it sooner.
Have questions about the process? Drop a comment below — happy to help with specific configs or provider recommendations.
Top comments (0)