By
Steven Wallace - Director, Internet2 Routing Integrity
Estimated reading time: 4 minutes
In this blog series, we take a closer look at a growing toolkit designed to make routing security more visible, understandable, and actionable for the research and education community. The tools are free and openly available through the Routing Operations Observational Technology: Building to Enable Education and Research (ROOTBEER) project, an NSF-funded collaboration between UC San Diego’s Center for Applied Internet Data Analysis (CAIDA) and Internet2.
The ROOTBEER toolset is practical and purpose-built for the real challenges R&E network operators face. Get insights into how each tool supports routing security and how institutions like yours are using it.
Research and education (R&E) networks are purpose-built for the community, designed for the trusted performance and resiliency institutions depend on. Keeping traffic on R&E infrastructure rather than the commodity internet requires collective action by network operators. BGP — the internet’s routing protocol — selects the shortest path by default, and the R&E path is not always the shortest.
To ensure R&E routes are consistently used, network operators steer traffic using an attribute called Local Preference, or local pref, which BGP evaluates ahead of path length. One of the ROOTBEER project’s unique capabilities is to measure the use of local pref across the R&E ecosystem and offer a more complete picture of how traffic flows.
The R&E Topology Report surfaces that data as an interactive visualization, allowing users to see the BGP routes that the Internet2 network receives from its peers. Routes and AS paths are represented in an interactive Sankey-style diagram, making it easy to explore all the possible ways traffic may reach Internet2 and how different paths relate to one another.
How the R&E Topology Report Works
The R&E Topology Report uses pre-policy BGP routing data received by the Internet2 network. Pre-policy includes all routes, not just the best paths. This is significant because networks typically export only their best path to a given route, eliminating the ability to see potential backup or alternative routes. These data are captured daily for each BGP peering session from each Internet2 router. Routes rejected by policy (e.g., routes that are too long, routes from private AS numbers, routes that traverse Tier 1 providers) are also depicted.
In the Sankey diagram, each colored band is composed of one or more “route ribbons.” A route ribbon represents a set of routes that share a common AS path. Rejected routes appear as red route ribbons. If there are multiple paths near a selected route ribbon, a route ribbon picker appears, allowing you to narrow the graph to depict the path of interest.
For example, the diagram below shows the routes Internet2 receives that include the University of Hawaii.
You can also interact with the live version of this diagram.
Why the Topology Report Matters for R&E Network Operators
The R&E Topology Report helps network operators:
- Verify that route policy is working as intended. The report shows which routes are accepted or rejected and why, making it easier to confirm that local pref and other route policy configurations are producing intended results.
- Visualize the full connectivity, including potential backup paths. Because the report uses pre-policy BGP data rather than only best-path exports, operators can see the complete picture of how traffic could reach Internet2.
- Spot instances of unintended route leaks. When unexpected routes appear, the Sankey diagram makes those anomalies visible at a glance.
- Communicate traffic behavior clearly with shareable diagrams. The visual format helps translate technical details for IT leadership and other stakeholders who want to understand routing decisions without reading BGP tables.
More About the Development Effort
The initial R&E Topology Report consists of roughly 10,000 lines of Python and JavaScript, developed over 15 days using a number of AI coding tools. That pace was possible in part because the ROOTBEER toolset operates entirely outside of Internet2’s production network and doesn’t interface with operational Internet2 systems. Working in a greenfield environment with that level of separation meant I could delegate implementation details to AI while staying focused on intent, design, correctness, resilience, and security.
The report was also a team effort. The backend raw-data collection was built by Ryan Harden at Internet2 and Matthew Luckie at CAIDA. The container and pod environment was largely built by Karl Newell, and the specialized network configurations supporting these measurements were configured by Jeff Bartig, both at Internet2.
Community input continues to be instrumental, with feedback from R&E network operators shaping how the R&E Topology Report and the ROOTBEER toolset evolve.
Get Started with the R&E Topology Report
The R&E Topology Report is currently available as an experimental tool. Explore route paths for your R&E network at R&E Topology Report.
For questions or to learn more about the ROOTBEER project, contact rootbeer@internet2.edu.
ROOTBEER is supported by the NSF (award no. OAC-2530871). The project runs from October 1, 2025, through September 30, 2028.
ICYMI
About the Author(s)
Steve Wallace promotes the adoption and improvement of routing security and integrity throughout the Internet2 community. He has been an active community member for over 24 years, having started as the engineer responsible for the team that built Abilene, Internet2's first network.