BGP export policy

A BGP export policy is the set of rules that decides which routes an AS will advertise to a given neighbor. It is the per-AS, per-session realization of the pairwise relationships in BGP — and when it is misconfigured, it is the most common root cause of route leaks.

Typical building blocks

An export policy towards a neighbor typically combines some subset of:

  • Prefix list / prefix filter — only advertise these specific prefixes or prefixes within these ranges. Often auto-generated from IRR (Internet Routing Registry) AS-SET / as-macro expansion.
  • AS-path filter / regex — only advertise routes whose AS path matches a pattern (e.g. originated by the customer's ASN or within the customer cone).
  • BGP community match — only advertise routes tagged with a particular community value at ingestion. Communities can mark "learned from customer" / "learned from peer" / "learned from provider" at the ingress router, and egress policy can gate accordingly.
  • Max-prefix limits — hard stop advertising past N prefixes to avoid accidents.

The hygiene failure Cloudflare proposes

The Venezuela post's alternative explanation for AS8048's leak: AS8048's export policy toward AS52320 used only an IRR-generated prefix list — i.e. it advertised any prefix that appeared in AS8048's customer-cone AS-SET expansion. That set of prefixes is correct (AS21980 is in AS8048's customer cone, so its prefixes belong). But because the filter did not additionally require a customer-learned BGP community tag, the export accepted any route with a matching prefix — including copies learned indirectly from AS6762 via AS52320 during a moment when AS8048's direct BGP session with AS21980 was down.

The corrective pattern is a customer-community-tag export policy: filter both on the prefix list and on a community tag that is set only at the customer-facing ingress, so indirectly-learned copies of the same prefix cannot slip through.
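The following is an added example (not code from the Cloudflare post or from any router vendor) that models the building blocks listed above and replays the leak scenario as the post describes it: the same AS21980 prefix arrives once over the direct customer session and once, while that session is down, over the AS52320 peering with AS6762 in the path. The community values, the prefix list contents (documentation ranges standing in for AS21980's real space) and the max-prefix count are all constructed for illustration.

```python
"""Toy model of BGP ingress tagging and export policy evaluation.
Added example; not Cloudflare's, AS8048's or any vendor's configuration."""
import ipaddress
from dataclasses import dataclass

# Hypothetical relationship communities; a real network picks its own values.
CUSTOMER_TAG = (65000, 100)   # stamped only on customer-facing ingress
PEER_TAG = (65000, 200)
PROVIDER_TAG = (65000, 300)
RELATIONSHIP_TAG = {"customer": CUSTOMER_TAG, "peer": PEER_TAG, "provider": PROVIDER_TAG}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple                       # leftmost ASN = the neighbor it was learned from
    communities: frozenset = frozenset()


def ingress(route, relationship):
    """Ingress policy: mark the route with the relationship of the session it arrived on."""
    return Route(route.prefix, route.as_path,
                 route.communities | {RELATIONSHIP_TAG[relationship]})


def prefix_list_match(prefix, prefix_list):
    """prefix_list entries are (network, max_len), the shape of an IRR-generated filter."""
    net = ipaddress.ip_network(prefix)
    for allowed, max_len in prefix_list:
        allowed_net = ipaddress.ip_network(allowed)
        if (net.version == allowed_net.version
                and net.subnet_of(allowed_net)
                and net.prefixlen <= max_len):
            return True
    return False


def export_prefix_only(route, prefix_list):
    """Weak policy: anything inside the customer-cone prefix list is advertised."""
    return prefix_list_match(route.prefix, prefix_list)


def export_prefix_and_customer_tag(route, prefix_list):
    """Corrective policy: prefix must be in the list AND carry the customer ingress tag."""
    return prefix_list_match(route.prefix, prefix_list) and CUSTOMER_TAG in route.communities


def export_within_cone(route, prefix_list, customer_cone_asns):
    """AS-path variant: every ASN on the path must sit inside the customer cone."""
    return (prefix_list_match(route.prefix, prefix_list)
            and all(asn in customer_cone_asns for asn in route.as_path))


def build_advertisement(routes, policy, max_prefix):
    """Apply a policy to candidate routes; stop advertising once max_prefix is reached.
    Returns (advertised prefixes, True if the cap was hit)."""
    advertised = []
    for route in routes:
        if policy(route):
            if len(advertised) >= max_prefix:
                return advertised, True
            advertised.append(route.prefix)
    return advertised, False


# Constructed scenario following the post's description. Prefixes are
# documentation ranges, not AS21980's actual announcements.
CONE_ASNS = {21980}
IRR_PREFIX_LIST = [("203.0.113.0/24", 24), ("198.51.100.0/24", 24)]

# Same prefix, two origins: direct from the customer, and the indirect copy
# that arrives from peer AS52320 (via AS6762) while the direct session is down.
direct = ingress(Route("203.0.113.0/24", (21980,)), "customer")
indirect = ingress(Route("203.0.113.0/24", (52320, 6762, 21980)), "peer")


def leak_scenario():
    """Which export policies toward AS52320 would advertise the indirect copy?"""
    policies = {
        "prefix_only": lambda r: export_prefix_only(r, IRR_PREFIX_LIST),
        "prefix_and_community": lambda r: export_prefix_and_customer_tag(r, IRR_PREFIX_LIST),
        "cone_as_path": lambda r: export_within_cone(r, IRR_PREFIX_LIST, CONE_ASNS),
    }
    return {name: policy(indirect) for name, policy in policies.items()}


if __name__ == "__main__":
    for name, leaked in leak_scenario().items():
        print(f"{name:22s} advertises indirect copy: {leaked}")
```

Running it shows the prefix-only policy passing the peer-learned copy (the leak), while both the community-gated policy and the cone AS-path check reject it; the direct customer route passes all three. The community check is the one the post recommends because it does not depend on the AS path being well-formed, only on the ingress router having stamped the session correctly.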
