PATTERN Cited by 1 source
Customer-community-tag export policy
Customer-community-tag export policy is the BGP export configuration pattern in which a router's outbound policy requires each advertised route to satisfy two independent conditions:
- Prefix-list match against an IRR-derived prefix list of the operator's own customer cone, i.e. the prefixes it is entitled to announce to its upstream.
- BGP community tag match — the route must carry a community set only at the customer-facing ingress router, marking provenance as "learned from direct customer BGP session."
Both conditions must hold; the policy rejects routes that satisfy only one.
Why two conditions, not one
The two conditions answer different questions:
- Prefix list answers "is this prefix in my customer cone?"
- Community tag answers "did I learn this prefix directly from a customer session — or did it enter my RIB indirectly via a peer or provider?"
Route leaks occur when a route that is in the customer cone (so matches the prefix list) was learned indirectly (so shouldn't be re-exported upstream). Gating on the community tag prevents this: indirectly-learned copies don't carry the tag and are filtered out.
Implementation sketch (Junos-style)
/* Under [edit policy-options]. The community value 64500:100 and the cone
   entry are illustrations; use your own ASN and your own IRR-derived list. */
community CUSTOMER-LEARNED members 64500:100;
prefix-list CUSTOMER-CONE {
    203.0.113.0/24;     /* IRR-derived, regenerated on a schedule (e.g. bgpq4 -J) */
}

/* Import policy on every customer session: stamps provenance
   (a real customer import also filters on the customer's own IRR prefix set) */
policy-statement MARK-CUSTOMER {
    term set-tag {
        then {
            community add CUSTOMER-LEARNED;
            accept;
        }
    }
}

/* Import policy on every peer and provider session: strips the tag so a
   neighbour cannot claim customer provenance by sending the community itself */
policy-statement SCRUB-PROVENANCE {
    term strip-tag {
        then {
            community delete CUSTOMER-LEARNED;
            accept;
        }
    }
}

/* Export policy on every provider-facing session; both from-conditions must match */
policy-statement EXPORT-TO-PROVIDER {
    term filter {
        from {
            prefix-list CUSTOMER-CONE;      /* is it in my customer cone? */
            community CUSTOMER-LEARNED;     /* did I learn it directly from a customer? */
        }
        then accept;
    }
    then reject;
}
If the customer session flaps and the customer's routes reach this router only indirectly (via a peer or provider), they arrive without the CUSTOMER-LEARNED community and the export filter drops them, even though they still match the prefix list.
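The following model, added here as an example and not code from the original page, from Cloudflare or from any router vendor, turns the two ingress policies and the provider-facing export policy above into plain functions so that each leak case the page describes (hairpin via a provider, a customer leaking a foreign route, a neighbour sending the community pre-set) can be checked offline. The community value, the ASNs, the prefixes and the customer-cone entries are constructed for illustration; the cone is modelled as bgpq4-style "prefix le maxlen" entries rather than exact matches, which is an assumption beyond the page's sketch.

```python
"""Simulation of the customer-community-tag export policy (added example)."""
from dataclasses import dataclass, field
import ipaddress

# Assumed community value, equivalent to "community CUSTOMER-LEARNED members 64500:100".
CUSTOMER_LEARNED = "64500:100"

# Constructed stand-in for the IRR-derived prefix list: network -> maximum
# accepted prefix length (a bgpq4-style "prefix le maxlen" entry).
CUSTOMER_CONE = {
    ipaddress.ip_network("203.0.113.0/24"): 24,
    ipaddress.ip_network("198.51.100.0/22"): 24,
}


@dataclass
class Route:
    prefix: str
    as_path: tuple          # left-most ASN is the neighbour the route came from
    communities: set = field(default_factory=set)


def ingress(route, session_type):
    """Ingress policy for the session the route arrived on.

    MARK-CUSTOMER adds the provenance community on customer sessions; the
    peer/provider ingress deletes it, so a neighbour cannot forge provenance
    by sending the community itself.
    """
    tagged = Route(route.prefix, route.as_path, set(route.communities))
    if session_type == "customer":
        tagged.communities.add(CUSTOMER_LEARNED)
    else:
        tagged.communities.discard(CUSTOMER_LEARNED)
    return tagged


def in_customer_cone(prefix):
    """Prefix-list condition: covered by a cone entry and not longer than its maxlen."""
    net = ipaddress.ip_network(prefix)
    return any(
        net.subnet_of(cone) and net.prefixlen <= maxlen
        for cone, maxlen in CUSTOMER_CONE.items()
        if net.version == cone.version
    )


def export_to_provider(route):
    """EXPORT-TO-PROVIDER: accept only if BOTH conditions hold, otherwise reject."""
    return in_customer_cone(route.prefix) and CUSTOMER_LEARNED in route.communities


def leak_scenarios():
    """Run the cases the page discusses; returns {case name: exported?}."""
    cases = {
        # Normal case: the customer's own prefix over the direct customer session.
        "customer_direct": ("customer", Route("203.0.113.0/24", (64501,))),
        # More-specific within maxlen, still from the customer.
        "customer_more_specific": ("customer", Route("198.51.100.0/23", (64501,))),
        # Too specific for the cone entry (/25 exceeds maxlen 24).
        "customer_too_specific": ("customer", Route("198.51.100.0/25", (64501,))),
        # Hairpin: customer session down, the same prefix arrives via our provider.
        "via_provider_hairpin": ("provider", Route("203.0.113.0/24", (64510, 64501))),
        # Customer leaks its other provider's route: tagged, but outside the cone.
        "customer_leaks_foreign": ("customer", Route("192.0.2.0/24", (64501, 64520))),
        # Peer sends the community pre-set: scrubbed on ingress, still rejected.
        "peer_forges_tag": ("peer", Route("203.0.113.0/24", (64530, 64501), {CUSTOMER_LEARNED})),
    }
    return {name: export_to_provider(ingress(r, kind)) for name, (kind, r) in cases.items()}


if __name__ == "__main__":
    for name, exported in leak_scenarios().items():
        print(f"{name:24s} {'EXPORT' if exported else 'reject'}")
```

Only the two customer-learned, in-cone routes are exported; the hairpin copy fails the community condition despite matching the prefix list, and the forged tag from the peer never survives ingress, which is why the scrub step on non-customer sessions is part of the pattern rather than an optional extra.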
Relationship to stronger protocols
This pattern is a hygiene measure, not a standard. It holds only as long as the operator applies it consistently: the community must be added on every customer session, deleted on every peer and provider session, and required on every upstream-facing export, and the IRR data behind the prefix list must actually describe the customer cone. A single router that skips the delete step lets a neighbour forge provenance by sending the community itself. Protocol-level equivalents with stronger guarantees:
- RFC 9234 (BGP Roles and the Only-to-Customer attribute) — the peering role is agreed at session setup, and routes learned from a provider or peer carry an OTC attribute that forbids re-export to anything but customers, so provenance becomes a protocol attribute rather than a per-operator convention.
- ASPA — the providers an AS authorizes are published as RPKI-signed objects, so any validating router on the Internet can detect a path in which an AS appears as a provider that the customer never authorized.
Community tagging is a local, protocol-unaware version of the same underlying property (a route learned from a non-customer must not be sent to a non-customer). It is what operators can deploy today on any BGP implementation, without waiting for vendor support or for their neighbours to adopt OTC and ASPA.
Seen in
- sources/2026-01-08-cloudflare-a-closer-look-at-a-bgp-anomaly-in-venezuela — Cloudflare names the customer-community-tag requirement as the specific discipline AS8048 appears not to have had in its export policy toward AS52320, allowing the recurring Type 1 hairpin leaks.