Add a fairly minimal ixp setup generated by arouteserver
authorclaudio <claudio@openbsd.org>
Thu, 12 Oct 2023 09:18:56 +0000 (09:18 +0000)
committerclaudio <claudio@openbsd.org>
Thu, 12 Oct 2023 09:18:56 +0000 (09:18 +0000)
This does a lot of community manipulation and also tests a few other
bits of code (prepends, roa, prefix-set).

regress/usr.sbin/bgpd/integrationtests/Makefile
regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain1.conf [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_1.conf [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_2.conf [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_3.conf [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_4.conf [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/ixp.rdomain1.ok [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/ixp.rdomain2.ok [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/ixp.sh [new file with mode: 0644]

index 31f32c8..bc0b981 100644 (file)
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.21 2023/07/12 15:34:59 claudio Exp $
+# $OpenBSD: Makefile,v 1.22 2023/10/12 09:18:56 claudio Exp $
 
 REGRESS_TARGETS        =       network_statement md5 ovs mrt pftable \
                        maxprefix maxprefixout maxcomm \
-                       as0 med eval_all policy l3vpn attr
+                       as0 med eval_all policy l3vpn attr ixp
 
 BGPD ?=                        /usr/sbin/bgpd
 
@@ -41,6 +41,9 @@ maxcomm:
 l3vpn:
        ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12 13 14
 
+ixp:
+       ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12
+
 .if ! exists(/usr/local/bin/exabgp)
 as0:
        # install exabgp from ports for additional tests
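Review bot: The new `ixp` target hands ixp.sh the same rdomains (11, 12) and interface pairs (pair11, pair12) that the `l3vpn` recipe above uses, so the two tests share kernel network state and cannot run at the same time; the hunk does not say so. Presumably bsd.regress.mk runs REGRESS_TARGETS sequentially, which is why the overlap is safe today, but that assumption is invisible at the point of use. A one-line comment on the target would record it, e.g. `# ixp: rdomains 11/12 and pair11/pair12 are shared with l3vpn; tests must stay sequential`. The recipe runs under `${SUDO}` with whatever `${BGPD}` resolves to, so the comment is also the place to note that an overridden BGPD path is executed as root.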
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain1.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain1.conf
new file mode 100644 (file)
index 0000000..ece5fab
--- /dev/null
@@ -0,0 +1,2528 @@
+# built by ARouteServer
+AS 999
+router-id 192.0.2.2
+
+fib-update no
+log updates
+
+nexthop qualify via default
+
+rde evaluate all
+
+INTCOMM_PREF_OK_ROA="soo 65535:1"
+INTCOMM_ROUTE_OK_WL="soo 65535:2"
+
+INTCOMM_ORIGIN_OK="soo 65535:4"
+INTCOMM_ORIGIN_KO="soo 65535:5"
+INTCOMM_PREFIX_OK="soo 65535:6"
+INTCOMM_PREFIX_KO="soo 65535:7"
+INTCOMM_IRR_REJECT="soo 65535:8"
+
+INTCOMM_RPKI_UNKNOWN="soo 65535:9"
+INTCOMM_RPKI_INVALID="soo 65535:10"
+INTCOMM_RPKI_VALID="soo 65535:11"
+
+INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13"
+
+INTCOMM_NO_EXPORT="soo 65535:65281"
+INTCOMM_NO_ADVERTISE="soo 65535:65282"
+
+# ---------------------------------------------------------
+# IRRDB
+
+# AS2, used by client AS2_1
+# no origin ASNs found for AS2
+# no prefixes found for AS2
+
+# AS-AS1, AS-AS1_CUSTOMERS, used by client AS1_1
+as-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns" {
+    1 101 103 104
+}
+prefix-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes" {
+    1.0.0.0/8 prefixlen 8 - 32
+    128.0.0.0/7 prefixlen 7 - 32
+    101.0.0.0/16 prefixlen 16 - 32
+    103.0.0.0/16 prefixlen 16 - 32
+}
+
+# AS-AS2, AS-AS2_CUSTOMERS, used by client AS2_1
+as-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns" {
+    2 101 103
+}
+prefix-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes" {
+    2.0.0.0/16 prefixlen 16 - 32
+    101.0.0.0/16 prefixlen 16 - 32
+    103.0.0.0/16 prefixlen 16 - 32
+}
+
+# AS1, used by client AS1_1
+# no origin ASNs found for AS1
+# no prefixes found for AS1
+
+# WHITE_LIST_AS1_1, used by client AS1_1 white list
+as-set "AS_SET_WHITE_LIST_AS1_1_asns" {
+    1011
+}
+prefix-set "AS_SET_WHITE_LIST_AS1_1_prefixes" {
+    11.1.0.0/16 prefixlen 16 - 32
+}
+
+# ---------------------------------------------------------
+# ROAs source
+
+
+roa-set {
+    2.0.3.0/24 source-as 2
+    2.0.4.0/24 source-as 0
+}
+
+# ---------------------------------------------------------
+# MEMBERS
+
+group "clients" {
+       transparent-as yes
+       rde evaluate all
+
+       neighbor 192.0.2.11 {
+               remote-as 1
+               descr "AS1_1 client"
+       }
+
+       neighbor 192.0.2.21 {
+               remote-as 2
+               descr "AS2_1 client"
+       }
+
+       neighbor 192.0.2.31 {
+               remote-as 3
+               descr "AS3_1 client"
+       }
+
+       neighbor 192.0.2.41 {
+               remote-as 4
+               descr "AS4_1 client"
+       }
+}
+
+# ---------------------------------------------------------
+# FILTERS
+
+# NO_ADVERTISE usage notes.
+# The NO_ADVERTISE well-know community is used here to handle
+# filters that span over multiple steps. At first it is added
+# to any route, then it is removed as filters conditions are
+# satisfied. Finally, if it is still present, it means that
+# the route should be discarded.
+
+
+
+
+prefix-set "global_black_list_pref" {
+    192.0.2.0/24 prefixlen 24 - 32
+    2.0.7.0/24 prefixlen 24 - 32
+}
+
+prefix-set "bogons" {
+    0.0.0.0/0
+    0.0.0.0/8 prefixlen 8 - 32
+    10.0.0.0/8 prefixlen 8 - 32
+    127.0.0.0/8 prefixlen 8 - 32
+    169.254.0.0/16 prefixlen 16 - 32
+    172.16.0.0/12 prefixlen 12 - 32
+    192.0.2.0/24 prefixlen 24 - 32
+    192.88.99.0/24 prefixlen 24 - 32
+    192.168.0.0/16 prefixlen 16 - 32
+    198.18.0.0/15 prefixlen 15 - 32
+    198.51.100.0/24 prefixlen 24 - 32
+    203.0.113.0/24 prefixlen 24 - 32
+    224.0.0.0/3 prefixlen 3 - 32
+    100.64.0.0/10 prefixlen 10 - 32
+    ::/0
+    ::/8 prefixlen 8 - 128
+    64:ff9b::/96 prefixlen 96 - 128
+    100::/8 prefixlen 8 - 128
+    200::/7 prefixlen 7 - 128
+    400::/6 prefixlen 6 - 128
+    800::/5 prefixlen 5 - 128
+    1000::/4 prefixlen 4 - 128
+    2001::/33 prefixlen 33 - 128
+    2001:0:8000::/33 prefixlen 33 - 128
+    2001:2::/48 prefixlen 48 - 128
+    2001:3::/32 prefixlen 32 - 128
+    2001:10::/28 prefixlen 28 - 128
+    2001:20::/28 prefixlen 28 - 128
+    2001:db8::/32 prefixlen 32 - 128
+    2002::/16 prefixlen 16 - 128
+    3ffe::/16 prefixlen 16 - 128
+    4000::/3 prefixlen 3 - 128
+    5f00::/8 prefixlen 8 - 128
+    6000::/3 prefixlen 3 - 128
+    8000::/3 prefixlen 3 - 128
+    a000::/3 prefixlen 3 - 128
+    c000::/3 prefixlen 3 - 128
+    e000::/4 prefixlen 4 - 128
+    f000::/5 prefixlen 5 - 128
+    f800::/6 prefixlen 6 - 128
+    fc00::/7 prefixlen 7 - 128
+    fe80::/10 prefixlen 10 - 128
+    fec0::/10 prefixlen 10 - 128
+    ff00::/8 prefixlen 8 - 128
+
+}
+
+# never via route-servers ASNs
+as-set "neverviarouteserver" {
+       666, 777
+}
+
+# =====================================================================================
+# Global rules.
+
+# This part of configuration is processed at the beginning of the filters.
+# The rules defined in this part are applied to all the clients, and not on a
+# client-by-client basis (see the 'match from group clients'), so only global policies
+# can be implemented here, that is no client-level configuration are allowed.
+
+
+
+# Scrub communities from inbound routes
+# origin_not_present_in_as_set
+match from group clients set community delete 65530:0
+match from group clients set large-community delete 999:65530:0
+
+# origin_present_in_as_set
+match from group clients set community delete 65530:1
+match from group clients set large-community delete 999:65530:1
+
+# prefix_validated_via_arin_whois_db_dump
+match from group clients set community delete 65530:3
+match from group clients set large-community delete 999:65530:3
+
+# prefix_validated_via_rpki_roas
+match from group clients set community delete 65530:2
+match from group clients set large-community delete 999:65530:2
+
+# reject_cause
+match from group clients set community delete 65520:*
+
+# rejected_route_announced_by
+match from group clients set community delete 65524:*
+match from group clients set ext-community delete rt 65524:*
+
+# rpki_bgp_origin_validation_not_performed
+match from group clients set community delete 65530:4
+match from group clients set large-community delete 999:65530:4
+
+
+# Scrub internal communities from inbound routes
+match from group clients set {
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+
+# The main goal of this block is to enrich routes received from clients by attaching to them
+# internal informational communities which are used later by the rest of the filter rules.
+
+# Internal communities used for RFC1997 well-known communities handling
+
+# Transform NO_EXPORT into $INTCOMM_NO_EXPORT
+match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT }
+
+# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE
+match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE }
+
+
+# ---------------------------------------------------------
+# RPKI-based Origin Validation
+
+# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID
+# ext community on the basis of ovs.
+match from group clients ovs not-found set {
+    ext-community $INTCOMM_RPKI_UNKNOWN
+    ext-community ovs not-found
+    
+}
+match from group clients ovs valid set {
+    ext-community $INTCOMM_RPKI_VALID
+    ext-community ovs valid
+    
+}
+match from group clients ovs invalid set {
+    ext-community $INTCOMM_RPKI_INVALID
+    ext-community ovs invalid
+    
+}
+
+
+# ---------------------------------------------------------
+# RPKI ROAs used as route objects.
+
+# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose
+# origin ASN has a ROA for the announced prefix.
+# It will be used later during IRRDB validation in
+# case the origin ASN is authorized by a client's
+# AS-SET but the prefix is not.
+
+# Since RPKI-based Origin Validation is already performed above,
+# use the origin validation state to identify valid routes.
+match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA
+
+
+# Set the 'rejected_route_announced_by' community for all the clients.
+# It will be removed later if the route is not invalid
+match from 192.0.2.11 set community 65524:1
+match from 192.0.2.11 set ext-community rt 65524:1
+
+match from 192.0.2.21 set community 65524:2
+match from 192.0.2.21 set ext-community rt 65524:2
+
+match from 192.0.2.31 set community 65524:3
+match from 192.0.2.31 set ext-community rt 65524:3
+
+match from 192.0.2.41 set community 65524:4
+match from 192.0.2.41 set ext-community rt 65524:4
+
+
+# AS_PATH: length
+# Reject inbound routes when 'from group clients max-as-len 6' - reject code: 1
+allow quick from group clients max-as-len 6 set {
+       localpref 1
+       community 65520:0
+       community 65520:1
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Prefix: global blacklist
+# Reject inbound routes when 'from group clients prefix-set global_black_list_pref' - reject code: 3
+allow quick from group clients prefix-set global_black_list_pref set {
+       localpref 1
+       community 65520:0
+       community 65520:3
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Prefix: bogon
+# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2
+allow quick from group clients prefix-set bogons set {
+       localpref 1
+       community 65520:0
+       community 65520:2
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+
+
+# =====================================================================================
+# Per client rules.
+
+
+# ---------------------------------------------
+# client AS1_1, inbound
+
+
+
+# NEXT_HOP
+match from 192.0.2.11 set community NO_ADVERTISE
+match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE
+# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5
+allow quick from 192.0.2.11 community NO_ADVERTISE set {
+       localpref 1
+       community 65520:0
+       community 65520:5
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: invalid ASNs
+# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7
+allow quick from 192.0.2.11 AS 23456 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7
+allow quick from 192.0.2.11 AS 64496 - 131071 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7
+allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: transit-free ASNs
+# Reject inbound routes when 'from 192.0.2.11 AS { 3, 174 }' - reject code: 8
+allow quick from 192.0.2.11 AS { 3, 174 } set {
+       localpref 1
+       community 65520:0
+       community 65520:8
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: never via route-servers ASNs
+# Reject inbound routes when 'from 192.0.2.11 AS as-set neverviarouteserver' - reject code: 15
+allow quick from 192.0.2.11 AS as-set neverviarouteserver set {
+       localpref 1
+       community 65520:0
+       community 65520:15
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# client's white list
+# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which
+# are validated by a client's white list entry.
+# It will be used later during IRRDB validation in
+# case the route is not authorized by a client's
+# AS-SET.
+match from 192.0.2.11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None
+match from 192.0.2.11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL      # None
+
+match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT
+
+# AS_PATH: check origin via AS-SET
+# IRRDB filters for AS1_1, AS1: asns
+# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object
+match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO
+# verifying if object is authorized by AS-SETs
+match from 192.0.2.11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set {
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community $INTCOMM_ORIGIN_OK
+} # AS_AS1_AS_AS1_CUSTOMERS
+# AS-SET AS1 referenced but empty.
+match from 192.0.2.11 source-as as-set AS_SET_WHITE_LIST_AS1_1_asns set {
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community $INTCOMM_ORIGIN_OK
+} # WHITE_LIST_AS1_1
+
+
+# Prefix: check prefix via AS-SET
+# IRRDB filters for AS1_1, AS1: prefixes
+# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object
+match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO
+# verifying if object is authorized by AS-SETs
+match from 192.0.2.11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set {
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community $INTCOMM_PREFIX_OK
+} # AS_AS1_AS_AS1_CUSTOMERS
+# AS-SET AS1 referenced but empty.
+match from 192.0.2.11 prefix-set AS_SET_WHITE_LIST_AS1_1_prefixes set {
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community $INTCOMM_PREFIX_OK
+} # WHITE_LIST_AS1_1
+
+
+# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK)
+match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT
+
+# route authorized by a client's white list?
+match from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT
+
+# enforcing: origin ASN
+# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9
+allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set {
+       localpref 1
+       community 65520:0
+       community 65520:9
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# enforcing: prefix
+# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12
+allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set {
+       localpref 1
+       community 65520:0
+       community 65520:12
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Blackhole request?
+match from 192.0.2.11 set community delete 65524:1
+match from 192.0.2.11 set ext-community delete rt 65524:1
+
+
+# Remove internal communities before accepting the route
+match from 192.0.2.11 community BLACKHOLE set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+allow from 192.0.2.11 community 65534:0 set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+allow from 192.0.2.11 large-community 65534:0:0 set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Add the rpki_bgp_origin_validation_not_performed community
+match from 192.0.2.11 community BLACKHOLE set community 65530:4
+match from 192.0.2.11 community BLACKHOLE set large-community 999:65530:4
+
+match from 192.0.2.11 community 65534:0 set { community 65530:4 large-community 999:65530:4}
+match from 192.0.2.11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4}
+
+
+allow quick from 192.0.2.11 community BLACKHOLE
+allow quick from 192.0.2.11 community 65534:0
+allow quick from 192.0.2.11 large-community 65534:0:0
+
+
+match from 192.0.2.11 set community 65524:1
+match from 192.0.2.11 set ext-community rt 65524:1
+
+
+# RPKI-based Origin Validation
+# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14
+allow quick from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID set {
+       localpref 1
+       community 65520:0
+       community 65520:14
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Prefix: length
+# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13
+allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set {
+       localpref 1
+       community 65520:0
+       community 65520:13
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Graceful shutdown
+match from 192.0.2.11 community GRACEFUL_SHUTDOWN set localpref 5
+
+# Remove internal communities before accepting the route
+match from 192.0.2.11 set {
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+match from 192.0.2.11 set community delete 65524:1
+match from 192.0.2.11 set ext-community delete rt 65524:1
+
+
+
+allow quick from 192.0.2.11
+
+
+
+# ---------------------------------------------
+# client AS1_1, outbound
+
+deny quick to 192.0.2.11 community 65520:0
+
+
+
+# Blackhole request?
+# Configured policy: rewrite-next-hop
+match to 192.0.2.11 community 65534:0 set community BLACKHOLE
+match to 192.0.2.11 large-community 65534:0:0 set community BLACKHOLE
+
+match to 192.0.2.11 community BLACKHOLE set community NO_EXPORT
+match to 192.0.2.11 community BLACKHOLE set nexthop 192.0.2.66
+
+
+# RPKI-based Origin Validation
+# Do not announce INVALID to clients
+deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID
+
+# NO_EXPORT and NO_ADVERTISE communities
+# add_noexport_to_any
+match to 192.0.2.11 community 65507:999 set community NO_EXPORT
+match to 192.0.2.11 ext-community rt 65507:999 set community NO_EXPORT
+match to 192.0.2.11 large-community 999:65507:999 set community NO_EXPORT
+
+# add_noadvertise_to_any
+match to 192.0.2.11 community 65508:999 set community NO_ADVERTISE
+match to 192.0.2.11 ext-community rt 65508:999 set community NO_ADVERTISE
+match to 192.0.2.11 large-community 999:65508:999 set community NO_ADVERTISE
+
+# add_noexport_to_peer
+match to 192.0.2.11 community 65509:1 set community NO_EXPORT
+match to 192.0.2.11 ext-community rt 65509:1 set community NO_EXPORT
+match to 192.0.2.11 large-community 999:65509:1 set community NO_EXPORT
+
+# add_noadvertise_to_peer
+match to 192.0.2.11 community 65510:1 set community NO_ADVERTISE
+match to 192.0.2.11 ext-community rt 65510:1 set community NO_ADVERTISE
+match to 192.0.2.11 large-community 999:65510:1 set community NO_ADVERTISE
+
+
+# BGP control communities
+allow to 192.0.2.11
+
+# do_not_announce_to_any
+deny to 192.0.2.11 community 0:999
+deny to 192.0.2.11 ext-community rt 0:999
+deny to 192.0.2.11 large-community 999:0:999
+
+# do_not_announce_to_peer
+deny quick to 192.0.2.11 community 0:1
+deny quick to 192.0.2.11 ext-community rt 0:1
+deny quick to 192.0.2.11 large-community 999:0:1
+
+# announce_to_peer
+allow to 192.0.2.11 community 65501:1
+allow to 192.0.2.11 ext-community rt 65501:1
+allow to 192.0.2.11 large-community 999:65501:1
+
+
+# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities
+# for prepending can be processed. As soon as one prepending action is performed,
+# this internal community is removed, so that further actions are not processed.
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS
+
+# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+
+# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+
+
+# ---------------------------------------------
+# client AS2_1, inbound
+
+
+
+# NEXT_HOP
+match from 192.0.2.21 set community NO_ADVERTISE
+match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE
+match from 192.0.2.21 nexthop 192.0.2.22 set community delete NO_ADVERTISE
+# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5
+allow quick from 192.0.2.21 community NO_ADVERTISE set {
+       localpref 1
+       community 65520:0
+       community 65520:5
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: invalid ASNs
+# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7
+allow quick from 192.0.2.21 AS 23456 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7
+allow quick from 192.0.2.21 AS 64496 - 131071 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7
+allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: transit-free ASNs
+# Reject inbound routes when 'from 192.0.2.21 AS { 3, 174 }' - reject code: 8
+allow quick from 192.0.2.21 AS { 3, 174 } set {
+       localpref 1
+       community 65520:0
+       community 65520:8
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: never via route-servers ASNs
+# Reject inbound routes when 'from 192.0.2.21 AS as-set neverviarouteserver' - reject code: 15
+allow quick from 192.0.2.21 AS as-set neverviarouteserver set {
+       localpref 1
+       community 65520:0
+       community 65520:15
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+
+match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT
+
+# AS_PATH: check origin via AS-SET
+# IRRDB filters for AS2_1, AS2: asns
+# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object
+match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO
+# verifying if object is authorized by AS-SETs
+# AS-SET AS2 referenced but empty.
+match from 192.0.2.21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set {
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community $INTCOMM_ORIGIN_OK
+} # AS_AS2_AS_AS2_CUSTOMERS
+
+
+# Prefix: check prefix via AS-SET
+# IRRDB filters for AS2_1, AS2: prefixes
+# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object
+match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO
+# verifying if object is authorized by AS-SETs
+# AS-SET AS2 referenced but empty.
+match from 192.0.2.21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set {
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community $INTCOMM_PREFIX_OK
+} # AS_AS2_AS_AS2_CUSTOMERS
+
+
+# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK)
+match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT
+
+# enforcing: origin ASN
+# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9
+allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set {
+       localpref 1
+       community 65520:0
+       community 65520:9
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# enforcing: prefix
+# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12
+allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set {
+       localpref 1
+       community 65520:0
+       community 65520:12
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Blackhole request?
+match from 192.0.2.21 set community delete 65524:2
+match from 192.0.2.21 set ext-community delete rt 65524:2
+
+
+# Remove internal communities before accepting the route
+match from 192.0.2.21 community BLACKHOLE set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+allow from 192.0.2.21 community 65534:0 set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+allow from 192.0.2.21 large-community 65534:0:0 set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Add the rpki_bgp_origin_validation_not_performed community
+match from 192.0.2.21 community BLACKHOLE set community 65530:4
+match from 192.0.2.21 community BLACKHOLE set large-community 999:65530:4
+
+match from 192.0.2.21 community 65534:0 set { community 65530:4 large-community 999:65530:4}
+match from 192.0.2.21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4}
+
+
+allow quick from 192.0.2.21 community BLACKHOLE
+allow quick from 192.0.2.21 community 65534:0
+allow quick from 192.0.2.21 large-community 65534:0:0
+
+
+match from 192.0.2.21 set community 65524:2
+match from 192.0.2.21 set ext-community rt 65524:2
+
+
+# RPKI-based Origin Validation
+# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14
+allow quick from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID set {
+       localpref 1
+       community 65520:0
+       community 65520:14
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Prefix: length
+# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13
+allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set {
+       localpref 1
+       community 65520:0
+       community 65520:13
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Graceful shutdown
+match from 192.0.2.21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN
+
+# Remove internal communities before accepting the route
+match from 192.0.2.21 set {
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+match from 192.0.2.21 set community delete 65524:2
+match from 192.0.2.21 set ext-community delete rt 65524:2
+
+
+
+allow quick from 192.0.2.21
+
+
+
+# ---------------------------------------------
+# client AS2_1, outbound
+
+deny quick to 192.0.2.21 community 65520:0
+
+
+
+# Blackhole request?
+# Configured policy: rewrite-next-hop
+match to 192.0.2.21 community 65534:0 set community BLACKHOLE
+match to 192.0.2.21 large-community 65534:0:0 set community BLACKHOLE
+
+match to 192.0.2.21 community BLACKHOLE set community NO_EXPORT
+match to 192.0.2.21 community BLACKHOLE set nexthop 192.0.2.66
+
+
+# RPKI-based Origin Validation
+# Do not announce INVALID to clients
+deny quick to 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID
+
+# NO_EXPORT and NO_ADVERTISE communities
+# add_noexport_to_any
+match to 192.0.2.21 community 65507:999 set community NO_EXPORT
+match to 192.0.2.21 ext-community rt 65507:999 set community NO_EXPORT
+match to 192.0.2.21 large-community 999:65507:999 set community NO_EXPORT
+
+# add_noadvertise_to_any
+match to 192.0.2.21 community 65508:999 set community NO_ADVERTISE
+match to 192.0.2.21 ext-community rt 65508:999 set community NO_ADVERTISE
+match to 192.0.2.21 large-community 999:65508:999 set community NO_ADVERTISE
+
+# add_noexport_to_peer
+match to 192.0.2.21 community 65509:2 set community NO_EXPORT
+match to 192.0.2.21 ext-community rt 65509:2 set community NO_EXPORT
+match to 192.0.2.21 large-community 999:65509:2 set community NO_EXPORT
+
+# add_noadvertise_to_peer
+match to 192.0.2.21 community 65510:2 set community NO_ADVERTISE
+match to 192.0.2.21 ext-community rt 65510:2 set community NO_ADVERTISE
+match to 192.0.2.21 large-community 999:65510:2 set community NO_ADVERTISE
+
+
+# BGP control communities
+allow to 192.0.2.21
+
+# do_not_announce_to_any
+deny to 192.0.2.21 community 0:999
+deny to 192.0.2.21 ext-community rt 0:999
+deny to 192.0.2.21 large-community 999:0:999
+
+# do_not_announce_to_peer
+deny quick to 192.0.2.21 community 0:2
+deny quick to 192.0.2.21 ext-community rt 0:2
+deny quick to 192.0.2.21 large-community 999:0:2
+
+# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities
+# for prepending can be processed. As soon as one prepending action is performed,
+# this internal community is removed, so that further actions are not processed.
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS
+
+# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+
+# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+
+
+# ---------------------------------------------
+# client AS3_1, inbound
+
+
+
+# NEXT_HOP
+match from 192.0.2.31 set community NO_ADVERTISE
+match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE
+# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5
+allow quick from 192.0.2.31 community NO_ADVERTISE set {
+       localpref 1
+       community 65520:0
+       community 65520:5
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: invalid ASNs
+# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7
+allow quick from 192.0.2.31 AS 23456 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7
+allow quick from 192.0.2.31 AS 64496 - 131071 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7
+allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: transit-free ASNs
+# Reject inbound routes when 'from 192.0.2.31 AS { 174 }' - reject code: 8
+allow quick from 192.0.2.31 AS { 174 } set {
+       localpref 1
+       community 65520:0
+       community 65520:8
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: never via route-servers ASNs
+# Reject inbound routes when 'from 192.0.2.31 AS as-set neverviarouteserver' - reject code: 15
+allow quick from 192.0.2.31 AS as-set neverviarouteserver set {
+       localpref 1
+       community 65520:0
+       community 65520:15
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+
+
+
+# Prefix: client's blacklist
+prefix-set "client_AS3_1_black_list_pref_ipv4" {
+    3.0.1.0/24 prefixlen 24 - 32
+
+}
+# Reject inbound routes when 'from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4' - reject code: 11
+allow quick from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4 set {
+       localpref 1
+       community 65520:0
+       community 65520:11
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+
+
+# Blackhole request?
+match from 192.0.2.31 set community delete 65524:3
+match from 192.0.2.31 set ext-community delete rt 65524:3
+
+
+# Remove internal communities before accepting the route
+match from 192.0.2.31 community BLACKHOLE set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+allow from 192.0.2.31 community 65534:0 set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+allow from 192.0.2.31 large-community 65534:0:0 set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Add the rpki_bgp_origin_validation_not_performed community
+match from 192.0.2.31 community BLACKHOLE set community 65530:4
+match from 192.0.2.31 community BLACKHOLE set large-community 999:65530:4
+
+match from 192.0.2.31 community 65534:0 set { community 65530:4 large-community 999:65530:4}
+match from 192.0.2.31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4}
+
+
+allow quick from 192.0.2.31 community BLACKHOLE
+allow quick from 192.0.2.31 community 65534:0
+allow quick from 192.0.2.31 large-community 65534:0:0
+
+
+match from 192.0.2.31 set community 65524:3
+match from 192.0.2.31 set ext-community rt 65524:3
+
+
+# RPKI-based Origin Validation
+# Reject inbound routes when 'from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14
+allow quick from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID set {
+       localpref 1
+       community 65520:0
+       community 65520:14
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Prefix: length
+# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13
+allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set {
+       localpref 1
+       community 65520:0
+       community 65520:13
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Graceful shutdown
+match from 192.0.2.31 community GRACEFUL_SHUTDOWN set localpref 5
+
+# Remove internal communities before accepting the route
+match from 192.0.2.31 set {
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+match from 192.0.2.31 set community delete 65524:3
+match from 192.0.2.31 set ext-community delete rt 65524:3
+
+
+
+allow quick from 192.0.2.31
+
+
+
+# ---------------------------------------------
+# client AS3_1, outbound
+
+deny quick to 192.0.2.31 community 65520:0
+
+
+
+# Blackhole request?
+# Configured policy: rewrite-next-hop
+match to 192.0.2.31 community 65534:0 set community BLACKHOLE
+match to 192.0.2.31 large-community 65534:0:0 set community BLACKHOLE
+
+match to 192.0.2.31 community BLACKHOLE set community NO_EXPORT
+match to 192.0.2.31 community BLACKHOLE set nexthop 192.0.2.66
+
+
+# RPKI-based Origin Validation
+# Do not announce INVALID to clients
+deny quick to 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID
+
+# NO_EXPORT and NO_ADVERTISE communities
+# add_noexport_to_any
+match to 192.0.2.31 community 65507:999 set community NO_EXPORT
+match to 192.0.2.31 ext-community rt 65507:999 set community NO_EXPORT
+match to 192.0.2.31 large-community 999:65507:999 set community NO_EXPORT
+
+# add_noadvertise_to_any
+match to 192.0.2.31 community 65508:999 set community NO_ADVERTISE
+match to 192.0.2.31 ext-community rt 65508:999 set community NO_ADVERTISE
+match to 192.0.2.31 large-community 999:65508:999 set community NO_ADVERTISE
+
+# add_noexport_to_peer
+match to 192.0.2.31 community 65509:3 set community NO_EXPORT
+match to 192.0.2.31 ext-community rt 65509:3 set community NO_EXPORT
+match to 192.0.2.31 large-community 999:65509:3 set community NO_EXPORT
+
+# add_noadvertise_to_peer
+match to 192.0.2.31 community 65510:3 set community NO_ADVERTISE
+match to 192.0.2.31 ext-community rt 65510:3 set community NO_ADVERTISE
+match to 192.0.2.31 large-community 999:65510:3 set community NO_ADVERTISE
+
+
+# BGP control communities
+allow to 192.0.2.31
+
+# do_not_announce_to_any
+deny to 192.0.2.31 community 0:999
+deny to 192.0.2.31 ext-community rt 0:999
+deny to 192.0.2.31 large-community 999:0:999
+
+# do_not_announce_to_peer
+deny quick to 192.0.2.31 community 0:3
+deny quick to 192.0.2.31 ext-community rt 0:3
+deny quick to 192.0.2.31 large-community 999:0:3
+
+# announce_to_peer
+allow to 192.0.2.31 community 65501:3
+allow to 192.0.2.31 ext-community rt 65501:3
+allow to 192.0.2.31 large-community 999:65501:3
+
+
+# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities
+# for prepending can be processed. As soon as one prepending action is performed,
+# this internal community is removed, so that further actions are not processed.
+match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS
+
+# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+
+# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+
+
+# ---------------------------------------------
+# client AS4_1, inbound
+
+
+
+# NEXT_HOP
+match from 192.0.2.41 set community NO_ADVERTISE
+match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE
+# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5
+allow quick from 192.0.2.41 community NO_ADVERTISE set {
+       localpref 1
+       community 65520:0
+       community 65520:5
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: invalid ASNs
+# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7
+allow quick from 192.0.2.41 AS 23456 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7
+allow quick from 192.0.2.41 AS 64496 - 131071 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7
+allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set {
+       localpref 1
+       community 65520:0
+       community 65520:7
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: transit-free ASNs
+# Reject inbound routes when 'from 192.0.2.41 AS { 3, 174 }' - reject code: 8
+allow quick from 192.0.2.41 AS { 3, 174 } set {
+       localpref 1
+       community 65520:0
+       community 65520:8
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# AS_PATH: never via route-servers ASNs
+# Reject inbound routes when 'from 192.0.2.41 AS as-set neverviarouteserver' - reject code: 15
+allow quick from 192.0.2.41 AS as-set neverviarouteserver set {
+       localpref 1
+       community 65520:0
+       community 65520:15
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+
+
+
+
+
+
+# Blackhole request?
+match from 192.0.2.41 set community delete 65524:4
+match from 192.0.2.41 set ext-community delete rt 65524:4
+
+
+# Remove internal communities before accepting the route
+match from 192.0.2.41 community BLACKHOLE set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+allow from 192.0.2.41 community 65534:0 set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+allow from 192.0.2.41 large-community 65534:0:0 set {
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Add the rpki_bgp_origin_validation_not_performed community
+match from 192.0.2.41 community BLACKHOLE set community 65530:4
+match from 192.0.2.41 community BLACKHOLE set large-community 999:65530:4
+
+match from 192.0.2.41 community 65534:0 set { community 65530:4 large-community 999:65530:4}
+match from 192.0.2.41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4}
+
+
+allow quick from 192.0.2.41 community BLACKHOLE
+allow quick from 192.0.2.41 community 65534:0
+allow quick from 192.0.2.41 large-community 65534:0:0
+
+
+match from 192.0.2.41 set community 65524:4
+match from 192.0.2.41 set ext-community rt 65524:4
+
+
+# RPKI-based Origin Validation
+# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14
+allow quick from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID set {
+       localpref 1
+       community 65520:0
+       community 65520:14
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Prefix: length
+# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13
+allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set {
+       localpref 1
+       community 65520:0
+       community 65520:13
+       community delete NO_ADVERTISE
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+
+# Graceful shutdown
+match from 192.0.2.41 community GRACEFUL_SHUTDOWN set localpref 5
+
+# Remove internal communities before accepting the route
+match from 192.0.2.41 set {
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
+match from 192.0.2.41 set community delete 65524:4
+match from 192.0.2.41 set ext-community delete rt 65524:4
+
+
+
+allow quick from 192.0.2.41
+
+
+
+# ---------------------------------------------
+# client AS4_1, outbound
+
+deny quick to 192.0.2.41 community 65520:0
+
+
+
+# Blackhole request?
+# Configured policy: rewrite-next-hop
+match to 192.0.2.41 community 65534:0 set community BLACKHOLE
+match to 192.0.2.41 large-community 65534:0:0 set community BLACKHOLE
+
+match to 192.0.2.41 community BLACKHOLE set community NO_EXPORT
+match to 192.0.2.41 community BLACKHOLE set nexthop 192.0.2.66
+
+
+# RPKI-based Origin Validation
+# Do not announce INVALID to clients
+deny quick to 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID
+
+# NO_EXPORT and NO_ADVERTISE communities
+# add_noexport_to_any
+match to 192.0.2.41 community 65507:999 set community NO_EXPORT
+match to 192.0.2.41 ext-community rt 65507:999 set community NO_EXPORT
+match to 192.0.2.41 large-community 999:65507:999 set community NO_EXPORT
+
+# add_noadvertise_to_any
+match to 192.0.2.41 community 65508:999 set community NO_ADVERTISE
+match to 192.0.2.41 ext-community rt 65508:999 set community NO_ADVERTISE
+match to 192.0.2.41 large-community 999:65508:999 set community NO_ADVERTISE
+
+# add_noexport_to_peer
+match to 192.0.2.41 community 65509:4 set community NO_EXPORT
+match to 192.0.2.41 ext-community rt 65509:4 set community NO_EXPORT
+match to 192.0.2.41 large-community 999:65509:4 set community NO_EXPORT
+
+# add_noadvertise_to_peer
+match to 192.0.2.41 community 65510:4 set community NO_ADVERTISE
+match to 192.0.2.41 ext-community rt 65510:4 set community NO_ADVERTISE
+match to 192.0.2.41 large-community 999:65510:4 set community NO_ADVERTISE
+
+
+# BGP control communities
+allow to 192.0.2.41
+
+# do_not_announce_to_any
+deny to 192.0.2.41 community 0:999
+deny to 192.0.2.41 ext-community rt 0:999
+deny to 192.0.2.41 large-community 999:0:999
+
+# do_not_announce_to_peer
+deny quick to 192.0.2.41 community 0:4
+deny quick to 192.0.2.41 ext-community rt 0:4
+deny quick to 192.0.2.41 large-community 999:0:4
+
+
+# announce_to_peer
+allow to 192.0.2.41 community 65501:4
+allow to 192.0.2.41 ext-community rt 65501:4
+allow to 192.0.2.41 large-community 999:65501:4
+
+
+# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities
+# for prepending can be processed. As soon as one prepending action is performed,
+# this internal community is removed, so that further actions are not processed.
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS
+
+# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+
+# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set {
+       prepend-neighbor 1
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set {
+       prepend-neighbor 2
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set {
+       prepend-neighbor 3
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+}
+
+
+
+# Scrub communities from outbound routes
+# add_noadvertise_to_any
+match to group clients set community delete 65508:999
+match to group clients set ext-community delete rt 65508:999
+match to group clients set large-community delete 999:65508:999
+
+# add_noadvertise_to_peer
+match to group clients set community delete 65510:*
+match to group clients set ext-community delete rt 65510:*
+match to group clients set large-community delete 999:65510:*
+
+# add_noexport_to_any
+match to group clients set community delete 65507:999
+match to group clients set ext-community delete rt 65507:999
+match to group clients set large-community delete 999:65507:999
+
+# add_noexport_to_peer
+match to group clients set community delete 65509:*
+match to group clients set ext-community delete rt 65509:*
+match to group clients set large-community delete 999:65509:*
+
+# announce_to_peer
+match to group clients set community delete 65501:*
+match to group clients set ext-community delete rt 65501:*
+match to group clients set large-community delete 999:65501:*
+
+# blackholing
+match to group clients set community delete 65534:0
+match to group clients set large-community delete 65534:0:0
+
+# do_not_announce_to_any
+match to group clients set community delete 0:999
+match to group clients set ext-community delete rt 0:999
+match to group clients set large-community delete 999:0:999
+
+# do_not_announce_to_peer
+match to group clients set community delete 0:*
+match to group clients set ext-community delete rt 0:*
+match to group clients set large-community delete 999:0:*
+
+# prepend_once_to_any
+match to group clients set community delete 65521:65521
+match to group clients set ext-community delete rt 65521:65521
+match to group clients set large-community delete 999:65521:65521
+
+# prepend_once_to_peer
+match to group clients set community delete 65521:*
+match to group clients set ext-community delete rt 65521:*
+match to group clients set large-community delete 999:65521:*
+
+# prepend_thrice_to_any
+match to group clients set community delete 65523:65523
+match to group clients set ext-community delete rt 65523:65523
+match to group clients set large-community delete 999:65523:65523
+
+# prepend_thrice_to_peer
+match to group clients set community delete 65523:*
+match to group clients set ext-community delete rt 65523:*
+match to group clients set large-community delete 999:65523:*
+
+# prepend_twice_to_any
+match to group clients set community delete 65522:65522
+match to group clients set ext-community delete rt 65522:65522
+match to group clients set large-community delete 999:65522:65522
+
+# prepend_twice_to_peer
+match to group clients set community delete 65522:*
+match to group clients set ext-community delete rt 65522:*
+match to group clients set large-community delete 999:65522:*
+
+# reject_cause
+match to group clients set community delete 65520:*
+
+# rejected_route_announced_by
+match to group clients set community delete 65524:*
+match to group clients set ext-community delete rt 65524:*
+
+
+# Scrub prepending communities
+match to group clients set {
+       community delete 65521:65521
+       ext-community delete rt 65521:65521
+       large-community delete 999:65521:65521
+
+}
+match to group clients set {
+       community delete 65521:*
+       ext-community delete rt 65521:*
+       large-community delete 999:65521:*
+
+}
+match to group clients set {
+       community delete 64537:*
+       ext-community delete rt 64537:*
+       large-community delete 999:64537:*
+
+}
+match to group clients set {
+       community delete 64534:*
+       ext-community delete rt 64534:*
+       large-community delete 999:64534:*
+
+}
+match to group clients set {
+       community delete 65523:65523
+       ext-community delete rt 65523:65523
+       large-community delete 999:65523:65523
+
+}
+match to group clients set {
+       community delete 65523:*
+       ext-community delete rt 65523:*
+       large-community delete 999:65523:*
+
+}
+match to group clients set {
+       community delete 64539:*
+       ext-community delete rt 64539:*
+       large-community delete 999:64539:*
+
+}
+match to group clients set {
+       community delete 64536:*
+       ext-community delete rt 64536:*
+       large-community delete 999:64536:*
+
+}
+match to group clients set {
+       community delete 65522:65522
+       ext-community delete rt 65522:65522
+       large-community delete 999:65522:65522
+
+}
+match to group clients set {
+       community delete 65522:*
+       ext-community delete rt 65522:*
+       large-community delete 999:65522:*
+
+}
+match to group clients set {
+       community delete 64538:*
+       ext-community delete rt 64538:*
+       large-community delete 999:64538:*
+
+}
+match to group clients set {
+       community delete 64535:*
+       ext-community delete rt 64535:*
+       large-community delete 999:64535:*
+
+}
+
+
+# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy
+match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT
+match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE
+
+# Remove internal communities before announcing the route
+match to group clients set {
+       ext-community delete $INTCOMM_PREF_OK_ROA
+       ext-community delete $INTCOMM_ROUTE_OK_WL
+       ext-community delete $INTCOMM_ORIGIN_OK
+       ext-community delete $INTCOMM_ORIGIN_KO
+       ext-community delete $INTCOMM_PREFIX_OK
+       ext-community delete $INTCOMM_PREFIX_KO
+       ext-community delete $INTCOMM_IRR_REJECT
+       ext-community delete $INTCOMM_RPKI_UNKNOWN
+       ext-community delete $INTCOMM_RPKI_INVALID
+       ext-community delete $INTCOMM_RPKI_VALID
+       ext-community delete $INTCOMM_NO_EXPORT
+       ext-community delete $INTCOMM_NO_ADVERTISE
+       ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS
+
+}
+
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_1.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_1.conf
new file mode 100644 (file)
index 0000000..f18c505
--- /dev/null
@@ -0,0 +1,11 @@
+AS 1
+listen on 192.0.2.11
+
+neighbor 192.0.2.2 {
+       remote-as 999
+       local-address 192.0.2.11
+       enforce neighbor-as no
+}
+
+allow from any
+allow to any
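Review bot: This is the only one of the four rdomain2 configs without a `socket` line (compare `socket "/var/run/bgpd.sock.12_2"` and friends in the sibling files), and that omission is load-bearing: `ixp.sh` runs `route -T ${RDOMAIN2} exec bgpctl show rib detail` with no `-s`, so the RIB compared against `ixp.rdomain2.ok` is presumably this instance's, reached through bgpd's default per-rdomain control socket. A reader adding a socket line here "for consistency" would silently break the test, so the intent deserves a comment next to `AS 1`: `# no "socket" line: this instance keeps the default control socket, which is the one bgpctl in ixp.sh queries for the rdomain2 expected output`. The same holds for `enforce neighbor-as no`, which is needed because the route server at 192.0.2.2 is expected to be transparent (the AS paths in both .ok files never contain 999) — a one-line comment saying so would help.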
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_2.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_2.conf
new file mode 100644 (file)
index 0000000..a0d92e2
--- /dev/null
@@ -0,0 +1,28 @@
+AS 2
+listen on 192.0.2.21
+socket "/var/run/bgpd.sock.12_2"
+
+network 2.0.1.0/24 set community NO_EXPORT
+network 2.0.2.0/24 set community NO_ADVERTISE
+network 2.0.3.0/24
+network 2.0.4.0/24
+network 2.0.5.0/24
+network 2.0.6.0/24 set prepend-self 8
+network 2.0.7.0/24
+network 192.168.8.0/24
+network 2.0.9.0/24 set nexthop 192.0.2.77
+network 22.0.10.0/24
+network 2.0.11.0/24 set community BLACKHOLE
+network 2.0.12.0/24 set community 65534:0
+network 2.0.13.0/24 set large-community 65534:0:0
+network 2.0.14.0/25
+network 2.0.15.0/24 set community GRACEFUL_SHUTDOWN
+
+neighbor 192.0.2.2 {
+       remote-as 999
+       local-address 192.0.2.21
+       enforce neighbor-as no
+}
+
+allow from any
+allow to any
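Review bot: Unlike `bgpd.ixp.rdomain2_3.conf`, where every `network` statement carries a comment naming the case it exercises, the prefixes here are unexplained, and the expected output is only meaningful if the reader knows which check each one is supposed to trip (2.0.4.0/24 ends up `ovs invalid` with localpref 1, 2.0.6.0/24 with `prepend-self 8` gets localpref 1 and 65520:1, 192.168.8.0/24 and 22.0.10.0/24 get 65520:2 and 65520:12, 2.0.9.0/24 gets 65520:5 after its nexthop is set to 192.0.2.77). I would add a per-prefix comment in the style of the 2_3 file, e.g. `# expected to be rejected: next-hop does not belong to the peer` above `network 2.0.9.0/24 set nexthop 192.0.2.77` and `# expected to be rejected: bogon` above `network 192.168.8.0/24`, with the exact reject reason taken from the generated rdomain1.conf rather than guessed. Also worth stating is that 2.0.1.0/24 (NO_EXPORT) and 2.0.2.0/24 (NO_ADVERTISE) appear in neither .ok file, so their absence is the expected outcome and not a missed case.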
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_3.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_3.conf
new file mode 100644 (file)
index 0000000..a19a8f0
--- /dev/null
@@ -0,0 +1,33 @@
+AS 3
+listen on 192.0.2.31
+socket "/var/run/bgpd.sock.12_3"
+
+network 3.0.1.0/24 set community NO_EXPORT
+network 3.0.2.0/24 set community NO_ADVERTISE
+#add_noexport_to_any
+network 3.0.3.0/24 set community 65507:999
+#add_noadvertise_to_any
+network 3.0.4.0/24 set large-community 999:65508:999
+#do_not_announce_to_any
+network 3.0.5.0/24 set large-community 999:0:999
+#do_not_announce_to_peer
+network 3.0.6.0/24 set community 0:1
+#do_not_announce_to_any but announce_to_peer
+network 3.0.7.0/24 set { community 0:999 large-community 999:65501:1 }
+# prepend_once_to_peer
+network 3.0.8.0/24 set community 65521:1
+# prepend_twice_to_peer
+network 3.0.9.0/24 set large-community 999:65522:1
+# prepend_thrice_to_peer
+network 3.0.10.0/24 set community 65523:1
+# prepend_thrice_to_any & prepend_twice_to_any & prepend_once_to_any
+network 3.0.11.0/24 set { community 65523:65523 community 65522:65522 community 65521:65521 }
+
+neighbor 192.0.2.2 {
+       remote-as 999
+       local-address 192.0.2.31
+       enforce neighbor-as no
+}
+
+allow from any
+allow to any
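Review bot: The comment on 3.0.11.0/24, `# prepend_thrice_to_any & prepend_twice_to_any & prepend_once_to_any`, describes the input but not the expected result, and the result is the interesting part: `ixp.rdomain2.ok` shows an AS path of `3 3` for that prefix, i.e. a single prepend applied even though three conflicting prepend communities were set, presumably because the route server's first matching prepend rule wins. Spelling that out, e.g. `# prepend_thrice_to_any & prepend_twice_to_any & prepend_once_to_any: only one prepend is expected (first match wins)`, makes a future change in rule ordering show up as a deliberate diff rather than a mysterious .ok mismatch. Minor style point: the comments mix `#add_noexport_to_any` with `# prepend_once_to_peer`; one spacing convention would read better.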
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_4.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_4.conf
new file mode 100644 (file)
index 0000000..a8de1f3
--- /dev/null
@@ -0,0 +1,12 @@
+AS 4
+listen on 192.0.2.41
+socket "/var/run/bgpd.sock.12_4"
+
+neighbor 192.0.2.2 {
+       remote-as 999
+       local-address 192.0.2.41
+       enforce neighbor-as no
+}
+
+allow from any
+allow to any
diff --git a/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain1.ok b/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain1.ok
new file mode 100644 (file)
index 0000000..a777215
--- /dev/null
@@ -0,0 +1,155 @@
+
+BGP routing table entry for 2.0.3.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs valid, avs unknown, external, valid, best
+    Ext. Communities: ovs valid
+
+BGP routing table entry for 2.0.4.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 1, weight 0, ovs invalid, avs unknown, external, valid, best
+    Communities: 65520:0 65520:14 65524:2
+    Ext. Communities: ovs invalid rt 65524:2
+
+BGP routing table entry for 2.0.5.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Ext. Communities: ovs not-found
+
+BGP routing table entry for 2.0.6.0/24
+    2 2 2 2 2 2 2 2 2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65520:0 65520:1 65524:2
+    Ext. Communities: ovs not-found rt 65524:2
+
+BGP routing table entry for 2.0.7.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65520:0 65520:3 65524:2
+    Ext. Communities: ovs not-found rt 65524:2
+
+BGP routing table entry for 2.0.9.0/24
+    2
+    Nexthop 192.0.2.77 (via 192.0.2.77) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65520:0 65520:5 65524:2
+    Ext. Communities: ovs not-found rt 65524:2
+
+BGP routing table entry for 2.0.11.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65530:4 BLACKHOLE
+    Ext. Communities: ovs not-found
+    Large Communities: 999:65530:4
+
+BGP routing table entry for 2.0.12.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65530:4 65534:0
+    Ext. Communities: ovs not-found
+    Large Communities: 999:65530:4
+
+BGP routing table entry for 2.0.13.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65530:4
+    Ext. Communities: ovs not-found
+    Large Communities: 999:65530:4 65534:0:0
+
+BGP routing table entry for 2.0.14.0/25
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65520:0 65520:13 65524:2
+    Ext. Communities: ovs not-found rt 65524:2
+
+BGP routing table entry for 2.0.15.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Ext. Communities: ovs not-found
+
+BGP routing table entry for 3.0.3.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65507:999
+    Ext. Communities: ovs not-found
+
+BGP routing table entry for 3.0.4.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Ext. Communities: ovs not-found
+    Large Communities: 999:65508:999
+
+BGP routing table entry for 3.0.5.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Ext. Communities: ovs not-found
+    Large Communities: 999:0:999
+
+BGP routing table entry for 3.0.6.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 0:1
+    Ext. Communities: ovs not-found
+
+BGP routing table entry for 3.0.7.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 0:999
+    Ext. Communities: ovs not-found
+    Large Communities: 999:65501:1
+
+BGP routing table entry for 3.0.8.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65521:1
+    Ext. Communities: ovs not-found
+
+BGP routing table entry for 3.0.9.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Ext. Communities: ovs not-found
+    Large Communities: 999:65522:1
+
+BGP routing table entry for 3.0.10.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65523:1
+    Ext. Communities: ovs not-found
+
+BGP routing table entry for 3.0.11.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65521:65521 65522:65522 65523:65523
+    Ext. Communities: ovs not-found
+
+BGP routing table entry for 22.0.10.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65520:0 65520:12 65524:2
+    Ext. Communities: ovs not-found rt 65524:2
+
+BGP routing table entry for 192.168.8.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41)
+    Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65520:0 65520:2 65524:2
+    Ext. Communities: ovs not-found rt 65524:2
diff --git a/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain2.ok b/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain2.ok
new file mode 100644 (file)
index 0000000..472c198
--- /dev/null
@@ -0,0 +1,73 @@
+
+BGP routing table entry for 2.0.3.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+
+BGP routing table entry for 2.0.5.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+
+BGP routing table entry for 2.0.11.0/24
+    2
+    Nexthop 192.0.2.66 (via 192.0.2.66) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65530:4 BLACKHOLE NO_EXPORT
+    Large Communities: 999:65530:4
+
+BGP routing table entry for 2.0.12.0/24
+    2
+    Nexthop 192.0.2.66 (via 192.0.2.66) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65530:4 BLACKHOLE NO_EXPORT
+    Large Communities: 999:65530:4
+
+BGP routing table entry for 2.0.13.0/24
+    2
+    Nexthop 192.0.2.66 (via 192.0.2.66) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: 65530:4 BLACKHOLE NO_EXPORT
+    Large Communities: 999:65530:4
+
+BGP routing table entry for 2.0.15.0/24
+    2
+    Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+
+BGP routing table entry for 3.0.3.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: NO_EXPORT
+
+BGP routing table entry for 3.0.4.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+    Communities: NO_ADVERTISE
+
+BGP routing table entry for 3.0.7.0/24
+    3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+
+BGP routing table entry for 3.0.8.0/24
+    3 3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+
+BGP routing table entry for 3.0.9.0/24
+    3 3 3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+
+BGP routing table entry for 3.0.10.0/24
+    3 3 3 3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
+
+BGP routing table entry for 3.0.11.0/24
+    3 3
+    Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2)
+    Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best
diff --git a/regress/usr.sbin/bgpd/integrationtests/ixp.sh b/regress/usr.sbin/bgpd/integrationtests/ixp.sh
new file mode 100644 (file)
index 0000000..ae4b1d1
--- /dev/null
@@ -0,0 +1,101 @@
+#!/bin/ksh
+#      $OpenBSD: ixp.sh,v 1.1 2023/10/12 09:18:56 claudio Exp $
+
+set -e
+
+BGPD=$1
+BGPDCONFIGDIR=$2
+RDOMAIN1=$3
+RDOMAIN2=$4
+PAIR1=$5
+PAIR2=$6
+
+RDOMAINS="${RDOMAIN1} ${RDOMAIN2}"
+PAIRS="${PAIR1} ${PAIR2}"
+PAIR1IP=192.0.2.2
+PAIR2IP=192.0.2.11
+PAIR2IP2=192.0.2.21
+PAIR2IP3=192.0.2.31
+PAIR2IP4=192.0.2.41
+
+error_notify() {
+       echo cleanup
+       pfctl -q -t bgpd_integ_test -T kill
+       pkill -T ${RDOMAIN1} bgpd || true
+       pkill -T ${RDOMAIN2} bgpd || true
+       sleep 1
+       ifconfig ${PAIR2} destroy || true
+       ifconfig ${PAIR1} destroy || true
+       route -qn -T ${RDOMAIN1} flush || true
+       route -qn -T ${RDOMAIN2} flush || true
+       ifconfig lo${RDOMAIN1} destroy || true
+       ifconfig lo${RDOMAIN2} destroy || true
+       if [ $1 -ne 0 ]; then
+               echo FAILED
+               exit 1
+       else
+               echo SUCCESS
+       fi
+}
+
+if [ "$(id -u)" -ne 0 ]; then 
+       echo need root privileges >&2
+       exit 1
+fi
+
+trap 'error_notify $?' EXIT
+
+echo check if rdomains are busy
+for n in ${RDOMAINS}; do
+       if /sbin/ifconfig | grep -v "^lo${n}:" | grep " rdomain ${n} "; then
+               echo routing domain ${n} is already used >&2
+               exit 1
+       fi
+done
+
+echo check if interfaces are busy
+for n in ${PAIRS}; do
+       /sbin/ifconfig "${n}" >/dev/null 2>&1 && \
+           ( echo interface ${n} is already used >&2; exit 1 )
+done
+
+set -x
+
+echo setup
+ifconfig ${PAIR1} rdomain ${RDOMAIN1} ${PAIR1IP}/24 up
+ifconfig ${PAIR2} rdomain ${RDOMAIN2} ${PAIR2IP}/24 up
+ifconfig ${PAIR2} alias ${PAIR2IP2}/32
+ifconfig ${PAIR2} alias ${PAIR2IP3}/32
+ifconfig ${PAIR2} alias ${PAIR2IP4}/32
+ifconfig ${PAIR1} patch ${PAIR2}
+ifconfig lo${RDOMAIN1} inet 127.0.0.1/8
+ifconfig lo${RDOMAIN2} inet 127.0.0.1/8
+
+echo run bgpds
+route -T ${RDOMAIN1} exec ${BGPD} \
+       -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain1.conf
+sleep 2
+route -T ${RDOMAIN2} exec ${BGPD} \
+       -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain2_1.conf
+route -T ${RDOMAIN2} exec ${BGPD} \
+       -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain2_2.conf
+route -T ${RDOMAIN2} exec ${BGPD} \
+       -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain2_3.conf
+route -T ${RDOMAIN2} exec ${BGPD} \
+       -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain2_4.conf
+
+sleep 3
+
+route -T ${RDOMAIN1} exec bgpctl show rib detail | grep -v 'Last update:' | \
+       tee ixp.rdomain1.out
+sleep .2
+diff -u ${BGPDCONFIGDIR}/ixp.rdomain1.ok ixp.rdomain1.out
+echo OK
+
+route -T ${RDOMAIN2} exec bgpctl show rib detail | grep -v 'Last update:' | \
+       tee ixp.rdomain2.out
+sleep .2
+diff -u ${BGPDCONFIGDIR}/ixp.rdomain2.ok ixp.rdomain2.out
+echo OK
+
+exit 0
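Review bot: The `trap 'error_notify $?' EXIT` is installed before the "rdomains are busy" and "interfaces are busy" checks, so when either check fires the EXIT handler runs `pkill -T ${RDOMAIN1} bgpd`, `ifconfig ${PAIR2} destroy` and `route -T ... flush` against exactly the rdomain or interface the check just found to be in use by something else; the cleanup should only run once this script owns those resources. Moving the `trap` line to just above `set -x` fixes that, and the check itself should not lean on `set -e` to stop the script: `( echo interface ${n} is already used >&2; exit 1 )` exits only the subshell, so write it as `{ echo interface ${n} is already used >&2; exit 1; }` instead. Two smaller points: the `bgpctl ... | grep -v ... | tee` pipelines have no pipefail, so a bgpctl failure yields an empty .out and an unhelpful diff rather than a clear error, and the `sleep 3` before the first comparison is the only synchronisation with four bgpds converging, which is worth a comment so nobody "optimises" it away. If the sibling integration scripts share this layout the same reordering applies there.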