Browse Source

tripleo_frr: add BGP TTL security

FRR supports enforcing Generalized TTL Security Mechanism (GTSM) where
only neighbors that are the specified number of hops away will be
allowed to become neighbors.

This patch adds a new option to set the number of hops allowed,
defaulting to 1 for strict security out of the box. Setting value to
zero or less will disable GTSM.

Change-Id: I1166f22fef8e3f6b825343b4e2792ce9cfb10547
changes/01/770301/10
Carlos Goncalves 3 months ago
committed by Michele Baldessari
parent
commit
237fe69c85
2 changed files with 4 additions and 0 deletions
  1. +1
    -0
      tripleo_ansible/roles/tripleo_frr/defaults/main.yml
  2. +3
    -0
      tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2

+ 1
- 0
tripleo_ansible/roles/tripleo_frr/defaults/main.yml View File

@ -26,6 +26,7 @@ tripleo_frr_bgp_ipv4_allowas_in: false
tripleo_frr_bgp_ipv4_src_network: ctlplane
tripleo_frr_bgp_ipv6: true
tripleo_frr_bgp_ipv6_allowas_in: false
tripleo_frr_bgp_neighbor_ttl_security_hops: 1
tripleo_frr_bgp_uplinks_scope: internal
tripleo_frr_config_basedir: "/var/lib/config-data/ansible-generated/frr"
tripleo_frr_hostname: "{{ ansible_hostname }}"


+ 3
- 0
tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2 View File

@ -18,6 +18,9 @@ router bgp {{ tripleo_frr_bgp_asn }}
{% for iface in tripleo_frr_bgp_uplinks_mapped %}
neighbor {{ iface }} interface peer-group uplink
{% endfor %}
{% if tripleo_frr_bgp_neighbor_ttl_security_hops | int > 0 %}
neighbor uplink ttl-security hops {{ tripleo_frr_bgp_neighbor_ttl_security_hops }}
{% endif %}
{% if tripleo_frr_bgp_ipv4 %}
address-family ipv4 unicast


Loading…
Cancel
Save