tripleo_frr: add BGP TTL security

FRR supports enforcing Generalized TTL Security Mechanism (GTSM) where only neighbors that are the specified number of hops away will be allowed to become neighbors. This patch adds a new option to set the number of hops allowed, defaulting to 1 for strict security out of the box. Setting value to zero or less will disable GTSM. Change-Id: I1166f22fef8e3f6b825343b4e2792ce9cfb10547
10 months ago · 237fe69c85
2 changed files with 4 additions and 0 deletions
--- a/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
@ -26,6 +26,7 @@ tripleo_frr_bgp_ipv4_allowas_in: false
 tripleo_frr_bgp_ipv4_src_network: ctlplane
 tripleo_frr_bgp_ipv6: true
 tripleo_frr_bgp_ipv6_allowas_in: false
+tripleo_frr_bgp_neighbor_ttl_security_hops: 1
 tripleo_frr_bgp_uplinks_scope: internal
 tripleo_frr_config_basedir: "/var/lib/config-data/ansible-generated/frr"
 tripleo_frr_hostname: "{{ ansible_hostname }}"
--- a/tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2
+++ b/tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2
@ -18,6 +18,9 @@ router bgp {{ tripleo_frr_bgp_asn }}
 {% for iface in tripleo_frr_bgp_uplinks_mapped %}
  neighbor {{ iface }} interface peer-group uplink
 {% endfor %}
+{% if tripleo_frr_bgp_neighbor_ttl_security_hops | int > 0 %}
+  neighbor uplink ttl-security hops {{ tripleo_frr_bgp_neighbor_ttl_security_hops }}
+{% endif %}

 {% if tripleo_frr_bgp_ipv4 %}
  address-family ipv4 unicast