tripleo_frr: add BGP TTL security

FRR supports enforcing Generalized TTL Security Mechanism (GTSM) where only neighbors that are the specified number of hops away will be allowed to become neighbors. This patch adds a new option to set the number of hops allowed, defaulting to 1 for strict security out of the box. Setting value to zero or less will disable GTSM. Change-Id: I1166f22fef8e3f6b825343b4e2792ce9cfb10547
2021-01-12 13:49:26 +01:00 · 2021-01-12 13:49:26 +01:00 · 237fe69c85
parent fb8baf28d9
commit 237fe69c85
2 changed files with 4 additions and 0 deletions
--- a/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_frr/defaults/main.yml
@ -26,6 +26,7 @@ tripleo_frr_bgp_ipv4_allowas_in: false
 tripleo_frr_bgp_ipv4_src_network: ctlplane
 tripleo_frr_bgp_ipv6: true
 tripleo_frr_bgp_ipv6_allowas_in: false
+tripleo_frr_bgp_neighbor_ttl_security_hops: 1
 tripleo_frr_bgp_uplinks_scope: internal
 tripleo_frr_config_basedir: "/var/lib/config-data/ansible-generated/frr"
 tripleo_frr_hostname: "{{ ansible_hostname }}"
--- a/tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2
+++ b/tripleo_ansible/roles/tripleo_frr/templates/frr.conf.j2
@ -18,6 +18,9 @@ router bgp {{ tripleo_frr_bgp_asn }}
 {% for iface in tripleo_frr_bgp_uplinks_mapped %}
  neighbor {{ iface }} interface peer-group uplink
 {% endfor %}
+{% if tripleo_frr_bgp_neighbor_ttl_security_hops | int > 0 %}
+  neighbor uplink ttl-security hops {{ tripleo_frr_bgp_neighbor_ttl_security_hops }}
+{% endif %}

 {% if tripleo_frr_bgp_ipv4 %}
  address-family ipv4 unicast