tripleo_frr: add BGP TTL security
FRR supports enforcing the Generalized TTL Security Mechanism (GTSM), under which only peers that are the specified number of hops away are allowed to become neighbors. This patch adds a new option to set the number of hops allowed, defaulting to 1 for strict security out of the box. Setting the value to zero or less disables GTSM. Change-Id: I1166f22fef8e3f6b825343b4e2792ce9cfb10547
parent
fb8baf28d9
commit
237fe69c85
|
@ -26,6 +26,7 @@ tripleo_frr_bgp_ipv4_allowas_in: false
|
|||
tripleo_frr_bgp_ipv4_src_network: ctlplane
|
||||
tripleo_frr_bgp_ipv6: true
|
||||
tripleo_frr_bgp_ipv6_allowas_in: false
|
||||
tripleo_frr_bgp_neighbor_ttl_security_hops: 1
|
||||
tripleo_frr_bgp_uplinks_scope: internal
|
||||
tripleo_frr_config_basedir: "/var/lib/config-data/ansible-generated/frr"
|
||||
tripleo_frr_hostname: "{{ ansible_hostname }}"
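Review bot: The new default `tripleo_frr_bgp_neighbor_ttl_security_hops: 1` carries no comment, and the semantics that matter to an operator are only in the commit message: the value is the maximum hop distance FRR accepts from the `uplink` peers, `1` means directly connected only, and a value of zero or less disables the TTL check entirely. I would add above the line `# Max hop distance accepted from BGP uplink peers (GTSM / ttl-security); 1 = directly connected, <= 0 disables the check.`, so that anyone lowering it to 0 sees what protection they give up. It is also worth stating in that comment that the template casts the value with `| int`, so a quoted or non-numeric value silently becomes 0 and disables the feature rather than failing.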
|
||||
|
|
|
@ -18,6 +18,9 @@ router bgp {{ tripleo_frr_bgp_asn }}
|
|||
{% for iface in tripleo_frr_bgp_uplinks_mapped %}
|
||||
neighbor {{ iface }} interface peer-group uplink
|
||||
{% endfor %}
|
||||
{% if tripleo_frr_bgp_neighbor_ttl_security_hops | int > 0 %}
|
||||
neighbor uplink ttl-security hops {{ tripleo_frr_bgp_neighbor_ttl_security_hops }}
|
||||
{% endif %}
|
||||
|
||||
{% if tripleo_frr_bgp_ipv4 %}
|
||||
address-family ipv4 unicast
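Review bot: The guard on the new `{% if … | int > 0 %}` line casts the value with `| int`, but the `neighbor uplink ttl-security hops {{ … }}` line emits the raw variable, so a value like `"1.5"` or `" 2"` passes the guard and the unnormalized text lands in the FRR config. Rendering the same cast in both places, `neighbor uplink ttl-security hops {{ tripleo_frr_bgp_neighbor_ttl_security_hops | int }}`, keeps the check and the emitted value consistent. If the `uplink` peer-group is given `ebgp-multihop` elsewhere in this template (not visible in the hunk), FRR rejects combining it with `ttl-security`, so that interaction is worth a comment near the new lines. The enclosing `router bgp` block starts outside the hunk.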
|
||||
|
|