BGP: Forbid TCP-AO on dynamic BGP sessions

Reconfiguration does not work properly for this case, disable it for now.

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 3d968e38aef01c63cd65397d806c37c174f6ebbb..6585672f7f1128b4ba7129eb110d73cda9126422 100644 (file)
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -3143,7 +3143,8 @@ protocol bgp [<name>] {
        the (single) password. Finally, <cf/ao/ means to use TCP Authentication
        Option (TCP-AO, <rfc id="5925">), allowing multiple keys and different
        cryptographic algorithms. These are specified using the option
-       <ref id="bgp-keys" name="keys">. Default: none.
+       <ref id="bgp-keys" name="keys">. Note that TCP-AO authentication is not
+       supported on dynamic BGP sessions. Default: none.
 
        <tag><label id="bgp-password">password "<m/text/"</tag>
        Use this password for MD5 authentication of BGP sessions (<rfc id="2385">). When

diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index f1f8140d0aa28d3412a05f99db696dc2a9a0c56f..f5008f6cf86a002fd89e54258c388fd1f2394169 100644 (file)
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -2617,6 +2617,9 @@ bgp_postconfig(struct proto_config *CF)
   if ((cf->auth_type == BGP_AUTH_AO) != !!cf->ao_keys)
     cf_error("AO authentication and keys option should be used together");
 
+  if ((cf->auth_type == BGP_AUTH_AO) && cf->remote_range)
+    cf_error("AO authentication not supported on dynamic BGP sessions");
+
   struct bgp_channel_config *cc;
   BGP_CF_WALK_CHANNELS(cf, cc)
   {