Mailing List Archive: nsp: foundry

Question about IPv6 SSH Access Group on Jetcore

Index | Next | Previous | View Threaded

foundry-nsp at pgmail

Nov 25, 2010, 5:55 AM

Post #1 of 3 (687 views)
Permalink

Question about IPv6 SSH Access Group on Jetcore

Hi,

I seem to be unable to get SSH Access via IPv6 restricted on a Jetcore
with Provider Firmware 08.0.01v.

After reading the manual, my understanding is that the following should
restrict ssh access only to subnet 2001:db8:1:2::/64:

ipv6 access-list ipv6-mgmt-in
permit ipv6 2001:db8:1:2::/64 any
ssh access-group ipv6 ipv6-mgmt-in

As all IPv6 acl's have an implicit deny ipv6 any any rule as soon as any
permit rules are configured this should block everything but the subnet
2001:db8:1:2::/64 from having access using SSH.
But when I test from any other IPv6 address I can log on to SSH without
any trouble.

I tried to use a manual deny ipv6 any any rule in the acl without any
difference.

Does anybody successfully restrict SSH Access on IPv6 and can give me a
hint here?

Thanks,
Philipp

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp

arnaud.turpin at groupe-mit

Feb 8, 2011, 10:25 AM

Post #2 of 3 (523 views)
Permalink

Re: Question about IPv6 SSH Access Group on Jetcore [In reply to]

Any up for this post ?

---------
I seem to be unable to get SSH Access via IPv6 restricted on a Jetcore
with Provider Firmware 08.0.01v.

After reading the manual, my understanding is that the following should
restrict ssh access only to subnet 2001:db8:1:2::/64:

ipv6 access-list ipv6-mgmt-in
permit ipv6 2001:db8:1:2::/64 any
ssh access-group ipv6 ipv6-mgmt-in

As all IPv6 acl's have an implicit deny ipv6 any any rule as soon as any
permit rules are configured this should block everything but the subnet
2001:db8:1:2::/64 from having access using SSH.
But when I test from any other IPv6 address I can log on to SSH without
any trouble.

I tried to use a manual deny ipv6 any any rule in the acl without any
difference.

Does anybody successfully restrict SSH Access on IPv6 and can give me a
hint here?
------

Arnaud

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp

foundry-nsp at pgmail

Feb 9, 2011, 2:18 AM

Post #3 of 3 (500 views)
Permalink

Re: Question about IPv6 SSH Access Group on Jetcore [In reply to]

Hi,

On Tue, 8 Feb 2011 19:25:31 +0100, "Arnaud Turpin > Groupe MIT"
<arnaud.turpin [at] groupe-mit> wrote:
> Any up for this post ?

Unfortunately not. You can use the "ipv6 access-class" command to
configure a firewall on all connections to/from the device, which will work
for SSH too, of course.
But this will also affect all other connections, like BGP sessions, OSPF,
DNS, basically every packet that will goes to/comes from the device itself.

Regards,
Philipp

_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads