Mailing List Archive: nsp: foundry

Question about IPv6 SSH Access Group on Jetcore

 

 



foundry-nsp at pgmail

Nov 25, 2010, 5:55 AM

Post #1 of 3 (834 views)
Question about IPv6 SSH Access Group on Jetcore

Hi,

I seem to be unable to get SSH Access via IPv6 restricted on a Jetcore
with Provider Firmware 08.0.01v.

After reading the manual, my understanding is that the following should
restrict ssh access only to subnet 2001:db8:1:2::/64:

ipv6 access-list ipv6-mgmt-in
permit ipv6 2001:db8:1:2::/64 any
ssh access-group ipv6 ipv6-mgmt-in

As all IPv6 ACLs have an implicit deny ipv6 any any rule as soon as any
permit rules are configured, this should block everything but the subnet
2001:db8:1:2::/64 from having access using SSH.
But when I test from any other IPv6 address I can log on to SSH without
any trouble.

I tried to use a manual deny ipv6 any any rule in the acl without any
difference.


Does anybody successfully restrict SSH Access on IPv6 and can give me a
hint here?


Thanks,
Philipp



_______________________________________________
foundry-nsp mailing list
foundry-nsp [at] puck
http://puck.nether.net/mailman/listinfo/foundry-nsp


arnaud.turpin at groupe-mit

Feb 8, 2011, 10:25 AM

Post #2 of 3 (657 views)
Re: Question about IPv6 SSH Access Group on Jetcore [In reply to]

Any up for this post ?


---------
I seem to be unable to get SSH Access via IPv6 restricted on a Jetcore
with Provider Firmware 08.0.01v.

After reading the manual, my understanding is that the following should
restrict ssh access only to subnet 2001:db8:1:2::/64:

ipv6 access-list ipv6-mgmt-in
permit ipv6 2001:db8:1:2::/64 any
ssh access-group ipv6 ipv6-mgmt-in

As all IPv6 ACLs have an implicit deny ipv6 any any rule as soon as any
permit rules are configured, this should block everything but the subnet
2001:db8:1:2::/64 from having access using SSH.
But when I test from any other IPv6 address I can log on to SSH without
any trouble.

I tried to use a manual deny ipv6 any any rule in the acl without any
difference.


Does anybody successfully restrict SSH Access on IPv6 and can give me a
hint here?
------

Arnaud



foundry-nsp at pgmail

Feb 9, 2011, 2:18 AM

Post #3 of 3 (633 views)
Re: Question about IPv6 SSH Access Group on Jetcore [In reply to]

Hi,

On Tue, 8 Feb 2011 19:25:31 +0100, "Arnaud Turpin > Groupe MIT"
<arnaud.turpin [at] groupe-mit> wrote:
> Any up for this post ?

Unfortunately not. You can use the "ipv6 access-class" command to
configure a firewall on all connections to/from the device, which will work
for SSH too, of course.
But this will also affect all other connections, like BGP sessions, OSPF,
DNS, basically every packet that goes to/comes from the device itself.


Regards,
Philipp
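
Added example (not part of the original thread, and not Foundry code): a small first-match model of the side effect described above, showing which inbound flows a device-wide ACL would drop before it is applied. The tuple rule format, the sample flows, and the assumption that the platform's IPv6 ACLs can match protocol and destination port are all hypothetical.

```python
import ipaddress

# Rule = (action, source prefix, protocol or None=any, dst port or None=any).
# Simplified model of a first-match ACL with the implicit "deny ipv6 any any"
# from the thread; inbound direction only, not Foundry's own parser.
ACL_MGMT_ONLY = [
    ("permit", "2001:db8:1:2::/64", None, None),  # the ACL from the thread
]

# Hypothetical alternative: scope the restriction to SSH, then permit the rest.
ACL_SSH_SCOPED = [
    ("permit", "2001:db8:1:2::/64", "tcp", 22),
    ("deny", "::/0", "tcp", 22),
    ("permit", "::/0", None, None),
]

# Constructed sample flows towards the device: (name, source, protocol, dst port)
FLOWS = [
    ("ssh from mgmt", "2001:db8:1:2::10", "tcp", 22),
    ("ssh from elsewhere", "2001:db8:ffff::1", "tcp", 22),
    ("bgp peer", "2001:db8:0:1::1", "tcp", 179),
    ("ospfv3 neighbor", "fe80::1", "ospf", None),
    ("dns reply", "2001:db8:53::53", "udp", 53124),
]


def evaluate(acl, src, proto, port):
    """Return 'permit' or 'deny' for one flow; the first matching rule wins."""
    addr = ipaddress.ip_address(src)
    for action, prefix, rule_proto, rule_port in acl:
        if addr not in ipaddress.ip_network(prefix):
            continue
        if rule_proto not in (None, proto):
            continue
        if rule_port not in (None, port):
            continue
        return action
    return "deny"  # implicit deny ipv6 any any


def blocked(acl, flows=FLOWS):
    """Names of the sample flows the ACL would drop if applied device-wide."""
    return [name for name, src, proto, port in flows
            if evaluate(acl, src, proto, port) == "deny"]


if __name__ == "__main__":
    print("mgmt-only ACL drops: ", blocked(ACL_MGMT_ONLY))
    print("ssh-scoped ACL drops:", blocked(ACL_SSH_SCOPED))
```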
