Skip to content
This repository was archived by the owner on Jul 4, 2026. It is now read-only.

v0.6.0 — management-plane access baseline

Choose a tag to compare

@zynovex-support zynovex-support released this 16 Jun 05:58
e3ec5ea

v0.6.0 — management-plane access baseline

This release was driven by a real-world config corpus: we ran vrp-ir over a
set of public Huawei lab/tutorial configs, measured which constructs it did not
yet recognise, and the data ranked management-plane access control as the top
gap. v0.6 closes it. Every parsed value still carries a SourceRef to its exact
file:line.

New parsing (with SourceRef)

  • user-interface con/vty blocks — protocol inbound (ssh/telnet/all),
    acl <id> inbound, authentication-mode, user privilege level
  • ssh server cipher algorithm list
  • aaa local-users — local-user <name> service-type ...

Audit: 9 → 13 checks

  • FW-MGMT-VTY-TELNET — a VTY line accepts Telnet (protocol inbound telnet|all).
  • FW-MGMT-VTY-NO-ACL — a VTY line allows remote login but has no inbound source ACL.
  • FW-SSH-WEAK-CIPHER — SSH server offers weak ciphers (CBC-mode / 3DES / DES).
  • FW-AAA-LOCAL-USER-TELNET — a local AAA user is granted the Telnet service type.

These join the v0.5 set (default-deny, permit-scope with address-set dereference,
rule-logging, zone-iface-unique, address-set-any, HRP consistency, cleartext
Telnet/HTTP management). Every finding cites the exact config line; --strict
exits non-zero for CI gating.

Quality

  • Zero runtime dependencies in the core.
  • 147 stdlib unittest cases; CI green (tests + regression + CodeQL).

vrp-ir is the open core of AegisTwin (Huawei security-integration acceptance workbench).