This repository was archived by the owner on Jul 4, 2026. It is now read-only.
v0.6.0 — management-plane access baseline
v0.6.0 — management-plane access baseline
This release was driven by a real-world config corpus: we ran vrp-ir over a
set of public Huawei lab/tutorial configs, measured which constructs it did not
yet recognise, and the data ranked management-plane access control as the top
gap. v0.6 closes it. Every parsed value still carries a SourceRef to its exact
file:line.
New parsing (with SourceRef)
user-interfacecon/vty blocks —protocol inbound(ssh/telnet/all),
acl <id> inbound,authentication-mode,user privilege levelssh server cipheralgorithm listaaalocal-users —local-user <name> service-type ...
Audit: 9 → 13 checks
- FW-MGMT-VTY-TELNET — a VTY line accepts Telnet (
protocol inbound telnet|all). - FW-MGMT-VTY-NO-ACL — a VTY line allows remote login but has no inbound source ACL.
- FW-SSH-WEAK-CIPHER — SSH server offers weak ciphers (CBC-mode / 3DES / DES).
- FW-AAA-LOCAL-USER-TELNET — a local AAA user is granted the Telnet service type.
These join the v0.5 set (default-deny, permit-scope with address-set dereference,
rule-logging, zone-iface-unique, address-set-any, HRP consistency, cleartext
Telnet/HTTP management). Every finding cites the exact config line; --strict
exits non-zero for CI gating.
Quality
- Zero runtime dependencies in the core.
- 147 stdlib
unittestcases; CI green (tests + regression + CodeQL).
vrp-ir is the open core of AegisTwin (Huawei security-integration acceptance workbench).