HTTP-over-IPv6 on Cisco IOS

Stumbled across this marvel while updating my IPv6 presentations for a 2-day seminar in Milano and Rome (straight from the 15.2M&T command reference):

With IPv6 support added in Cisco IOS Release 12.2(2)T, the ip http server command simultaneously enables and disables both IP and IPv6 access to the HTTP server. However, an access list configured with the ip http access-class command will only be applied to IPv4 traffic. IPv6 traffic filtering is not supported.

Wait ... WHAT? I cannot control who can access the HTTP(S) server running in Cisco IOS over IPv6 (apart from kludges like ingress ACLs on all interfaces or CoPP), and this stupidity has been left unfixed for nine (9) years? Are we really in 2012, less than a month away from World IPv6 Launch, or have I been transported to the 1990s?
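To make the caveat concrete, here is an added configuration example (not from the original post, and not Cisco documentation): the native `ip http access-class` control, which per the quoted text covers IPv4 only, beside the two workarounds the post mentions, a CoPP policy and an ingress interface ACL, both restricting IPv6 access to the router's own HTTP(S) server. The prefixes 192.0.2.0/24, 2001:db8:100::/64 and the router address 2001:db8:1::1 are constructed documentation values; the interface name and ACL names are assumptions.

```cisco
! --- Native control: IPv4 only (the 15.2M&T caveat quoted above) ---
! Standard numbered ACL (1-99) listing the management subnet;
! 192.0.2.0/24 is a constructed documentation prefix.
access-list 10 permit 192.0.2.0 0.0.0.255
ip http server
ip http secure-server
ip http access-class 10
!
! --- Workaround 1: CoPP policy for IPv6 HTTP(S) aimed at the router ---
! CoPP convention: "deny" entries exclude trusted sources from the class
! (they fall through untouched); "permit" entries match the class, and
! the class action drops them. 2001:db8:100::/64 is the constructed
! management prefix.
ipv6 access-list COPP-HTTP-V6
 remark Trusted management prefix falls through to the default class
 deny tcp 2001:db8:100::/64 any eq www
 deny tcp 2001:db8:100::/64 any eq 443
 remark Anything else aimed at the HTTP(S) server is matched and dropped
 permit tcp any any eq www
 permit tcp any any eq 443
!
class-map match-all COPP-HTTP-V6-DROP
 match access-group name COPP-HTTP-V6
!
policy-map COPP
 class COPP-HTTP-V6-DROP
  police 8000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP
!
! --- Workaround 2: ingress ACL, repeated on every IPv6-enabled interface ---
! The destination entries must cover every address the router holds on the
! link, the link-local address included, since the HTTP server listens on
! all of them (assumption about listener behaviour; verify on your release).
ipv6 access-list MGMT-V6-IN
 permit tcp 2001:db8:100::/64 host 2001:db8:1::1 eq www
 permit tcp 2001:db8:100::/64 host 2001:db8:1::1 eq 443
 deny tcp any host 2001:db8:1::1 eq www
 deny tcp any host 2001:db8:1::1 eq 443
 deny tcp any host fe80::1 eq www
 deny tcp any host fe80::1 eq 443
 remark Transit and all other router-bound traffic stays unaffected
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 address fe80::1 link-local
 ipv6 traffic-filter MGMT-V6-IN in
!
! Check that the filters actually see traffic:
!   show ipv6 access-list COPP-HTTP-V6
!   show ipv6 access-list MGMT-V6-IN
!   show policy-map control-plane
```

The CoPP variant is the one that scales, because it is configured once and sees every packet punted to the route processor regardless of ingress interface; the interface ACL has to be maintained on every interface and updated whenever an address is added to the router. In both cases the hit counters in the `show` commands above are the practical test that the IPv6 side is really being filtered, since `ip http access-class` will never report IPv6 matches.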

11 comments:

  1. Moreover

    ip http access-class access-list-number

    Where "access-list-number" is a standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.
    No named or extended ACLs, and no ACLs with the expanded range <1300-1999>.
    Seems to be very strange.

  2. Pffff.... all I have to say :)

  3. It's a shame how big vendors still treat IPv6 as an experimental protocol without commercial relevance. A respected North-European telco equipment vendor delivered us an IPv6 implementation that doesn't support path MTU discovery. 'Just use TCP if you want to send anything bigger than 1280 bytes'. In 2012.

  4. Any decent STIG would have the HTTP server disabled.

  5. Haha. The truth is no one cares. Even bad guys :)

  6. What would be our world without your blog! Thanks to that posting, I can now go to bed with a calm conscience...

  7. Open a case and add this URL to the case notes: http://www.youtube.com/watch?v=VCCgVh8wFdA

  8. I suppose this is an indication of just how awful the IOS code base has become. Lord knows release quality has also taken a nose-dive in the last few years.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.