Hi there, I have a feature request:
I would like to introduce the concept of a management VRF:
A management VRF allows you to use a separate routing table for management. Access to SSH, WinBox, Telnet, whatever, is only allowed within this VRF. Within an ISP environment this secures your main routing table, as that is the routing table that contains the internet routes, so your customers' internet traffic passes through it. The management VRF will be the routing table through which all access to the router goes. Telnet, SSH, WinBox, SNMP, etc. will only listen on addresses in the VRF, and the same goes for remote logging, NTP, etc.
I see this implemented in RouterOS like this:
1) Allow /ip service to have the keyword routing-table. So, I would be able to do the following:
/ip service set ssh routing-table=management
Then SSH will bind itself only to interfaces within the management VRF. The default would be "main", so it works without MPLS support.
2) Allow you to specify the @routingtable option globally, so you could do this:
/system logging target add name="my.nms.station" target=remote remote=192.168.255.13:514@management
Alternatively, a routing-table option here too.
I've seen this implemented on Cisco's ASR 1000 routers and I believe it's the right way to secure MPLS networks that contain customer routes in the global table.
I hope you will implement this feature. If you have any questions, I'll be happy to elaborate.
The road to hell is paved with good intentions.
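As an added illustration (not part of the original post, and not the syntax the poster proposed), the configuration below sketches what the requested setup looks like with the VRF support that later RouterOS 7 releases provide: the VRF is created from `/ip/vrf`, routes are placed in it with `routing-table=`, and `/ip/service` takes a `vrf=` parameter instead of the proposed `routing-table=`. The interface name, addresses and VRF name are made up. The `vrf=` parameter on the logging action, NTP client and SNMP settings is assumed here to bind those services to the management VRF in the way the post asks for; verify the parameter names and their behaviour against the documentation for your RouterOS version before relying on this.

```routeros
# Added example: management VRF on RouterOS 7 (illustrative, assumed syntax; not the poster's proposal).
# ether1 is the dedicated management port; 192.168.255.0/24 is the (made-up) management network.

# Create the management VRF and put the management interface in it
/ip/vrf/add name=management interfaces=ether1
/ip/address/add address=192.168.255.2/24 interface=ether1

# Default route that lives only in the management routing table,
# so management return traffic never touches the "main" (internet) table
/ip/route/add dst-address=0.0.0.0/0 gateway=192.168.255.1 routing-table=management

# Bind the management services to the VRF (the equivalent of the
# "routing-table=management" option requested in the post)
/ip/service/set ssh vrf=management
/ip/service/set winbox vrf=management
/ip/service/disable telnet,ftp,www,api

# Remote syslog target reachable only through the management VRF
# (equivalent of "remote=192.168.255.13:514@management" in the post;
# the vrf= parameter on the action is an assumption)
/system/logging/action/set remote remote=192.168.255.13 remote-port=514 vrf=management
/system/logging/add topics=info,!debug action=remote

# NTP and SNMP sourced from the management VRF (vrf= parameters assumed)
/system/ntp/client/set enabled=yes servers=192.168.255.10 vrf=management
/snmp/set enabled=yes trap-target=192.168.255.13 vrf=management

# Belt and braces: even if a service ever listens on a main-table address,
# drop management ports arriving on any interface that is not in the VRF
/interface/list/add name=mgmt
/interface/list/member/add list=mgmt interface=ether1
/ip/firewall/filter/add chain=input protocol=tcp dst-port=22,8291,161 in-interface-list=!mgmt action=drop comment="management only via VRF"
```

The firewall rule is the check a practitioner would add regardless of VRF support: the VRF keeps management listeners off the customer-facing routing table, and the input filter makes sure a future misconfiguration (a service reset to the default VRF, for instance) does not silently re-expose SSH or WinBox on the internet table.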