[bind10-dev] ACL Syntax proposal
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Fri Jun 3 07:33:21 UTC 2011
At Fri, 27 May 2011 14:19:20 +0000,
Michal 'vorner' Vaner <michal.vaner at nic.cz> wrote:
> I wrote a proposal for how the ACL syntax could look. Could you please have a look
> at it and tell me if you think this would work, be friendly to users and usable?
> Or if you see some minor glitches or think it's completely wrong?
>
> It's located at „http://bind10.isc.org/wiki/AclSyntax“. The accompanying ticket
> is #767.
A few comments of mine:

- I was a bit confused about the syntax in the use of ACCEPT(-IF) and REJECT(-IF). To me, an ACL rule essentially consists of a function that maps some object (an IP address, DNS message, etc) to boolean values (i.e., "match" or "not match") and associated actions (often "accept", "reject", etc) for the boolean values. Most of the example syntax shown in the wiki page seems to define such functions. For example, this one would be considered a function of IP addresses that returns true/false:

      {
        "ip": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
      }

  But I'm confused when I see this

      ACCEPT: {"AND": []}

  or even this:

      {"ACCEPT-IF": {"ip": "132.147.67.16"}}

  This seems to indicate that a JSON object that contains ACCEPT(-IF), etc, is also a part of the "function".

  I think I understand the general concept of the proposal, but to be fully sure and to be able to implement it, I'd like to see some level of formal definition of the syntax.

- Regarding TSIG, in BIND 9 we only use key names in ACLs. (As I think was documented somewhere in the wiki proposal) the TSIG check will be performed independently from ACLs, so I think it's reasonable to only consider whether TSIG is included, and if so, which key name is used. Note also that in that case TSIG matching in the ACL may not be that expensive (in fact, if we identify TSIG keys in an efficient way such as unique integer identifiers, it may be even more lightweight than IP address/prefix matching).

- Maybe related to the first point, we'll often want to specify a rule like "accept something from this source address". How would such a rule look in this proposed scheme?
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
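One way to read the proposed syntax the way JINMEI describes it above (a predicate that maps a request to true/false, plus an action attached to that predicate), written as an added Python example that is not part of this thread or of BIND 10's own ACL code. The request context fields `src` and `tsig_key`, the `key` predicate matching on TSIG key name only, treating `ACCEPT`/`ACCEPT-IF` as synonyms, and first-match-wins with a default action are all assumptions made for the example.

```python
import ipaddress

# Constructed sample ACL in the shape of the wiki examples. The interpretation
# is an assumption for this example, not BIND 10's own semantics: each predicate
# ({"ip": ...}, {"key": ...}, {"AND": [...]}) maps a request to a boolean, and
# "ACCEPT"/"ACCEPT-IF" or "REJECT"/"REJECT-IF" attach an action to a predicate.
ACL_EXAMPLE = [
    # "accept something from this source address", here only when the request
    # also carries a known TSIG key name
    {"ACCEPT-IF": {"AND": [{"ip": "192.168.0.0/16"}, {"key": "admin-key"}]}},
    {"REJECT-IF": {"ip": "192.168.0.0/16"}},  # unsigned requests from that prefix
    {"ACCEPT-IF": {"ip": ["10.0.0.0/8", "172.16.0.0/12"]}},
    {"ACCEPT-IF": {"ip": "132.147.67.16"}},
]

ACTIONS = ("ACCEPT", "REJECT")


def matches(pred, ctx):
    """Return True if predicate `pred` matches the request context `ctx`.

    ctx carries the source address ("src") and the TSIG key name ("tsig_key",
    None for an unsigned request). As in the mail, the TSIG signature itself
    is assumed to be verified outside the ACL; only the key name is compared.
    """
    if "AND" in pred:  # an empty list matches everything, as in ACCEPT: {"AND": []}
        return all(matches(p, ctx) for p in pred["AND"])
    if "ip" in pred:
        prefixes = pred["ip"] if isinstance(pred["ip"], list) else [pred["ip"]]
        addr = ipaddress.ip_address(ctx["src"])
        # strict=False tolerates host bits set in a prefix; a bare address is a /32
        return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)
    if "key" in pred:
        names = pred["key"] if isinstance(pred["key"], list) else [pred["key"]]
        return ctx.get("tsig_key") is not None and ctx["tsig_key"] in names
    raise ValueError("unknown predicate: %r" % (pred,))


def evaluate(acl, ctx, default="REJECT"):
    """Apply the action of the first rule whose predicate matches, else `default`."""
    for rule in acl:
        for action in ACTIONS:
            pred = rule.get(action + "-IF", rule.get(action))
            if pred is not None and matches(pred, ctx):
                return action
    return default


if __name__ == "__main__":
    for src, key in [("192.168.1.5", "admin-key"), ("192.168.1.5", None),
                     ("10.2.3.4", None), ("8.8.8.8", None)]:
        print(src, key, "->", evaluate(ACL_EXAMPLE, {"src": src, "tsig_key": key}))
```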