[bind10-dev] ACL Syntax proposal

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Fri Jun 3 07:33:21 UTC 2011


At Fri, 27 May 2011 14:19:20 +0000,
Michal 'vorner' Vaner <michal.vaner at nic.cz> wrote:

> I wrote a proposal for how the ACL syntax could look. Could you please have a look
> at it and tell me if you think this would work, be friendly to users and usable?
> Or if you see some minor glitches or think it's completely wrong?
> 
> It's located at „http://bind10.isc.org/wiki/AclSyntax“. The accompanying ticket
> is #767.

A few comments of mine:

- I was a bit confused about the syntax in the use of ACCEPT(-IF) and
  REJECT(-IF).  To me, an ACL rule essentially consists of a function
  that maps some object (an IP address, DNS message, etc.) to boolean
  values (i.e., "match" or "not match") and associated actions (often
  "accept", "reject", etc.) for the boolean values.  Most of the
  example syntax shown in the wiki page seems to define such
  functions.  For example, this one would be considered a function
  of IP addresses that returns true/false:
  {
    "ip": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
  }
  But I'm confused when I see this
  ACCEPT: {"AND": []}
  or even this:
  {"ACCEPT-IF": {"ip": "132.147.67.16"}}
  This seems to indicate that a JSON object that contains ACCEPT(-IF),
  etc., is also a part of the "function".

  I think I understand the general concept of the proposal, but to be
  fully sure and to be able to implement it, I'd like to see some
  level of formal definition of the syntax.

- Regarding TSIG, in BIND 9 we only use key names in ACLs.  (As I
  think is documented somewhere in the wiki proposal) the TSIG check will
  be performed independently of ACLs, so I think it's reasonable to
  only consider whether TSIG is included, and if so, which key name is
  used.  Note also that in that case TSIG matching in the ACL may not
  be that expensive (in fact, if we identify TSIG keys in an efficient
  way such as unique integer identifiers, it may be even more
  lightweight than IP address/prefix matching).

- Maybe related to the first point, we'll often want to specify a rule
  like "accept something from this source address".  What would such a
  rule look like in this proposed scheme?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
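A toy evaluator, added here as an illustration and not taken from the thread, the wiki proposal or the BIND 10 code, for the "function to boolean plus action" model described in the first point, run over the JSON fragments quoted in the message. The semantics are assumptions of mine: an ACL is a list of one-key rules ({"ACCEPT-IF": cond} / {"REJECT-IF": cond}) tried in order with the first match deciding and a fail-closed default; "ip" takes one prefix string or a list; "AND" is the conjunction of its list; and "tsig_key" is a hypothetical element standing in for the key-name-only TSIG check discussed in the second point.

```python
"""Toy evaluator for the JSON ACL fragments quoted in the message above.

Assumed semantics (mine, not the wiki proposal's): an ACL is a JSON list of
one-key rules {"ACCEPT-IF": cond} or {"REJECT-IF": cond}, tried in order;
the first rule whose condition matches decides, otherwise a default
(REJECT, i.e. fail closed) applies.  A condition is the boolean "function"
part: {"ip": prefix-or-list}, {"AND": [...]}, or the hypothetical
{"tsig_key": name} for a key-name-only TSIG check.
"""
import ipaddress
import json

ACTIONS = {"ACCEPT-IF": "ACCEPT", "REJECT-IF": "REJECT"}


def _single_item(obj, what):
    """Every rule and condition here is a one-key JSON object; enforce that."""
    if not isinstance(obj, dict) or len(obj) != 1:
        raise ValueError(f"{what} must be a single-key object, got {obj!r}")
    return next(iter(obj.items()))


def _prefixes(spec):
    """'ip' takes one prefix string or a list; a bare address means /32 or /128.

    ip_network() is strict by default, so "192.168.1.5/24" raises ValueError
    at load time instead of silently matching the whole /24.
    """
    specs = [spec] if isinstance(spec, str) else list(spec)
    return [ipaddress.ip_network(p) for p in specs]


def validate_condition(cond):
    """Reject unknown elements and malformed prefixes before the ACL is used."""
    key, value = _single_item(cond, "condition")
    if key == "ip":
        _prefixes(value)
    elif key == "AND":
        for sub in value:
            validate_condition(sub)
    elif key == "tsig_key":  # hypothetical element, see module docstring
        if not isinstance(value, str):
            raise ValueError("tsig_key must be a key name string")
    else:
        raise ValueError(f"unknown condition element {key!r}")


def matches(cond, ctx):
    """The boolean 'function' part of a rule: does request ctx satisfy cond?

    ctx describes the request: {"ip": source address, "tsig_key": name of the
    signing key, absent when the message was unsigned}.
    """
    key, value = _single_item(cond, "condition")
    if key == "ip":
        addr = ipaddress.ip_address(ctx["ip"])
        # A v4 address against a v6 prefix (or vice versa) is simply no match.
        return any(addr in net for net in _prefixes(value))
    if key == "AND":
        # all() of an empty list is True, so {"AND": []} matches every request.
        return all(matches(sub, ctx) for sub in value)
    if key == "tsig_key":
        return ctx.get("tsig_key") == value
    raise ValueError(f"unknown condition element {key!r}")


def load_acl(text):
    """Parse and fully validate an ACL document; raises ValueError if malformed."""
    acl = json.loads(text)  # JSONDecodeError is a ValueError subclass
    if not isinstance(acl, list):
        raise ValueError("ACL must be a list of rules")
    for rule in acl:
        verb, cond = _single_item(rule, "rule")
        if verb not in ACTIONS:
            raise ValueError(f"unknown rule verb {verb!r}")
        validate_condition(cond)
    return acl


def is_valid_acl(text):
    """True if load_acl() accepts the document, False otherwise."""
    try:
        load_acl(text)
        return True
    except ValueError:
        return False


def evaluate(acl, ctx, default="REJECT"):
    """Map a request context to ACCEPT/REJECT: first matching rule wins."""
    for rule in acl:
        verb, cond = _single_item(rule, "rule")
        if matches(cond, ctx):
            return ACTIONS[verb]
    return default


# Constructed sample ACL assembled from the fragments quoted in the message.
EXAMPLE_ACL_TEXT = """
[
  {"REJECT-IF": {"AND": [{"ip": "10.0.0.0/8"}, {"ip": "10.99.0.0/16"}]}},
  {"ACCEPT-IF": {"ip": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]}},
  {"ACCEPT-IF": {"ip": "132.147.67.16"}},
  {"ACCEPT-IF": {"AND": [{"ip": "0.0.0.0/0"}, {"tsig_key": "example-key"}]}}
]
"""
EXAMPLE_ACL = load_acl(EXAMPLE_ACL_TEXT)

if __name__ == "__main__":
    for ctx in ({"ip": "10.1.2.3"}, {"ip": "10.99.1.1"}, {"ip": "132.147.67.16"},
                {"ip": "8.8.8.8"}, {"ip": "8.8.8.8", "tsig_key": "example-key"}):
        print(ctx, "->", evaluate(EXAMPLE_ACL, ctx))
```

The third rule is the "accept something from this source address" case from the last point; the {"AND": []} form the message finds confusing becomes a catch-all under these semantics, which is why rule order and the fail-closed default matter as much as the individual conditions. Validation runs once at load time so that an unknown element or a prefix with host bits set is a configuration error rather than a silent non-match or over-match at query time.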