[bind10-dev] where and how do we plan to actually check ACLs?
Michal 'vorner' Vaner
michal.vaner at nic.cz
Mon Jun 13 08:36:36 UTC 2011
Hello
On Fri, Jun 10, 2011 at 06:16:00PM +0200, Jelte Jansen wrote:
> I think it should be feature-based; An 'ACL' as they are described now on the
> wiki is really a (set of) identifiers, in which a certain third party either
> is or is not. They would have no meaning on their own, but they are tied to
> features (like in bind9, allow-query, allow-notify, etc). So instead of checking
> one big acl the moment a packet arrives, you start processing it, and check a
> number of acls depending on what's actually in the packet ("I see your packet is
> an UPDATE for zone foo.example. I see zone foo.example has been configured to
> use this acl, this acl contains these addresses. You, sir, are not in this list.
> I am disinclined to acquiesce to your request.") Note that one acl-point can
> very well be whether a packet is accepted in the first place, without even
> looking at what it wants to achieve.
Well, with what is described on the wiki, I believe it just doesn't matter. The
syntax should allow for whatever is needed there (you either add actions (like
instead of allow/deny, we could have allow-notify) or add checks (if it's
notify, drop it)).
It sounds reasonable to me to place multiple ACL-points into the processing (and
a packet must get through all to get to the destinations). But on the other side,
it might be reasonable to check things like „this message is a notify“ (for
example to drop all notifies right away without really letting them in to eat
CPU for their processing). For that reason, I'd suggest that the message itself
is passed to the ACL as well, and let it be like that for now to be able to add
more possible checks for such things in future (and not change the interface).
> It's very probable this view is shared by others, and that it just has been
> assumed to be the case, or that it has simply not been aired yet. Or perhaps
> everyone had this view all along and my week has simply been too long, and we
> were talking past each other just now.
I don't know, I didn't think about it. I was thinking like „it must be possible
to work wherever they are put“.
With regards
--
This email has been checked by an automatic damage possibility check system.
It can contain harmful instructions if read backwards.
Internal checker ID: lacol.cr/cte/ << tlah ohce
Michal 'vorner' Vaner
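The design both messages converge on (an ACL as an ordered list of checks tied to a feature such as allow-query or allow-update, evaluated at several points during processing, with the message itself handed to the ACL so that an early point can drop every NOTIFY before it costs any CPU) can be sketched in a few dozen lines. The following is an added illustration written for this thread, not code from BIND 10 or from either poster; the `Context`/`ACL`/`process` names, the opcode strings and every address range in it are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Action(Enum):
    ACCEPT = "accept"
    REJECT = "reject"   # answer the client (e.g. REFUSED)
    DROP = "drop"       # discard silently, no further processing


@dataclass(frozen=True)
class Context:
    """What an ACL-point gets to look at: the source and the message itself.
    Passing the message (here reduced to opcode and zone) is what lets an ACL
    check "this is a notify" and not only "this address is on the list"."""
    source: ipaddress.IPv4Address
    opcode: str   # constructed: "QUERY", "NOTIFY" or "UPDATE"
    zone: str


Check = Callable[[Context], bool]


class ACL:
    """Ordered (check, action) entries; the first matching check decides,
    otherwise the default applies. Default is REJECT so a missing entry
    fails closed."""

    def __init__(self, entries: List[Tuple[Check, Action]], default: Action = Action.REJECT):
        self.entries = list(entries)
        self.default = default

    def evaluate(self, ctx: Context) -> Action:
        for check, action in self.entries:
            if check(ctx):
                return action
        return self.default


# Check builders (hypothetical helpers for this example).
def from_network(*cidrs: str) -> Check:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda ctx: any(ctx.source in n for n in nets)


def opcode_is(opcode: str) -> Check:
    return lambda ctx: ctx.opcode == opcode


def any_source() -> Check:
    return lambda ctx: True


# ACL-point 1: the "front door", evaluated before the server cares what the
# message wants. Because the message is part of the context, one entry can
# drop all notifies right away, as the mail suggests.
front_door = ACL([
    (opcode_is("NOTIFY"), Action.DROP),
    (from_network("192.0.2.0/24"), Action.DROP),   # constructed blocklist
], default=Action.ACCEPT)

# ACL-point 2: per-zone, per-feature ACLs in the bind9 allow-query /
# allow-update style. Zone and ranges are constructed sample data.
zone_features = {
    "foo.example": {
        "QUERY":  ACL([(any_source(), Action.ACCEPT)]),
        "UPDATE": ACL([(from_network("203.0.113.0/24"), Action.ACCEPT)]),
    },
}


def make_context(source: str, opcode: str, zone: str) -> Context:
    return Context(ipaddress.ip_address(source), opcode, zone)


def process(ctx: Context) -> Tuple[Action, str]:
    """Run the message through every ACL-point in order; the first verdict
    other than ACCEPT ends processing. Returns (verdict, which point decided)."""
    verdict = front_door.evaluate(ctx)
    if verdict is not Action.ACCEPT:
        return verdict, "front-door"
    features = zone_features.get(ctx.zone)
    if features is None or ctx.opcode not in features:
        # No ACL configured for this feature on this zone: fail closed.
        return Action.REJECT, "no-acl-for-feature"
    return features[ctx.opcode].evaluate(ctx), f"allow-{ctx.opcode.lower()}"


if __name__ == "__main__":
    # "I see your packet is an UPDATE for zone foo.example ... you are not in this list."
    print(process(make_context("198.51.100.5", "UPDATE", "foo.example")))
    # A notify never reaches the per-zone ACLs; the front door drops it.
    print(process(make_context("203.0.113.7", "NOTIFY", "foo.example")))
```

The two points of interest for the design question: the same `ACL` type serves both the early drop and the feature-specific decision, so the interface does not change when more message-based checks are added later, and a feature with no ACL configured is rejected rather than silently accepted.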