[bind10-dev] ACL Syntax proposal

Michal 'vorner' Vaner michal.vaner at nic.cz
Sat May 28 12:08:08 UTC 2011


On Fri, May 27, 2011 at 10:08:55PM +0000, Evan Hunt wrote:
> > I wrote a proposal how ACL syntax could look like. Could you please have
> > a look at it and tell me if you think this would work, be friendly to
> > users and usable?  Or if you see some minor glitches or think it's
> > completely wrong?
> I'm not sure boolean logic is quite the right approach here (and maybe it's
> not what you had in mind, but the use of AND, OR, and NOT suggests that it
> is).

Yes, I had boolean logic in mind. As I noted down on the page, this
„descriptive“ approach looks easier to me than the usual „procedural“ (accept,
reject or continue).

> Boolean expressions strike me as an imperfect fit in a couple of ways.
> For example, does "ACCEPT": { "NOT": { "ip": "10/8" }} mean "reject any
> address which is in 10/8" , or does it mean "accept any address which is
> *not* in 10/8" ?  If an ACCEPT block and a REJECT block both matched a
> query, which one would get priority?

Well, not accept is the same as reject, so there's no problem in it. The ACL
either allows user to perform that action or doesn't.

> I would suggest looking at how router firewall rules are configured for
> guidance in this.  I don't know how Cisco and the like do it, but I've
> used ipfw and (ugh) iptables, and like BIND 9 ACLs they also take a
> first-match appraoch that concentrates on getting a yes/no answer as
> quickly as possible rather than traversing a logic tree.

Yes, I know them a little. I didn't use BIND 9, but I use firewalls. I always
find lost when there are many rules and keep asking „Does the packet get down
here or does it get handled somewhere above in the depth of rules?“ and „where
do I place this rule so it doesn't break anything?“ XMPP has similar way of
handling blocking (they call it privacy lists) and _nobody_ of users use it,
they had to come with „simple blocking“, where you just put the blocked
addresses. So I came to conclusion this is probably user-unfriendly and that
simple boolean logic might be easier to understand.

But I might be wrong at what is the goal of ACL. Is it, ultimately, something
that decides if user is allowed or not to do a given thing?

Thank you

When all else fails, EAT!!!

Michal 'vorner' Vaner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind10-dev/attachments/20110528/3f97698e/attachment.bin>

More information about the bind10-dev mailing list