[bind10-dev] ACL Syntax proposal

Michal 'vorner' Vaner michal.vaner at nic.cz
Sat May 28 20:48:03 UTC 2011


Hello

On Sat, May 28, 2011 at 04:00:39PM +0000, Evan Hunt wrote:
> > Well, not accept is the same as reject, so there's no problem in it.
> ... aren't the same thing.  The ambiguity is in where the "not" is
> being applied:  "not-accept X", or "accept not-X".

OK, I probably wasn't clear about what I meant. To avoid confusion between these two,
I'd like to put an equivalence there. Say „accept exactly the ones that are not
there“ (e.g. it would mean both do not accept the ones there and accept the ones
not being there).

> > The ACL either allows user to perform that action or doesn't.
> 
> True, but consider a "doughnut hole" ACL:
> 
>    accept 132.147.67.16
>    reject 132.147.67/24
>    accept 132.147/16
>    reject everyone

Yes, every syntax and approach has some situation which is slightly awkward to
describe. I don't know, are these donuts usual? To what depth? Or is it more
usual to have many distinct ranges and stuff like that, so it just grows
„large“, not „complicated“?

>     allow and {ip A, key K}

Well, with the abbreviated forms, you don't even need the and, but that's a
detail.

Anyway, as I said, we probably want to have the ability to have a Python snippet
as the ACL, for the situation when you want to describe something really
complicated or need to compute it using moon phase. I just find the procedural
ones to be complicated in usual scenarios (or even C++, when it comes to
performance).

Or, we could come up with one extra composition modifier, which would allow this
kind of chaining, which people could use if they really wanted (and it would
answer yes/no for itself and the chain could be included in further logic
processing), something like this:

{
  "CHAIN": [
    {"ACCEPT-IF": {"ip": "132.147.67.16"}},
    {"DENY-IF": {"ip": "132.147.67.0/24"}},
    {"ACCEPT-IF": {"ip": "132.147.0.0/16"}},
    "DENY"
  ],
  "TSIG": ["tsig1", "tsig2"]
}

Do you think this would help for the donut cases and such? It would help us next
year as well, when we do the BIND9 compatibility (it still shouldn't be a
problem to translate the BIND9 ACL to the logic ones automatically, but the
result wouldn't look nice).

Thanks

With regards

-- 
Security warning: Do not expose this email to direct sunlight.
It may lead to undefined behaviour, including possible data or life losses.

Michal 'vorner' Vaner
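An added evaluator for the "CHAIN" composition modifier proposed in the message above, written as a worked example for this page; it is not BIND 10 code and does not come from the thread's participants. The semantics are an assumed reading of the proposal: a CHAIN is first-match (the first entry whose conditions all hold decides, ACCEPT-IF accepting and DENY-IF rejecting; a bare "ACCEPT"/"DENY" string is an unconditional terminal), a chain that runs off its end rejects, and sibling keys at one level ("CHAIN" and "TSIG") are ANDed, i.e. the abbreviated form without an explicit "and". The two apparent typos in the posted snippet are read as "ACCEPT-IF" and "132.147.0.0/16". The `bind9_to_chain` translator, the `expand_prefix` helper for the BIND 9 "132.147.67/24" shorthand, and the field names "ip" and "key" are all assumptions made for the example.

```python
"""Evaluator for the proposed CHAIN / TSIG ACL form (added example, not BIND 10 code).

Assumed semantics: first-match CHAIN evaluation, reject when the chain runs out,
sibling keys at one level are ANDed.
"""
import ipaddress

# The doughnut-hole ACL from the message, with the two apparent typos fixed
# ("ACCEPT-IP" read as "ACCEPT-IF", "132.147.0./16" as "132.147.0.0/16").
DOUGHNUT_ACL = {
    "CHAIN": [
        {"ACCEPT-IF": {"ip": "132.147.67.16"}},
        {"DENY-IF": {"ip": "132.147.67.0/24"}},
        {"ACCEPT-IF": {"ip": "132.147.0.0/16"}},
        "DENY",
    ],
    "TSIG": ["tsig1", "tsig2"],
}


def expand_prefix(text):
    """Parse an address or prefix, also accepting the BIND 9 shorthand
    '132.147.67/24' (assumed: omitted trailing IPv4 octets are zero)."""
    if "/" in text and ":" not in text:
        addr, length = text.split("/", 1)
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        text = f"{addr}/{length}"
    return ipaddress.ip_network(text, strict=False)


def conditions_match(cond, request):
    """All fields of a condition dict must match the request (implicit AND).
    Assumed fields: "ip" (address or prefix) and "key" (TSIG key name)."""
    for field, value in cond.items():
        if field == "ip":
            if ipaddress.ip_address(request["ip"]) not in expand_prefix(value):
                return False
        elif field == "key":
            if request.get("key") != value:
                return False
        else:
            raise ValueError(f"unknown ACL field {field!r}")
    return True


def eval_chain(chain, request):
    """First-match evaluation of a CHAIN list; True means accept."""
    for entry in chain:
        if isinstance(entry, str):
            if entry in ("ACCEPT", "DENY"):
                return entry == "ACCEPT"
            raise ValueError(f"unknown terminal entry {entry!r}")
        (verb, cond), = entry.items()
        if not conditions_match(cond, request):
            continue
        if verb in ("ACCEPT-IF", "DENY-IF"):
            return verb == "ACCEPT-IF"
        raise ValueError(f"unknown chain verb {verb!r}")
    return False  # fell off the end of the chain: assumed to reject


def eval_acl(acl, request):
    """Evaluate a top-level ACL object; sibling keys are ANDed (assumed)."""
    for key, value in acl.items():
        if key == "CHAIN":
            if not eval_chain(value, request):
                return False
        elif key == "TSIG":
            if request.get("key") not in value:
                return False
        elif key in ("ip", "key"):
            if not conditions_match({key: value}, request):
                return False
        else:
            raise ValueError(f"unknown ACL key {key!r}")
    return True


def bind9_to_chain(entries):
    """Translate a BIND 9 address_match_list (first match wins, a leading '!'
    negates, 'any' matches everything) into the proposed CHAIN form."""
    chain = []
    for entry in entries:
        deny = entry.startswith("!")
        target = entry.lstrip("!").strip()
        if target == "any":
            chain.append("DENY" if deny else "ACCEPT")
        else:
            net = str(expand_prefix(target))
            chain.append({"DENY-IF" if deny else "ACCEPT-IF": {"ip": net}})
    return chain


if __name__ == "__main__":
    for ip in ("132.147.67.16", "132.147.67.17", "132.147.1.1", "10.0.0.1"):
        print(ip, eval_acl(DOUGHNUT_ACL, {"ip": ip, "key": "tsig1"}))
```

Because each chain entry carries a condition dict whose fields are ANDed, Evan's "allow and {ip A, key K}" becomes a single `{"ACCEPT-IF": {"ip": A, "key": K}}` entry, and the doughnut hole needs no nesting at all: the order of the entries is the whole expression.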