On 08/03/2019 14:28, Paul Wouters wrote:
> But assigned and left completely opaque is not really suitable for
> "heterogeneous off-the-shelf software". These different vendors must
> understand the meaning of the opaque data even if their functionality
> can be non-standard.
No, it does *not* require that at all.
We very carefully referred to the *operators* of the software in the
draft, not the implementors.
The intention is that software operators can define rules in their
configuration files such that *they* determine which values have what
meaning. Just like how a BGP router can use BGP communities within
routing policy maps.
In the load-balancer case, they might decide to use a few bits to select
one of several RPZ feeds, or perhaps a view, without having to pass the
client IP for use in a "source match" ACL to the backend.
They might decide to use another bit to indicate that the client is
trusted such that the server doesn't need to apply RRL.
Granted this will need some form of representation in whatever
configuration syntax is in use, but that would be implementation
dependent. The minimal implementation would just need to be able to
test "tag & mask == value".
Ray
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
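The operator-defined rule table Ray describes, as an added example that is not from the thread, the draft, or any implementation: a hypothetical backend evaluates configured `tag & mask == value` rules against the tag a front-end load balancer attached. The 16-bit tag width, the bit layout, the rule syntax and the feed names are all assumptions.

```python
# Added example (not from the thread or any draft): an operator-side rule
# table of the "tag & mask == value" form, evaluated by a hypothetical
# backend against the tag a front-end load balancer attached to the query.
from dataclasses import dataclass

# Assumed bit layout chosen by the operator, not defined by any spec:
# bits 0-2 select an RPZ feed, bit 3 selects a view, bit 4 marks a trusted client.
RPZ_MASK, VIEW_MASK, TRUSTED_MASK = 0x0007, 0x0008, 0x0010
TAG_BITS = 16  # assumed width of the tag value

@dataclass(frozen=True)
class Rule:
    mask: int
    value: int
    setting: str    # which backend knob the rule drives
    result: object  # value applied when the rule matches

def matches(rule: Rule, tag: int) -> bool:
    """The minimal test an implementation needs: tag & mask == value."""
    return (tag & rule.mask) == rule.value

# Constructed operator policy; first matching rule per setting wins.
RULES = [
    Rule(RPZ_MASK, 0x0000, "rpz", None),                 # no RPZ feed
    Rule(RPZ_MASK, 0x0001, "rpz", "rpz.example-feed-1"),
    Rule(RPZ_MASK, 0x0002, "rpz", "rpz.example-feed-2"),
    Rule(VIEW_MASK, VIEW_MASK, "view", "internal"),
    Rule(VIEW_MASK, 0x0000, "view", "external"),
    Rule(TRUSTED_MASK, TRUSTED_MASK, "rrl", False),      # trusted: skip RRL
    Rule(TRUSTED_MASK, 0x0000, "rrl", True),
]

def apply_policy(tag: int, rules=RULES) -> dict:
    """Resolve a tag to backend settings without ever seeing the client IP."""
    if not 0 <= tag < (1 << TAG_BITS):
        raise ValueError("tag does not fit in %d bits" % TAG_BITS)
    settings = {}
    for rule in rules:
        if rule.setting not in settings and matches(rule, tag):
            settings[rule.setting] = rule.result
    return settings

def frontend_tag(rpz_feed: int, internal: bool, trusted: bool) -> int:
    """How the load balancer might compose the tag from its own ACL decisions."""
    if not 0 <= rpz_feed <= RPZ_MASK:
        raise ValueError("feed index out of range")
    return rpz_feed | (VIEW_MASK if internal else 0) | (TRUSTED_MASK if trusted else 0)
```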