One of the difficulties in defining an ACL is actually in how an ACL
works. The RFC 4949 definition describes a 'mechanism' where
ietf-netmod-acl-model describes a functional 'ordered set'. In other
words, RFC 4949 does not say how a list is processed, where
ietf-netmod-acl-model implies a serial processing, although not how
the list is ordered or how a resulting match is attained. It seems
like splitting hairs but I would argue that the ietf-netmod-acl-model
definition is a subset of the RFC 4949 one. So which one we use
determines a scope of outcome.
I think the real implied question here is if the focus of our work is
biased or limited towards YANG models, and by implication NETCONF as a
management protocol? Adopting the ietf-netmod-acl-model definition
clearly means yes. I do not believe that RFC 4949 is planned to be
superseded, and I agree with BobN in this case that the RFC 4949
definition is the broader one.
Cheers!
Ed Lopez
On 9/12/2016 at 1:27 PM, "Bob Natale" wrote:
Hi Linda,
It seems to me that the RFC4949 definition is more general and that
ietf-netmod-acl-model defines one compatible specific variation. Some
of the specifics of that definition might not apply in all cases.
In fact, I am somewhat surprised that the latter document did not,
evidently, reference RFC4949 … at least for a baseline definition.
True, it’s a bit dated, but I think that mostly affects concepts
and constructs introduced since its publication … the widespread use
of ACLs predates RFC4949 by a lot.
For reference, the fairly recent CNSSI 4009, _Committee on National
Security Systems (CNSS) Glossary_ (Apr 6, 2015) also uses a more
general definition:
access control list (ACL)
A list of permissions associated with an object. The list specifies
who or what is allowed to access the object and what operations are
allowed to be performed on the object.
Avanti,
BobN
From: I2nsf [mailto:[email protected]] On Behalf Of Linda Dunbar
Sent: Monday, September 12, 2016 1:07 PM
To: John Strassner ; Susan Hares ; [email protected]
Subject: [I2nsf] I2NSF Terminology's definition on "ACL" is different from ietf-netmod-acl-model
John, et al,
The “ietf-netmod-acl-model” has “ACL” defined as:
An ACL is an ordered set of rules that is used to filter traffic on a
networking device. Each rule is represented by an Access Control
Entry (ACE).
The “draft-ietf-i2nsf-terminology-01” has ACL as:
ACL (Access Control List): This is a mechanism that implements
access control for a system resource by enumerating the system
entities that are permitted to access the resource and stating,
either implicitly or explicitly, the access modes granted to
each entity [RFC4949]. A YANG description is defined in
[I-D.ietf-netmod-acl-model].
Can we make I2NSF’s ACL definition consistent with the
“ietf-netmod-acl-model”?
Thanks,
Linda
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
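The two readings of "ACL" argued over in this thread can be made concrete in code. The following is an added illustration, not code from ietf-netmod-acl-model, RFC 4949 or any of the posters: `evaluate_ordered_acl` implements the netmod reading (an ordered set of ACEs, processed serially, first match wins), `evaluate_object_acl` implements the RFC 4949 / CNSSI 4009 reading (a list of permissions attached to an object), and `implied_permissions` shows Ed's subset point by deriving, from an ordered ACL, the access modes it implicitly grants to each enumerated entity. The ACE fields, packet dictionaries, addresses and the "forward" mode name are all constructed for the example. The point a practitioner should take from the ordered case is that the same set of ACEs in a different order yields a different outcome, so ordering is part of the definition, not an implementation detail.

```python
"""Added illustration of the two ACL readings discussed in the thread.

Nothing here is taken from ietf-netmod-acl-model or RFC 4949; the packets,
prefixes and permission data below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry of an ordered ACL (ietf-netmod-acl-model reading)."""
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source prefix; the default matches any IPv4 source
    dst: str = "0.0.0.0/0"       # destination prefix
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.get("proto"))
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate_ordered_acl(aces: List[ACE], pkt: Dict,
                         default: str = "deny") -> Tuple[str, Optional[int]]:
    """Serial, first-match evaluation: the ACL is an ordered set of rules, so the
    first ACE that matches decides and later ACEs are never consulted.
    Returns (action, index of the deciding ACE), or (default, None) if nothing matched."""
    for idx, ace in enumerate(aces):
        if ace.matches(pkt):
            return ace.action, idx
    return default, None


def evaluate_object_acl(object_acl: Dict[str, Set[str]], subject: str, mode: str) -> bool:
    """RFC 4949 / CNSSI 4009 reading: a list of permissions attached to an object,
    naming which entities may access it and in which modes."""
    return mode in object_acl.get(subject, set())


def implied_permissions(aces: List[ACE], subjects: List[str],
                        pkt_template: Dict) -> Dict[str, Set[str]]:
    """Bridge between the two readings: running candidate source entities through
    the ordered ACL yields the access mode it grants 'implicitly' (RFC 4949's
    wording) to each entity, i.e. an object-style permission list for the
    destination/service described by pkt_template. 'forward' is a constructed mode name."""
    granted: Dict[str, Set[str]] = {}
    for subj in subjects:
        action, _ = evaluate_ordered_acl(aces, dict(pkt_template, src=subj))
        granted[subj] = {"forward"} if action == "permit" else set()
    return granted


# Constructed sample: the same two ACEs in two different orders.
DENY_SSH = ACE("deny", src="10.0.0.0/8", proto="tcp", dport=22)
PERMIT_NET = ACE("permit", src="10.0.0.0/8")
ACL_SPECIFIC_FIRST = [DENY_SSH, PERMIT_NET]   # specific deny shadows the broad permit
ACL_GENERAL_FIRST = [PERMIT_NET, DENY_SSH]    # broad permit shadows the deny entirely

SSH_PKT = {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}
WEB_PKT = {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}

if __name__ == "__main__":
    print(evaluate_ordered_acl(ACL_SPECIFIC_FIRST, SSH_PKT))  # ('deny', 0)
    print(evaluate_ordered_acl(ACL_GENERAL_FIRST, SSH_PKT))   # ('permit', 0)
    file_acl = {"alice": {"read", "write"}, "bob": {"read"}}
    print(evaluate_object_acl(file_acl, "bob", "write"))      # False
    print(implied_permissions(ACL_SPECIFIC_FIRST, ["10.1.2.3", "172.16.0.9"], WEB_PKT))
```

The ordered evaluator has no notion of "most specific match"; an ACE is found only by its position, which is exactly why `ACL_GENERAL_FIRST` never denies SSH even though the deny ACE is present. When reviewing an ACL in a device configuration, checking for ACEs that can never be reached because an earlier, broader ACE shadows them is the practical consequence of the "ordered set" definition.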