+1 to Bob’s statement that RFC4949 is the broader definition.  It better fits 
the expanded work represented by SUPA and I2RS on Filter-based policy that may 
be ordered by the user. 

Sue 

PS – If you wish additional comments on SUPA and I2RS, John Strassner is best 
able to comment on SUPA and I will comment on I2RS Filters. 

From: I2nsf [mailto:[email protected]] On Behalf Of 
[email protected]
Sent: Monday, September 12, 2016 3:35 PM
To: Bob Natale; Linda Dunbar; John Strassner; Susan Hares
Cc: [email protected]
Subject: Re: [I2nsf] I2NSF Terminology's definition on "ACL" is different from 
ietf-netmod-acl-model

One of the difficulties in defining an ACL is actually in how an ACL works.  
The RFC 4949 definition describes a 'mechanism' where ietf-netmod-acl-model 
describes a functional 'ordered set'.  In other words, RFC 4949 does not say how 
a list is processed, where ietf-netmod-acl-model implies a serial processing, 
although not how the list is ordered or how a resulting match is attained.  It 
seems like splitting hairs but I would argue that the ietf-netmod-acl-model 
definition is a subset of the RFC 4949 one.  So which one we use determines a 
scope of outcome.

I think the real implied question here is if the focus of our work is biased or 
limited towards YANG models, and by implication NETCONF as a management 
protocol?  Adopting the ietf-netmod-acl-model definition clearly means yes.  I 
do not believe that RFC 4949 is planned to be superseded, and I agree with BobN 
in this case that the RFC 4949 definition is the broader one.

Cheers!

Ed Lopez
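To make the distinction Ed draws concrete, the following is an added example that is not from this thread, from RFC 4949 or from ietf-netmod-acl-model: it evaluates the same two constructed ACEs as a serially processed ordered list (the netmod reading) next to an order-free per-resource permission list (the RFC 4949 reading). The rule encoding, addresses, entity names and the dict layout for the RFC 4949 list are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# ietf-netmod-acl-model reading: an ordered set of ACEs, evaluated serially.
@dataclass(frozen=True)
class Ace:
    """One Access Control Entry (constructed encoding): match fields + action."""
    name: str
    src: str                  # CIDR prefix the source address must fall in
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "permit" or "deny"

def eval_ordered_acl(aces: List[Ace], src_ip: str, dst_port: int,
                     default: str = "deny") -> Tuple[str, Optional[str]]:
    """Serial first-match: the first ACE whose condition matches decides."""
    addr = ip_address(src_ip)
    for ace in aces:
        if addr in ip_network(ace.src) and ace.dst_port in (None, dst_port):
            return ace.action, ace.name
    return default, None      # implicit default when no ACE matched

# RFC 4949 reading: per-resource enumeration of entities and their access modes.
# RFC 4949 describes the mechanism, not an encoding; this dict is an assumption.
Rfc4949Acl = Dict[str, Set[str]]   # entity -> set of granted access modes

def rfc4949_check(acl: Rfc4949Acl, entity: str, mode: str) -> bool:
    """Granted iff the entity is enumerated with that mode; no ordering exists."""
    return mode in acl.get(entity, set())

# Constructed sample rules: the same two ACEs in two orders.
DENY_MGMT = Ace("deny-mgmt", "10.0.0.0/8", 22, "deny")
PERMIT_LAN = Ace("permit-lan", "10.0.1.0/24", None, "permit")

def ordering_matters() -> Tuple[str, str]:
    """Outcome for 10.0.1.5 -> port 22 under each ordering of the same ACEs."""
    first = eval_ordered_acl([DENY_MGMT, PERMIT_LAN], "10.0.1.5", 22)[0]
    second = eval_ordered_acl([PERMIT_LAN, DENY_MGMT], "10.0.1.5", 22)[0]
    return first, second      # ("deny", "permit"): order decides the result

if __name__ == "__main__":
    print("ordered ACL:", ordering_matters())
    acl: Rfc4949Acl = {"alice": {"read", "write"}, "bob": {"read"}}
    # The RFC 4949 list has no order to vary: only the enumerated modes count.
    print("rfc4949 bob/write:", rfc4949_check(acl, "bob", "write"))
```

The ordered form yields a different answer for the same packet depending only on ACE order, which is exactly the processing detail RFC 4949's mechanism-level definition leaves unspecified.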


On 9/12/2016 at 1:27 PM, "Bob Natale" <[email protected]> wrote:

Hi Linda,

It seems to me that the RFC4949 definition is more general and that 
ietf-netmod-acl-model defines one compatible specific variation. Some of the 
specifics of that definition might not apply in all cases.

In fact, I am somewhat surprised that the latter document did not, evidently, 
reference RFC4949 … at least for a baseline definition. True, it’s a bit dated, 
but I think that mostly affects concepts and constructs introduced since its 
publication … the widespread use of ACLs predates RFC4949 by a lot.

For reference, the fairly recent CNSSI 4009, Committee on National Security 
Systems (CNSS) Glossary (Apr 6, 2015) also uses a more general definition:


access control list (ACL) 

A list of permissions associated with an object. The list specifies who or what 
is allowed to access the object and what operations are allowed to be performed 
on the object. 

Avanti,

BobN

From: I2nsf [mailto:[email protected]] On Behalf Of Linda Dunbar
Sent: Monday, September 12, 2016 1:07 PM
To: John Strassner <[email protected]>; Susan Hares <[email protected]>; 
[email protected]
Subject: [I2nsf] I2NSF Terminology's definition on "ACL" is different from 
ietf-netmod-acl-model

John, et al, 

The “ietf-netmod-acl-model” has “ACL” defined as:

An ACL is an ordered set of rules that is used to filter traffic on a
networking device. Each rule is represented by an Access Control
Entry (ACE).

The “draft-ietf-i2nsf-terminology-01” has ACL as: 

ACL (Access Control List):  This is a mechanism that implements
      access control for a system resource by enumerating the system
      entities that are permitted to access the resource and stating,
      either implicitly or explicitly, the access modes granted to each
      entity [RFC4949]. A YANG description is defined in
      [I-D.ietf-netmod-acl-model].


Can we make I2NSF’s ACL definition consistent with the 
“ietf-netmod-acl-model”? 

Thanks, 

Linda 

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
