On 02/02/2018 07:48, Eliot Lear wrote:
Hi Kristian,

On 02.02.18 08:44, Kristian Larsson wrote:

I've reviewed this model, I think I largely caused the last couple of
updates to it late last year. Overall I think it is a good model.
Placement of feature-statements could be debated - no clear answers.
object groupings is something I would like to see in the model but it
was always deferred.

On 2018-01-22 16:50, Kent Watsen wrote:
Hi Mahesh,

Thanks, it doesn't get much more concrete then a pull request  ;)

Okay, so from a chair/shepherd perspective, can folks please consider
this update to -15 as the LC solution to removing the open issue
Juergen found in the draft?

As a contributor, I don't think the name of the groupings or their
description statements should allude to something that doesn't exist
yet.  Rather than e.g. "source-or-group", could it be instead
something like "source-type"?

Also, the update seems to be for both when specifying networks as
well as when specifying port-ranges, but the original issue (see
below) only mentioned addresses - is the pull-request actually what's
needed and the description of the issue in Section 8 is incomplete?

      8.  Open Issues

         o  The current model does not support the concept of

              used to contain multiple addresses per rule entry.
Object groupings are useful whenever there are many of something.
There are usually more address entries than ports, so perhaps more
useful for addresses, but it can still be useful to say "NFS-PORTS"
and mean all the ports that NFS use (god knows what they are).

Other have mentioned scale ACL and that it can be solved in other
ways. To me, this sort of object-groupings is not about optimising
things for the hardware but rather making it easy for me to write
rules. I think it is paramount for security that ACLs can be easily
read and understood. If we do not understand them, then we cannot say
they are effective and secure. Object groupings greatly improves the
readability of ACLs and thus makes it easier to write secure ACLs.

I understand the authors wishes to get the first version out the door
but I can't help but wonder if it isn't just easier to add in object
groupings now. It's not that damn complicated (they are just lists).
If not, I'm happy to work with them on the next version which could
include object groupings.
Please let's aim for the next version.  This document just completed
what I think is its FIFTH last call, which to me is nothing short of insane.
+1 for publishing the draft now.

If there are further bells and whistles that need to be added then ideally they would be covered by an ACL-extensions model that augments the base ACL model.  If tweaks are required to the base model to achieve it then I think that creating a v2 version of the ACL model is also OK.


netmod mailing list

Reply via email to