Hi everyone again,

This one is more interesting.

Right now, if you want to allow DNS and NTP and similar services, you have to entirely allow them. You can't specify which servers to allow. But we are this close to being able to do just that. There is a controller class function already available, although there is no standard naming for that class.

What I propose to do is create a registry for certain standard classes that devices can be registered into. In this way, authorized DNS servers (for example) could be registered by the enterprise administrator into urn:mud:nameserver, or, for NTP, into urn:mud:ntp.

This allows us to solve another problem as well. We can also specify defaults. My suggestion is that both of those classes (nameserver and ntp) be included as "permit" defaults. In the context of an access list, that would mean that they would be *appended*, meaning that it would be possible for the manufacturer to add an explicit "deny" in front of them to negate either or both.

These proposals require no explicit model changes, but I would specify in the document the precise JSON that the default would mean. The benefit of doing this is to keep the files more succinct and readable.

Comments?

Eliot
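The following is an added example written for this page; it is not Eliot's code and not part of any MUD implementation. It models the proposal above as a first-match access list: the manufacturer's ACEs come first, the two "permit" defaults for urn:mud:nameserver and urn:mud:ntp are appended after them, each controller class resolves to whatever the enterprise administrator registered in it, and an explicit "deny" placed in front by the manufacturer therefore wins. The ACE field names, the registry structure, the `render_mud_ace` JSON shape (an `ietf-mud:mud` controller match plus `actions.forwarding`) and the RFC 5737 documentation addresses are all assumptions constructed for illustration.

```python
"""Added example: first-match ACL with controller classes and appended defaults.
Illustrative code for this page, not Eliot's and not from any MUD implementation.

Assumptions (all constructed for illustration):
- An ACE is a dict with "name", "action" ("accept" or "drop") and "controller",
  the class URN (urn:mud:nameserver / urn:mud:ntp, as named in the post).
- The enterprise administrator keeps a registry mapping each class URN to the
  addresses registered into it.
- Addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
import json

# Classes the proposal would add as "permit" defaults, appended to the ACL.
DEFAULT_PERMIT_CLASSES = ("urn:mud:nameserver", "urn:mud:ntp")


def default_aces():
    """ACEs the default expands to: one 'accept' per default class."""
    return [
        {"name": "default-" + urn.rsplit(":", 1)[1], "action": "accept", "controller": urn}
        for urn in DEFAULT_PERMIT_CLASSES
    ]


def render_mud_ace(ace):
    """Render one controller ACE in a MUD-style ACE shape (matches / actions).
    The 'ietf-mud:mud' controller match used here is an assumption."""
    return {
        "name": ace["name"],
        "matches": {"ietf-mud:mud": {"controller": ace["controller"]}},
        "actions": {"forwarding": ace["action"]},
    }


def default_json():
    """The JSON the 'permit' defaults stand for, as a printable string."""
    return json.dumps([render_mud_ace(a) for a in default_aces()], indent=2)


def expand_acl(manufacturer_aces, registry):
    """Append the default permits after the manufacturer's ACEs, then resolve each
    controller class to the hosts the enterprise registered in it.
    A class with no registration resolves to no hosts, so a permit for it
    permits nothing: an unused default opens nothing up."""
    acl = list(manufacturer_aces) + default_aces()
    expanded = []
    for ace in acl:
        hosts = [ipaddress.ip_address(h) for h in registry.get(ace["controller"], [])]
        expanded.append({"name": ace["name"], "action": ace["action"], "hosts": hosts})
    return expanded


def evaluate(expanded_acl, dst_ip):
    """First-match evaluation; unmatched traffic falls to the implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for ace in expanded_acl:
        if ip in ace["hosts"]:
            return ace["action"], ace["name"]
    return "drop", "implicit-deny"


# Constructed registry: what an enterprise administrator might have registered.
REGISTRY = {
    "urn:mud:nameserver": ["192.0.2.53"],
    "urn:mud:ntp": ["192.0.2.123"],
}

# Manufacturer ACL with no ACEs of its own: both defaults apply.
PLAIN_ACL = []
# Manufacturer ACL that negates the NTP default with an explicit deny in front.
NO_NTP_ACL = [{"name": "deny-ntp", "action": "drop", "controller": "urn:mud:ntp"}]


def demo():
    """Return (action, matching ACE name) for a few destinations under each ACL."""
    plain = expand_acl(PLAIN_ACL, REGISTRY)
    no_ntp = expand_acl(NO_NTP_ACL, REGISTRY)
    dns_only_registry = {"urn:mud:nameserver": ["192.0.2.53"]}
    return {
        "plain/dns": evaluate(plain, "192.0.2.53"),
        "plain/ntp": evaluate(plain, "192.0.2.123"),
        "plain/other": evaluate(plain, "198.51.100.7"),
        "no_ntp/dns": evaluate(no_ntp, "192.0.2.53"),
        "no_ntp/ntp": evaluate(no_ntp, "192.0.2.123"),
        # With no NTP servers registered, the NTP default permits nothing.
        "unregistered/ntp": evaluate(expand_acl(PLAIN_ACL, dns_only_registry), "192.0.2.123"),
    }


if __name__ == "__main__":
    print(default_json())
    for key, result in demo().items():
        print(key, result)
```

The `unregistered/ntp` case is the check worth keeping in mind when reviewing the proposal: because a default permit only ever resolves to hosts the administrator actually registered, an enterprise that registers nothing in a class gets the same behaviour as today (implicit deny), while the manufacturer's explicit deny still takes precedence whenever it is placed ahead of the appended default.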
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg