Hi everyone again,

This one is more interesting.

Right now, if you want to allow DNS and NTP and similar services, you
have to entirely allow them.  You can't specify which servers to allow. 
But we are this close to being able to do just that.  There is a
controller class function already available, although there is no
standard naming for that class.  What I propose to do is create a
registry for certain standard classes that devices can be registered
into.  In this way, authorized DNS servers (for example) could be
registered by the enterprise administrator into urn:mud:nameserver, or
for NTP being urn:mud:ntp.

This allows us to solve another problem as well.  We can also specify
defaults.  My suggestion is that both of those classes (nameserver and
ntp) be included as "permit" defaults.  In the context of an access
list, that would mean that they would be *appended*, meaning that it
would be possible for the manufacturer to add an explicit "deny" in
front of them to negate either or both.  These proposals require no
explicit model changes, but I would specify in the document the precise
JSON that the default would mean.  The benefit of doing this is to keep
the files more succinct and readable.

Comments?
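To make the proposal concrete, here is an added illustration (not Eliot's code, and not the MUD YANG model; the JSON shape, the registry contents and the first-match evaluation are assumptions) of how a controller would resolve the urn:mud:nameserver and urn:mud:ntp classes from an enterprise registry, append the two "permit" defaults, and honour a manufacturer's explicit "deny" placed in front of them:

```python
from typing import Dict, List

# Constructed enterprise registry: the administrator registers the
# authorized servers under each class URN named in the post.
REGISTRY: Dict[str, List[str]] = {
    "urn:mud:nameserver": ["192.0.2.53"],
    "urn:mud:ntp": ["192.0.2.123"],
}

# Defaults appended to every device's access list (assumed JSON shape).
DEFAULT_ACES = [
    {"action": "permit", "controller": "urn:mud:nameserver", "port": 53},
    {"action": "permit", "controller": "urn:mud:ntp", "port": 123},
]


def expand(manufacturer_aces, registry):
    """Resolve class URNs to concrete server addresses.

    Manufacturer entries come first; the defaults are appended after them,
    so an explicit deny in the MUD file wins under first-match evaluation.
    """
    rules = []
    for ace in list(manufacturer_aces) + DEFAULT_ACES:
        for server in registry.get(ace["controller"], []):
            rules.append({"action": ace["action"],
                          "dst": server, "port": ace["port"]})
    return rules


def decide(rules, dst, port):
    """First matching rule decides; anything unmatched is denied (assumed)."""
    for r in rules:
        if r["dst"] == dst and r["port"] == port:
            return r["action"]
    return "deny"


# Case 1: MUD file that says nothing about DNS or NTP; defaults apply.
plain = expand([], REGISTRY)

# Case 2: manufacturer negates the NTP default with an explicit deny.
no_ntp = expand(
    [{"action": "deny", "controller": "urn:mud:ntp", "port": 123}], REGISTRY)

if __name__ == "__main__":
    print(decide(plain, "192.0.2.53", 53))       # registered DNS server: permit
    print(decide(no_ntp, "192.0.2.123", 123))    # registered NTP server: deny
    print(decide(plain, "198.51.100.5", 53))     # unregistered resolver: deny
```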

Eliot


_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg