I just had a chat with Eliot after reviewing the latest draft he is working on, and I expressed a couple of concerns about how the from-device/to-device semantics for traffic have been baked into the ACL definition. I think this approach is intrusive and somewhat non-obvious (depending on who you are ;-), so I'd like to propose a change to this to take the binding of an ACL to a "MUD device" out of the ACL and instead have a standalone container construct to express this binding. I think that this could also set the basic direction for future extensibility targeted at going beyond just access policy.
I will propose something early-to-mid next week and will work with Eliot to ensure the cut-off isn't missed.

Cheers,
Einar

> Hi everyone,
>
> I wanted to give a brief update on this draft. Right now we've resolved a lot of comments in our previous version. I am awaiting an update on draft-ietf-netmod-acl-model, which is undergoing revisions, as discussed in the last opsawg meeting. Once that has taken place I will rev the draft again. At the same time, we have gotten some amount of experience in terms of generating config that we can share in the draft, much of which is common sense. And so, for instance, we would want to probably at least suggest or perhaps require that MUD files that are generated use "permit" parts of the ACLs to keep things simple at the beginning. Also, making use of IP addresses themselves in the ACL would be considered unfriendly, unless it's a multicast address. This is because the whole scaling function of MUD is to abstract those addresses out.
>
> Beyond that, look for more before the last call cutoff.
>
> Eliot
>
> OPSAWG mailing list
> https://www.ietf.org/mailman/listinfo/opsawg
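The two generation guidelines in Eliot's update (permit-only ACEs, and no literal addresses unless they are multicast) turned into a small lint check over a MUD file. This is an added example, not code from the draft or its authors; the JSON layout and key names (acls/acl/aces/ace, forwarding, destination-ipv4-network) follow the ietf-access-control-list model and are an assumption about what a generated MUD file looks like, and the sample file is constructed.

```python
import ipaddress
import json

# Constructed sample MUD file fragment (not taken from the draft). The
# acls/acl/aces/ace nesting and the match/action key names are assumed to
# follow the ietf-access-control-list model the draft builds on.
SAMPLE_MUD = json.dumps({
    "ietf-access-control-list:acls": {
        "acl": [{
            "name": "mud-12345-v4fr",
            "type": "ipv4-acl-type",
            "aces": {"ace": [
                {"name": "cloud-tls",            # DNS name: the intended MUD style
                 "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "update.example.com",
                                      "protocol": 6}},
                 "actions": {"forwarding": "accept"}},
                {"name": "mdns",                 # literal address, but multicast: allowed
                 "matches": {"ipv4": {"destination-ipv4-network": "224.0.0.251/32",
                                      "protocol": 17}},
                 "actions": {"forwarding": "accept"}},
                {"name": "hardcoded-server",     # literal unicast address: unfriendly
                 "matches": {"ipv4": {"destination-ipv4-network": "203.0.113.7/32"}},
                 "actions": {"forwarding": "accept"}},
                {"name": "block-all",            # non-permit action: keep it out for now
                 "matches": {"ipv4": {"protocol": 6}},
                 "actions": {"forwarding": "drop"}},
            ]},
        }]
    }
})

ADDRESS_KEYS = ("source-ipv4-network", "destination-ipv4-network",
                "source-ipv6-network", "destination-ipv6-network")


def lint_mud(mud_json: str) -> list:
    """Return (acl, ace, problem) tuples for ACEs that break either guideline."""
    findings = []
    acls = json.loads(mud_json)["ietf-access-control-list:acls"]["acl"]
    for acl in acls:
        for ace in acl.get("aces", {}).get("ace", []):
            fwd = ace.get("actions", {}).get("forwarding")
            if fwd != "accept":
                findings.append((acl["name"], ace["name"], f"non-permit action {fwd!r}"))
            for layer in ("ipv4", "ipv6"):
                for key in ADDRESS_KEYS:
                    net = ace.get("matches", {}).get(layer, {}).get(key)
                    # strict=False accepts host bits set in the prefix, as generators often emit
                    if net and not ipaddress.ip_network(net, strict=False).is_multicast:
                        findings.append((acl["name"], ace["name"],
                                         f"literal unicast address in {key}"))
    return findings
```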
