Hi Ranga,

On 10/18/17 11:55 PM, M. Ranganathan wrote:
> This is a made up example.
>
> Is the following ACE valid for MUD?
>
>      "matches": {
>                 "ietf-mud:mud-acl": {
>                   "controller": "urn:ietf:params:mud:dns"
>                 },
>                 "ipv4-acl": {
>                   "ietf-acldns:src-dnsname": "www.nist.gov",
>                   "protocol": 6,
>                   "source-port-range": {
>                     "lower-port": 53,
>                     "upper-port": 53
>                   }
>                 },
>                 "tcp-acl": {
>                   "ietf-mud:direction-initiated": "from-device"
>                 }
>               }
>
> This ACL has both a controller AND dns-name ACL.
>
> Presumably the controller would take precedence and the dnsname must be
> ignored (?)
> Thank you in advance for your clarification.

No, I don't think it would make sense to write that.  The way ACEs are
normally interpreted, and this is all based on the ACL model, is that
they are ANDed.  It's likely also to confuse a controller.  I could see
a pretty good argument for making an explicit statement about warning
against that in the text.  If the chairs and the WG don't mind, I will
add that in my working copy.

Eliot
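
A lint check for the combination discussed above, as an added example that is not part of the original message or of the MUD draft: because the terms of an ACE are ANDed, it flags any ACE whose "matches" node carries both a controller match and a DNS-name match. The ACE labels and the second sample ACE are constructed; `my-controller` and `ietf-acldns:dst-dnsname` are sibling leaves assumed to be in scope alongside the keys quoted in the message.

```python
# Constructed input: ACE label -> "matches" node. The first entry is the node
# quoted in the message; the second is a constructed DNS-only ACE for contrast.
SAMPLE_ACES = {
    "ace-from-message": {
        "ietf-mud:mud-acl": {"controller": "urn:ietf:params:mud:dns"},
        "ipv4-acl": {
            "ietf-acldns:src-dnsname": "www.nist.gov",
            "protocol": 6,
            "source-port-range": {"lower-port": 53, "upper-port": 53},
        },
        "tcp-acl": {"ietf-mud:direction-initiated": "from-device"},
    },
    "ace-dns-only": {
        "ipv4-acl": {"ietf-acldns:dst-dnsname": "www.nist.gov", "protocol": 6},
    },
}

MUD_NODE = "ietf-mud:mud-acl"
# Assumption: these are the controller and DNS-name leaves to look for.
CONTROLLER_KEYS = {"controller", "my-controller"}
DNS_KEYS = {"ietf-acldns:src-dnsname", "ietf-acldns:dst-dnsname"}


def find_keys(node, wanted):
    """Collect every key in `wanted` found at any depth under `node`."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in wanted:
                found.add(key)
            found |= find_keys(value, wanted)
    elif isinstance(node, list):
        for item in node:
            found |= find_keys(item, wanted)
    return found


def conflicting_aces(aces):
    """Return (label, controller keys, DNS keys) for each ACE that ANDs both."""
    flagged = []
    for label, matches in aces.items():
        ctrl = find_keys(matches.get(MUD_NODE, {}), CONTROLLER_KEYS)
        dns = find_keys(matches, DNS_KEYS)
        if ctrl and dns:
            flagged.append((label, sorted(ctrl), sorted(dns)))
    return flagged


if __name__ == "__main__":
    for label, ctrl, dns in conflicting_aces(SAMPLE_ACES):
        print(f"{label}: controller match {ctrl} is ANDed with DNS-name match {dns}")
```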

