[anonsec] BYPASS OR PROTECT
kent at bbn.com
Thu Apr 5 05:13:03 PDT 2007
At 2:08 PM -0500 4/4/07, Nicolas Williams wrote:
>On Tue, Apr 03, 2007 at 12:31:27PM -0400, Michael Richardson wrote:
>> Stephen Kent wrote:
>> > The existing 4301 model describes BYPASS and PROTECT as mutually
>> > exclusive descriptions. So, the new option, which might more properly
>> > be named "PROTECT IF POSSIBLE" is a third option that the user has to
>> As this is used primarily on the responder, I suggest the
>>wording be in fact:
>> "PROTECT IF REQUESTED"
>Actually, these rules might not be used at all by administrators, but be
>created dynamically by applications. In any case, they are used on both
>sides (client and server).
>We could just call them TEMPLATE BYPASS OR PROTECT (yes, I still like
>the name I picked originally) -- something that indicates: a) the fact
>these aren't rules as such but rules that give rise to flow-specific
>rules, and b) that the latter may be either BYPASS or PROTECT rules.
I'm not saying this is a bad idea, but I don't think I've seen a
clear description of how the templates fit into the extant 4301
model. Maybe we need more details. Also, if apps create the rules,
there is still a need to be able to determine if they conflict with
other rules already created by an admin, in order to be sure that an
admin-controlled access control policy is not subverted.
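
Added example, not part of the original message or of any IPsec implementation: one way to run the conflict check the message asks for, flagging admin rules whose traffic an application-created rule or template could treat less strictly. The rule fields, the strictness ordering and the sample policy are assumptions of this sketch, and it ignores the ordered, first-match evaluation of a real 4301 SPD.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumption of this example: an action is "weaker" the less protection it gives.
STRICTNESS = {"BYPASS": 0, "PROTECT": 1, "DISCARD": 2}
# A template may give rise to a flow-specific rule of either kind.
OUTCOMES = {"BYPASS": ("BYPASS",), "PROTECT": ("PROTECT",), "DISCARD": ("DISCARD",),
            "BYPASS OR PROTECT": ("BYPASS", "PROTECT")}

@dataclass(frozen=True)
class Rule:
    name: str
    local: str     # local addresses, CIDR
    remote: str    # remote addresses, CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) remote port range
    action: str    # a key of OUTCOMES

def overlaps(a, b):
    """True if some packet could match the selectors of both rules."""
    return (ip_network(a.local).overlaps(ip_network(b.local))
            and ip_network(a.remote).overlaps(ip_network(b.remote))
            and (a.proto == b.proto or "any" in (a.proto, b.proto))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def conflicts(admin_spd, app_rule):
    """Admin rules whose traffic the app rule could treat less strictly."""
    weakest = min(STRICTNESS[o] for o in OUTCOMES[app_rule.action])
    return [r for r in admin_spd if overlaps(r, app_rule)
            and weakest < min(STRICTNESS[o] for o in OUTCOMES[r.action])]

# Constructed sample policy (private and documentation address ranges).
ADMIN_SPD = [
    Rule("admin-nfs", "10.0.0.0/24", "10.0.5.0/24", "tcp", (2049, 2049), "PROTECT"),
    Rule("admin-block", "10.0.0.0/24", "192.0.2.0/24", "any", (0, 65535), "DISCARD"),
    Rule("admin-dns", "10.0.0.0/24", "0.0.0.0/0", "udp", (53, 53), "BYPASS"),
]
# Constructed application-created templates.
APP_NFS = Rule("app-nfs", "10.0.0.7/32", "10.0.5.0/24", "tcp", (2049, 2049),
               "BYPASS OR PROTECT")
APP_DNS = Rule("app-dns", "10.0.0.7/32", "198.51.100.53/32", "udp", (53, 53),
               "BYPASS OR PROTECT")

if __name__ == "__main__":
    for app in (APP_NFS, APP_DNS):
        hits = [r.name for r in conflicts(ADMIN_SPD, app)]
        print(app.name, "->", hits or "no conflict")
```

The NFS template is flagged because its BYPASS outcome would weaken the admin's PROTECT rule for the same flow; the DNS template is not, since the admin already bypasses that traffic.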