[anonsec] BYPASS OR PROTECT

Nicolas Williams Nicolas.Williams at sun.com
Thu Apr 5 08:49:47 PDT 2007


On Thu, Apr 05, 2007 at 07:32:37AM -0400, Stephen Kent wrote:
> At 12:27 PM -0500 4/4/07, Nicolas Williams wrote:
> >On Wed, Apr 04, 2007 at 01:09:51PM -0400, Michael Richardson wrote:
> >>   Your word "precedence" is funny to me, since the entries don't have
> >> the same precedence if they are ordered.
> >
> >I too wondered about the "but those were entries that all had the same
> >precedence" bit -- these are ordered lists, so no two rules can have the
> >"same precedence."
> 
> The issue is not precedence once the list (PAD or SPD) is ordered.
> The issue is that given an extant, presumably OK list, if someone
> tries to add a new entry at a given location in the ordered database,
> are they allowed to do so. If PAD/SPD entries have a label that
> indicates the precedence/priority of each entry, analogous to
> user/supervisor state, then maybe one can decide whether the new
> entry can be added (at the requested point) based on the comparison
> with the extant entries and their labels.

This sounds very much like what I meant by insertion points -- you have
to know, or else you have to have some way to figure out where in the
SPD to insert API-driven rules.

(Of course, native implementations might not implement API-driven rules as
rules that are inserted into the SPD as there are other morally
equivalent ways to describe this, but we're trying to stay close to the
RFC4301 model.)

Nico
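As an added illustration of the insertion-point and label idea discussed above (this is not code from the thread or from any IPsec implementation): a toy ordered SPD where each entry carries a privilege label, and a requester may only insert at a position if no entry that would end up behind it (and so could be shadowed) is more privileged. The label values, the (protocol, port) selector format and the comparison rule are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Privilege labels on SPD entries, analogous to supervisor/user state (an
# assumed model for illustration): a smaller number is more privileged.
SUPERVISOR, USER = 0, 1
# A selector is (protocol, destination port); None is a wildcard (assumed format).
Selector = Tuple[Optional[str], Optional[int]]

@dataclass
class SpdEntry:
    selector: Selector
    action: str  # "PROTECT", "BYPASS" or "DISCARD"
    label: int   # privilege of whoever installed the entry

def selector_matches(sel: Selector, proto: str, port: int) -> bool:
    return sel[0] in (None, proto) and sel[1] in (None, port)

@dataclass
class OrderedSpd:
    entries: List[SpdEntry] = field(default_factory=list)

    def may_insert(self, position: int, label: int) -> bool:
        """Permit insertion at `position` only if no entry that would end up
        after it (and so could be shadowed, first match winning) is more privileged."""
        return 0 <= position <= len(self.entries) and all(
            e.label >= label for e in self.entries[position:])

    def insert(self, position: int, entry: SpdEntry) -> bool:
        if not self.may_insert(position, entry.label):
            return False
        self.entries.insert(position, entry)
        return True

    def lookup(self, proto: str, port: int) -> str:
        # Ordered search, first match wins; unmatched packets are discarded (RFC 4301).
        for e in self.entries:
            if selector_matches(e.selector, proto, port):
                return e.action
        return "DISCARD"

def demo() -> Tuple[OrderedSpd, List[bool]]:
    spd = OrderedSpd()  # constructed sample policy
    results = [
        spd.insert(0, SpdEntry(("tcp", 22), "PROTECT", SUPERVISOR)),  # admin protects SSH
        spd.insert(0, SpdEntry((None, None), "BYPASS", USER)),  # user jumping ahead: refused
        spd.insert(1, SpdEntry(("udp", 53), "BYPASS", USER)),  # user rule behind it: accepted
    ]
    return spd, results
```

A real implementation would also need to restrict the check to entries whose selectors actually overlap the new one, which this toy deliberately ignores.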