
Re: IP Address in the ACM (Was: Comments on Access Control Model - BNF)
Bob said:
>I agree in general that IP addresses shouldn't be used
>as identities and that RFC2820 is correct on this count.
>However the goal at the time the original model draft was
>written was to support (or at least not exclude) things
>which existing implementations were already doing, however
>misguided they might be from a "pure security" point of
>view.  Several implementations supported and still
>support IP addresses as subject attributes.

I note that most implementations actually support IP address
with some form of wildcard support.  Requiring an ACI
value per IP address just doesn't scale.

>To your second point, the precedence assignment was based
>on the observation that it's usually not a single IP
>address which is included in a policy, but a range of IP
>addresses.  Normally everything within (or everything
>except) a specific IP address range is excluded from access
>-- REGARDLESS of other attributes.  Hence IP address became
>the highest precedence -- because the mechanism is essentially
>enforcing topology control & hence to be effective has
>to be enforced first.

Since you did note "IP address range", my general comment
is that this subject is less specific than various other
subjects and hence should be lower.

Also, as far as implementing "topology controls", non-ACM
mechanisms are often far more effective.  For example, our
server implements "TCP wrappers" (an internal "firewalling"
mechanism) to enforce topology controls.  We also do support
IP addresses in our ACM (only in ACLs, not ACIs), but normally
their use is in combination with other factors.

Kurt
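As an added illustration of the precedence-by-specificity argument in the reply above (this is not code from the thread or from any of the servers mentioned; the entry format, the rank values and the sample policy are assumptions), a small evaluator in which IP address or range subjects, wildcard form included, rank below group and DN subjects:

```python
"""ACL evaluation where the most specific matching subject wins and an IP
range counts as the least specific subject kind.  Added example; ranks and
entry layout are assumed, not taken from any implementation."""
import ipaddress
from dataclasses import dataclass

# Assumed specificity ranks: a named user beats a group, which beats an IP range.
RANK = {"dn": 3, "group": 2, "ip": 1}


@dataclass
class Entry:
    kind: str      # "dn", "group" or "ip"
    subject: str   # user DN, group DN, or an IP address / CIDR / "a.b.*" wildcard
    allow: bool


def ip_network(spec: str) -> ipaddress.IPv4Network:
    """Turn '192.0.2.7', '192.0.2.0/24' or the wildcard '192.0.2.*' into a network."""
    if "*" in spec:
        octets = spec.split(".")
        fixed = octets.index("*")                    # octets before the first '*' are fixed
        base = ".".join(octets[:fixed] + ["0"] * (4 - fixed))
        return ipaddress.IPv4Network(f"{base}/{8 * fixed}")
    return ipaddress.IPv4Network(spec, strict=False)  # single host becomes a /32


def matches(e: Entry, user_dn: str, groups: set, src_ip: str) -> bool:
    if e.kind == "dn":
        return e.subject == user_dn
    if e.kind == "group":
        return e.subject in groups
    return ipaddress.IPv4Address(src_ip) in ip_network(e.subject)


def decide(acl: list, user_dn: str, groups: set, src_ip: str, default: bool = False) -> bool:
    """Highest-ranked matching entries decide; at equal rank any deny wins."""
    hits = [e for e in acl if matches(e, user_dn, groups, src_ip)]
    if not hits:
        return default
    top = max(RANK[e.kind] for e in hits)
    return all(e.allow for e in hits if RANK[e.kind] == top)


# Constructed sample policy: refuse the lab range, but a group or a named user overrides it.
ACL = [
    Entry("ip", "192.0.2.*", allow=False),
    Entry("group", "cn=staff,dc=example,dc=com", allow=True),
    Entry("dn", "cn=admin,dc=example,dc=com", allow=True),
]
```

With this ordering an unknown client in the 192.0.2.0/24 range is refused, while a staff member or the admin connecting from the same range is admitted, which is the opposite of the "IP range first, regardless of other attributes" scheme.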