oasis-tcs / openc2-apsc-stateless-packet-filter

OASIS OpenC2 TC: A GitHub repository is to provide configuration management and to aid in the development of the first generation OpenC2 firewall profile
https://github.com/oasis-tcs/openc2-apsc-stateless-packet-filter

Priority and Order #116

Open alevere opened 4 years ago

alevere commented 4 years ago

Many cloud providers utilize priority to determine which rule applies. Often this is an integer between 0-65535 with 0 being the first evaluation and 65535 the last. We should consider order as a command argument. For instance, an allow at priority 1000 is evaluated before a deny at order 2000.

Vasileios-Mavroeidis commented 4 years ago

Rule numbers are evaluated in the same way. The difference is that in the cloud you would be able to add multiple rules with the same priority number. We could use the same argument "rule_number" for that. I mean, I do see the benefits of having a separate argument for this scenario, but maybe we could just extend the definition and say that rule_number could also be perceived as a priority number in cases where technologies can handle multiple rules with the same priority number.

On the other hand, rule_number is very self describable.

Also, what would be the values of the key "order"?

jmbrule commented 4 years ago

I actually thought that rule numbers were ALWAYS evaluated in order, and if that is in fact the case, then I am not convinced that the benefits of defining a priority number are worth the extra complexity. It also opens up an issue on what one should do if the rule number and the priority number conflict (if rule number 2000 has highest priority, and rule number 1000 has routine priority, then which one should be executed first?). I err on the side of concise.

Vasileios-Mavroeidis commented 4 years ago

Joe, if the technology uses a priority number, the difference is that you can have multiple rules with the same priority. I think that the standard is that the deny rules are evaluated first, then the allow rules at the same priority level. So in some technologies you will use the rule number and in some others the priority number. Maybe a better naming convention for rule_number, or just a description stating that it can also be used as a priority number, would solve this issue. Otherwise, if this doesn't sound adequate, we can specify a new argument, priority.

I would go with articulating the description better and including the use case of a priority number.

jmbrule commented 4 years ago

+1 with the notion of a better description that indicates the use of the rule_number. I understand the notion that different products do things in different ways, but in a perfect world, we can look for the commonality or at least look for reasonable compromises.
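To make the semantics debated in this thread concrete, here is a small evaluator that applies the ordering the commenters describe: lowest priority value first, deny before allow at the same priority, and rule_number serving both as the priority when no explicit priority is given and as the final tiebreak. It is an added illustration, not code from the OpenC2 profile or this repository; the rule fields, rule sets and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_number: int                 # position in the rule table
    action: str                      # "allow" or "deny"
    src: str                         # source CIDR the rule matches
    dst_port: Optional[int] = None   # None matches any destination port
    priority: Optional[int] = None   # cloud-style priority; None = use rule_number


def effective_priority(rule: Rule) -> int:
    # rule_number doubles as the priority when no explicit priority is set
    return rule.priority if rule.priority is not None else rule.rule_number


def sort_key(rule: Rule):
    # Lower priority first; at equal priority deny beats allow;
    # rule_number is the last tiebreak so evaluation is deterministic.
    return (effective_priority(rule), 0 if rule.action == "deny" else 1, rule.rule_number)


def matches(rule: Rule, src_ip: str, dst_port: int) -> bool:
    return ip_address(src_ip) in ip_network(rule.src) and (
        rule.dst_port is None or rule.dst_port == dst_port)


def evaluate(rules, src_ip: str, dst_port: int, default: str = "deny"):
    """Return (action, rule_number) of the first rule matching in evaluation order."""
    for rule in sorted(rules, key=sort_key):
        if matches(rule, src_ip, dst_port):
            return rule.action, rule.rule_number
    return default, None  # no rule matched: fall back to the default policy


# Constructed rule sets (hypothetical values, not from the profile)
CLOUD_RULES = [  # two rules share priority 1000: the deny is evaluated first
    Rule(1000, "allow", "10.0.0.0/8", 22, priority=1000),
    Rule(2000, "deny", "10.1.0.0/16", 22, priority=1000),
    Rule(3000, "allow", "0.0.0.0/0", 443, priority=2000),
]
CONFLICT_RULES = [  # the conflict raised above: priority wins over rule_number
    Rule(1000, "allow", "0.0.0.0/0", priority=2000),
    Rule(2000, "deny", "0.0.0.0/0", priority=1),
]
TABLE_RULES = [  # no priorities given: rule_number alone decides the order
    Rule(10, "deny", "192.0.2.0/24"),
    Rule(20, "allow", "192.0.2.0/24"),
]
```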