This is a continuation of the earlier posts starting with this one: http://ravinote.blogspot.com/2020/09/best-practice-from-networking.html
The rules are scoped to the artifacts they secure. For system-wide resources, there is only a singleton. For user resources, the rules can be dynamically fetched and executed if they are registered.
This export of logic is very helpful in overcoming the limitations of static configuration and service reloads. Regardless of the need for a runtime to execute the logic, even listenable config values can help with changes to rules.
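A minimal sketch of this arrangement, added here as an illustration and not taken from any product: a single system-wide rule driven by a listenable config value, plus per-resource user rules that run only if registered. The names `ListenableValue`, `RuleRegistry`, the `allow`/`deny` outcomes and the sample addresses are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Dict, List


class ListenableValue:
    """Config value that notifies subscribers on change, so no service reload is needed."""

    def __init__(self, value):
        self._value = value
        self._listeners: List[Callable] = []

    def get(self):
        return self._value

    def subscribe(self, fn: Callable) -> None:
        self._listeners.append(fn)

    def set(self, value) -> None:
        for fn in self._listeners:
            fn(value)            # a listener that rejects the value raises here
        self._value = value      # committed only after every listener accepted it


class RuleRegistry:
    """One system-wide rule (the singleton) plus rules registered per user resource."""

    def __init__(self, blocked_cidrs: ListenableValue):
        self._user_rules: Dict[str, Callable[[dict], bool]] = {}
        self._compile(blocked_cidrs.get())
        blocked_cidrs.subscribe(self._compile)  # the rule follows config changes

    def _compile(self, cidrs) -> None:
        # Parse fully before swapping, so a bad value leaves the old rule in force.
        self._blocked = [ipaddress.ip_network(c) for c in cidrs]

    def register(self, resource: str, rule: Callable[[dict], bool]) -> None:
        self._user_rules[resource] = rule

    def evaluate(self, resource: str, request: dict) -> str:
        src = ipaddress.ip_address(request["src"])
        if any(src in net for net in self._blocked):
            return "deny"                       # system-wide rule covers every resource
        rule = self._user_rules.get(resource)   # fetched at evaluation time
        if rule is None:
            return "deny"                       # unregistered logic is never executed
        return "allow" if rule(request) else "deny"
```

The outcome classes stay fixed at `allow` and `deny` while the rule contents change at runtime, and an invalid config update raises `ValueError` without replacing the rule already in effect.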
The types of rules and the classes of outcomes generally don’t change even in the most heavily used filters. IPSec, for example, has a lot of attributes to secure the network, but its types of rules and outcomes are well known. Rules can therefore be rewritten periodically to make them more efficient.
Networking products must accumulate user artifacts such as rules, containers, and settings. It should be easy to migrate and upgrade them.
The migration mentioned above is preferably done via a user-friendly mechanism because these artifacts matter more to the user than to the system.