This paper considers the effects of dependencies between rules in Access Control Lists (ACLs). Dependent rules may not be reordered in an ACL if the policies of the list are to be preserved. This is an obstacle to the optimisation of rule order intended to reduce the time taken matching packets against rules. In this paper, the concept of rule dependency is defined in relation to the problem of minimising processing latency. The concepts of dependence and possible dependence are introduced and the relationship between them considered. Two measures of dependency, the dependency index and the fragmented dependency index are defined and formulated and an upper bound for each is derived. Examples of real-world ACLs are studied and the implications for practical optimisation discussed.
Computer and Systems Architecture | Digital Communications and Networking | Hardware Systems | Systems and Communications
Grout, V., McGinn, J., Davies, J., Picking, R. & Cunningham, S. (2006) ‘Rule Dependencies in Access Control Lists’, [Paper presented to the International Association for Development of the Information Society (IADIS) International Conference WWW/Internet 2006 (ICWI 2006), 5th-8th October 2006]. Murcia, Spain
Digital Commons Citation
Grout, Vic; McGinn, John; Davies, John N.; Picking, Rich; and Cunningham, Stuart, "Rule Dependencies in Access Control Lists" (2006). Computing. Paper 77.