OASIS Mailing List Archives: xacml message

Subject: Proposal for WI#66: Add IP address match functions


Proposal for XACML 2.0 Work Item #66. Add IP address match functions

Contents
========
Problem statement
Solution overview
Proposed DataTypes
Proposed Functions

Problem statement
=================

Policies may need to protect access to or depend on subject
identities stated as IP addresses or DNS names, including
optional port ranges.

Examples:
1) Anne can connect (action) to research.sun.com on port 8080
   (resource).
2) A Subject with SubjectCategory "requesting-machine",
   identified using an IPv6 address, wants to access a resource.

XACML 1.1 does not have a DataType for expressing IP addresses or
DNS names and does not have functions suitable for comparing
them.  It is extremely awkward, if not impossible, to express
these identifiers using regular expressions.

Solution overview
=================

The proposed solution defines new DataTypes for the three common
network address formats: IPv4, IPv6, and Domain Name Service
(DNS) names.  It extends these with optional port-range
specifications, since many users of addresses are interested in
specific ports at those addresses.

The IPv4 and IPv6 address formats already include an optional
"mask" that can be used to specify a range of network addresses.
The DNS name syntax is extended with an optional wildcard "*" as
the leftmost name component to indicate all subdomains under the
domain specified to its right.

Proposed DataTypes
==================

A. urn:oasis:names:tc:xacml:2.0:data-type:ipAddress

   An IPv4 or IPv6 network address, with optional mask and
   optional port or port range.

    ipAddress = address [ "/" mask ] [ ":" [ portrange ] ]

   For an IPv4 address, the address and mask are formatted in
   accordance with the syntax for a "host" in IETF RFC2396
   "Uniform Resource Identifiers (URI): Generic Syntax", section
   3.2.

   For an IPv6 address, the address and mask are formatted in
   accordance with the syntax for an "ipv6reference" in IETF
   RFC2732 "Format for Literal IPv6 Addresses in URL's".  (Note
   that an IPv6 address or mask, in this syntax, is enclosed in
   literal "[" "]" brackets.)

B. urn:oasis:names:tc:xacml:2.0:data-type:dnsName

   A Domain Name Service (DNS) host name, with optional port or
   port range.

     dnsName = hostname [ ":" portrange ]

   The hostname is formatted in accordance with IETF RFC2396
   "Uniform Resource Identifiers (URI): Generic Syntax", section
   3.2, except that a wildcard "*" may be used in the left-most
   component of the hostname to indicate "any subdomain" under
   the domain specified to its right.

For both:

   The port or port range syntax is

     portrange = portnumber | "-"portnumber | portnumber"-"[portnumber]

   where "portnumber" is a decimal port number.  If the port
   number is of the form "-x", where "x" is a port number, then
   the range is all ports numbered "x" and below.  If the port
   number is of the form "x-", then the range is all ports
   numbered "x" and above.

   [this syntax is taken from the Java SocketPermission]

Proposed Functions
==================

A. urn:oasis:names:tc:xacml:2.0:function:ipAddress-match

This function SHALL take two arguments of data-type
urn:oasis:names:tc:xacml:2.0:data-type:ipAddress and SHALL return
an "http://www.w3.org/2001/XMLSchema#boolean".  The first
argument specifies the set of addresses and optional portrange
that are acceptable for the match to be "True".  The second
argument specifies a particular address or set of addresses and
optional portrange to be tested against the set of acceptable
values.

This function SHALL return "True" if, after each address and mask
are converted to their byte-sequence equivalents,

a) the first argument, AND'ed with its mask if present, matches
   the second argument, AND'ed with its mask if present.

   AND

b) any port range values in the second argument are a subset of
   the port range values in the first argument.

Otherwise, this function SHALL return "False".

B. urn:oasis:names:tc:xacml:2.0:function:dnsName-match

This function SHALL take two arguments of data-type
urn:oasis:names:tc:xacml:2.0:data-type:dnsName and SHALL return
an "http://www.w3.org/2001/XMLSchema#boolean".  The first
argument specifies the set of DNS names that are acceptable for
the match to be "True".  The second argument specifies a
particular address or set of subdomains and optional portrange to
be tested against the set of acceptable values.

This function SHALL return "True" if, after converting both
arguments to upper-case,

a) If there is no "*" wildcard character in the first argument,
   then the two arguments match using "string-equal".  Otherwise,
   if the first argument contains a "*" wildcard character, then
   all name components to the right of this wildcard MUST match
   corresponding name components in the second argument using
   "string-equal".

   AND

b) any port range values in the second argument are a subset of
   the port range values in the first argument.

Otherwise, this function SHALL return "False".

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
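Added worked example (editor's code, not part of the proposal above and not taken from any XACML implementation): a parser for the proposed ipAddress and dnsName syntaxes and the two match functions, written to the rules given in the message. All names here (PortRange, parse_ip_address, ip_address_match, dns_name_match, the `literal` flag) are mine. Two points the proposal leaves open are settled as labelled assumptions: an absent or empty portrange is treated as "every port" on both sides, which makes a request that omits its port fail against a policy that restricts ports, and a wildcard "*.example.com" does not match the bare "example.com".

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_PORT = 65535
_LABEL = re.compile(r"[A-Z0-9]([A-Z0-9-]*[A-Z0-9])?")  # RFC2396 hostname label, upper-cased

@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

# Assumption (not stated in the proposal): an absent or empty portrange means every port.
ALL_PORTS = PortRange(0, MAX_PORT)

def parse_portrange(text: str) -> PortRange:
    """portrange = portnumber | "-"portnumber | portnumber"-"[portnumber]"""
    if text == "":
        return ALL_PORTS
    if not re.fullmatch(r"[0-9]+|-[0-9]+|[0-9]+-[0-9]*", text):
        raise ValueError(f"bad port range: {text!r}")
    lo, dash, hi = text.partition("-")
    low = int(lo) if lo else 0                              # "-x": x and below
    high = int(hi) if hi else (MAX_PORT if dash else low)   # "x-": x and above; "x": just x
    if not low <= high <= MAX_PORT:
        raise ValueError(f"bad port range: {text!r}")
    return PortRange(low, high)

def _ports_subset(inner: PortRange, outer: PortRange) -> bool:
    return outer.low <= inner.low and inner.high <= outer.high

@dataclass(frozen=True)
class IpAddress:
    address: bytes             # 4 bytes (IPv4) or 16 bytes (IPv6)
    mask: Optional[bytes]
    ports: PortRange

def _parse_literal(text: str) -> Tuple[bytes, str]:
    """One address or mask: bracketed IPv6 literal (RFC2732) or dotted IPv4 (RFC2396 host)."""
    if text.startswith("["):
        end = text.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        return ipaddress.IPv6Address(text[1:end]).packed, text[end + 1:]
    m = re.match(r"[0-9.]*", text)
    return ipaddress.IPv4Address(text[:m.end()]).packed, text[m.end():]

def parse_ip_address(text: str) -> IpAddress:
    """ipAddress = address [ "/" mask ] [ ":" [ portrange ] ]"""
    address, rest = _parse_literal(text)
    mask = None
    if rest.startswith("/"):
        mask, rest = _parse_literal(rest[1:])
        if len(mask) != len(address):
            raise ValueError("mask and address must be the same family")
    ports = ALL_PORTS
    if rest.startswith(":"):
        ports = parse_portrange(rest[1:])
    elif rest:
        raise ValueError(f"unexpected trailing text: {rest!r}")
    return IpAddress(address, mask, ports)

def _and(address: bytes, mask: Optional[bytes]) -> bytes:
    return address if mask is None else bytes(a & m for a, m in zip(address, mask))

def ip_address_match(acceptable: str, tested: str, *, literal: bool = True) -> bool:
    """literal=True: clause (a) as worded, each argument AND'ed with its own mask. literal=False
    (assumption): apply the first argument's mask to both, so a bare host matches its network."""
    a, t = parse_ip_address(acceptable), parse_ip_address(tested)
    if len(a.address) != len(t.address):   # IPv4 and IPv6 never match each other
        return False
    tested_mask = t.mask if literal else a.mask
    return (_and(a.address, a.mask) == _and(t.address, tested_mask)
            and _ports_subset(t.ports, a.ports))

@dataclass(frozen=True)
class DnsName:
    labels: Tuple[str, ...]    # upper-cased, leftmost first; labels[0] may be "*"
    ports: PortRange

def parse_dns_name(text: str) -> DnsName:
    """dnsName = hostname [ ":" portrange ]; "*" allowed only as the leftmost component."""
    host, sep, portrange = text.partition(":")
    labels = tuple(host.upper().split("."))
    for i, label in enumerate(labels):
        if not (label == "*" and i == 0) and not _LABEL.fullmatch(label):
            raise ValueError(f"bad hostname component: {label!r}")
    return DnsName(labels, parse_portrange(portrange) if sep else ALL_PORTS)

def dns_name_match(acceptable: str, tested: str) -> bool:
    a, t = parse_dns_name(acceptable), parse_dns_name(tested)
    if not _ports_subset(t.ports, a.ports):
        return False
    if a.labels[0] != "*":
        return a.labels == t.labels      # string-equal after upper-casing
    suffix = a.labels[1:]
    # Components right of "*" must equal the tested name's rightmost components; assumption:
    # the bare domain is not its own subdomain, so "*.sun.com" does not match "sun.com".
    return len(t.labels) > len(suffix) and t.labels[-len(suffix):] == suffix
```

Two things worth noticing when running this. Clause (a) as worded ANDs each argument with its own mask, so with `literal=True` the policy value `10.1.0.0/255.255.0.0:8080` does not match the request value `10.1.2.3:8080`; only `10.1.2.3/255.255.0.0:8080` does, because the bare host is compared against the network address rather than masked into it. The `literal=False` reading applies the first argument's mask to both sides and gives the containment test the "set of addresses" wording seems to intend; a PDP author has to pick one, since the two give different answers for every request that states a host without a mask. The family check is deliberate: `[::ffff:10.1.2.3]` is sixteen bytes and `10.1.2.3` is four, and conflating the two is a classic way to let an IPv4-mapped address slip past an IPv4-only rule.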