Subject: Proposal for WI#66: Add IP address match functions
Proposal for XACML 2.0 Work Item #66. Add IP address match functions

Contents
========

Problem statement
Solution overview
Proposed DataTypes
Proposed Functions

Problem statement
=================

Policies may need to protect access to or depend on subject identities stated as IP addresses or DNS names, including optional port ranges. Examples:

1) Anne can connect (action) to research.sun.com on port 8080 (resource).

2) A Subject with SubjectCategory "requesting-machine", identified using an IPv6 address, wants to access a resource.

XACML 1.1 does not have a DataType for expressing IP addresses or DNS names and does not have functions suitable for comparing them. It is extremely awkward, if not impossible, to express these identifiers using regular expressions.

Solution overview
=================

The proposed solution defines new DataTypes for the three common network address formats: IPv4, IPv6, and Domain Name Service (DNS) names. It extends these with optional port-range specifications, since many users of addresses are interested in specific ports at those addresses. The IPv4 and IPv6 address formats already include an optional "mask" that can be used to specify a range of network addresses. The DNS name syntax is extended with an optional wildcard "*" as the leftmost name component to indicate all subdomains under the domain specified to its right.

Proposed DataTypes
==================

A. urn:oasis:names:tc:xacml:2.0:data-type:ipAddress

An IPv4 or IPv6 network address, with optional mask and optional port or port range.

    ipAddress = address [ "/" mask ] [ ":" [ portrange ] ]

For an IPv4 address, the address and mask are formatted in accordance with the syntax for a "host" in IETF RFC2396 "Uniform Resource Identifiers (URI): Generic Syntax", section 3.2. For an IPv6 address, the address and mask are formatted in accordance with the syntax for an "ipv6reference" in IETF RFC2732 "Format for Literal IPv6 Addresses in URL's". (Note that an IPv6 address or mask, in this syntax, is enclosed in literal "[" "]" brackets.)

B. urn:oasis:names:tc:xacml:2.0:data-type:dnsName

A Domain Name Service (DNS) host name, with optional port or port range.

    dnsName = hostname [ ":" portrange ]

The hostname is formatted in accordance with IETF RFC2396 "Uniform Resource Identifiers (URI): Generic Syntax", section 3.2, except that a wildcard "*" may be used in the left-most component of the hostname to indicate "any subdomain" under the domain specified to its right.

For both: The port or port range syntax is

    portrange = portnumber | "-"portnumber | portnumber"-"[portnumber]

where "portnumber" is a decimal port number. If the port number is of the form "-x", where "x" is a port number, then the range is all ports numbered "x" and below. If the port number is of the form "x-", then the range is all ports numbered "x" and above. [This syntax is taken from the Java SocketPermission.]

Proposed Functions
==================

A. urn:oasis:names:tc:xacml:2.0:function:ipAddress-match

This function SHALL take two arguments of data-type urn:oasis:names:tc:xacml:2.0:data-type:ipAddress and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The first argument specifies the set of addresses and optional portrange that are acceptable for the match to be "True". The second argument specifies a particular address or set of addresses and optional portrange to be tested against the set of acceptable values.

This function SHALL return "True" if, after each address and mask are converted to their byte-sequence equivalents,

a) the first argument, AND'ed with its mask if present, matches the second argument, AND'ed with its mask if present,

AND

b) any port range values in the second argument are a subset of the port range values in the first argument.

Otherwise, this function SHALL return "False".

B. urn:oasis:names:tc:xacml:2.0:function:dnsName-match

This function SHALL take two arguments of data-type urn:oasis:names:tc:xacml:2.0:data-type:dnsName and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The first argument specifies the set of DNS names that are acceptable for the match to be "True". The second argument specifies a particular address or set of subdomains and optional portrange to be tested against the set of acceptable values.

This function SHALL return "True" if, after converting both arguments to upper-case,

a) if there is no "*" wildcard character in the first argument, then the two arguments match using "string-equal". Otherwise, if the first argument contains a "*" wildcard character, then all name components to the right of this wildcard MUST match corresponding name components in the second argument using "string-equal",

AND

b) any port range values in the second argument are a subset of the port range values in the first argument.

Otherwise, this function SHALL return "False".

-- 
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311              Tel: 781/442-0928
Burlington, MA 01803-0902 USA            Fax: 781/442-1692
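The following is an added example, written for this page; it is not part of Anne Anderson's proposal nor code from any XACML implementation. It evaluates both proposed functions, ipAddress-match and dnsName-match, over the literal syntaxes given above, including the Java SocketPermission port-range forms and the bracketed IPv6 form. Three points the proposal leaves open are handled as labelled assumptions: an omitted portrange is read as "every port", the "*" wildcard must stand in for at least one name component (so "*.sun.com" does not match "sun.com" itself), and clause (a) of ipAddress-match is applied exactly as written, with each argument AND'ed with its own mask. Function and variable names are this example's own.

```python
"""Added example: reference evaluation of the proposed XACML 2.0
ipAddress-match and dnsName-match functions (not the proposal's own code)."""
import ipaddress
import re

FULL_PORT_RANGE = (0, 65535)


def _port(text):
    """Decimal port number in 0..65535."""
    if not text.isdigit() or int(text) > 65535:
        raise ValueError(f"bad port number: {text!r}")
    return int(text)


def parse_portrange(text):
    """portrange = portnumber | "-"portnumber | portnumber"-"[portnumber].
    Assumption: an absent or empty portrange means every port."""
    if text == "":
        return FULL_PORT_RANGE
    if "-" not in text:
        p = _port(text)
        return (p, p)
    lo, hi = text.split("-", 1)
    if lo == "" and hi == "":
        raise ValueError("portrange needs at least one port number")
    lo_v = _port(lo) if lo else 0        # "-x": port x and below
    hi_v = _port(hi) if hi else 65535    # "x-": port x and above
    if lo_v > hi_v:
        raise ValueError(f"inverted portrange: {text!r}")
    return (lo_v, hi_v)


def port_subset(inner, outer):
    """Clause (b): the tested range must lie inside the acceptable range."""
    return inner[0] >= outer[0] and inner[1] <= outer[1]


def parse_ip_address(text):
    """ipAddress = address [ "/" mask ] [ ":" [ portrange ] ].
    Returns (address bytes, mask bytes, port range). An absent mask becomes
    all ones, so AND'ing with it leaves the address unchanged."""
    if text.startswith("["):   # RFC 2732 ipv6reference: address and mask in [ ]
        m = re.fullmatch(r"\[([^\]]+)\](?:/\[([^\]]+)\])?(?::(.*))?", text)
    else:                      # RFC 2396 IPv4 "host"
        m = re.fullmatch(r"([0-9.]+)(?:/([0-9.]+))?(?::(.*))?", text)
    if m is None:
        raise ValueError(f"not an ipAddress literal: {text!r}")
    addr_s, mask_s, port_s = m.groups()
    addr = ipaddress.ip_address(addr_s)
    if mask_s is None:
        mask_bytes = b"\xff" * len(addr.packed)
    else:
        mask = ipaddress.ip_address(mask_s)
        if mask.version != addr.version:
            raise ValueError("address and mask must be the same IP version")
        mask_bytes = mask.packed
    return addr.packed, mask_bytes, parse_portrange(port_s or "")


def ip_address_match(acceptable, tested):
    """Clause (a) read literally: each argument AND'ed with its own mask, then
    compared byte for byte; clause (b) on the port ranges."""
    a_addr, a_mask, a_ports = parse_ip_address(acceptable)
    t_addr, t_mask, t_ports = parse_ip_address(tested)
    if len(a_addr) != len(t_addr):   # IPv4 and IPv6 byte sequences never match
        return False
    address_ok = all((a & am) == (t & tm)
                     for a, am, t, tm in zip(a_addr, a_mask, t_addr, t_mask))
    return address_ok and port_subset(t_ports, a_ports)


def parse_dns_name(text):
    """dnsName = hostname [ ":" portrange ], upper-cased as the proposal requires."""
    host, sep, port_s = text.upper().partition(":")
    if sep and port_s == "":
        raise ValueError(f"dnsName has ':' but no portrange: {text!r}")
    if not host or ("*" in host and not host.startswith("*.")):
        raise ValueError(f"wildcard allowed only as the left-most component: {text!r}")
    return host, parse_portrange(port_s)


def dns_name_match(acceptable, tested):
    a_host, a_ports = parse_dns_name(acceptable)
    t_host, t_ports = parse_dns_name(tested)
    if "*" not in a_host:
        host_ok = a_host == t_host           # plain string-equal
    else:
        # Components right of the wildcard must equal the right-most components
        # of the tested name. Comparing whole components rather than a string
        # suffix keeps "*.sun.com" from matching "evil-sun.com". Assumption: at
        # least one component must stand in for the wildcard.
        suffix = a_host.split(".")[1:]
        parts = t_host.split(".")
        host_ok = len(parts) > len(suffix) and parts[-len(suffix):] == suffix
    return host_ok and port_subset(t_ports, a_ports)
```

One consequence of reading clause (a) literally is worth checking before adopting the function: when the second argument carries no mask, it is compared unmasked against the masked first argument, so "10.0.0.0/255.0.0.0" accepts "10.1.2.3/255.0.0.0" but not the bare "10.1.2.3". A policy author who expects a mask on the first argument alone to admit every host in that network would need the wording of clause (a) to say so.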