
cti-cybox message



Subject: RE: [cti-cybox] CybOX 3.0: Address Object Refactoring


Hi John,

 

I think from an analytical point of view it is important that we are able to easily discern an IPv4 address from an IPv6 address. I am always a fan of explicitly marking an IP address v4 or v6 because then it is something the producer has actively done, versus something the client has to implicitly extract themselves.

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Wednesday, 28 October 2015 9:09 AM
To: John Anderson <janderson@soltra.com>
Cc: Jerome Athias <athiasjerome@gmail.com>; Ivan Kirillov <ikirillov@mitre.org>; cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] CybOX 3.0: Address Object Refactoring

 

I am not sure I fully agree with your first statement of creating one address field for IPv4 and IPv6.

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 27, 2015, at 12:10, John Anderson <janderson@soltra.com> wrote:

 

Thanks for posting this, Ivan. +20 for refactoring Addresses!

Two thoughts:

1. IPv4 and IPv6 are mutually-exclusive data formats. Why can't we just have one generic "ip_address" object that accepts data in both formats? The client will have to validate the data anyway, so let the client figure out whether it has an IPv4 or IPv6 address.

2. Let's get rid of the netmasks entirely and just have one generic CIDR object (for both IPv4 and IPv6). If someone has a netmask they want to share, make them convert it into CIDR first. The logical transformation between netmask and CIDR is lossless, so there's no worries there.  It's an easy conversion, and there's already code for it: https://python-iptools.readthedocs.org/en/release-0.5.0/#iptools.netmask2prefix

JSA

________________________________________
From: cti-cybox@lists.oasis-open.org <cti-cybox@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
Sent: Tuesday, October 27, 2015 12:47 PM
To: Kirillov, Ivan A.
Cc: cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] CybOX 3.0: Address Object Refactoring

Does this make sense or not?

Yes

Which of the options around IP Address specification (option 1 or
option 2) do you prefer?

Option 2 (Note that simple regexes would avoid the 'Version issue' anyway)

Do you agree with using CIDR notation as the only supported syntax for
IP addresses?

Ok for me

Do you think we need other Objects for capturing ATM address and net masks?

I would say no



2015-10-27 19:35 GMT+03:00 Kirillov, Ivan A. <ikirillov@mitre.org>:

All,

Trey and I have been busy thinking about some ideas around refactoring
related to CybOX 3.0. The first idea we’d like to propose to you is around
the refactoring of the Address Object into more atomic entities (as
discussed in some of the GitHub issues):
https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-Address-Object-Refactoring

Let us know your thoughts! In particular we’d love to know:

Does this make sense or not?
Which of the options around IP Address specification (option 1 or option 2)
do you prefer?
Do you agree with using CIDR notation as the only supported syntax for IP
addresses?
Do you think we need other Objects for capturing ATM address and net masks?

Regards,
Ivan and Trey


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
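
Added example, not part of the original thread or of any CybOX code: a consumer-side sketch of the two points John raises above (one generic IP field whose version the client works out, and netmasks converted to CIDR before sharing). It uses Python's standard `ipaddress` module rather than the iptools library linked in the thread; the function names and sample addresses are assumptions made for illustration, and netmasks whose one-bits are not contiguous are rejected because they have no CIDR equivalent.

```python
import ipaddress
from typing import Optional


def netmask_to_prefix(mask: str) -> int:
    """Convert a netmask (IPv4 dotted quad or IPv6) to a CIDR prefix length."""
    addr = ipaddress.ip_address(mask)
    bits = addr.max_prefixlen                      # 32 for IPv4, 128 for IPv6
    inverted = int(addr) ^ ((1 << bits) - 1)       # host bits become ones
    # A contiguous mask inverts to 2**k - 1, so adding 1 clears every set bit.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask has no CIDR form: {mask}")
    return bits - inverted.bit_length()


def prefix_to_netmask(prefix: int, version: int = 4) -> str:
    """Inverse of netmask_to_prefix, used to show the round trip is lossless."""
    bits = 32 if version == 4 else 128
    if not 0 <= prefix <= bits:
        raise ValueError(f"prefix {prefix} out of range for IPv{version}")
    value = ((1 << bits) - 1) ^ ((1 << (bits - prefix)) - 1)
    cls = ipaddress.IPv4Address if version == 4 else ipaddress.IPv6Address
    return str(cls(value))


def normalize(value: str, netmask: Optional[str] = None) -> dict:
    """Accept an address, a CIDR string, or address + netmask.

    Returns an explicit version marker plus the canonical CIDR network
    (host bits cleared), so downstream code never has to guess the family.
    """
    if netmask is not None:
        addr = ipaddress.ip_address(value)
        if addr.version != ipaddress.ip_address(netmask).version:
            raise ValueError("address and netmask are different IP versions")
        value = f"{addr}/{netmask_to_prefix(netmask)}"
    iface = ipaddress.ip_interface(value)          # raises ValueError if invalid
    return {"version": iface.version, "cidr": str(iface.network)}


if __name__ == "__main__":
    # Constructed sample inputs (documentation/private ranges).
    print(normalize("192.168.1.10", "255.255.255.0"))
    print(normalize("2001:db8::1"))
    print(normalize("10.0.0.0/8"))
```
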


 


