Just a point of precision. Converting from CIDR to netmask is lossless, however, the reverse is not true. You can not always convert a netmask to a CIDR block given the very narrow esoteric use case I illustrated. Even though this use case exists, I do not believe that it warrants us adding anything to CybOX to address it. We can get greater than 98+% with CDIR, and that should be good enough, in fact any time we can get 80+% or higher, we should consider that a win for now.
In regards to the IP Address discussion I see two options.....
{ "ipv4Address": "128.25.213.19", "ipv6Address": "fe80::3e07:54ff:fe6c:6d13" }
or
{ "ipAddressVersion": "4", "ipAddress": "191.32.87.21" }
or
{ "ipAddress": [ { "ver": "4", "addr": "191.32.87.21" } ] }
And if you wanted to get _really_ cleaver you could call the address field name ip.addr so that field names match what they are in wireshark.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Thanks for the feedback, all!
That’s exactly what Trey and I were shooting for with CIDR notation be the only supported syntax for IP Addresses – one way of doing things :)
So far it seems like there’s consensus on:
- Using CIDR notation as the supported syntax for IP addresses
- Option 2 (class-based derivation) for the IP Address/IPv4 Address/IPv6 Address implementations
- No ATM Address Object
John, as far as your points:
1. IPv4 and IPv6 are mutually-exclusive data formats. Why can't we just have one generic "ip_address" object that accepts data in both formats? The client will have to validate the data anyway, so let the client figure out
whether it has an IPv4 or IPv6 address.
This is the intent of the over-arching IP Address Object, as it supports capture of both IPv4 and IPv6 addresses. However, there’s still a need for version specific restrictions on this Object, as there are certain places in CybOX (namely in the Network
Packet and Network Flow Objects) where fields MUST be restricted to a specific IP address type. This means that in such cases the “version” field must be set to a particular value and included as part of the Object; however, as Terry mentioned, this likely
isn’t a bad thing, as it makes the data more explicit and less ambiguous.
2. Let's get rid of the netmasks entirely and just have one generic CIDR object (for both IPv4 and IPv6). If someone has a netmask they want to share, make them convert it into CIDR first. The logical transformation between
netmask and CIDR is lossless, so there's no worries there. It's an easy conversion, and there's already code for it: https://python-iptools.readthedocs.org/en/release-0.5.0/#iptools.netmask2prefix
It seems like this is where the consensus is heading – as Bret mentioned, there’s a corner case that may necessitate a netmask Object, but as you said the translation between CIDR and a netmask is lossless. I also agree that having a separate IP Address
Object and Netmask Object is a little confusing (though the Netmask would likely just be an extension of the IP Address), so I’m all for keeping things simple unless we absolutely need some particular capability.
Regards,
Ivan
From: Bret Jordan
Date: Tuesday, October 27, 2015 at 6:24 PM
To: Terry MacDonald
Cc: Ivan Kirillov, " cti-cybox@lists.oasis-open.org"
Subject: Re: [cti-cybox] CybOX 3.0: Address Object Refactoring
Yes, one-way-of-doing things is a great thing..
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
We can always add this object back in a future minor revision of CybOX if it is required, so I am happy to not have a netmask if others have a definitive opinion
about it.
It is possible that users may get confused if they see a netmask object and an IP object, and the likelihood of them getting confused versus the likelihood that
someone will use the netmask object probably means having one IP object with CIDR is better.
Cheers
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
Support for capturing the netmask out side of just using CIDR notation is a very very small corner case. CIDR assumes normal networking and contiguous blocks of IP addresses. What CIDR can not do that a netmask can do is non-contiguous IP addresses. But
no real network would do that and only an admin that hates his job and wants to punish people after he leaves would ever do that.
Further, it is super simple to convert between CIDR and a netmask, so I would suggest that we only use CIDR.
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Great idea to do this. We do need some clean-up to remove the duplication so I’m very glad to see this!
-
Does this make sense or not?
-
Which of the options around IP Address specification (option 1 or option 2) do you prefer?
Option 2. It seems more logical to extend each object from the base one.
-
Do you agree with using CIDR notation as the only supported syntax for IP addresses?
Yes. I like that there is ‘only one way to do it’.
-
Do you think we need other Objects for capturing ATM address and net masks?
Not ATM, but I do think that Netmasks could possibly make it easier if describing something like Cisco
kit setup. There may also be some weird scenario when a new piece of malware changes the netmask, and it could be useful to have a mechanism to describe it.
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
Let us know your thoughts! In particular we’d love to know:
-
Does this make sense or not?
-
Which of the options around IP Address specification (option 1 or option 2) do you prefer?
-
Do you agree with using CIDR notation as the only supported syntax for IP addresses?
-
Do you think we need other Objects for capturing ATM address and net masks?
|