[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-cybox] IPv4 and IPv6 Address Objects
| From: | "Jordan, Bret" <bret.jordan@bluecoat.com> |
| To: | "Terry MacDonald" <terry.macdonald@cosive.com> |
| Cc: | cti-cybox@lists.oasis-open.org, "Mates, Jeffrey CIV DC3DCCI" <Jeffrey.Mates@dc3.mil> |
| Date: | Tue, Aug 30, 2016 7:42 PM |
| Subject: | Re: [cti-cybox] IPv4 and IPv6 Address Objects |
On Aug 30, 2016, at 15:41, Terry MacDonald <terry.macdonald@cosive.com> wrote:We may extend those objects in the future, so it potentially makes sense to keep these separate to allow that to happen. We gain flexibility by keeping them separate.
Cheers
Terry MacDonald
CosiveOn 31/08/2016 08:55, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:Well for IPv4 and IPv6 the address field is just a string. So when you unmarshall the data in to your struct, it does not really matter you will have the same amount of processing either way. Right now you have to unmarshall the object before you can figure out the "type" anyway. So no difference.If we were going to have protocol specific fields in the object, then I would agree with you. But given how they are identical and I can not see us adding much to them over time, I question which way makes more sense.This would be attune to the labels that we do all over the place in STIX. Now I am not advocating that we have this be a general purpose Address object... I think it should be an IP object..Thanks,BretBret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTOBlue Coat SystemsPGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."On Aug 30, 2016, at 14:38, Mates, Jeffrey CIV DC3\DCCI <Jeffrey.Mates@dc3.mil> wrote:I think it had to do with the fact that we were trying to avoid the generic
CybOX 2 Address Object that could store an email address, IPv4 or IPv6
address with the type determined by a separate field.
I also don't think that JSON has anything like the XSD choice, so it
wouldn't be possible to have dedicated ipv4 and ipv6 tags that are mutually
exclusive in a larger address object. So you would need something like:
{"type":"IP","format":"ipv6","address":"1234::5678"}
While this format is human readable it adds an additional step to machine
validation. This is because unlike other object types you would need to
read in a format tag, which would then determine your parsing rule for your
address tag rather than just reading in the tag you wanted to validate.
Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335
-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org ]
On Behalf Of Jordan, Bret
Sent: Tuesday, August 30, 2016 4:27 PM
To: OASIS CTI TC CybOX SC list
Subject: [Non-DoD Source] [cti-cybox] IPv4 and IPv6 Address Objects
I find it interesting that we have two identical objects, one for IPv4 and
IPv6. This was probably discussed at length in the past, but I am curious
to know the rational for having two objects vs just having an "IP" object
with a label of ipv4 or ipv6.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO Blue
Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415
0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
can not be unscrambled is an egg."
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]