

Subject: Re: [cti-cybox] IPv4 and IPv6 Address Objects


Fair enough.  I was just asking the question. 


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 31, 2016, at 07:09, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:

Yes, this will be an issue in places where multiple types of objects are supported as references. However, going to a single “IP Address” type won’t fix it, as you’ll still have to specify an “address_type” or similar field to differentiate between IPv4/IPv6.
 
Also, as Jeff and others have mentioned, the primary reason for having separate Objects is that this leads to clearer semantics in the data model. There are places where we want to restrict addresses to specific types, and therefore having separate IPv4/IPv6 address types was the consensus solution that we came up with. Let’s not rehash this debate.
 
Regards,
Ivan
 
From: <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, August 31, 2016 at 5:25 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Bret Jordan <bret.jordan@bluecoat.com>, Terry MacDonald <terry.macdonald@cosive.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Mates, Jeffrey CIV DC3DCCI" <Jeffrey.Mates@dc3.mil>
Subject: Re: [cti-cybox] IPv4 and IPv6 Address Objects
 

I apologize for my confusing example where I changed from MAC address to IP address half way through my email.. I have not yet had enough coffee...

Here is a re-write of my email

--

Actually - when trying to write this example, I have run into another issue WRT patterning and our decision for some list properties to be able to continue multiple types simultaneously, along with the "always deref" decision.

Take the network-connection src_ref type. How would I write a pattern comparing this against an IPv4 address?

You can't simply do this:

network-connection-object:src_ref.value = '1.2.3.4'

.. because there is no way for me to declare that the type is an IPv4 address and not something else that looks like it


It is like you *always* have to write the type...
network-connection-object:src_ref.type = 'ipv4-address-object' AND network-connection-object:src_ref.value = '1.2.3.4'

... this will be quite cumbersome...



-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 



From: Jason Keirstead/CanEast/IBM@IBMCA
To: "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Mates, Jeffrey CIV DC3DCCI" <Jeffrey.Mates@dc3.mil>
Date: 08/31/2016 08:20 AM
Subject: Re: [cti-cybox] IPv4 and IPv6 Address Objects
Sent by: <cti-cybox@lists.oasis-open.org>




Actually - when trying to write this example, I have run into another issue WRT patterning and our decision for some list properties to be able to continue multiple types simultaneously, along with the "always deref" decision.

Take the network-connection src_ref type. How would I write a pattern comparing this against a MAC address?

You can't simply do this:
network-connection-object:src_ref.value = '42:29:82:8d:b5:a9'

.. because there is no way for me to declare that the type is an IPv4 address and not something else


It is like you *always* have to write the type...
network-connection-object:src_ref.type = 'ipv4-address-object' AND network-connection-object:src_ref.value = '1.2.3.4'


... this will be quite cumbersome...

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 

<trim>
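
Added example, not part of the thread and not code from the CybOX specification or any participant: a minimal Python evaluator that applies the two pattern forms quoted above to two constructed observations. It assumes every property ending in `_ref` is dereferenced to the object it points at (the "always deref" decision mentioned in the thread), supports only `=` comparisons joined by `AND`, and uses `domain-name-object` as a hypothetical type name for "something else that looks like it".

```python
import re

# Constructed observations; 'domain-name-object' is a hypothetical type name
# standing in for a non-IPv4 object that happens to carry the same value.
OBS_IPV4 = {
    "0": {"type": "ipv4-address-object", "value": "1.2.3.4"},
    "1": {"type": "network-connection-object", "src_ref": "0"},
}
OBS_OTHER = {
    "0": {"type": "domain-name-object", "value": "1.2.3.4"},
    "1": {"type": "network-connection-object", "src_ref": "0"},
}

# One comparison term: <object-type>:<dotted.path> = '<literal>'
COMPARISON = re.compile(r"^\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*$")

def resolve(objects, obj, path):
    """Walk a dotted property path, dereferencing every *_ref step."""
    current = obj
    for step in path.split("."):
        if not isinstance(current, dict) or step not in current:
            return None
        current = current[step]
        if step.endswith("_ref"):  # assumed "always deref" behaviour
            current = objects.get(current)
    return current

def term_holds(objects, obj, term):
    """Evaluate one comparison term against one candidate object."""
    m = COMPARISON.match(term)
    if not m:
        raise ValueError(f"unsupported comparison: {term!r}")
    obj_type, path, literal = m.groups()
    return obj.get("type") == obj_type and resolve(objects, obj, path) == literal

def matches(objects, pattern):
    """True if a single object satisfies every AND-joined term."""
    terms = pattern.split(" AND ")  # simplification: no ' AND ' inside literals
    return any(all(term_holds(objects, o, t) for t in terms)
               for o in objects.values())

# The two pattern forms quoted in the thread.
VALUE_ONLY = "network-connection-object:src_ref.value = '1.2.3.4'"
TYPED = ("network-connection-object:src_ref.type = 'ipv4-address-object' AND "
         + VALUE_ONLY)
```

The value-only pattern matches both observations, while the type-qualified pattern matches only the one whose `src_ref` points at an `ipv4-address-object`.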


