Subject: Re: [xacml] Six issues
On 22 July, Tim Moses writes: [xacml] Six issues

> Colleagues - As I mentioned on the call this morning there are six issues
> surrounding url/urn matching that I need to resolve urgently. Please give
> them your consideration and (if you feel strongly) express your preferences.
> It is proposed to ...
>
> 1. provide separate functions for matching URNs and URLs.

Fine.

> 2. simply use our existing regex-match function to match URNs.

Fine.

> 3. provide an ipV4Address match function. We will not provide a matching
> function for ipV6 addresses.

I am trying to support java.net.SocketPermission, where host can be a
hostname, an IPv4address, or an IPv6address, and is followed by an optional
portrange. There is a format for mixed ipV6/ipV4 addresses defined on page 4
of RFC2373.txt:

   3. An alternative form that is sometimes more convenient when dealing
      with a mixed environment of IPv4 and IPv6 nodes is
      x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of
      the six high-order 16-bit pieces of the address, and the 'd's are
      the decimal values of the four low-order 8-bit pieces of the
      address (standard IPv4 representation). Examples:

         0:0:0:0:0:0:13.1.68.3
         0:0:0:0:0:FFFF:129.144.52.38

      or in compressed form:

         ::13.1.68.3
         ::FFFF:129.144.52.38

> 4. tackle ipV4address ranges using upper and lower limits, as opposed to a
> subnet mask.

Where do people use ranges now? Subnet masks are common in the types of
situations where you might want to limit access to people coming from a
particular subnet, and people know how to state them and use them. Using
upper and lower limits makes arguments to functions more complex: you now
need two arguments (one upper and one lower) for ranges. With subnet masks,
they are in a single argument.

Subnet masks also exist for ipv6, using exactly the same bit-wise mask
mechanism (see 2.5 Unicast Addresses on page 7 of rfc2373.txt). I have not
seen a standard format for them, but we could assume they are /<mask>, where
<mask> is in the same format as IPv6 or combined IPv6/IPv4 addresses.

> 5. simply use our existing regex-match function to match DNS names.

Fine.

> 6. split URLs into three parts: a scheme part for which string-match will be
> used; an authority part for which we will use either ipV4Address-match or
> dnsName-match and a path part for which we will use the existing regex-match
> function. IP addresses will be distinguishable from DNS names because they
> begin with a number. Port number will be treated as part of the path and,
> if it is missing, the default port number for the scheme will be inserted.

Fine.

> The bit about distinguishing between IP address and DNS name is uncertain.
> If anyone has a better idea, please let me know.

Your idea sounds fine.

Anne
-- 
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311               Tel: 781/442-0928
Burlington, MA 01803-0902 USA            Fax: 781/442-1692
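The following Python is an added worked example for the matching functions debated in this message (items 3, 4 and 6); it is not code from the thread, from Tim's proposal, or from the XACML specification. It shows the mixed IPv6/IPv4 form from RFC 2373 being accepted as an IPv6 address, a single bitwise subnet-mask match that serves IPv4 and IPv6 alike (including Anne's suggested /<mask> form with the mask written in address notation), the two-argument upper/lower range form for comparison, a parser for a java.net.SocketPermission-style host[:portrange] target, and the scheme/authority/path split with a default port filled in. The DEFAULT_PORTS table, the convention that IPv6 literals in a SocketPermission target are bracketed, and all sample inputs are assumptions constructed for the example.

```python
"""Added example: host classification, subnet-mask and range matching, and
URL/SocketPermission target splitting. Not from the xacml thread."""
import ipaddress
from urllib.parse import urlsplit

# Assumed default ports for the schemes used in the sample inputs below.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def classify_host(host):
    """Return 'ipv4', 'ipv6' or 'dns' for a bare host (no brackets, no port).

    Parsing, rather than "begins with a number", is used to tell addresses
    from names. The mixed form x:x:x:x:x:x:d.d.d.d from RFC 2373
    (e.g. ::FFFF:129.144.52.38) parses as an IPv6 address.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "dns"
    return "ipv4" if addr.version == 4 else "ipv6"


def _mask_bits(net, mask_str):
    """Build an integer bit mask from a prefix length or an address-form mask."""
    bits = net.max_prefixlen
    if mask_str.isdigit():
        prefix = int(mask_str)
        if not 0 <= prefix <= bits:
            raise ValueError("prefix length out of range: %s" % mask_str)
        return ((1 << bits) - 1) ^ ((1 << (bits - prefix)) - 1)
    mask = ipaddress.ip_address(mask_str)
    if mask.version != net.version:
        raise ValueError("mask %s is not in the address family of %s" % (mask_str, net))
    return int(mask)


def mask_match(address, spec):
    """Subnet-mask match (one argument). spec is 'net', 'net/prefixlen' or
    'net/mask', where mask is written in the same notation as net (dotted
    quad for IPv4; hex groups or the mixed IPv6/IPv4 form for IPv6).
    The same bitwise test covers both address families."""
    net_str, _, mask_str = spec.partition("/")
    net = ipaddress.ip_address(net_str)
    addr = ipaddress.ip_address(address)
    if addr.version != net.version:
        return False  # an IPv4 address never falls inside an IPv6 subnet, or vice versa
    if not mask_str:
        return addr == net  # no mask: exact address match
    mask = _mask_bits(net, mask_str)
    return (int(addr) & mask) == (int(net) & mask)


def range_match(address, lower, upper):
    """Upper/lower-limit match (two arguments instead of one mask)."""
    addr = ipaddress.ip_address(address)
    lo, hi = ipaddress.ip_address(lower), ipaddress.ip_address(upper)
    return lo.version == addr.version == hi.version and lo <= addr <= hi


def parse_port_range(spec):
    """Parse N, N-, -N or N-M into an inclusive (low, high) tuple."""
    lo, dash, hi = spec.partition("-")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if dash else low)
    if not 0 <= low <= high <= 65535:
        raise ValueError("bad port range: %s" % spec)
    return (low, high)


def parse_socket_target(target):
    """Parse a SocketPermission-style 'host[:portrange]'. IPv6 literals are
    assumed to be bracketed so their colons do not collide with the port
    separator. Returns (host, kind, ports-or-None)."""
    if target.startswith("["):
        end = target.index("]")
        host, rest = target[1:end], target[end + 1:]
    else:
        host, sep, tail = target.partition(":")
        rest = sep + tail
    if rest and not rest.startswith(":"):
        raise ValueError("unexpected text after host in %s" % target)
    ports = parse_port_range(rest[1:]) if rest else None
    return host, classify_host(host), ports


def split_url(url):
    """Split a URL into scheme, authority (host, kind, port) and path,
    inserting the scheme's default port when the URL carries none."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # urlsplit strips IPv6 brackets and lowercases
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return {"scheme": scheme, "host": host, "host_kind": classify_host(host),
            "port": port, "path": parts.path or "/"}


if __name__ == "__main__":
    print(parse_socket_target("[::FFFF:129.144.52.38]:1024-65535"))
    print(mask_match("::FFFF:129.144.52.38", "::FFFF:129.144.52.0/120"))
    print(split_url("http://192.0.2.10/index.html"))
```

Two practical points the example makes concrete: the "begins with a number" heuristic for telling IP addresses from DNS names is unsafe (a hostname label may legally start with a digit, and IPv6 literals start with hex or "::"), so the example parses instead; and the mask form keeps the subnet in one argument while rejecting any attempt to match an IPv4 address against an IPv6 subnet or an IPv6 mask against an IPv4 network.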