Subject: Re: [xacml] Six issues


On 22 July, Tim Moses writes: [xacml] Six issues
 > Colleagues - As I mentioned on the call this morning there are six issues
 > surrounding url/urn matching that I need to resolve urgently.  Please give
 > them your consideration and (if you feel strongly) express your preferences.
 > It is proposed to ...
 > 
 > 1. provide separate functions for matching URNs and URLs.

Fine.

 > 2. simply use our existing regex-match function to match URNs.

Fine.

 > 3. provide an ipV4Address match function.  We will not provide a matching
 > function for ipV6 addresses.

I am trying to support java.net.SocketPermission, where host can
be a hostname, an IPv4address, or an IPv6address, and is followed
by an optional portrange.

There is a format for mixed ipV6/ipV4 addresses defined on page 4
of RFC2373.txt:

   3. An alternative form that is sometimes more convenient when dealing
      with a mixed environment of IPv4 and IPv6 nodes is
      x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of
      the six high-order 16-bit pieces of the address, and the 'd's are
      the decimal values of the four low-order 8-bit pieces of the
      address (standard IPv4 representation).  Examples:

         0:0:0:0:0:0:13.1.68.3

         0:0:0:0:0:FFFF:129.144.52.38

      or in compressed form:

         ::13.1.68.3

         ::FFFF:129.144.52.38


 > 4. tackle ipV4address ranges using upper and lower limits, as opposed to a
 > subnet mask.

Where do people use ranges now?  Subnet masks are common in the
types of situations where you might want to limit access to
people coming from a particular subnet, and people know how to
state them and use them.

Using upper and lower limits makes arguments to functions more
complex: you now need two arguments (one upper and one lower) for
ranges.  With subnet masks, they are in a single argument.

Subnet masks also exist for ipv6, using exactly the same bit-wise
mask mechanism (see 2.5 Unicast Addresses on page 7 of
rfc2373.txt). I have not seen a standard format for them, but we
could assume they are /<mask>, where <mask> is in the same format
as IPv6 or combined IPv6/IPv4 addresses.

 > 5. simply use our existing regex-match function to match DNS names.

Fine.

 > 6. split URLs into three parts: a scheme part for which string-match will be
 > used; an authority part for which we will use either ipV4Address-match or
 > dnsName-match and a path part for which we will use the existing regex-match
 > function.  IP addresses will be distinguishable from DNS names because they
 > begin with a number.  Port number will be treated as part of the path and,
 > if it is missing, the default port number for the scheme will be inserted.

Fine.

 > The bit about distinguishing between IP address and DNS name is uncertain.
 > If anyone has a better idea, please let me know.

Your idea sounds fine.

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
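As an added illustration of the matching trade-offs discussed above (this is editor-supplied example code, not part of Anne's message or of any XACML specification text), the block below uses Python's standard `ipaddress` module to parse the RFC 2373 mixed IPv6/IPv4 forms quoted in the message, to compare a single-argument subnet-mask match with a two-argument upper/lower-limit match, and to show that an arbitrary lower..upper range may need several subnet blocks to express. The `looks_like_ip` helper is a hypothetical name chosen here; it decides whether a URL authority part is an IP address by attempting to parse it, which also covers IPv6 literals whose first character is a hex letter rather than a digit. All sample addresses are constructed for the example (RFC 2373 examples and documentation ranges).

```python
import ipaddress

# RFC 2373 section 2.2 example addresses, as quoted in the message (constructed test data).
RFC2373_MIXED_FORMS = [
    "0:0:0:0:0:0:13.1.68.3",
    "0:0:0:0:0:FFFF:129.144.52.38",
    "::13.1.68.3",
    "::FFFF:129.144.52.38",
]


def parse_host(text):
    """Parse an IPv4, IPv6, or mixed IPv6/IPv4 textual address.

    ipaddress.ip_address accepts both the uncompressed x:x:x:x:x:x:d.d.d.d form
    and the '::' compressed form, so one parser serves every RFC 2373 notation.
    """
    return ipaddress.ip_address(text)


def matches_subnet(addr_text, cidr_text):
    """Subnet-mask match: one argument (e.g. '192.0.2.0/24' or '2001:db8::/32').

    The same bit-wise mask mechanism works for IPv4 and IPv6; a version
    mismatch is simply 'no match' rather than an error.
    """
    addr = ipaddress.ip_address(addr_text)
    net = ipaddress.ip_network(cidr_text, strict=False)
    return addr.version == net.version and addr in net


def matches_range(addr_text, lower_text, upper_text):
    """Upper/lower-limit match: needs two bound arguments instead of one mask."""
    addr = ipaddress.ip_address(addr_text)
    lo = ipaddress.ip_address(lower_text)
    hi = ipaddress.ip_address(upper_text)
    if not (addr.version == lo.version == hi.version):
        return False
    return lo <= addr <= hi


def range_as_subnets(lower_text, upper_text):
    """Express a lower..upper range as the minimal list of CIDR blocks.

    Shows the asymmetry: every subnet is a range, but a range is in general
    several subnets, so policies written as ranges cannot always be rewritten
    as a single mask.
    """
    lo = ipaddress.ip_address(lower_text)
    hi = ipaddress.ip_address(upper_text)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def looks_like_ip(authority):
    """Decide whether a URL authority is an IP literal by parsing it.

    Parsing rather than checking for a leading digit also recognises IPv6
    literals that begin with a hex letter (hypothetical helper, not XACML API).
    """
    try:
        ipaddress.ip_address(authority)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for form in RFC2373_MIXED_FORMS:
        a = parse_host(form)
        print(f"{form:32} -> IPv{a.version} {a.exploded}")
    print(matches_subnet("192.0.2.17", "192.0.2.0/24"))
    print(matches_range("192.0.2.17", "192.0.2.0", "192.0.2.255"))
    print(range_as_subnets("192.0.2.10", "192.0.2.20"))
    print(looks_like_ip("fe80::1"), looks_like_ip("example.com"))
```

Running the block prints the four RFC 2373 forms in exploded IPv6 notation, a subnet match and a range match for the same address, the four CIDR blocks that cover 192.0.2.10 through 192.0.2.20, and the IP-versus-DNS decision for an IPv6 literal and a hostname.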