Subject: Re: [xacml] DLP/NAC Profile wd4
The part that threw me for a bit was the use of "ignore". The process is exact match in order, which had me thinking one way, then an exclusion that works in another.
Now that I get it, I have another question: do you intend to allow for sub-octet matching? Since we are in the realm of string matching this seems like something we should include. For example: ipAddressMatch(192.168.123.1*, 192.168.123.100) => TRUE ? If so, then I would like to suggest an alternate matching mechanism because the current description does not cover it ("1*" != "*"):
IPv4 Address String Matching
The value of each octet of the first argument SHALL have a value identical to that of the second argument, taken in network transmission order. The first argument may contain the wildcard characters "?" OR "*", where "?" represents all single numeric characters between 0 and 9 and "*" represents a set of all numeric characters between 0 and 9 AND "". Wildcards SHALL NOT cause an octet to exceed 3 characters in length, nor the numeric value to exceed 255.
10.10.10.1? explicitly represents these addresses: 10.10.10.10, 10.10.10.11, 10.10.10.12, 10.10.10.13, 10.10.10.14, 10.10.10.15, 10.10.10.16, 10.10.10.17, 10.10.10.18, 10.10.10.19 (NOT 10.10.10.1, NOR 10.10.10.100 through 10.10.10.199)
10.10.10.1* represents the series of numbers in the last octet from 10.10.10.1 to 10.10.10.199
10.10.*.1 represents the series of numbers in the third octet from 10.10.0.1 to 10.10.255.1
10.10.10.255* LEGAL (an artifact of matching. no real value because the ONLY match is 10.10.10.255)
10.* ILLEGAL (wildcards are implemented at the octet level only)
The thing I like about this approach is that it is a "positive" comparison in all cases and allows for more specific wildcard usage.
Note: this type of "homemade regex" does have its holes. For example, I arbitrarily chose a looser match for "*" than "?" because it makes sense to include 10.10.10.1 in "10.10.10.1*", but not in "10.10.10.1?" (because it does not match a contiguous range).
Does this make sense to others? If so, I can expand this to include IPv6. (I don't think we will be so lucky as to be able to munge the two types together without creating some crazy text due to the differences between the two specs...)
On Nov 19, 2013, at 8:21 AM, Hal Lockhart <firstname.lastname@example.org> wrote:
I added the IP Address and DNS Name datatypes and functions to the DLP profile as I described on the call last week.
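The octet-level wildcard scheme proposed above, written out as a runnable Python matcher. This is an added illustration, not code from the xacml list or from the DLP/NAC profile draft. It follows the proposed rules literally: "?" is exactly one digit, "*" is zero or more digits, wildcards never span a dot (so "10.*" is rejected as ILLEGAL), and the candidate octet must be at most three characters and at most 255. One assumption not stated in the message: address octets are taken in canonical decimal form, so "010" is rejected rather than treated as 10. The function names (ip_address_match, expand_octet, is_legal_pattern) are mine. expand_octet is included so the "1?" versus "1*" difference discussed in the note can be seen directly.

```python
import re

# Added example: octet-level wildcard matching as proposed on the xacml list.
# Rules implemented (from the proposal): "?" = one digit 0-9; "*" = zero or more
# digits; wildcards operate inside one octet only; a matched octet is at most
# 3 characters and at most 255.
# Assumption (not in the proposal): address octets are canonical decimal,
# i.e. no leading zeros except a lone "0".

_OCTET_PATTERN_CHARS = re.compile(r"[0-9?*]+")
_CANONICAL_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")


def _octet_pattern_to_regex(octet_pattern):
    """Translate one octet pattern such as '1?' or '25*' into a compiled regex."""
    if not _OCTET_PATTERN_CHARS.fullmatch(octet_pattern):
        raise ValueError("illegal octet pattern %r" % octet_pattern)
    parts = []
    for ch in octet_pattern:
        if ch == "?":
            parts.append("[0-9]")    # exactly one digit
        elif ch == "*":
            parts.append("[0-9]*")   # zero or more digits, including ""
        else:
            parts.append(ch)         # literal digit
    return re.compile("".join(parts))


def _check_octet(octet):
    """Validate a concrete address octet (3 chars max, <= 255) and return its value."""
    if not _CANONICAL_OCTET.fullmatch(octet):
        raise ValueError("%r is not a canonical IPv4 octet" % octet)
    value = int(octet)
    if value > 255:
        raise ValueError("octet %r exceeds 255" % octet)
    return value


def is_legal_pattern(pattern):
    """True if the pattern has exactly four octets, each made of digits, '?' or '*'."""
    octets = pattern.split(".")
    if len(octets) != 4:
        return False            # e.g. "10.*": wildcards are octet-level only
    try:
        for octet_pattern in octets:
            _octet_pattern_to_regex(octet_pattern)
    except ValueError:
        return False
    return True


def ip_address_match(pattern, address):
    """Match `address` against `pattern` octet by octet, in transmission order.

    Raises ValueError for an ILLEGAL pattern (wrong octet count or bad characters)
    or for a malformed address; returns False for a well-formed non-match.
    """
    if not is_legal_pattern(pattern):
        raise ValueError("ILLEGAL pattern %r" % pattern)
    address_octets = address.split(".")
    if len(address_octets) != 4:
        raise ValueError("address %r needs four octets" % address)
    for pat, octet in zip(pattern.split("."), address_octets):
        _check_octet(octet)     # enforces the 3-character / 255 limits
        if not _octet_pattern_to_regex(pat).fullmatch(octet):
            return False
    return True


def expand_octet(octet_pattern):
    """Every octet value 0..255 that one octet pattern accepts, ascending."""
    regex = _octet_pattern_to_regex(octet_pattern)
    return [n for n in range(256) if regex.fullmatch(str(n))]


if __name__ == "__main__":
    # The cases from the proposal, worked through the matcher.
    print(ip_address_match("192.168.123.1*", "192.168.123.100"))
    print(expand_octet("1?"))      # 10..19: excludes 1 and 100..199
    print(expand_octet("1*"))      # 1, 10..19, 100..199
    print(expand_octet("255*"))    # only 255 survives the <= 255 rule
    print(is_legal_pattern("10.10.10.255*"), is_legal_pattern("10.*"))
```

Because validation of the 255 limit happens on the candidate octet rather than inside the pattern, "255*" is accepted as the proposal says and simply matches nothing beyond 255; a policy author who wants the spec's "LEGAL but pointless" patterns flagged can call expand_octet on each octet and warn when it returns a single value.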