[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Groups - DLP-NAC profile uploaded
1. The IP endpoint of some entity (like the subject or the resource)
2. The subnet of the said entity.

The former is an IP address with a netmask of /32 (which is commonly not spelled out in consumer/office grade user interfaces). The latter is an IP address with a netmask which is less than /32.

Shouldn't these be different XACML attributes? That would solve the ambiguity regarding the meaning of the netmask.

For instance, you could have a request like this:

Subject
  subject-ip-address = 123.123.123.123/32
  subject-subnet = 123.123.0.0/16
Resource
  resource-ip-address = 123.123.124.54/32
  resource-subnet = 123.123.0.0/16

To write a policy which permits the access if the subject and resource are on the same subnet, you would match the subject-subnet and resource-subnet attributes. Or perhaps the subject-ip-address against the resource-subnet.

You would not be matching the subject-ip-address with the resource-ip-address because they don't contain the required information. (Unless we change the meaning of the netmask in the ipAddress-value data type to mean the netmask of the subnet the IP is part of, but that is not consistent with the use of netmask /32 in firewalls, etc., as described by Bill.)

Bill, do I understand this correctly?

Best regards,
Erik

On 2014-03-20 21:35, Bill Parducci wrote:
> On Mar 20, 2014, at 1:25 PM, Hal Lockhart <hal.lockhart@oracle.com> wrote:
>> First of all, I don't believe a non-routing host needs to know the mask to send messages. It just puts them out on the adapter (LAN). The Gateway (router) on the LAN is supposed to forward the message if required, based on its knowledge of the subnetting.
>
> The "gateway" is the first hop in the route. Do `netstat -nr` on your workstation (or whatever Windows uses if you have that) to verify. This is why the "gateway" is also referred to as the "Default Route". The workstation will not converse with the Gateway if the destination IP address is within the range of the bound IP's netmask. In that case it will issue an ARP request and craft a packet using the MAC address of the responding device.
>
> b
>
>> Hal
>>
>> -----Original Message-----
>> From: Bill Parducci [mailto:bill@parducci.net]
>> Sent: Thursday, March 20, 2014 12:24 PM
>> To: Erik Rissanen
>> Cc: XACML TC
>> Subject: Re: [xacml] Groups - DLP-NAC profile uploaded
>>
>> On Mar 20, 2014, at 8:59 AM, Erik Rissanen <erik@axiomatics.com> wrote:
>>> Thanks Bill,
>>>
>>> That clarifies things. So what you are saying is that what we usually type in as a single IP, say 123.123.123.123, is actually shorthand for the actual meaning, 123.123.123.123/32?
>>
>> Pretty much. Every routing device/firewall I have been exposed to is rather picky about this :)
>>
>>> Does that mean that all instances of the ipAddress-value data type must have a mask of 32 (for IPv4), if they have the mask specified?
>>
>> That is my understanding. Given the sensitive nature of our space I believe that we should be as unambiguous as possible with this notation. While the two of us can agree upon what "192.168.1.1" means casually, there are literally millions of instances of that IP address out there and the only way to precisely define it is via a route from the current context (network). "/32" tells the router: "look for 192.168.1.1 HERE, do NOT explore beyond this subnet (make an ARP request ONLY)".
>>
>> Your workstation thinks of its IP address the same way; it will not reach out to the router if [IP Address] is bound to its card because it considers locally bound IPs as /32 "routes" (and its local stack is a "network", but I digress :).
>>
>>> Regarding when I said "... but an ipAddress-value does not have a portrange, it has a port", I was referring to a simple typo in the spec. It should say "Any _port_ values in either argument SHALL be ignored".
>>
>> Ah, got it. I still like your idea of port range inclusion and matching :)
>>
>> b

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
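Erik's proposal above, worked through as an added example (my code, not the TC's, the thread's or the DLP-NAC profile's): a host attribute that is always /32 and a separate subnet attribute, with the "same subnet" rule he sketches evaluated against his sample request. Assumptions: IPv4 only, CIDR prefix notation as used in the thread rather than the literal XACML ipAddress lexical form, and the attribute identifiers (`subject-ip-address`, `subject-subnet`, ...) are taken from Erik's illustration, not from any published profile.

```python
# Added example, not code from the XACML TC or the DLP-NAC profile.
# Assumes IPv4 and CIDR prefix notation ("a.b.c.d/len", as in the thread);
# an optional trailing ":port" is dropped, since the quoted spec text says
# port values are ignored when matching.
import ipaddress

# Attribute ids copied from Erik's sample request (illustrative, not normative).
SUBJECT_IP = "subject-ip-address"
SUBJECT_SUBNET = "subject-subnet"
RESOURCE_IP = "resource-ip-address"
RESOURCE_SUBNET = "resource-subnet"


def _strip_port(text):
    """Drop an optional ':port' suffix; ports play no part in address matching."""
    addr, _sep, _port = text.partition(":")
    return addr


def host_value(text):
    """Parse a host attribute. A bare address is shorthand for /32 (Bill's point);
    any other mask is rejected so a host value can never be read as a subnet."""
    net = ipaddress.IPv4Network(_strip_port(text), strict=False)
    if net.prefixlen != 32:
        raise ValueError(f"host attribute must be /32, got {text!r}")
    return net.network_address


def subnet_value(text):
    """Parse a subnet attribute. strict=True rejects values with host bits set
    below the mask (e.g. 123.123.123.123/16), the form whose meaning is ambiguous."""
    return ipaddress.IPv4Network(_strip_port(text), strict=True)


def is_ambiguous(text):
    """True for values like 123.123.123.123/16: a mask shorter than /32 on an
    address that is not the network address. Is it 'this host, inside a /16'
    or 'the /16 itself'? That is the ambiguity the two-attribute split removes."""
    addr = _strip_port(text)
    net = ipaddress.IPv4Network(addr, strict=False)
    host = ipaddress.IPv4Address(addr.split("/")[0])
    return net.prefixlen != 32 and host != net.network_address


def same_subnet(request):
    """Erik's first policy: match subject-subnet against resource-subnet."""
    return subnet_value(request[SUBJECT_SUBNET]) == subnet_value(request[RESOURCE_SUBNET])


def subject_in_resource_subnet(request):
    """Erik's alternative: match subject-ip-address against resource-subnet."""
    return host_value(request[SUBJECT_IP]) in subnet_value(request[RESOURCE_SUBNET])


def hosts_equal(request):
    """What comparing the two /32 values really tests: host identity, not
    co-location on a subnet. It cannot express 'same subnet' at all."""
    return host_value(request[SUBJECT_IP]) == host_value(request[RESOURCE_IP])


def decide(request):
    """Permit when subject and resource share a subnet, otherwise Deny."""
    return "Permit" if same_subnet(request) else "Deny"


# Constructed request, copied from Erik's example in the message above.
REQUEST = {
    SUBJECT_IP: "123.123.123.123/32",
    SUBJECT_SUBNET: "123.123.0.0/16",
    RESOURCE_IP: "123.123.124.54/32",
    RESOURCE_SUBNET: "123.123.0.0/16",
}

if __name__ == "__main__":
    print(decide(REQUEST))                      # Permit
    print(subject_in_resource_subnet(REQUEST))  # True
    print(hosts_equal(REQUEST))                 # False: different hosts, same /16
    print(is_ambiguous("123.123.123.123/16"))   # True: the form the thread argues about
```

The two parsers are deliberately strict in opposite directions: `host_value` refuses anything but /32, `subnet_value` refuses host bits under the mask, so a value like `123.123.123.123/16` is rejected by both rather than silently interpreted one way by one PDP and the other way by another.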