
Condition and Action Security Capabilities operators

System validation

regard the definition of a Security Association (SA) or a Security Policy (SP). For this reason, the ruleType attribute describes XFRM rules and lets the NSF Translator understand whether a rule regards an SA or an SP. As a consequence, the ruleAttributeDetails node of NSFPolicyDetails tells the NSF Translator how to handle an SA or an SP rule: it stores the strings to be substituted when the SA or SP rule type is defined. For XFRM low-level rules, the strings state and policy have to be used, respectively.

<nsfPolicyDetails>
  <ruleStart>ip xfrm</ruleStart>
  <policyAttribute>
    <attributeName>ipSecAction</attributeName>
  </policyAttribute>
  <ruleAttribute>
    <attributeName>ruleType</attributeName>
  </ruleAttribute>
  <ruleAttributeDetails ref="ruleType">
    <mappingDetails>
      <key>SecurityAssociation</key>
      <value>state</value>
    </mappingDetails>
    <mappingDetails>
      <key>SecurityPolicy</key>
      <value>policy</value>
    </mappingDetails>
  </ruleAttributeDetails>
  <defaultSecurityCapability>
    ipSecRuleTypeActionCapability
  </defaultSecurityCapability>
</nsfPolicyDetails>

Listing 6.8: NSFPolicyDetails for XFRM

6.2 Condition and Action Security Capabilities


Operator     Value type                    Security Capability
exactMatch   Integer, string, IPAddress    Condition, Action
union        Integer, string, IPAddress    Condition
range        Integer, IPAddress            Condition
rangeMask    IPAddress                     Condition
rangeCIDR    IPAddress                     Condition
proposal     String                        Action

Table 6.1: Available Security Capability operators

In the following, more details about each operator:

• The exactMatch operator is used when a single value is provided for a Condition or Action Security Capability. It supports the integer, string, and IPAddress types.

• The union operator is used when a set of values is provided for a Condition Security Capability. It supports the integer, string, and IPAddress types.

• The range operator is used when a start value and an end value are provided for a Condition Security Capability. It supports the integer and IPAddress types.

• The rangeMask operator is used to provide, as a Condition Security Capability value, an IPAddress in the format x.x.x.x/x.x.x.x, where x is a decimal value between 0 and 255.

• The rangeCIDR operator is used to provide, as a Condition Security Capability value, an IPAddress in the format x.x.x.x/y, where x is a decimal value between 0 and 255 and y is a decimal value between 0 and 32.

• The proposal operator is used to provide, as an Action Security Capability value, a set of strings representing the desired encryption algorithms for IPSec operations.
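The constraints of Table 6.1 and the bullet list above can be turned into a validation step that runs before translation, so that an abstract rule with an operator, value type or value shape the capability does not admit is rejected early instead of producing a malformed low-level rule. The following Python is an added example written for this page, not code from the NSF Translator project; the value shapes (scalar for exactMatch, list for union and proposal, (start, end) tuple for range, "addr/mask" and "addr/prefix" strings for rangeMask and rangeCIDR) and the function names are assumptions made here.

```python
import ipaddress

# Table 6.1 encoded as data (added example, not the NSF Translator's own code):
# operator -> (accepted value types, Security Capability kinds it may appear in).
OPERATORS = {
    "exactMatch": ({"integer", "string", "IPAddress"}, {"Condition", "Action"}),
    "union":      ({"integer", "string", "IPAddress"}, {"Condition"}),
    "range":      ({"integer", "IPAddress"},           {"Condition"}),
    "rangeMask":  ({"IPAddress"},                      {"Condition"}),
    "rangeCIDR":  ({"IPAddress"},                      {"Condition"}),
    "proposal":   ({"string"},                         {"Action"}),
}


def _is_scalar(value_type, v):
    """Check one element against the declared value type."""
    if value_type == "integer":
        return isinstance(v, int) and not isinstance(v, bool)
    if value_type == "string":
        return isinstance(v, str) and v != ""
    if value_type == "IPAddress":
        # Dotted quad with every x between 0 and 255; ipaddress rejects anything else.
        if not isinstance(v, str):
            return False
        try:
            ipaddress.IPv4Address(v)
            return True
        except ValueError:
            return False
    return False


def validate(operator, value_type, capability_kind, value):
    """Return True if (operator, value_type, kind, value) is consistent with Table 6.1.

    Value shapes (assumed for this example): exactMatch -> scalar, union/proposal
    -> non-empty list of scalars, range -> (start, end) tuple, rangeMask and
    rangeCIDR -> string "x.x.x.x/x.x.x.x" or "x.x.x.x/y".
    """
    if operator not in OPERATORS:
        return False
    types, kinds = OPERATORS[operator]
    if value_type not in types or capability_kind not in kinds:
        return False

    if operator == "exactMatch":
        return _is_scalar(value_type, value)

    if operator in ("union", "proposal"):
        return (isinstance(value, list) and len(value) > 0
                and all(_is_scalar(value_type, v) for v in value))

    if operator == "range":
        if not (isinstance(value, tuple) and len(value) == 2
                and all(_is_scalar(value_type, v) for v in value)):
            return False
        start, end = value
        if value_type == "IPAddress":
            start, end = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        return start <= end   # an empty or inverted range is rejected

    if operator == "rangeMask":
        if not isinstance(value, str) or value.count("/") != 1:
            return False
        addr, mask = value.split("/")
        # The page only requires each octet of the mask to be between 0 and 255.
        return _is_scalar("IPAddress", addr) and _is_scalar("IPAddress", mask)

    if operator == "rangeCIDR":
        if not isinstance(value, str) or value.count("/") != 1:
            return False
        addr, prefix = value.split("/")
        return (_is_scalar("IPAddress", addr)
                and prefix.isdigit() and 0 <= int(prefix) <= 32)

    return False
```

The check is deliberately table-driven: adding an operator or allowing a new value type for an existing one is a one-line change to OPERATORS rather than a new branch, which keeps the validator in step with the capability definitions the translator reads.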

Section 6.2.1 shows an example of how the integer-based operators work.

In particular, it describes how the expansion mechanism works. For the sake of readability, IP-based operators are omitted.

6.2.1 IpTables SourcePortConditionCapability

SourcePortConditionCapability for IpTables requires the user to provide integer values representing TCP ports. This Security Capability supports the exactMatch, union, and range operators, as can be seen in Listing 6.9 and Listing 6.10 (the exactMatch bodyConcatenator is omitted).

The union operator uses "," to concatenate the single values and/or range values that the user provides in order to represent TCP ports.


<bodyConcatenator>
  <operatorType>union</operatorType>
  <realConcatenator>,</realConcatenator>
  <concatenatorCondition>
    <preVariable>elementRange</preVariable>
    <postVariable>elementValue</postVariable>
  </concatenatorCondition>
  <newCommandName>
    <realCommandName>-m multiport --sports</realCommandName>
  </newCommandName>
  ...
  ...
</bodyConcatenator>

Listing 6.9: Union bodyConcatenator for SourcePortConditionCapability

The range operator uses ":" to concatenate the start and end values of the range that the user provides in order to represent TCP ports.

<bodyConcatenator>
  <operatorType>range</operatorType>
  <realConcatenator>:</realConcatenator>
  <concatenatorCondition>
    <preVariable>start</preVariable>
    <postVariable>end</postVariable>
  </concatenatorCondition>
  <newCommandName>
    <realCommandName>-m multiport --sports</realCommandName>
  </newCommandName>
  ...
  ...
</bodyConcatenator>

Listing 6.10: Range bodyConcatenator for SourcePortConditionCapability

In both cases, it is specified that the Security Capability command name has to be translated according to the specific operator.

SourcePortConditionCapability values can be provided using one of the formats shown in the following listings. By default, SourcePortConditionCapability supports the operators mentioned above. Nonetheless, the expansion mechanism is demonstrated too.

When the operator used within the Abstract Language rule is not supported, the NSF Translator still allows the user to use it, and no error occurs during the translation: the NSF Translator expands the operator used into one of the operators available for the Security Capability.

Exact match operator

For the exactMatch operator, no expansion is needed, since the framework requires every available Security Capability to support it. Listing 6.11 and Listing 6.12 show how the exactMatch operator is translated.

<sourcePortConditionCapability operator="exactMatch">
  <capabilityValue>
    <exactMatch>
      80
    </exactMatch>
  </capabilityValue>
</sourcePortConditionCapability>

Listing 6.11: Abstract language rule using exactMatch

--sport 80

Listing 6.12: Low level rule using exactMatch

Union operator

Listing 6.13 shows how the union operator is used within the abstract language rule.

Listing 6.14 represents the case in which the union operator is supported, and Listing 6.15 the case in which union is not supported, so the expansion toward exactMatch has to be performed.

<sourcePortConditionCapability operator="union">
  <capabilityValue>
    <union>
      <elementValue>10</elementValue>
      <elementValue>20</elementValue>
      <elementValue>30</elementValue>
    </union>
  </capabilityValue>
</sourcePortConditionCapability>

Listing 6.13: Abstract language rule using union

-m multiport --sport 10,20,30

Listing 6.14: Low level rule using union

--sport 10 --sport 20 --sport 30

Listing 6.15: Low level rule expansion from union to exactMatch


Range operator

Listing 6.16 shows how the range operator is used within the abstract language rule, and Listing 6.17 represents the case in which the range operator is supported. Listing 6.18 describes the case in which range is not supported but union is, hence the expansion toward union has to be performed; Listing 6.19 describes the case in which neither range nor union is supported, so the expansion toward exactMatch has to be performed.

<sourcePortConditionCapability operator="range">
  <capabilityValue>
    <range>
      <start>30</start>
      <end>35</end>
    </range>
  </capabilityValue>
</sourcePortConditionCapability>

Listing 6.16: Abstract language rule using range

-m multiport --sport 30:35

Listing 6.17: Low level rule using range

-m multiport --sport 30,31,32,33,34,35

Listing 6.18: Low level rule expansion from range to union

--sport 30 --sport 31 ... --sport 35

Listing 6.19: Low level rule expansion from range to exactMatch
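The expansion mechanism of Listings 6.13 to 6.19 can be expressed as a single translation routine: the bodyConcatenator for each supported operator supplies the realConcatenator and realCommandName, and when the requested operator is missing the translator walks range -> union -> exactMatch until it finds one the capability supports, rewriting the value on the way (a range is enumerated into a union, a union is split into one exactMatch per element). The following Python is an added example written for this page, not the NSF Translator's code; the class and function names are assumptions, the exactMatch bodyConcatenator (omitted on the page) is assumed to carry the command name of Listing 6.12, and the union and range command names are taken from Listings 6.9 and 6.10.

```python
from dataclasses import dataclass
from typing import Dict

# Expansion always moves toward a simpler operator (Listings 6.15, 6.18, 6.19):
# range -> union -> exactMatch, and every capability supports exactMatch.
EXPANSION_ORDER = ["range", "union", "exactMatch"]


@dataclass(frozen=True)
class BodyConcatenator:
    """Mirror of the bodyConcatenator listing: operatorType, realConcatenator, realCommandName."""
    operator_type: str
    real_concatenator: str   # "," for union, ":" for range, unused for exactMatch
    real_command_name: str   # low-level command name emitted for this operator


@dataclass(frozen=True)
class SecurityCapability:
    name: str
    concatenators: Dict[str, BodyConcatenator]   # operatorType -> bodyConcatenator

    def supports(self, operator):
        return operator in self.concatenators

    def restricted_to(self, *operators):
        """Copy of this capability supporting only the given operators (to demonstrate expansion)."""
        kept = {o: c for o, c in self.concatenators.items() if o in operators}
        return SecurityCapability(self.name, kept)


# Constructed from Listings 6.9-6.12 (the exactMatch entry is omitted on the page and assumed here).
SOURCE_PORT = SecurityCapability("SourcePortConditionCapability", {
    "exactMatch": BodyConcatenator("exactMatch", "", "--sport"),
    "union":      BodyConcatenator("union", ",", "-m multiport --sports"),
    "range":      BodyConcatenator("range", ":", "-m multiport --sports"),
})


def translate(cap, operator, value):
    """Translate one abstract rule value into a low-level fragment.

    If `cap` does not support `operator`, walk EXPANSION_ORDER toward exactMatch
    until a supported operator is found and rewrite the value for it.
    """
    if operator not in EXPANSION_ORDER:
        raise ValueError(f"unknown operator {operator!r}")
    for target in EXPANSION_ORDER[EXPANSION_ORDER.index(operator):]:
        if cap.supports(target):
            return _emit(cap.concatenators[target], _expand(operator, target, value))
    raise ValueError(f"{cap.name} supports none of {EXPANSION_ORDER}")


def _expand(src, dst, value):
    """Rewrite `value` from the shape of operator src to the shape operator dst expects."""
    if src == dst:
        return value
    if src == "range":                       # range -> union: enumerate every port
        start, end = value
        if end < start:
            raise ValueError("range end precedes start")
        return list(range(start, end + 1))   # a list also serves exactMatch (one command per element)
    return value                             # union -> exactMatch: the element list is reused as-is


def _emit(bc, value):
    """Join the value with the realConcatenator and prefix the realCommandName."""
    if bc.operator_type == "exactMatch":
        values = value if isinstance(value, list) else [value]
        return " ".join(f"{bc.real_command_name} {v}" for v in values)
    if bc.operator_type == "union":
        return f"{bc.real_command_name} {bc.real_concatenator.join(str(v) for v in value)}"
    start, end = value                       # range
    return f"{bc.real_command_name} {start}{bc.real_concatenator}{end}"


if __name__ == "__main__":
    print(translate(SOURCE_PORT, "range", (30, 35)))
    print(translate(SOURCE_PORT.restricted_to("exactMatch"), "range", (30, 35)))
```

Because the expansion enumerates a range into individual ports, a wide range against a capability that only supports exactMatch produces one command per port; the inverted-range check in `_expand` is the one validation step worth keeping even when the abstract rule has already been checked, since an empty enumeration would silently yield a rule that matches nothing.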
