# File lib/aws/ec2/security_group.rb, line 202
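      # Builds the permission structure for a single protocol / port-range
      # rule from a mixed list of sources.
      #
      # @param protocol [#to_s] protocol name; stringified and lower-cased.
      # @param ports [Object] a single port or a collection of ports. The
      #   value is passed through +Array()+ and its first and last elements
      #   (converted with +to_i+) become +:from_port+ and +:to_port+.
      # @param sources [Array<String, SecurityGroup, Hash>] where traffic is
      #   allowed from. Strings go to +:ip_ranges+ as +:cidr_ip+ entries;
      #   SecurityGroup objects and hashes carrying +:group_id+ and
      #   +:user_id+ go to +:user_id_group_pairs+. The array is never
      #   modified by this method.
      # @return [Array<Hash>] a one-element array holding the permission hash.
      # @raise [ArgumentError] if a hash source lacks +:group_id+ or
      #   +:user_id+, or a source is of any other type.
      def format_permission protocol, ports, sources

        port_list = Array(ports)

        permission = {}
        permission[:ip_protocol] = protocol.to_s.downcase
        permission[:from_port] = port_list.first.to_i
        permission[:to_port] = port_list.last.to_i

        # SECURITY: an empty source list falls back to 0.0.0.0/0, so the rule
        # covers every IPv4 address. The fallback is kept because callers may
        # rely on it; pass explicit sources whenever the rule is meant to be
        # narrower than "anywhere".
        #
        # Rebind rather than append, so the caller's array is left untouched
        # (and a frozen array does not raise).
        sources = ['0.0.0.0/0'] if sources.empty?

        ip_ranges = []
        groups = []

        sources.each do |where|
          case where

          when String
            # NOTE: strings are forwarded as-is; this method does not check
            # that they are well-formed CIDR blocks.
            ip_ranges << where

          when SecurityGroup
            groups << {:group_id => where.id, :user_id => where.owner_id}

          when Hash
            unless where.key?(:group_id) && where.key?(:user_id)
              raise ArgumentError, 'invalid ingress ip permission, hashes ' +
               'must have :group_id and :user_id key/values'
            end
            groups << where

          else
            raise ArgumentError, 'invalid ingress ip permission, ' +
              'expected CIDR IP addres or SecurityGroup'
          end
        end

        # Only emit the keys that actually have entries.
        unless ip_ranges.empty?
          permission[:ip_ranges] = ip_ranges.map { |ip| { :cidr_ip => ip } }
        end

        permission[:user_id_group_pairs] = groups unless groups.empty?

        [permission]

      end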