--- 1/draft-ietf-radext-filter-02.txt 2006-10-20 22:12:32.000000000 +0200 +++ 2/draft-ietf-radext-filter-03.txt 2006-10-20 22:12:32.000000000 +0200 @@ -1,16 +1,16 @@ Network Working Group Paul Congdon INTERNET-DRAFT Mauricio Sanchez Category: Proposed Standard Hewlett-Packard Company - Bernard Aboba -1 October 2006 Microsoft Corporation + Bernard Aboba +4 October 2006 Microsoft Corporation RADIUS Filter Rule Attribute By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -21,21 +21,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on April 10, 2007. + This Internet-Draft will expire on May 10, 2007. Copyright Notice Copyright (C) The Internet Society 2006. Abstract This document defines the NAS-Filter-Rule attribute within the Remote Authentication Dial In User Service (RADIUS), equivalent to the Diameter NAS-Filter-Rule AVP described in RFC 4005. 
@@ -117,26 +117,26 @@ Zero or more NAS-Filter-Rule attributes MAY be sent in Access- Accept, CoA-Request, or Accounting-Request packets. The NAS-Filter-Rule attribute is not intended to be used concurrently with any other filter rule attribute, including Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes, and SHOULD NOT appear in the same RADIUS packet. If a Filter-Id attribute is present, then implementations of this specification MUST silently discard NAS-Filter-Rule attributes, if present. - Where more than one NAS-Filter-Rule attribute with the same non- - zero Tag field value is included in a RADIUS packet, the String - field of the attributes are to be concatenated to form a single - filter. As noted in [RFC2865] Section 2.3, "the forwarding server - MUST NOT change the order of any attributes of the same type", so - that RADIUS proxies will not reorder NAS-Filter-Rule attributes. + Where adjacent NAS-Filter-Rule attributes with the same non-zero + Tag field value are included in a RADIUS packet, the String field + of the attributes are to be concatenated to form a single filter. + As noted in [RFC2865] Section 2.3, "the forwarding server MUST NOT + change the order of any attributes of the same type", so that + RADIUS proxies will not reorder NAS-Filter-Rule attributes. A summary of the NAS-Filter-Rule Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Tag | String... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
@@ -145,39 +145,42 @@ TBD Length >=4 Tag The Tag field is used to identify the filter rule that is represented; the length of the Tag field is one octet and it MUST - always be present. The Tag field value MUST be in the range - 0x01-0x3F; NAS-Filter-Rule attributes with a Tag field value of - 0x00 are ignored upon receipt. + always be present. Where a single filter rule is less than or equal to 252 octets in - length, it MUST be encoded with a tag value of '0' (0x30) and MUST - NOT be split between multiple NAS-Filter-Rule attributes. Where a - single filter rule is split into multiple NAS-Filter-Rule - attributes, the attributes SHOULD be sent consecutively, without - intervening attributes with another Tag field value. On receipt, - attributes with a Tag value of '0' (0x30) MUST NOT be concatenated - to form a single filter rule. + length, it MUST be encoded with a Tag field value of zero (0) and + MUST NOT be split between multiple NAS-Filter-Rule attributes. On + receipt, attributes with a Tag field value of zero (0) MUST NOT be + concatenated to form a single filter rule. Where a single filter rule exceeds 252 octets in length, the rule MUST be encoded across multiple NAS-Filter-Rule attributes, each - with the same Tag value which MUST NOT be '0' (0x30). Tag values - MUST be unique for each filter rule present in a RADIUS packet - with the exception of a Tag value of '0' (0x30), which may be used - in multiple attributes, each describing a single filter rule. + with the same Tag value which MUST be in the range 0x01 - 0x3F. + + NAS-Filter-Rule attributes comprising a single filter rule MUST be + sent consecutively, without intervening attributes with another + Tag field value. The Tag field value of 0xFF is reserved and NAS- + Filter-Rule attributes containing this Tag field value should be + ignored upon receipt. 
+ + Adjacent filter rules exceeding 252 octets in length MUST be + encoded with different non-zero Tag field values; however, the Tag + field value used for a given filter rule need not be unique within + the entire RADIUS packet. String The String field is one or more octets. It contains filter rules in the IPFilterRule syntax defined in [RFC3588] Section 4.3. A robust implementation SHOULD support the field as undistinguished octets. 3. Table of Attributes
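Review bot: In the first hunk (@@ -1,16), the new expiration date does not match the new submission date: the header now reads "4 October 2006" but the expiry line was moved from April 10, 2007 to May 10, 2007, which is over seven months out, while an Internet-Draft is valid for at most six months after submission. The line should read something like "This Internet-Draft will expire on April 4, 2007." (the old April 10 value did not line up with the old 1 October date either, so this looks like a tooling artifact worth checking before the next revision).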
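Review bot: In the second hunk (@@ -117,26), the rewritten concatenation rule now applies only to "adjacent" NAS-Filter-Rule attributes with the same non-zero Tag, but the justification it keeps ("the forwarding server MUST NOT change the order of any attributes of the same type", [RFC2865] Section 2.3) only guarantees relative order, not adjacency, and the text does not say what a receiver does when two attributes carrying the same Tag are separated by an attribute with a different Tag. Since the same hunk series later allows a Tag value to be reused within one packet, a receiver has to decide whether a non-adjacent repeat starts a new rule or is an error; suggest stating that explicitly, e.g. "A NAS-Filter-Rule attribute whose Tag field value differs from that of the preceding NAS-Filter-Rule attribute begins a new filter rule." The hunk is also asymmetric on coexistence: if Filter-Id is present the NAS-Filter-Rule attributes "MUST silently discard", but for NAS-Traffic-Rule there is only a "SHOULD NOT appear in the same RADIUS packet" with no receiver behavior defined, so two implementations can legitimately apply different filter sets to the same Access-Accept; either give NAS-Traffic-Rule the same receiver rule or say which attribute wins.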
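Review bot: In the third hunk (@@ -145,39), the Tag value space is now only partially specified and the receiver rule for out-of-range values was dropped. The old text required the Tag to be in 0x01-0x3F and said 0x00 is "ignored upon receipt"; the new text assigns zero to unsplit rules, 0x01-0x3F to split rules and reserves 0xFF, but says nothing about 0x40-0xFE, so a receiver has no defined behavior for those values. Suggest one sentence covering the whole range, e.g. "NAS-Filter-Rule attributes with a Tag field value outside the range 0x00 - 0x3F MUST be ignored upon receipt." Related: "should be ignored upon receipt" for 0xFF is lowercase in a document that otherwise uses RFC 2119 keywords; make it "MUST" or "SHOULD" so the requirement level is unambiguous. Note also that the removed "SHOULD be sent consecutively" came back as "MUST be sent consecutively" in the new paragraph; if that upgrade is intentional it deserves a mention in the change log, since it makes any proxy that inserts an attribute between fragments non-compliant.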