draft-ietf-radext-filter-05.txt | draft-ietf-radext-filter-06.txt | |||
---|---|---|---|---|
Network Working Group Paul Congdon | Network Working Group Paul Congdon | |||
INTERNET-DRAFT Mauricio Sanchez | INTERNET-DRAFT Mauricio Sanchez | |||
Category: Proposed Standard Hewlett-Packard Company | Category: Proposed Standard Hewlett-Packard Company | |||
<draft-ietf-radext-filter-05.txt> Bernard Aboba | <draft-ietf-radext-filter-06.txt> Bernard Aboba | |||
7 November 2006 Microsoft Corporation | 1 December 2006 Microsoft Corporation | |||
RADIUS Filter Rule Attribute | RADIUS Filter Rule Attribute | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
skipping to change at page 1, line 40 | skipping to change at page 1, line 40 | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on May 10, 2007. | This Internet-Draft will expire on May 10, 2007. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The IETF Trust (2006). All rights reserved. | Copyright (C) The IETF Trust (2006). All rights reserved. | |||
Abstract | Abstract | |||
This document defines the NAS-Filter-Rule attribute within the Remote | While RFC 2865 defines the Filter-Id attribute, this requires that | |||
Authentication Dial In User Service (RADIUS). This attribute is | the Network Access Server (NAS) be pre-populated with the desired | |||
based on the Diameter NAS-Filter-Rule AVP described in RFC 4005. | filters. However, in situations where the server operator does not | |||
know which filters have been pre-populated, it useful to specify | ||||
filter rules explicitly. This document defines the NAS-Filter-Rule | ||||
attribute within the Remote Authentication Dial In User Service | ||||
(RADIUS). This attribute is based on the Diameter NAS-Filter-Rule | ||||
Attribute Value Pair (AVP) described in RFC 4005, and the | ||||
IPFilterRule syntax defined in RFC 3588. | ||||
Table of Contents | Table of Contents | |||
1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
1.1 Terminology ..................................... 3 | 1.1 Terminology ..................................... 3 | |||
1.2 Requirements Language ........................... 3 | 1.2 Requirements Language ........................... 3 | |||
1.3 Attribute Interpretation ........................ 3 | 1.3 Attribute Interpretation ........................ 3 | |||
2. NAS-Filter-Rule Attribute ............................. 4 | 2. NAS-Filter-Rule Attribute ............................. 4 | |||
3. Table of Attributes ................................... 5 | 3. Table of Attributes ................................... 5 | |||
4. Diameter Considerations ............................... 5 | 4. Diameter Considerations ............................... 5 | |||
5. IANA Considerations ................................... 6 | 5. IANA Considerations ................................... 6 | |||
6. Security Considerations ............................... 6 | 6. Security Considerations ............................... 6 | |||
7. References ............................................ 6 | 7. References ............................................ 7 | |||
7.1 Normative References ............................ 6 | 7.1 Normative References ............................ 7 | |||
7.2 Informative References .......................... 7 | 7.2 Informative References .......................... 7 | |||
ACKNOWLEDGMENTS .............................................. 7 | ACKNOWLEDGMENTS .............................................. 7 | |||
AUTHORS' ADDRESSES ........................................... 8 | AUTHORS' ADDRESSES ........................................... 8 | |||
Intellectual Property Statement............................... 9 | Intellectual Property Statement............................... 9 | |||
Disclaimer of Validity........................................ 9 | Disclaimer of Validity........................................ 9 | |||
Full Copyright Statement ..................................... 9 | Full Copyright Statement ..................................... 9 | |||
1. Introduction | 1. Introduction | |||
This document defines the NAS-Filter-Rule attribute within the Remote | This document defines the NAS-Filter-Rule attribute within the Remote | |||
Authentication Dialin User Service (RADIUS) which has the same | Authentication Dialin User Service (RADIUS). This attribute has the | |||
functionality as the Diameter NAS-Filter-Rule AVP (400) defined in | same functionality as the Diameter NAS-Filter-Rule AVP (400) defined | |||
[RFC4005] Section 6.6. This attribute may prove useful for | in [RFC4005] Section 6.6 and the same syntax as an IPFilterRule | |||
provisioning of filter rules. | defined in [RFC3588] Section 4.3. This attribute may prove useful | |||
for provisioning of filter rules. | ||||
While [RFC2865] Section 5.11 defines the Filter-Id attribute (11), | While [RFC2865] Section 5.11 defines the Filter-Id attribute (11), | |||
this requires that the NAS be pre-populated with the desired filters. | this requires that the Network Access Server (NAS) be pre-populated | |||
However, in situations where the server operator does not know which | with the desired filters. However, in situations where the server | |||
filters have been pre-populated, it useful to specify filter rules | operator does not know which filters have been pre-populated, it | |||
explicitly. | useful to specify filter rules explicitly. | |||
1.1. Terminology | 1.1. Terminology | |||
This document uses the following terms: | This document uses the following terms: | |||
Network Access Server (NAS) | Network Access Server (NAS) | |||
A device that provides an access service for a user to a network. | A device that provides an access service for a user to a network. | |||
RADIUS server | RADIUS server | |||
A RADIUS authentication server is an entity that provides an | A RADIUS authentication server is an entity that provides an | |||
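Review bot: the sentence that -06 copies into the new Abstract ("it useful to specify filter rules explicitly") carries the same missing verb as the Introduction, which still reads "it useful" in both columns; both places should read "it is useful to specify filter rules explicitly". Separately, the expiration date ("This Internet-Draft will expire on May 10, 2007.") was left unchanged although the submission date moved from 7 November to 1 December 2006; an Internet-Draft expires six months (185 days) after submission, so -06 should carry an expiry in early June 2007, not the date computed for -05.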
skipping to change at page 4, line 16 | skipping to change at page 4, line 17 | |||
2. NAS-Filter-Rule Attribute | 2. NAS-Filter-Rule Attribute | |||
Description | Description | |||
This attribute indicates filter rules to be applied for this user. | This attribute indicates filter rules to be applied for this user. | |||
Zero or more NAS-Filter-Rule attributes MAY be sent in Access- | Zero or more NAS-Filter-Rule attributes MAY be sent in Access- | |||
Accept, CoA-Request, or Accounting-Request packets. | Accept, CoA-Request, or Accounting-Request packets. | |||
The NAS-Filter-Rule attribute is not intended to be used | The NAS-Filter-Rule attribute is not intended to be used | |||
concurrently with any other filter rule attribute, including | concurrently with any other filter rule attribute, including | |||
Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes, and MUST | Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes. NAS- | |||
NOT appear in the same RADIUS packet. If a Filter-Id or NAS- | Filter-Rule and NAS-Traffic-Rule attributes MUST NOT appear in the | |||
Traffic-Rule attribute is present, then implementations of this | same RADIUS packet. If a NAS-Traffic-Rule attribute is present, a | |||
specification MUST silently discard NAS-Filter-Rule attributes, if | NAS implementing this specification MUST silently discard NAS- | |||
present. | Filter-Rule attributes, if present. Filter-Id and NAS-Filter-Rule | |||
attributes SHOULD NOT appear in the same RADIUS packet. Given the | ||||
absence in [RFC4005] of well-defined precedence rules for | ||||
combining Filter-Id and NAS-Filter-Rule attributes into a single | ||||
rule set, the behavior of NASes receiving both attributes is | ||||
undefined, and therefore a RADIUS server implementation cannot | ||||
assume a consistent behavior. | ||||
Where multiple NAS-Filter-Rule attributes are included in a RADIUS | Where multiple NAS-Filter-Rule attributes are included in a RADIUS | |||
packet, the String field of the attributes are to be concatenated | packet, the String field of the attributes are to be concatenated | |||
to form a set of filter rules. As noted in [RFC2865] Section 2.3, | to form a set of filter rules. As noted in [RFC2865] Section 2.3, | |||
"the forwarding server MUST NOT change the order of any attributes | "the forwarding server MUST NOT change the order of any attributes | |||
of the same type", so that RADIUS proxies will not reorder NAS- | of the same type", so that RADIUS proxies will not reorder NAS- | |||
Filter-Rule attributes. | Filter-Rule attributes. | |||
A summary of the NAS-Filter-Rule Attribute format is shown below. | A summary of the NAS-Filter-Rule Attribute format is shown below. | |||
The fields are transmitted from left to right. | The fields are transmitted from left to right. | |||
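Review bot: the -06 relaxation of the Filter-Id rule leaves the enforced policy undefined exactly where it matters. The -05 text required a NAS to silently discard NAS-Filter-Rule whenever Filter-Id was present; the new text only says the two "SHOULD NOT appear in the same RADIUS packet" and that "the behavior of NASes receiving both attributes is undefined". A NAS that receives both may therefore apply the named filter, the explicit rule set, both, or neither, so an Access-Accept carrying both could grant more access than either filter alone was meant to permit. Since the draft itself concedes that a RADIUS server "cannot assume a consistent behavior", the section should pick one deterministic outcome: keep the -05 precedence (discard NAS-Filter-Rule when Filter-Id is present), define the opposite precedence, or require a NAS that cannot combine the two to fail closed by applying neither and not granting the session, rather than leaving the result to the implementation. The silent-discard rule for NAS-Traffic-Rule has the same weakness in a milder form: a server that mistakenly sends both gets no signal that its NAS-Filter-Rule attributes were dropped, so a sentence telling server implementers not to expect them to be honoured in that case would help operators debug a missing filter.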
skipping to change at page 5, line 24 | skipping to change at page 5, line 30 | |||
then splitting individual filter rules with the the NUL octet | then splitting individual filter rules with the the NUL octet | |||
(0x00) as a delimeter. | (0x00) as a delimeter. | |||
3. Table of Attributes | 3. Table of Attributes | |||
The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
in which kinds of packets, and in what quantity. | in which kinds of packets, and in what quantity. | |||
Access- Access- Access- Access- CoA- Acct- | Access- Access- Access- Access- CoA- Acct- | |||
Request Accept Reject Challenge Req Req # Attribute | Request Accept Reject Challenge Req Req # Attribute | |||
0 0+ 0 0 0+ 0+ TBD NAS-Filter-Rule [Note 1] | 0 0+ 0 0 0+ 0+ TBD NAS-Filter-Rule | |||
The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
0 This attribute MUST NOT be present in the packet. | 0 This attribute MUST NOT be present in the packet. | |||
0+ Zero or more instances of this attribute MAY be | 0+ Zero or more instances of this attribute MAY be | |||
present in the packet. | present in the packet. | |||
0-1 Zero or one instance of this attribute MAY be | 0-1 Zero or one instance of this attribute MAY be | |||
present in the packet. | present in the packet. | |||
[Note 1]: NAS-Filter-Rule is precluded from appearing in a packet if a | ||||
Filter-Id or NAS-Traffic-Rule attribute is present. | ||||
4. Diameter Considerations | 4. Diameter Considerations | |||
[RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the | [RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the | |||
same functionality as the RADIUS NAS-Filter-Rule attribute. In order | same functionality as the RADIUS NAS-Filter-Rule attribute. In order | |||
to support interoperability, Diameter/RADIUS gateways will need to be | to support interoperability, Diameter/RADIUS gateways will need to be | |||
configured to translate RADIUS attribute TBD to Diameter AVP 400 and | configured to translate RADIUS attribute TBD to Diameter AVP 400 and | |||
vice-versa. | vice-versa. | |||
When translating Diameter NAS-Filter-Rule AVPs to RADIUS NAS-Filter- | When translating Diameter NAS-Filter-Rule AVPs to RADIUS NAS-Filter- | |||
Rule attributes, the set of NAS-Filter-Rule attributes is created by | Rule attributes, the set of NAS-Filter-Rule attributes is created by | |||
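Review bot: dropping [Note 1] from the Table of Attributes removes the only place the table recorded that NAS-Filter-Rule is precluded when a NAS-Traffic-Rule attribute is present, yet Section 2 of -06 still says the two "MUST NOT appear in the same RADIUS packet". The note should be narrowed rather than deleted, for example "[Note 1]: NAS-Filter-Rule MUST NOT appear in a packet containing a NAS-Traffic-Rule attribute, and SHOULD NOT appear with Filter-Id", so that the table and Section 2 agree. Two typos survive unchanged in both columns just above the table: "with the the NUL octet" has a doubled "the", and "delimeter" should be "delimiter". The attribute number is still TBD both in the table and in Section 4; that is fine for a draft, but the two spots must be updated together once IANA assigns the value.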
skipping to change at page 7, line 46 | skipping to change at page 7, line 47 | |||
Usage Guidelines", RFC3580, September 2003. | Usage Guidelines", RFC3580, September 2003. | |||
[Traffic] Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba, | [Traffic] Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba, | |||
"RADIUS Attributes for Filtering and Redirection", Internet | "RADIUS Attributes for Filtering and Redirection", Internet | |||
draft (work in progress), draft-ietf-radext-filter- | draft (work in progress), draft-ietf-radext-filter- | |||
rules-01.txt, June 2006. | rules-01.txt, June 2006. | |||
Acknowledgments | Acknowledgments | |||
The authors would like to acknowledge Emile Bergen, Alan DeKok, Greg | The authors would like to acknowledge Emile Bergen, Alan DeKok, Greg | |||
Weber, Pasi Eronen and David Nelson for contributions to this | Weber, Pasi Eronen, David Mitton and David Nelson for contributions | |||
document. | to this document. | |||
Authors' Addresses | Authors' Addresses | |||
Paul Congdon | Paul Congdon | |||
Hewlett Packard Company | Hewlett Packard Company | |||
HP ProCurve Networking | HP ProCurve Networking | |||
8000 Foothills Blvd, M/S 5662 | 8000 Foothills Blvd, M/S 5662 | |||
Roseville, CA 95747 | Roseville, CA 95747 | |||
EMail: paul.congdon@hp.com | EMail: paul.congdon@hp.com | |||
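Review bot: Section 2 places a MUST NOT on co-occurrence with NAS-Traffic-Rule, an attribute defined only in [Traffic], which is cited here as draft-ietf-radext-filter-rules-01 (June 2006, work in progress). A normative requirement that depends on an unpublished draft will hold this document in the RFC Editor queue unless [Traffic] is listed as a normative reference and the two advance together; if the intent is only informative, the MUST NOT in Section 2 should be softened or moved into [Traffic] itself. The reference should also be refreshed to whatever revision of draft-ietf-radext-filter-rules is current at publication.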
End of changes. 9 change blocks. | ||||
26 lines changed or deleted | 36 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |