draft-ietf-radext-filter-06.txt		draft-ietf-radext-filter-07.txt
	Network Working Group Paul Congdon		Network Working Group Paul Congdon
	INTERNET-DRAFT Mauricio Sanchez		INTERNET-DRAFT Mauricio Sanchez
	Category: Proposed Standard Hewlett-Packard Company		Category: Proposed Standard Hewlett-Packard Company
	<draft-ietf-radext-filter-06.txt> Bernard Aboba		<draft-ietf-radext-filter-07.txt> Bernard Aboba
	1 December 2006 Microsoft Corporation		10 January 2007 Microsoft Corporation
	RADIUS Filter Rule Attribute		RADIUS Filter Rule Attribute
	By submitting this Internet-Draft, each author represents that any		By submitting this Internet-Draft, each author represents that any
	applicable patent or other IPR claims of which he or she is aware		applicable patent or other IPR claims of which he or she is aware
	have been or will be disclosed, and any of which he or she becomes		have been or will be disclosed, and any of which he or she becomes
	aware will be disclosed, in accordance with Section 6 of BCP 79.		aware will be disclosed, in accordance with Section 6 of BCP 79.
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF), its areas, and its working groups. Note that		Task Force (IETF), its areas, and its working groups. Note that
	skipping to change at page 1, line 32		skipping to change at page 1, line 32
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	The list of current Internet-Drafts can be accessed at		The list of current Internet-Drafts can be accessed at
	http://www.ietf.org/ietf/1id-abstracts.txt.		http://www.ietf.org/ietf/1id-abstracts.txt.
	The list of Internet-Draft Shadow Directories can be accessed at		The list of Internet-Draft Shadow Directories can be accessed at
	http://www.ietf.org/shadow.html.		http://www.ietf.org/shadow.html.
	This Internet-Draft will expire on May 10, 2007.		This Internet-Draft will expire on July 10, 2007.
	Copyright Notice		Copyright Notice
	Copyright (C) The IETF Trust (2006). All rights reserved.		Copyright (C) The IETF Trust (2007). All rights reserved.
	Abstract		Abstract
	While RFC 2865 defines the Filter-Id attribute, this requires that		While RFC 2865 defines the Filter-Id attribute, this requires that
	the Network Access Server (NAS) be pre-populated with the desired		the Network Access Server (NAS) be pre-populated with the desired
	filters. However, in situations where the server operator does not		filters. However, in situations where the server operator does not
	know which filters have been pre-populated, it useful to specify		know which filters have been pre-populated, it is useful to specify
	filter rules explicitly. This document defines the NAS-Filter-Rule		filter rules explicitly. This document defines the NAS-Filter-Rule
	attribute within the Remote Authentication Dial In User Service		attribute within the Remote Authentication Dial In User Service
	(RADIUS). This attribute is based on the Diameter NAS-Filter-Rule		(RADIUS). This attribute is based on the Diameter NAS-Filter-Rule
	Attribute Value Pair (AVP) described in RFC 4005, and the		Attribute Value Pair (AVP) described in RFC 4005, and the
	IPFilterRule syntax defined in RFC 3588.		IPFilterRule syntax defined in RFC 3588.
	Table of Contents		Table of Contents
	1. Introduction .......................................... 3		1. Introduction .......................................... 3
	1.1 Terminology ..................................... 3		1.1 Terminology ..................................... 3
	1.2 Requirements Language ........................... 3		1.2 Requirements Language ........................... 3
	1.3 Attribute Interpretation ........................ 3		1.3 Attribute Interpretation ........................ 3
	2. NAS-Filter-Rule Attribute ............................. 4		2. NAS-Filter-Rule Attribute ............................. 4
	3. Table of Attributes ................................... 5		3. Table of Attributes ................................... 5
	4. Diameter Considerations ............................... 5		4. Diameter Considerations ............................... 5
	5. IANA Considerations ................................... 6		5. IANA Considerations ................................... 6
	6. Security Considerations ............................... 6		6. Security Considerations ............................... 6
	7. References ............................................ 7		7. References ............................................ 7
	7.1 Normative References ............................ 7		7.1 Normative References ............................ 7
	7.2 Informative References .......................... 7		7.2 Informative References .......................... 7
	ACKNOWLEDGMENTS .............................................. 7		ACKNOWLEDGMENTS .............................................. 8
	AUTHORS' ADDRESSES ........................................... 8		AUTHORS' ADDRESSES ........................................... 8
	Intellectual Property Statement............................... 9		Intellectual Property Statement............................... 9
	Disclaimer of Validity........................................ 9		Disclaimer of Validity........................................ 9
	Full Copyright Statement ..................................... 9		Full Copyright Statement ..................................... 9
	1. Introduction		1. Introduction
	This document defines the NAS-Filter-Rule attribute within the Remote		This document defines the NAS-Filter-Rule attribute within the Remote
	Authentication Dialin User Service (RADIUS). This attribute has the		Authentication Dialin User Service (RADIUS). This attribute has the
	same functionality as the Diameter NAS-Filter-Rule AVP (400) defined		same functionality as the Diameter NAS-Filter-Rule AVP (400) defined
	skipping to change at page 6, line 16		skipping to change at page 6, line 16
	Filter-Rule AVPs, the individual rules are determined by		Filter-Rule AVPs, the individual rules are determined by
	concatenating the contents of all NAS-Filter-Rule attributes, and		concatenating the contents of all NAS-Filter-Rule attributes, and
	then splitting individual filter rules with the NUL octet as a		then splitting individual filter rules with the NUL octet as a
	delimeter. Each rule is then encoded as a single Diameter NAS-		delimeter. Each rule is then encoded as a single Diameter NAS-
	Filter-Rule AVP.		Filter-Rule AVP.
	Note that a translated Diameter message can be larger than the		Note that a translated Diameter message can be larger than the
	maximum RADIUS packet size (4096). Where a Diameter/RADIUS gateway		maximum RADIUS packet size (4096). Where a Diameter/RADIUS gateway
	receives a Diameter message containing a NAS-Filter-Rule AVP that is		receives a Diameter message containing a NAS-Filter-Rule AVP that is
	too large to fit into a RADIUS packet, the Diameter/RADIUS gateway		too large to fit into a RADIUS packet, the Diameter/RADIUS gateway
	will respond to the originating Diameter peer with the		will respond to the originating Diameter peer with a Result-Code AVP
	DIAMETER_INVALID_AVP_LENGTH error (5014), and with a Failed-AVP AVP		with the value DIAMETER_RADIUS_AVP_UNTRANSLATABLE (TBD), and with a
	containing the NAS-Filter-Rule AVP. Since repairing the error will		Failed-AVP AVP containing the NAS-Filter-Rule AVP. Since repairing
	probably require re-working the filter rules, the originating peer		the error will probably require re-working the filter rules, the
	should treat the combination of a DIAMETER_INVALID_AVP_LENGTH error		originating peer should treat the combination of a Result-Code AVP
	and a Failed-AVP AVP containing a NAS-Filter-Rule AVP as a terminal		with value DIAMETER_RADIUS_AVP_UNTRANSLATABLE and a Failed-AVP AVP
	error.		containing a NAS-Filter-Rule AVP as a terminal error.
	5. IANA Considerations		5. IANA Considerations
	This specification does not create any new registries.		This specification does not create any new registries.
	This document uses the RADIUS [RFC2865] namespace, see		This document uses the RADIUS [RFC2865] namespace, see
	<http://www.iana.org/assignments/radius-types>. Allocation of one		<http://www.iana.org/assignments/radius-types>. Allocation of one
	update for the section "RADIUS Attribute Types" is requested. The		update for the section "RADIUS Attribute Types" is requested. The
	RADIUS attribute for which a value is requested is:		RADIUS attribute for which a value is requested is:
	TBD - NAS-Filter-Rule		TBD - NAS-Filter-Rule
			This document also utilizes the Diameter [RFC3588] namespace.
			Allocation of a Diameter Result-Code AVP value for the
			DIAMETER_RADIUS_AVP_UNTRANSLATABLE error is requested. Since this is
			a permanent failure, an allocation should be provided in the 5xxx
			range.
	6. Security Considerations		6. Security Considerations
	This specification describes the use of RADIUS for purposes of		This specification describes the use of RADIUS for purposes of
	authentication, authorization and accounting. Threats and security		authentication, authorization and accounting. Threats and security
	issues for this application are described in [RFC3579] and [RFC3580];		issues for this application are described in [RFC3579] and [RFC3580];
	security issues encountered in roaming are described in [RFC2607].		security issues encountered in roaming are described in [RFC2607].
	This document specifies a new attribute that can be included in		This document specifies a new attribute that can be included in
	existing RADIUS packets, which are protected as described in		existing RADIUS packets, which are protected as described in
	[RFC3579] and [RFC3576]. See those documents for a more detailed		[RFC3579] and [RFC3576]. See those documents for a more detailed
	skipping to change at page 7, line 47		skipping to change at page 8, line 8
	Usage Guidelines", RFC3580, September 2003.		Usage Guidelines", RFC3580, September 2003.
	[Traffic] Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba,		[Traffic] Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba,
	"RADIUS Attributes for Filtering and Redirection", Internet		"RADIUS Attributes for Filtering and Redirection", Internet
	draft (work in progress), draft-ietf-radext-filter-		draft (work in progress), draft-ietf-radext-filter-
	rules-01.txt, June 2006.		rules-01.txt, June 2006.
	Acknowledgments		Acknowledgments
	The authors would like to acknowledge Emile Bergen, Alan DeKok, Greg		The authors would like to acknowledge Emile Bergen, Alan DeKok, Greg
	Weber, Pasi Eronen, David Mitton and David Nelson for contributions		Weber, Glen Zorn, Pasi Eronen, David Mitton and David Nelson for
	to this document.		contributions to this document.
	Authors' Addresses		Authors' Addresses
	Paul Congdon		Paul Congdon
	Hewlett Packard Company		Hewlett Packard Company
	HP ProCurve Networking		HP ProCurve Networking
	8000 Foothills Blvd, M/S 5662		8000 Foothills Blvd, M/S 5662
	Roseville, CA 95747		Roseville, CA 95747
	EMail: paul.congdon@hp.com		EMail: paul.congdon@hp.com
	skipping to change at page 9, line 41		skipping to change at page 9, line 41
	This document and the information contained herein are provided on an		This document and the information contained herein are provided on an
	"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS		"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
	OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND		OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
	THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS		THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
	OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF		OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
	THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED		THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
	WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.		WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
	Copyright Statement		Copyright Statement
	Copyright (C) The IETF Trust (2006). This document is subject to the		Copyright (C) The IETF Trust (2007). This document is subject to the
	rights, licenses and restrictions contained in BCP 78, and except as		rights, licenses and restrictions contained in BCP 78, and except as
	set forth therein, the authors retain all their rights.		set forth therein, the authors retain all their rights.
	Acknowledgment		Acknowledgment
	Funding for the RFC Editor function is currently provided by the		Funding for the RFC Editor function is currently provided by the
	Internet Society.		Internet Society.
	Open issues		Open issues
End of changes. 9 change blocks.
	16 lines changed or deleted		22 lines changed or added
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/