--- 1/draft-ietf-radext-filter-06.txt 2007-01-11 22:12:24.000000000 +0100 +++ 2/draft-ietf-radext-filter-07.txt 2007-01-11 22:12:24.000000000 +0100 @@ -1,16 +1,16 @@ Network Working Group Paul Congdon INTERNET-DRAFT Mauricio Sanchez Category: Proposed Standard Hewlett-Packard Company - Bernard Aboba -1 December 2006 Microsoft Corporation + Bernard Aboba +10 January 2007 Microsoft Corporation RADIUS Filter Rule Attribute By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -21,53 +21,53 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on May 10, 2007. + This Internet-Draft will expire on July 10, 2007. Copyright Notice - Copyright (C) The IETF Trust (2006). All rights reserved. + Copyright (C) The IETF Trust (2007). All rights reserved. Abstract While RFC 2865 defines the Filter-Id attribute, this requires that the Network Access Server (NAS) be pre-populated with the desired filters. However, in situations where the server operator does not - know which filters have been pre-populated, it useful to specify + know which filters have been pre-populated, it is useful to specify filter rules explicitly. This document defines the NAS-Filter-Rule attribute within the Remote Authentication Dial In User Service (RADIUS). This attribute is based on the Diameter NAS-Filter-Rule Attribute Value Pair (AVP) described in RFC 4005, and the IPFilterRule syntax defined in RFC 3588. Table of Contents 1. Introduction .......................................... 3 1.1 Terminology ..................................... 3 1.2 Requirements Language ........................... 3 1.3 Attribute Interpretation ........................ 3 2. NAS-Filter-Rule Attribute ............................. 4 3. Table of Attributes ................................... 5 4. Diameter Considerations ............................... 5 5. IANA Considerations ................................... 6 6. Security Considerations ............................... 6 7. References ............................................ 7 7.1 Normative References ............................ 7 7.2 Informative References .......................... 7 -ACKNOWLEDGMENTS .............................................. 7 +ACKNOWLEDGMENTS .............................................. 8 AUTHORS' ADDRESSES ........................................... 8 Intellectual Property Statement............................... 9 Disclaimer of Validity........................................ 9 Full Copyright Statement ..................................... 9 1. Introduction This document defines the NAS-Filter-Rule attribute within the Remote Authentication Dialin User Service (RADIUS). This attribute has the same functionality as the Diameter NAS-Filter-Rule AVP (400) defined @@ -215,39 +215,45 @@ Filter-Rule AVPs, the individual rules are determined by concatenating the contents of all NAS-Filter-Rule attributes, and then splitting individual filter rules with the NUL octet as a delimeter. Each rule is then encoded as a single Diameter NAS- Filter-Rule AVP. Note that a translated Diameter message can be larger than the maximum RADIUS packet size (4096). Where a Diameter/RADIUS gateway receives a Diameter message containing a NAS-Filter-Rule AVP that is too large to fit into a RADIUS packet, the Diameter/RADIUS gateway - will respond to the originating Diameter peer with the - DIAMETER_INVALID_AVP_LENGTH error (5014), and with a Failed-AVP AVP - containing the NAS-Filter-Rule AVP. Since repairing the error will - probably require re-working the filter rules, the originating peer - should treat the combination of a DIAMETER_INVALID_AVP_LENGTH error - and a Failed-AVP AVP containing a NAS-Filter-Rule AVP as a terminal - error. + will respond to the originating Diameter peer with a Result-Code AVP + with the value DIAMETER_RADIUS_AVP_UNTRANSLATABLE (TBD), and with a + Failed-AVP AVP containing the NAS-Filter-Rule AVP. Since repairing + the error will probably require re-working the filter rules, the + originating peer should treat the combination of a Result-Code AVP + with value DIAMETER_RADIUS_AVP_UNTRANSLATABLE and a Failed-AVP AVP + containing a NAS-Filter-Rule AVP as a terminal error. 5. IANA Considerations This specification does not create any new registries. This document uses the RADIUS [RFC2865] namespace, see . Allocation of one update for the section "RADIUS Attribute Types" is requested. The RADIUS attribute for which a value is requested is: TBD - NAS-Filter-Rule + This document also utilizes the Diameter [RFC3588] namespace. + Allocation of a Diameter Result-Code AVP value for the + DIAMETER_RADIUS_AVP_UNTRANSLATABLE error is requested. Since this is + a permanent failure, an allocation should be provided in the 5xxx + range. + 6. Security Considerations This specification describes the use of RADIUS for purposes of authentication, authorization and accounting. Threats and security issues for this application are described in [RFC3579] and [RFC3580]; security issues encountered in roaming are described in [RFC2607]. This document specifies a new attribute that can be included in existing RADIUS packets, which are protected as described in [RFC3579] and [RFC3576]. See those documents for a more detailed @@ -295,22 +301,22 @@ Usage Guidelines", RFC3580, September 2003. [Traffic] Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba, "RADIUS Attributes for Filtering and Redirection", Internet draft (work in progress), draft-ietf-radext-filter- rules-01.txt, June 2006. Acknowledgments The authors would like to acknowledge Emile Bergen, Alan DeKok, Greg - Weber, Pasi Eronen, David Mitton and David Nelson for contributions - to this document. + Weber, Glen Zorn, Pasi Eronen, David Mitton and David Nelson for + contributions to this document. Authors' Addresses Paul Congdon Hewlett Packard Company HP ProCurve Networking 8000 Foothills Blvd, M/S 5662 Roseville, CA 95747 EMail: paul.congdon@hp.com @@ -365,21 +371,21 @@ This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement - Copyright (C) The IETF Trust (2006). This document is subject to the + Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Open issues