Side-by-side diff of draft-ietf-radext-filter-00.txt (16 June 2006) against
draft-ietf-radext-filter-01.txt (20 August 2006). Text common to both drafts
is shown once; where the drafts differ, both readings are given, marked
draft-00 and draft-01.

Network Working Group                                      Paul Congdon
INTERNET-DRAFT                                          Mauricio Sanchez
Category: Proposed Standard                     Hewlett-Packard Company
<draft-ietf-radext-filter-01.txt>                         Bernard Aboba
20 August 2006                                    Microsoft Corporation
(draft-00: <draft-ietf-radext-filter-00.txt>, 16 June 2006)

                      RADIUS Filter Rule Attribute

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

[ unchanged text omitted; diff resumes at page 1, line 32 ]

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on March 10, 2007.
(draft-00: This Internet-Draft will expire on December 10, 2006.)

Copyright Notice

Copyright (C) The Internet Society 2006.

Abstract

This document defines the NAS-Filter-Rule attribute within the Remote
Authentication Dial In User Service (RADIUS), equivalent to the
Diameter NAS-Filter-Rule AVP described in RFC 4005.

[ unchanged text omitted; diff resumes at page 4, line 20 ]
Zero or more NAS-Filter-Rule attributes MAY be sent in Access-Accept,
CoA-Request, or Accounting-Request packets.

The NAS-Filter-Rule attribute is not intended to be used concurrently
with any other filter rule attribute, including Filter-Id (11) and
NAS-Traffic-Rule [Traffic] attributes, and SHOULD NOT appear in the
same RADIUS packet. If a Filter-Id attribute is present, then
implementations of this specification MUST silently discard
NAS-Filter-Rule attributes, if present.

draft-00:

   Where more than one NAS-Filter-Rule attribute is included in a
   RADIUS packet, the attributes MUST be consecutive and it is assumed
   that the attributes are to be concatenated to form a single filter
   list. As noted in [RFC2865] Section 2.3, "the forwarding server
   MUST NOT change the order of any attributes of the same type", so
   that RADIUS proxies will not reorder NAS-Filter-Rule attributes.

draft-01:

   Where more than one NAS-Filter-Rule attribute with the same Tag
   field value is included in a RADIUS packet, the String fields of
   the attributes are to be concatenated to form a single filter. As
   noted in [RFC2865] Section 2.3, "the forwarding server MUST NOT
   change the order of any attributes of the same type", so that
   RADIUS proxies will not reorder NAS-Filter-Rule attributes.

A summary of the NAS-Filter-Rule Attribute format is shown below. The
fields are transmitted from left to right.

draft-00:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

draft-01:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |      Tag      |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   TBD

Length

   >=3 in draft-00; >=4 in draft-01 (one octet added for the Tag field).

Tag (draft-01 only)

   The Tag field is one octet, and is used to identify the filter rule
   that is represented. Each filter rule being represented MUST utilize
   a unique Tag field value. Where a single filter rule exceeds 253
   octets in length, the filter rule may be encoded across multiple
   NAS-Filter-Rule attributes, each with the same Tag value.

String

   The String field is one or more octets. It contains filter rules in
   the IPFilterRule syntax defined in [RFC3588] Section 4.3. [RFC3629]
   UTF-8 encoded 10646 characters are RECOMMENDED, but a robust
   implementation SHOULD support the field as undistinguished octets.
3. Table of Attributes

The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.

[ unchanged text omitted; diff resumes at page 5, line 28 (draft-00) /
page 5, line 36 (draft-01) ]

       present in the packet.
   0-1 Zero or one instance of this attribute MAY be present in the
       packet.

4. Diameter Considerations

[RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the
same functionality as the RADIUS NAS-Filter-Rule attribute. In order
to support interoperability, Diameter/RADIUS gateways will need to be
configured to translate RADIUS attribute TBD to Diameter AVP 400 and
vice-versa.

draft-00:

   Note that since a Diameter AVP can be larger than the maximum RADIUS
   packet size (4096), this translation may not be possible in all
   cases.

draft-01:

   Where a Diameter NAS-Filter-Rule AVP contains a filter rule larger
   than 253 octets, Diameter/RADIUS gateways translate the AVP to
   multiple RADIUS NAS-Filter-Rule attributes, each with the same Tag
   field value. Similarly, when multiple RADIUS NAS-Filter-Rule
   attributes are received with the same Tag field value, the String
   fields of the attributes are concatenated together and encoded as
   the value in a single Diameter NAS-Filter-Rule AVP. Note that since
   a Diameter AVP can be larger than the maximum RADIUS packet size
   (4096), translation from Diameter to RADIUS may not be possible in
   all cases.
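The draft-01 attribute layout and the same-Tag concatenation rule from Sections 2 and 4, worked through as an added Python example (not code from the draft or from any RADIUS implementation). It assumes a placeholder Type value, since the draft leaves it TBD, and splits rules at 252 String octets rather than the 253 the draft text mentions, because the one-octet RADIUS Length (max 255) must also cover the Type, Length and Tag octets; decoded rules are returned as raw octets so the caller decides whether to treat them as UTF-8.

```python
# Added example (not from the draft): NAS-Filter-Rule in the draft-01 layout
# Type | Length | Tag | String, with splitting and same-Tag reassembly.
NAS_FILTER_RULE_TYPE = 0xFF  # placeholder: the draft leaves the Type value TBD
FILTER_ID_TYPE = 11          # Filter-Id, RFC 2865
MAX_STRING = 252             # 255 max Length minus Type, Length and Tag octets

def encode_filter_rules(rules):
    """Encode a list of IPFilterRule strings as raw RADIUS attribute bytes.
    Each rule gets a unique one-octet Tag; a rule longer than MAX_STRING
    octets is split across several attributes that all carry that Tag."""
    out = bytearray()
    for tag, rule in enumerate(rules, start=1):
        data = rule.encode("utf-8")
        if tag > 255 or not data:
            raise ValueError("Tag space exhausted or empty String field")
        for off in range(0, len(data), MAX_STRING):
            chunk = data[off:off + MAX_STRING]
            # Length counts Type, Length, Tag and String, hence >= 4
            out += bytes([NAS_FILTER_RULE_TYPE, 3 + len(chunk), tag]) + chunk
    return bytes(out)

def parse_attributes(buf):
    """Yield (Type, Value) pairs from a RADIUS attribute area, refusing any
    Length below the 2-octet header or running past the buffer end."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute Length")
        yield atype, buf[i + 2:i + alen]
        i += alen

def decode_filter_rules(buf):
    """Reassemble NAS-Filter-Rule attributes into {Tag: rule octets}.
    Returns {} when Filter-Id is present, which the draft says MUST cause
    NAS-Filter-Rule attributes to be silently discarded."""
    attrs = list(parse_attributes(buf))
    if any(t == FILTER_ID_TYPE for t, _ in attrs):
        return {}
    rules = {}
    for atype, value in attrs:
        if atype != NAS_FILTER_RULE_TYPE:
            continue
        if len(value) < 2:  # Tag plus at least one String octet
            raise ValueError("NAS-Filter-Rule Length must be >= 4")
        # RFC 2865 Section 2.3 forbids proxies reordering same-type attributes,
        # so fragments of one Tag arrive in order and can simply be appended.
        rules[value[0]] = rules.get(value[0], b"") + value[1:]
    return rules
```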
5. IANA Considerations

This specification does not create any new registries.

This document uses the RADIUS [RFC2865] namespace, see
<http://www.iana.org/assignments/radius-types>. Allocation of four
updates for the section "RADIUS Attribute Types" is requested. The
RADIUS attributes for which values are requested are:

[ unchanged text omitted; diff resumes at page 7, line 8 (draft-00) /
page 7, line 27 (draft-01) ]

[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J., "IEEE
          802.1X Remote Authentication Dial In User Service (RADIUS)
          Usage Guidelines", RFC 3580, September 2003.

[Traffic] Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba,
          "Filter Attributes", Internet draft (work in progress),
          draft-ietf-radext-filter-rules-00.txt, February 2006.

Acknowledgments

The authors would like to acknowledge Greg Weber of Cisco and David
Nelson of Enterasys.

Authors' Addresses

Paul Congdon
Hewlett Packard Company
HP ProCurve Networking
8000 Foothills Blvd, M/S 5662
Roseville, CA 95747

End of changes: 8 change blocks; 17 lines changed or deleted, 32 lines
changed or added.

This html diff was produced by rfcdiff 1.32. The latest version is
available from http://www.levkowetz.com/ietf/tools/rfcdiff/