draft-ietf-radext-filter-01.txt vs. draft-ietf-radext-filter-02.txt (rfcdiff rendering)

Text common to both versions is shown once. Where the versions differ, the
-01 text and the -02 text are given in turn, marked "-01:" and "-02:".

Network Working Group                                       Paul Congdon
INTERNET-DRAFT                                          Mauricio Sanchez
Category: Proposed Standard                     Hewlett-Packard Company
-01: <draft-ietf-radext-filter-01.txt>                     Bernard Aboba
-02: <draft-ietf-radext-filter-02.txt>
-01: 20 August 2006                                Microsoft Corporation
-02: 1 October 2006

                       RADIUS Filter Rule Attribute

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

[skipping to change at page 1, line 32]

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

-01: This Internet-Draft will expire on March 10, 2007.
-02: This Internet-Draft will expire on April 10, 2007.

Copyright Notice

Copyright (C) The Internet Society 2006.

Abstract

This document defines the NAS-Filter-Rule attribute within the Remote
Authentication Dial In User Service (RADIUS), equivalent to the
Diameter NAS-Filter-Rule AVP described in RFC 4005.

Table of Contents (page numbers given as -01/-02 where they differ)

1. Introduction .......................................... 3
   1.1 Terminology ..................................... 3
   1.2 Requirements Language ........................... 3
   1.3 Attribute Interpretation ........................ 3
2. NAS-Filter-Rule Attribute ............................. 4
3. Table of Attributes ................................... 5
4. Diameter Considerations ............................... 5
5. IANA Considerations ................................... 5/6
6. Security Considerations ............................... 5/6
7. References ............................................ 6/7
   7.1 Normative References ............................ 6/7
   7.2 Informative References .......................... 6/7
ACKNOWLEDGMENTS .............................................. 7
AUTHORS' ADDRESSES ........................................... 7/8
Intellectual Property Statement............................... 7/9
Disclaimer of Validity........................................ 8/9
Full Copyright Statement ..................................... 8/9

1. Introduction

This document defines the NAS-Filter-Rule attribute within the Remote
Authentication Dialin User Service (RADIUS) which has the same
functionality as the Diameter NAS-Filter-Rule AVP (400) defined in
[RFC4005] Section 6.6. This attribute may prove useful for
provisioning of filter rules.

While [RFC2865] Section 5.11 defines the Filter-Id attribute (11),

[skipping to change at page 4, line 20]

Zero or more NAS-Filter-Rule attributes MAY be sent in Access-
Accept, CoA-Request, or Accounting-Request packets.

The NAS-Filter-Rule attribute is not intended to be used
concurrently with any other filter rule attribute, including
Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes, and
SHOULD NOT appear in the same RADIUS packet. If a Filter-Id
attribute is present, then implementations of this specification
MUST silently discard NAS-Filter-Rule attributes, if present.

-01: Where more than one NAS-Filter-Rule attribute with the same Tag
field value is included in a RADIUS packet, the String field of
the attributes are to be concatenated to form a single filter. As
noted in [RFC2865] Section 2.3, "the forwarding server MUST NOT
change the order of any attributes of the same type", so that
RADIUS proxies will not reorder NAS-Filter-Rule attributes.

-02: Where more than one NAS-Filter-Rule attribute with the same non-
zero Tag field value is included in a RADIUS packet, the String
field of the attributes are to be concatenated to form a single
filter. As noted in [RFC2865] Section 2.3, "the forwarding server
MUST NOT change the order of any attributes of the same type", so
that RADIUS proxies will not reorder NAS-Filter-Rule attributes.

A summary of the NAS-Filter-Rule Attribute format is shown below.
The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |      Tag      |   String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type

   TBD

Length

   >=4

Tag

   -01: The Tag field is one octet, and is used to identify the filter
   rule that is represented. Each filter rule being represented MUST
   utilize a unique Tag field value. Where a single filter rule
   exceeds 253 octets in length, the filter rule may be encoded
   across multiple NAS-Filter-Rule attributes, each with the same Tag
   value.

   -02: The Tag field is used to identify the filter rule that is
   represented; the length of the Tag field is one octet and it MUST
   always be present. The Tag field value MUST be in the range
   0x01-0x3F; NAS-Filter-Rule attributes with a Tag field value of
   0x00 are ignored upon receipt.

   Where a single filter rule is less than or equal to 252 octets in
   length, it MUST be encoded with a tag value of '0' (0x30) and MUST
   NOT be split between multiple NAS-Filter-Rule attributes. Where a
   single filter rule is split into multiple NAS-Filter-Rule
   attributes, the attributes SHOULD be sent consecutively, without
   intervening attributes with another Tag field value. On receipt,
   attributes with a Tag value of '0' (0x30) MUST NOT be concatenated
   to form a single filter rule.

   Where a single filter rule exceeds 252 octets in length, the rule
   MUST be encoded across multiple NAS-Filter-Rule attributes, each
   with the same Tag value which MUST NOT be '0' (0x30). Tag values
   MUST be unique for each filter rule present in a RADIUS packet
   with the exception of a Tag value of '0' (0x30), which may be used
   in multiple attributes, each describing a single filter rule.

String

   -01: The String field is one or more octets. It contains filter rules
   in the IPFilterRule syntax defined in [RFC3588] Section 4.3.
   [RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a
   robust implementation SHOULD support the field as undistinguished
   octets.

   -02: The String field is one or more octets. It contains filter rules
   in the IPFilterRule syntax defined in [RFC3588] Section 4.3. A
   robust implementation SHOULD support the field as undistinguished
   octets.

3. Table of Attributes

The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.

   Access- Access- Access- Access-   CoA-  Acct-
   Request Accept  Reject  Challenge Req   Req   #   Attribute

[skipping to change at page 5, line 37 (-01) / page 5, line 50 (-02)]

   0-1   Zero or one instance of this attribute MAY be
         present in the packet.

4. Diameter Considerations

-01: [RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the
same functionality as the RADIUS NAS-Filter-Rule attribute. In order
to support interoperability, Diameter/RADIUS gateways will need to be
configured to translate RADIUS attribute TBD to Diameter AVP 400 and
vice-versa. Where a Diameter NAS-Filter-Rule AVP contains a filter
rule larger than 253 octets, Diameter/RADIUS gateways translate the
AVP to multiple RADIUS NAS-Filter-Rule attributes, each with the same
Tag field value. Similarly, when multiple RADIUS NAS-Filter-Rule
attributes are received with the same Tag field value, the String
fields of the attributes are concatenated together and encoded as the
value in a single Diameter NAS-Filter-Rule AVP. Note that since a
Diameter AVP can be larger than the maximum RADIUS packet size
(4096), translation from Diameter to RADIUS may not be possible in
all cases.

-02: [RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the
same functionality as the RADIUS NAS-Filter-Rule attribute. In order
to support interoperability, Diameter/RADIUS gateways will need to be
configured to translate RADIUS attribute TBD to Diameter AVP 400 and
vice-versa. Where a Diameter NAS-Filter-Rule AVP contains a filter
rule larger than 252 octets, Diameter/RADIUS gateways translate the
AVP to multiple RADIUS NAS-Filter-Rule attributes, each with the same
Tag field value not equal to '0' (0x30). Similarly, when multiple
RADIUS NAS-Filter-Rule attributes are received with the same Tag
field value not equal to '0' (0x30), the String fields of the
attributes are concatenated together and encoded as the value in a
single Diameter NAS-Filter-Rule AVP. RADIUS NAS-Filter-Rule
attributes with a Tag field of '0' (0x30) are encoded as distinct
Diameter NAS-Filter-Rule AVPs.

Note that a translated Diameter message can be larger than the
maximum RADIUS packet size (4096). Where a Diameter/RADIUS gateway
receives a Diameter message containing a NAS-Filter-Rule AVP that is
too large to fit into a RADIUS packet, the Diameter/RADIUS gateway
will respond to the originating Diameter peer with the
DIAMETER_INVALID_AVP_LENGTH error (5014), and with a Failed-AVP AVP
containing the NAS-Filter-Rule AVP. Since repairing the error will
probably require re-working the filter rules, the originating peer
should treat the combination of a DIAMETER_INVALID_AVP_LENGTH error
and a Failed-AVP AVP containing a NAS-Filter-Rule AVP as a terminal
error.
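The Tag and String handling of the -02 text (Tag '0' for rules of at most 252 octets, a unique non-'0' Tag shared by the fragments of a longer rule, Tag 0x00 ignored on receipt, NAS-Filter-Rule silently discarded when Filter-Id is present, and the gateway's check against the 4096-octet RADIUS packet limit) worked through as an added example. This is illustrative code, not code from the draft or from any RADIUS or Diameter implementation. The attribute Type is TBD in the draft, so a placeholder value 0xFF is assumed; treating Tag values outside 0x01-0x3F as malformed is an assumption of this example, since the draft only says what to do with 0x00.

```python
"""NAS-Filter-Rule encoder/decoder following draft-ietf-radext-filter-02.
Added example, not code from the draft or from any RADIUS implementation."""
import struct

NAS_FILTER_RULE_TYPE = 0xFF  # placeholder: the Type value is TBD in the draft
FILTER_ID_TYPE = 11          # Filter-Id, RFC 2865 Section 5.11
TAG_SINGLE = 0x30            # '0': rule fits in one attribute, never concatenated
TAG_MIN, TAG_MAX = 0x01, 0x3F
MAX_STRING = 252             # 255-octet attribute minus Type, Length and Tag
RADIUS_HEADER_LEN = 20       # Code, Identifier, Length, Authenticator (RFC 2865)
MAX_RADIUS_PACKET = 4096


def _attr(tag, chunk):
    """One NAS-Filter-Rule attribute: Type, Length (>= 4), Tag, String."""
    return struct.pack("!BBB", NAS_FILTER_RULE_TYPE, 3 + len(chunk), tag) + chunk


def encode_nas_filter_rules(rules):
    """Encode a list of IPFilterRule byte strings as NAS-Filter-Rule attributes.

    Rules of at most 252 octets get Tag '0' and are never split; longer rules
    are split across consecutive attributes that share a unique non-'0' Tag.
    """
    out = bytearray()
    next_tag = TAG_MIN
    for rule in rules:
        if len(rule) <= MAX_STRING:
            out += _attr(TAG_SINGLE, rule)
            continue
        if next_tag == TAG_SINGLE:          # '0' is reserved for unsplit rules
            next_tag += 1
        if next_tag > TAG_MAX:
            raise ValueError("no unique Tag value left for another split rule")
        tag, next_tag = next_tag, next_tag + 1
        for i in range(0, len(rule), MAX_STRING):
            out += _attr(tag, rule[i:i + MAX_STRING])
    return bytes(out)


def parse_attributes(payload):
    """Split the attribute section of a RADIUS packet into (Type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute Length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def decode_nas_filter_rules(payload):
    """Return the filter rules carried in a packet, as undistinguished octets.

    Returns [] when Filter-Id is present (NAS-Filter-Rule is then silently
    discarded); ignores Tag 0x00; concatenates String fields that share a
    non-'0' Tag, in packet order; never concatenates Tag '0' attributes.
    """
    attrs = parse_attributes(payload)
    if any(atype == FILTER_ID_TYPE for atype, _ in attrs):
        return []
    rules = []      # bytearrays, in order of first appearance
    by_tag = {}     # non-'0' Tag -> index into rules
    for atype, value in attrs:
        if atype != NAS_FILTER_RULE_TYPE:
            continue
        if len(value) < 2:  # Length >= 4: Tag plus at least one String octet
            raise ValueError("NAS-Filter-Rule shorter than the minimum Length")
        tag, chunk = value[0], value[1:]
        if tag == 0x00:
            continue
        if not TAG_MIN <= tag <= TAG_MAX:
            # assumption: Tags outside the mandated range are treated as malformed
            raise ValueError("Tag %#x outside 0x01-0x3F" % tag)
        if tag == TAG_SINGLE or tag not in by_tag:
            if tag != TAG_SINGLE:
                by_tag[tag] = len(rules)
            rules.append(bytearray(chunk))
        else:
            rules[by_tag[tag]] += chunk
    return [bytes(r) for r in rules]


def fits_in_radius_packet(rules, other_attr_octets=0):
    """Diameter/RADIUS gateway check: do the translated attributes fit in one
    RADIUS packet (header plus attributes <= 4096 octets)? When they do not,
    the draft has the gateway answer DIAMETER_INVALID_AVP_LENGTH (5014)."""
    size = RADIUS_HEADER_LEN + other_attr_octets + len(encode_nas_filter_rules(rules))
    return size <= MAX_RADIUS_PACKET
```

The decoder keeps rules in packet order and relies on proxies preserving the order of same-type attributes, as [RFC2865] Section 2.3 requires; if that guarantee were broken, fragments of a split rule could be concatenated out of order, so a receiver that cannot parse a reassembled rule should reject the whole authorization rather than apply a partial filter.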
5. IANA Considerations

This specification does not create any new registries.

-01: This document uses the RADIUS [RFC2865] namespace, see
<http://www.iana.org/assignments/radius-types>. Allocation of four
updates for the section "RADIUS Attribute Types" is requested. The
RADIUS attributes for which values are requested are:

-02: This document uses the RADIUS [RFC2865] namespace, see
<http://www.iana.org/assignments/radius-types>. Allocation of one
update for the section "RADIUS Attribute Types" is requested. The
RADIUS attribute for which a value is requested is:

   TBD - NAS-Filter-Rule

6. Security Considerations

This specification describes the use of RADIUS for purposes of
authentication, authorization and accounting. Threats and security
issues for this application are described in [RFC3579] and [RFC3580];
security issues encountered in roaming are described in [RFC2607].
End of changes. 10 change blocks. 37 lines changed or deleted, 63 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/