rfcdiff: draft-ietf-radext-filter-05.txt  ->  draft-ietf-radext-filter-06.txt

Old (-05):
Network Working Group                          Paul Congdon
INTERNET-DRAFT                                 Mauricio Sanchez
Category: Proposed Standard                    Hewlett-Packard Company
<draft-ietf-radext-filter-05.txt>              Bernard Aboba
7 November 2006                                Microsoft Corporation

New (-06):
Network Working Group                          Paul Congdon
INTERNET-DRAFT                                 Mauricio Sanchez
Category: Proposed Standard                    Hewlett-Packard Company
<draft-ietf-radext-filter-06.txt>              Bernard Aboba
1 December 2006                                Microsoft Corporation

                      RADIUS Filter Rule Attribute
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

   [skipping to change at page 1, line 40]

http://www.ietf.org/shadow.html.

This Internet-Draft will expire on May 10, 2007.

Copyright Notice

Copyright (C) The IETF Trust (2006). All rights reserved.

Abstract
Old (-05):
This document defines the NAS-Filter-Rule attribute within the Remote
Authentication Dial In User Service (RADIUS). This attribute is
based on the Diameter NAS-Filter-Rule AVP described in RFC 4005.

New (-06):
While RFC 2865 defines the Filter-Id attribute, this requires that
the Network Access Server (NAS) be pre-populated with the desired
filters. However, in situations where the server operator does not
know which filters have been pre-populated, it useful to specify
filter rules explicitly. This document defines the NAS-Filter-Rule
attribute within the Remote Authentication Dial In User Service
(RADIUS). This attribute is based on the Diameter NAS-Filter-Rule
Attribute Value Pair (AVP) described in RFC 4005, and the
IPFilterRule syntax defined in RFC 3588.
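Review bot: "it useful to specify filter rules explicitly" in the new abstract is missing a verb and should read "it is useful to specify filter rules explicitly"; the same sentence is carried over into Section 1 of -06, so both places need the fix.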
Table of Contents

1.  Introduction .......................................... 3
    1.1 Terminology ..................................... 3
    1.2 Requirements Language ........................... 3
    1.3 Attribute Interpretation ........................ 3
2.  NAS-Filter-Rule Attribute ............................. 4
3.  Table of Attributes ................................... 5
4.  Diameter Considerations ............................... 5
5.  IANA Considerations ................................... 6
6.  Security Considerations ............................... 6
7.  References ............................................ 7   (-05: 6)
    7.1 Normative References ............................ 7   (-05: 6)
    7.2 Informative References .......................... 7
ACKNOWLEDGMENTS .............................................. 7
AUTHORS' ADDRESSES ........................................... 8
Intellectual Property Statement............................... 9
Disclaimer of Validity........................................ 9
Full Copyright Statement ..................................... 9
1. Introduction

Old (-05):
This document defines the NAS-Filter-Rule attribute within the Remote
Authentication Dialin User Service (RADIUS) which has the same
functionality as the Diameter NAS-Filter-Rule AVP (400) defined in
[RFC4005] Section 6.6. This attribute may prove useful for
provisioning of filter rules.

While [RFC2865] Section 5.11 defines the Filter-Id attribute (11),
this requires that the NAS be pre-populated with the desired filters.
However, in situations where the server operator does not know which
filters have been pre-populated, it useful to specify filter rules
explicitly.

New (-06):
This document defines the NAS-Filter-Rule attribute within the Remote
Authentication Dialin User Service (RADIUS). This attribute has the
same functionality as the Diameter NAS-Filter-Rule AVP (400) defined
in [RFC4005] Section 6.6 and the same syntax as an IPFilterRule
defined in [RFC3588] Section 4.3. This attribute may prove useful
for provisioning of filter rules.

While [RFC2865] Section 5.11 defines the Filter-Id attribute (11),
this requires that the Network Access Server (NAS) be pre-populated
with the desired filters. However, in situations where the server
operator does not know which filters have been pre-populated, it
useful to specify filter rules explicitly.

1.1. Terminology

This document uses the following terms:

Network Access Server (NAS)
   A device that provides an access service for a user to a network.

RADIUS server
   A RADIUS authentication server is an entity that provides an

   [skipping to change at page 4, line 16 (-05) / line 17 (-06)]
2. NAS-Filter-Rule Attribute

Description

   This attribute indicates filter rules to be applied for this user.
   Zero or more NAS-Filter-Rule attributes MAY be sent in Access-
   Accept, CoA-Request, or Accounting-Request packets.

Old (-05):
   The NAS-Filter-Rule attribute is not intended to be used
   concurrently with any other filter rule attribute, including
   Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes, and MUST
   NOT appear in the same RADIUS packet. If a Filter-Id or NAS-
   Traffic-Rule attribute is present, then implementations of this
   specification MUST silently discard NAS-Filter-Rule attributes, if
   present.

New (-06):
   The NAS-Filter-Rule attribute is not intended to be used
   concurrently with any other filter rule attribute, including
   Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes. NAS-
   Filter-Rule and NAS-Traffic-Rule attributes MUST NOT appear in the
   same RADIUS packet. If a NAS-Traffic-Rule attribute is present, a
   NAS implementing this specification MUST silently discard NAS-
   Filter-Rule attributes, if present. Filter-Id and NAS-Filter-Rule
   attributes SHOULD NOT appear in the same RADIUS packet. Given the
   absence in [RFC4005] of well-defined precedence rules for
   combining Filter-Id and NAS-Filter-Rule attributes into a single
   rule set, the behavior of NASes receiving both attributes is
   undefined, and therefore a RADIUS server implementation cannot
   assume a consistent behavior.

   Where multiple NAS-Filter-Rule attributes are included in a RADIUS
   packet, the String field of the attributes are to be concatenated
   to form a set of filter rules. As noted in [RFC2865] Section 2.3,
   "the forwarding server MUST NOT change the order of any attributes
   of the same type", so that RADIUS proxies will not reorder NAS-
   Filter-Rule attributes.

   A summary of the NAS-Filter-Rule Attribute format is shown below.
   The fields are transmitted from left to right.
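Review bot: the new Section 2 paragraph declares NAS behavior undefined when Filter-Id and NAS-Filter-Rule arrive together, but the only requirement it adds ("SHOULD NOT appear in the same RADIUS packet") is phrased about the packet rather than the sender; consider stating directly that a RADIUS server SHOULD NOT include both attributes in one packet, since the server is the party that can avoid the undefined case. Minor grammar in the unchanged paragraph that follows: "the String field of the attributes are to be concatenated" should read "the String fields of the attributes are to be concatenated".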
   [skipping to change at page 5, line 24 (-05) / line 30 (-06)]

   then splitting individual filter rules with the the NUL octet
   (0x00) as a delimeter.
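As an added example (not text or code from the draft, and not any named implementation), the Python below does what Section 2 describes for a receiver: concatenate the String fields of the NAS-Filter-Rule attributes in packet order, then split on the NUL delimiter; it also shows the reverse packing a gateway needs, plus a shape check on the recovered rules. It assumes the 253-octet String limit that follows from RFC 2865's one-octet attribute Length, and the sample rules are constructed.

```python
# Added example: NAS-Filter-Rule reassembly and splitting (not draft text).
# Assumption: a RADIUS attribute carries at most 253 octets of String,
# because RFC 2865's one-octet Length (<= 255) includes Type and Length.
NUL = b"\x00"
MAX_STRING = 253

# Constructed sample rules in RFC 3588 IPFilterRule syntax; long enough
# that one rule straddles two attributes when packed.
SAMPLE_RULES = [
    f"permit in tcp from 10.0.{i}.0/24 to 198.51.100.{i} 443" for i in range(8)
]


def pack_rules(rules):
    """Join the rules with NUL and cut the result into String fields in
    order. A rule may be cut mid-way, so the receiver must concatenate
    before splitting; this is why attribute order must be preserved."""
    blob = NUL.join(r.encode("utf-8") for r in rules)
    return [blob[i:i + MAX_STRING] for i in range(0, len(blob), MAX_STRING)]


def unpack_rules(strings):
    """Concatenate the String fields in packet order, then split on the
    NUL delimiter to recover the individual filter rules."""
    blob = b"".join(strings)
    return [part.decode("utf-8") for part in blob.split(NUL) if part]


def looks_like_ipfilterrule(rule):
    """Shape check against the RFC 3588 IPFilterRule form
    'action dir proto from src to dst [options]'; only the fixed
    keyword positions are checked, options are not parsed here."""
    f = rule.split()
    return (len(f) >= 7 and f[0] in ("permit", "deny")
            and f[1] in ("in", "out") and f[3] == "from" and f[5] == "to")


def rules_from_packet(strings):
    """Receiver side: reassemble, then apply one conservative policy that
    the draft does not itself specify: if any recovered rule fails the
    shape check (for example because attributes were reordered in
    transit), return None instead of applying a partial rule set."""
    rules = unpack_rules(strings)
    if not all(looks_like_ipfilterrule(r) for r in rules):
        return None
    return rules
```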
3. Table of Attributes

The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.

Access-  Access-  Access-  Access-    CoA-  Acct-
Request  Accept   Reject   Challenge  Req   Req   #    Attribute
0        0+       0        0          0+    0+    TBD  NAS-Filter-Rule [Note 1]

(-06 drops the "[Note 1]" marker from the NAS-Filter-Rule row.)

The following table defines the meaning of the above table entries.

0    This attribute MUST NOT be present in the packet.
0+   Zero or more instances of this attribute MAY be
     present in the packet.
0-1  Zero or one instance of this attribute MAY be
     present in the packet.

Removed in -06:
[Note 1]: NAS-Filter-Rule is precluded from appearing in a packet if a
Filter-Id or NAS-Traffic-Rule attribute is present.
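Review bot: dropping [Note 1] leaves the attribute table with no pointer to the exclusion rules, while Section 2 of -06 still says NAS-Filter-Rule and NAS-Traffic-Rule MUST NOT share a packet; a shorter note that just references Section 2 would keep implementers who read only the table from missing that requirement. Also, the unchanged text just before this section has "the the NUL octet" and "delimeter", which should be "the NUL octet" and "delimiter".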
4. Diameter Considerations

[RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the
same functionality as the RADIUS NAS-Filter-Rule attribute. In order
to support interoperability, Diameter/RADIUS gateways will need to be
configured to translate RADIUS attribute TBD to Diameter AVP 400 and
vice-versa.

When translating Diameter NAS-Filter-Rule AVPs to RADIUS NAS-Filter-
Rule attributes, the set of NAS-Filter-Rule attributes is created by

   [skipping to change at page 7, line 46 (-05) / line 47 (-06)]

           Usage Guidelines", RFC3580, September 2003.

[Traffic]  Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba,
           "RADIUS Attributes for Filtering and Redirection", Internet
           draft (work in progress), draft-ietf-radext-filter-
           rules-01.txt, June 2006.

Acknowledgments

Old (-05):
The authors would like to acknowledge Emile Bergen, Alan DeKok, Greg
Weber, Pasi Eronen and David Nelson for contributions to this
document.

New (-06):
The authors would like to acknowledge Emile Bergen, Alan DeKok, Greg
Weber, Pasi Eronen, David Mitton and David Nelson for contributions
to this document.

Authors' Addresses

Paul Congdon
Hewlett Packard Company
HP ProCurve Networking
8000 Foothills Blvd, M/S 5662
Roseville, CA 95747
EMail: paul.congdon@hp.com

End of changes. 9 change blocks.
26 lines changed or deleted, 36 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/