rfcdiff: draft-ietf-radext-filter-07.txt vs. draft-ietf-radext-filter-08.txt

Network Working Group                                        Paul Congdon
INTERNET-DRAFT                                           Mauricio Sanchez
Category: Proposed Standard                      Hewlett-Packard Company
<draft-ietf-radext-filter-07.txt> (-07)                     Bernard Aboba
<draft-ietf-radext-filter-08.txt> (-08)            Microsoft Corporation
10 January 2007 (-07) / 13 January 2007 (-08)

                      RADIUS Filter Rule Attribute
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

(skipping to change at page 1, line 32)
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on July 10, 2007. (-08: This
Internet-Draft will expire on July 18, 2007.)

Copyright Notice

Copyright (C) The IETF Trust (2007). All rights reserved.
Abstract

While RFC 2865 defines the Filter-Id attribute, this requires that
the Network Access Server (NAS) be pre-populated with the desired
filters. However, in situations where the server operator does not

(skipping to change at page 7, line 5)
This specification describes the use of RADIUS for purposes of
authentication, authorization and accounting. Threats and security
issues for this application are described in [RFC3579] and [RFC3580];
security issues encountered in roaming are described in [RFC2607].

This document specifies a new attribute that can be included in
existing RADIUS packets, which are protected as described in
[RFC3579] and [RFC3576]. See those documents for a more detailed
description.
Old text (draft-07):

A NAS-Filter-Rule attribute sent by a RADIUS server may not be
understood by the NAS which receives it. A legacy NAS not compliant
with this specification may silently discard the NAS-Filter-Rule
attribute while permitting the user to access the network. This can
lead to users improperly receiving unfiltered access to the network.
As a result, the NAS-Filter-Rule attribute SHOULD only be sent to a
NAS that is known to support it.

New text (draft-08):

The security mechanisms supported in RADIUS and Diameter are focused
on preventing an attacker from spoofing packets or modifying packets
in transit. They do not prevent an authorized RADIUS/Diameter server
or proxy from modifying, inserting or removing attributes with
malicious intent. Filter attributes modified or removed by a
RADIUS/Diameter proxy may enable a user to obtain network access
without the appropriate filters; if the proxy were also to modify
accounting packets, then the modification would not be reflected in
the accounting server logs.

Since the RADIUS protocol currently does not support capability
negotiation, a RADIUS server cannot automatically discover whether a
NAS supports the NAS-Filter-Rule attribute. A legacy NAS not
compliant with this specification may silently discard the
NAS-Filter-Rule attribute while permitting the user to access the
network. This can lead to users improperly receiving unfiltered
access to the network. As a result, the NAS-Filter-Rule attribute
SHOULD only be sent to a NAS that is known to support it.
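The legacy-NAS risk and the "send only to a NAS known to support it" rule above, as an added Python example that is not part of the draft: a NAS that ignores the unknown attribute grants unfiltered access, and a server-side policy avoids that by falling back to a pre-provisioned Filter-Id or rejecting. The NAS-Filter-Rule Type value 92 is the one later assigned in RFC 4849 and is assumed here; the capability registry, filter names and rule strings are constructed.

```python
# Added example, not from the draft. RFC 2865 lets a RADIUS client ignore
# attributes of unknown Type, so an Access-Accept carrying only
# NAS-Filter-Rule leaves a legacy NAS session unfiltered. The server
# policy below sends NAS-Filter-Rule only to a NAS recorded as capable
# and otherwise fails closed (pre-provisioned Filter-Id, or reject).
NAS_FILTER_RULE = 92   # Type assigned in RFC 4849 (assumed; draft shows no value)
FILTER_ID = 11         # Filter-Id, RFC 2865


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: Type (1), Length (1, header included), Value."""
    if len(value) > 253:
        raise ValueError("value too long for a single attribute")
    return bytes([attr_type, len(value) + 2]) + value


def decode_attrs(data):
    """Return (Type, Value) pairs from a concatenated attribute list."""
    attrs = []
    while data:
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def legacy_nas_apply(attrs):
    """A NAS predating this spec: only Filter-Id is understood; an
    unknown NAS-Filter-Rule is skipped and access is still granted."""
    filters = [v.decode() for t, v in decode_attrs(attrs) if t == FILTER_ID]
    return {"access": True, "filters": filters}


def build_access_accept(nas_id, rules, capable_nases, local_filters):
    """Server policy (constructed): NAS-Filter-Rule only for a NAS known to
    support it; else a pre-provisioned Filter-Id; else None (Access-Reject)
    rather than granting unfiltered access."""
    if nas_id in capable_nases:
        return b"".join(encode_attr(NAS_FILTER_RULE, r.encode()) for r in rules)
    if nas_id in local_filters:
        return encode_attr(FILTER_ID, local_filters[nas_id].encode())
    return None
```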
7. References

7.1. Normative references

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", RFC 2119, March, 1997.

[RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
          Authentication Dial In User Service (RADIUS)", RFC 2865, June
End of changes. 3 change blocks. 10 lines changed or deleted, 21 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/