draft-ietf-radext-filter-02.txt   draft-ietf-radext-filter-03.txt 
Network Working Group Paul Congdon Network Working Group Paul Congdon
INTERNET-DRAFT Mauricio Sanchez INTERNET-DRAFT Mauricio Sanchez
Category: Proposed Standard Hewlett-Packard Company Category: Proposed Standard Hewlett-Packard Company
<draft-ietf-radext-filter-02.txt> Bernard Aboba <draft-ietf-radext-filter-03.txt> Bernard Aboba
1 October 2006 Microsoft Corporation 4 October 2006 Microsoft Corporation
RADIUS Filter Rule Attribute RADIUS Filter Rule Attribute
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 32 skipping to change at page 1, line 32
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 10, 2007. This Internet-Draft will expire on May 10, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society 2006. Copyright (C) The Internet Society 2006.
Abstract Abstract
This document defines the NAS-Filter-Rule attribute within the Remote This document defines the NAS-Filter-Rule attribute within the Remote
Authentication Dial In User Service (RADIUS), equivalent to the Authentication Dial In User Service (RADIUS), equivalent to the
Diameter NAS-Filter-Rule AVP described in RFC 4005. Diameter NAS-Filter-Rule AVP described in RFC 4005.
skipping to change at page 4, line 20 skipping to change at page 4, line 20
Zero or more NAS-Filter-Rule attributes MAY be sent in Access- Zero or more NAS-Filter-Rule attributes MAY be sent in Access-
Accept, CoA-Request, or Accounting-Request packets. Accept, CoA-Request, or Accounting-Request packets.
The NAS-Filter-Rule attribute is not intended to be used The NAS-Filter-Rule attribute is not intended to be used
concurrently with any other filter rule attribute, including concurrently with any other filter rule attribute, including
Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes, and Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes, and
SHOULD NOT appear in the same RADIUS packet. If a Filter-Id SHOULD NOT appear in the same RADIUS packet. If a Filter-Id
attribute is present, then implementations of this specification attribute is present, then implementations of this specification
MUST silently discard NAS-Filter-Rule attributes, if present. MUST silently discard NAS-Filter-Rule attributes, if present.
Where more than one NAS-Filter-Rule attribute with the same non- Where adjacent NAS-Filter-Rule attributes with the same non-zero
zero Tag field value is included in a RADIUS packet, the String Tag field value are included in a RADIUS packet, the String field
field of the attributes are to be concatenated to form a single of the attributes are to be concatenated to form a single filter.
filter. As noted in [RFC2865] Section 2.3, "the forwarding server As noted in [RFC2865] Section 2.3, "the forwarding server MUST NOT
MUST NOT change the order of any attributes of the same type", so change the order of any attributes of the same type", so that
that RADIUS proxies will not reorder NAS-Filter-Rule attributes. RADIUS proxies will not reorder NAS-Filter-Rule attributes.
A summary of the NAS-Filter-Rule Attribute format is shown below. A summary of the NAS-Filter-Rule Attribute format is shown below.
The fields are transmitted from left to right. The fields are transmitted from left to right.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Tag | String... | Type | Length | Tag | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
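Review bot: the new wording limits concatenation to adjacent attributes with the same non-zero Tag, but the paragraph does not say what a receiver does with a same-Tag attribute that is not adjacent, for example one that follows an attribute with a different Tag value. The closing sentence relies on RFC 2865 Section 2.3 so that proxies do not reorder attributes; it would help to state explicitly that a non-adjacent attribute carrying a previously seen Tag starts a new filter rule rather than being appended to the earlier one, so that implementations do not diverge on this case.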
skipping to change at page 4, line 48 skipping to change at page 4, line 48
TBD TBD
Length Length
>=4 >=4
Tag Tag
The Tag field is used to identify the filter rule that is The Tag field is used to identify the filter rule that is
represented; the length of the Tag field is one octet and it MUST represented; the length of the Tag field is one octet and it MUST
always be present. The Tag field value MUST be in the range always be present.
0x01-0x3F; NAS-Filter-Rule attributes with a Tag field value of
0x00 are ignored upon receipt.
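Review bot: dropping the sentence "The Tag field value MUST be in the range 0x01-0x3F; NAS-Filter-Rule attributes with a Tag field value of 0x00 are ignored upon receipt" leaves the Tag field definition without any statement of its valid values; the range now appears only in the paragraph on rules longer than 252 octets. Consider keeping a one-line summary of the permitted values where the field is defined (zero for an unsplit rule, 0x01 - 0x3F for a split rule, 0xFF reserved), since that is where an implementer will look first.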
Where a single filter rule is less than or equal to 252 octets in Where a single filter rule is less than or equal to 252 octets in
length, it MUST be encoded with a tag value of '0' (0x30) and MUST length, it MUST be encoded with a Tag field value of zero (0) and
NOT be split between multiple NAS-Filter-Rule attributes. Where a MUST NOT be split between multiple NAS-Filter-Rule attributes. On
single filter rule is split into multiple NAS-Filter-Rule receipt, attributes with a Tag field value of zero (0) MUST NOT be
attributes, the attributes SHOULD be sent consecutively, without concatenated to form a single filter rule.
intervening attributes with another Tag field value. On receipt,
attributes with a Tag value of '0' (0x30) MUST NOT be concatenated
to form a single filter rule.
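Review bot: changing the unsplit-rule Tag from the ASCII character '0' (0x30) to the numeric value zero (0) is a wire-format change between -02 and -03, not an editorial one: -02 put 0x30 on the wire, which was also outside the 0x01-0x3F range -02 itself required for the Tag field, while -03 puts 0x00 on the wire, a value -02 said to ignore upon receipt. A -02 implementation will therefore ignore a -03 unsplit rule. This deserves an explicit mention so that early implementations are updated. Note also that the SHOULD to send the attributes of one rule consecutively has been removed from this paragraph and reappears as a MUST in the following paragraph, which is a strengthening worth calling out as well.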
Where a single filter rule exceeds 252 octets in length, the rule Where a single filter rule exceeds 252 octets in length, the rule
MUST be encoded across multiple NAS-Filter-Rule attributes, each MUST be encoded across multiple NAS-Filter-Rule attributes, each
with the same Tag value which MUST NOT be '0' (0x30). Tag values with the same Tag value which MUST be in the range 0x01 - 0x3F.
MUST be unique for each filter rule present in a RADIUS packet
with the exception of a Tag value of '0' (0x30), which may be used NAS-Filter-Rule attributes comprising a single filter rule MUST be
in multiple attributes, each describing a single filter rule. sent consecutively, without intervening attributes with another
Tag field value. The Tag field value of 0xFF is reserved and NAS-
Filter-Rule attributes containing this Tag field value should be
ignored upon receipt.
Adjacent filter rules exceeding 252 octets in length MUST be
encoded with different non-zero Tag field values; however, the Tag
field value used for a given filter rule need not be unique within
the entire RADIUS packet.
String String
The String field is one or more octets. It contains filter rules The String field is one or more octets. It contains filter rules
in the IPFilterRule syntax defined in [RFC3588] Section 4.3. A in the IPFilterRule syntax defined in [RFC3588] Section 4.3. A
robust implementation SHOULD support the field as undistinguished robust implementation SHOULD support the field as undistinguished
octets. octets.
3. Table of Attributes 3. Table of Attributes
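Review bot: the new text assigns Tag value zero to unsplit rules, 0x01 - 0x3F to split rules and reserves 0xFF, but says nothing about the values 0x40 - 0xFE, so receipt behaviour for those values is unspecified; state whether attributes carrying them are ignored like 0xFF or treated as an error. Also, "should be ignored upon receipt" for 0xFF is lowercase in a paragraph that otherwise uses uppercase requirement keywords; make it SHOULD or MUST. Finally, since the paragraph now allows a Tag value to be reused within a packet and only requires adjacent rules to differ, the only boundary between two split rules is a change of Tag between consecutive attributes; a receiver must close the current rule whenever the Tag changes or a Tag zero attribute appears, and must not search the rest of the packet for a matching Tag. Stating this receiver-side behaviour explicitly would avoid two rules being merged or split differently by different implementations.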
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/