draft-ietf-radext-filter-03.txt   draft-ietf-radext-filter-04.txt 
Network Working Group Paul Congdon Network Working Group Paul Congdon
INTERNET-DRAFT Mauricio Sanchez INTERNET-DRAFT Mauricio Sanchez
Category: Proposed Standard Hewlett-Packard Company Category: Proposed Standard Hewlett-Packard Company
<draft-ietf-radext-filter-03.txt> Bernard Aboba <draft-ietf-radext-filter-04.txt> Bernard Aboba
4 October 2006 Microsoft Corporation 22 October 2006 Microsoft Corporation
RADIUS Filter Rule Attribute RADIUS Filter Rule Attribute
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 2, line 16 skipping to change at page 2, line 16
1. Introduction .......................................... 3 1. Introduction .......................................... 3
1.1 Terminology ..................................... 3 1.1 Terminology ..................................... 3
1.2 Requirements Language ........................... 3 1.2 Requirements Language ........................... 3
1.3 Attribute Interpretation ........................ 3 1.3 Attribute Interpretation ........................ 3
2. NAS-Filter-Rule Attribute ............................. 4 2. NAS-Filter-Rule Attribute ............................. 4
3. Table of Attributes ................................... 5 3. Table of Attributes ................................... 5
4. Diameter Considerations ............................... 5 4. Diameter Considerations ............................... 5
5. IANA Considerations ................................... 6 5. IANA Considerations ................................... 6
6. Security Considerations ............................... 6 6. Security Considerations ............................... 6
7. References ............................................ 7 7. References ............................................ 6
7.1 Normative References ............................ 7 7.1 Normative References ............................ 6
7.2 Informative References .......................... 7 7.2 Informative References .......................... 7
ACKNOWLEDGMENTS .............................................. 7 ACKNOWLEDGMENTS .............................................. 7
AUTHORS' ADDRESSES ........................................... 8 AUTHORS' ADDRESSES ........................................... 8
Intellectual Property Statement............................... 9 Intellectual Property Statement............................... 9
Disclaimer of Validity........................................ 9 Disclaimer of Validity........................................ 9
Full Copyright Statement ..................................... 9 Full Copyright Statement ..................................... 9
1. Introduction 1. Introduction
This document defines the NAS-Filter-Rule attribute within the Remote This document defines the NAS-Filter-Rule attribute within the Remote
skipping to change at page 4, line 15 skipping to change at page 4, line 15
2. NAS-Filter-Rule Attribute 2. NAS-Filter-Rule Attribute
Description Description
This attribute indicates filter rules to be applied for this user. This attribute indicates filter rules to be applied for this user.
Zero or more NAS-Filter-Rule attributes MAY be sent in Access- Zero or more NAS-Filter-Rule attributes MAY be sent in Access-
Accept, CoA-Request, or Accounting-Request packets. Accept, CoA-Request, or Accounting-Request packets.
The NAS-Filter-Rule attribute is not intended to be used The NAS-Filter-Rule attribute is not intended to be used
concurrently with any other filter rule attribute, including concurrently with any other filter rule attribute, including
Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes, and Filter-Id (11) and NAS-Traffic-Rule [Traffic] attributes, and MUST
SHOULD NOT appear in the same RADIUS packet. If a Filter-Id NOT appear in the same RADIUS packet. If a Filter-Id or NAS-
attribute is present, then implementations of this specification Traffic-Rule attribute is present, then implementations of this
MUST silently discard NAS-Filter-Rule attributes, if present. specification MUST silently discard NAS-Filter-Rule attributes, if
present.
Where adjacent NAS-Filter-Rule attributes with the same non-zero Where multiple NAS-Filter-Rule attributes are included in a RADIUS
Tag field value are included in a RADIUS packet, the String field packet, the String field of the attributes are to be concatenated
of the attributes are to be concatenated to form a single filter. to form a set of filter rules. As noted in [RFC2865] Section 2.3,
As noted in [RFC2865] Section 2.3, "the forwarding server MUST NOT "the forwarding server MUST NOT change the order of any attributes
change the order of any attributes of the same type", so that of the same type", so that RADIUS proxies will not reorder NAS-
RADIUS proxies will not reorder NAS-Filter-Rule attributes. Filter-Rule attributes.
A summary of the NAS-Filter-Rule Attribute format is shown below. A summary of the NAS-Filter-Rule Attribute format is shown below.
The fields are transmitted from left to right. The fields are transmitted from left to right.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Tag | String... | Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type Type
TBD TBD
Length Length
>=4 >=3
Tag
The Tag field is used to identify the filter rule that is
represented; the length of the Tag field is one octet and it MUST
always be present.
Where a single filter rule is less than or equal to 252 octets in
length, it MUST be encoded with a Tag field value of zero (0) and
MUST NOT be split between multiple NAS-Filter-Rule attributes. On
receipt, attributes with a Tag field value of zero (0) MUST NOT be
concatenated to form a single filter rule.
Where a single filter rule exceeds 252 octets in length, the rule
MUST be encoded across multiple NAS-Filter-Rule attributes, each
with the same Tag value which MUST be in the range 0x01 - 0x3F.
NAS-Filter-Rule attributes comprising a single filter rule MUST be
sent consecutively, without intervening attributes with another
Tag field value. The Tag field value of 0xFF is reserved and NAS-
Filter-Rule attributes containing this Tag field value should be
ignored upon receipt.
Adjacent filter rules exceeding 252 octets in length MUST be
encoded with different non-zero Tag field values; however, the Tag
field value used for a given filter rule need not be unique within
the entire RADIUS packet.
String String
The String field is one or more octets. It contains filter rules The String field is one or more octets. It contains filter rules
in the IPFilterRule syntax defined in [RFC3588] Section 4.3. A in the IPFilterRule syntax defined in [RFC3588] Section 4.3, with
robust implementation SHOULD support the field as undistinguished individual filter rules separated by a NUL (0x00). A NAS-Filter-
octets. Rule attribute may contain a partial rule, one rule, or more than
one rule. Filter rules may be continued across attribute
boundaries, so implementations cannot assume that individual
filter rules begin or end on attribute boundaries.
The set of NAS-Filter-Rule attributes SHOULD be created by
concatenating the individual filter rules, separated by a NUL
(0x00) octet. The resulting data should be split on 253 byte
boundaries to obtain a set of NAS-Filter-Rule attributes. On
reception, the individual filter rules SHOULD be determined by
concatenating the contents of all NAS-Filter-Rule attributes, and
then splitting individual filter rules with the the NUL octet
(0x00) as a delimeter.
3. Table of Attributes 3. Table of Attributes
The following table provides a guide to which attributes may be found The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity. in which kinds of packets, and in what quantity.
Access- Access- Access- Access- CoA- Acct- Access- Access- Access- Access- CoA- Acct-
Request Accept Reject Challenge Req Req # Attribute Request Accept Reject Challenge Req Req # Attribute
0 0+ 0 0 0+ 0+ TBD NAS-Filter-Rule 0 0+ 0 0 0+ 0+ TBD NAS-Filter-Rule
skipping to change at page 6, line 4 skipping to change at page 5, line 38
present in the packet. present in the packet.
0-1 Zero or one instance of this attribute MAY be 0-1 Zero or one instance of this attribute MAY be
present in the packet. present in the packet.
4. Diameter Considerations 4. Diameter Considerations
[RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the [RFC4005] Section 6.6 defines the NAS-Filter-Rule AVP (400) with the
same functionality as the RADIUS NAS-Filter-Rule attribute. In order same functionality as the RADIUS NAS-Filter-Rule attribute. In order
to support interoperability, Diameter/RADIUS gateways will need to be to support interoperability, Diameter/RADIUS gateways will need to be
configured to translate RADIUS attribute TBD to Diameter AVP 400 and configured to translate RADIUS attribute TBD to Diameter AVP 400 and
vice-versa. Where a Diameter NAS-Filter-Rule AVP contains a filter vice-versa.
rule larger than 252 octets, Diameter/RADIUS gateways translate the
AVP to multiple RADIUS NAS-Filter-Rule attributes, each with the same Where a Diameter NAS-Filter-Rule AVP contains a filter rule larger
Tag field value not equal to '0' (0x30). Similarly, when multiple than 253 octets, Diameter/RADIUS gateways translate the AVP to
RADIUS NAS-Filter-Rule attributes are received with the same Tag multiple RADIUS NAS-Filter-Rule attributes, with each filter rule
field value not equal to '0' (0x30), the String fields of the separated by a NUL octet (0x00). When multiple RADIUS NAS-Filter-
attributes are concatenated together and encoded as the value in a Rule attributes are received, the String fields of the attributes are
single Diameter NAS-Filter-Rule AVP. RADIUS NAS-Filter-Rule concatenated and the individual rules are separated out based on the
attributes with a Tag field of '0' (0x30) are encoded as distinct use of the NUL octet as a delimiter. Each rule is then encoded as a
Diameter NAS-Filter-Rule AVPs. single Diameter NAS-Filter-Rule AVP.
Note that a translated Diameter message can be larger than the Note that a translated Diameter message can be larger than the
maximum RADIUS packet size (4096). Where a Diameter/RADIUS gateway maximum RADIUS packet size (4096). Where a Diameter/RADIUS gateway
receives a Diameter message containing a NAS-Filter-Rule AVP that is receives a Diameter message containing a NAS-Filter-Rule AVP that is
too large to fit into a RADIUS packet, the Diameter/RADIUS gateway too large to fit into a RADIUS packet, the Diameter/RADIUS gateway
will respond to the originating Diameter peer with the will respond to the originating Diameter peer with the
DIAMETER_INVALID_AVP_LENGTH error (5014), and with a Failed-AVP AVP DIAMETER_INVALID_AVP_LENGTH error (5014), and with a Failed-AVP AVP
containing the NAS-Filter-Rule AVP. Since repairing the error will containing the NAS-Filter-Rule AVP. Since repairing the error will
probably require re-working the filter rules, the originating peer probably require re-working the filter rules, the originating peer
should treat the combination of a DIAMETER_INVALID_AVP_LENGTH error should treat the combination of a DIAMETER_INVALID_AVP_LENGTH error
skipping to change at page 7, line 24 skipping to change at page 7, line 12
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March, 1997. Requirement Levels", RFC 2119, March, 1997.
[RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote [RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000. 2000.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
Arkko, "Diameter Base Protocol", RFC 3588, September 2003. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 3629,
November 2003.
[RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter [RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter
Network Access Server Application", RFC 4005, August 2005. Network Access Server Application", RFC 4005, August 2005.
7.2. Informative references 7.2. Informative references
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
Implementation in Roaming", RFC 2607, June 1999. Implementation in Roaming", RFC 2607, June 1999.
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba,
"Dynamic Authorization Extensions to Remote Authentication "Dynamic Authorization Extensions to Remote Authentication
skipping to change at page 8, line 4 skipping to change at page 7, line 36
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J., "IEEE [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., Roese, J., "IEEE
802.1X Remote Authentication Dial In User Service (RADIUS) 802.1X Remote Authentication Dial In User Service (RADIUS)
Usage Guidelines", RFC3580, September 2003. Usage Guidelines", RFC3580, September 2003.
[Traffic] Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba, [Traffic] Congdon, P., Sanchez, M., Lior, A., Adrangi, F. and B. Aboba,
"Filter Attributes", Internet draft (work in progress), draft- "Filter Attributes", Internet draft (work in progress), draft-
ietf-radext-filter-rules-00.txt, February 2006. ietf-radext-filter-rules-00.txt, February 2006.
Acknowledgments Acknowledgments
The authors would like to acknowledge Greg Weber of Cisco and David
Nelson of Enterasys. The authors would like to acknowledge Emile Bergen, Alan DeKok, Greg
Weber and David Nelson for contributions to this document.
Authors' Addresses Authors' Addresses
Paul Congdon Paul Congdon
Hewlett Packard Company Hewlett Packard Company
HP ProCurve Networking HP ProCurve Networking
8000 Foothills Blvd, M/S 5662 8000 Foothills Blvd, M/S 5662
Roseville, CA 95747 Roseville, CA 95747
EMail: paul.congdon@hp.com EMail: paul.congdon@hp.com
 End of changes. 10 change blocks. 
61 lines changed or deleted 45 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/