Presentation to DIME WG on draft-ietf-radext-filter-rules-00-txt
IETF 65 – Dallas, TX
Mauricio Sanchez
Why am I here?
• Radext is defining an attribute (NAS-Traffic-Rule) for filtering that is a superset of IPFilterRule
• Concerns around the RadExt charter on DIAMETER compatibility:
  “All RADIUS work MUST be compatible with equivalent facilities in Diameter. Where possible, new attributes should be defined so that the same attribute can be used in both RADIUS and Diameter without translation. In other cases a translation considerations section should be included in the specification.”
• Give the DIME WG a comparison of NAS-Traffic-Rule to IPFilterRule
• Get the DIME WG to give feedback on the rule syntax
• Get buy-in to use the NAS-Traffic-Rule syntax as the basis for an update to DIAMETER
NAS-Traffic-Rule
• Offers 3 rule types
  • Base Encapsulation: Ethernet MAC layer
  • IP: IP/TCP layer
  • HTTP: IP and HTTP URL
• Offers up to 4 actions per rule type
  • Permit: Allow traffic
  • Deny: Block traffic
  • Tunnel: Forward traffic to/from a named tunnel (RFC 2868)
  • Redirect: HTTP code 302 redirect
• Allowed rule/action combinations comparable to IPFilterRule
NAS-Traffic-Rule Examples
• Example #1: Permit only L2 traffic coming from and going to a user's Ethernet MAC address. Block all other traffic. Assume the user's MAC address is 00-10-A4-23-19-C0.
    permit in l2:ether2 from 00-10-A4-23-19-C0 to any
    permit out l2:ether2 from any to 00-10-A4-23-19-C0
• Example #2: Tunnel all L2 traffic coming from and going to a user. Assume the tunnel name is: tunnel "1234".
    permit tunnel "tunnel \"1234\"" inout l2:ether2 from any to any
• Example #3: Permit only L3 traffic coming from and going to a user's IP address. Block all other traffic. Assume the user's IP address is 192.0.2.128.
    permit in ip from 192.0.2.128 to any
    permit out ip from any to 192.0.2.128
• Example #4: Allow the user to generate ARP requests, DNS requests, and HTTP (port 80) requests, of which only requests to http://www.goo.org are redirected to http://www.foo.org. Assume the user's MAC address is 00-10-A4-23-19-C0 and IP address is 192.0.2.128.
    permit in l2:ether:0x0806 from 00-10-A4-23-19-C0 to any
    permit out l2:ether:0x806 from any to 00-10-A4-23-19-C0
    permit in 17 from 192.0.2.168 to any 53
    permit out 17 from any 53 to 192.0.2.168
    redirect http://www.foo.org in from 192.0.2.168 to any 80 http://www.goo.org
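To make the rule types, actions and examples on the two slides above concrete, here is an added Python toy that parses rule lines in this syntax and evaluates sample traffic against them. It is not code from the draft or from this presentation: the grammar (action, optional tunnel name or redirect URL, direction, protocol, from/to endpoints with optional ports, trailing match URL for redirect) and the match semantics (first match wins, anything unmatched is blocked, l2:ether2 matches any Ethernet II frame, a numeric protocol matches that IP protocol) are inferred from the slide examples, and the packet field names, the helper names and the sample traffic are constructed for the example.

```python
"""Toy evaluator for the NAS-Traffic-Rule syntax on these slides (grammar inferred from the examples, not from the draft)."""
import shlex
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str             # permit | deny | redirect
    direction: str          # in (from the user) | out (to the user) | inout
    proto: str              # l2:ether2, l2:ether:0xNNNN, ip, an IP protocol number, or http
    src: str                # MAC or IP address, or "any"
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    arg: Optional[str] = None        # RFC 2868 tunnel name (permit tunnel ...) or redirect target URL
    match_url: Optional[str] = None  # URL prefix a redirect rule applies to

def _norm(addr):
    return addr.lower().replace("-", ":")  # 00-10-A4-... and 00:10:a4:... compare equal

def _endpoint(toks, keyword):
    if toks.pop(0) != keyword:
        raise ValueError(f"expected {keyword!r}")
    addr = _norm(toks.pop(0))
    return addr, (int(toks.pop(0)) if toks and toks[0].isdigit() else None)  # optional port follows the address

def parse_rule(text):
    toks = shlex.split(text)            # resolves the \" escapes inside a quoted tunnel name
    try:
        action, arg = toks.pop(0), None
        if action not in ("permit", "deny", "redirect"):
            raise ValueError(f"unknown action {action!r}")
        if action == "redirect":
            arg = toks.pop(0)                                      # target URL
        elif toks[0] == "tunnel":
            toks.pop(0)
            arg = toks.pop(0)                                      # RFC 2868 tunnel name
        direction = toks.pop(0)                                    # in | out | inout; anything else never matches
        proto = "http" if action == "redirect" else toks.pop(0)    # the redirect example carries no protocol token
        src, src_port = _endpoint(toks, "from")
        dst, dst_port = _endpoint(toks, "to")
    except IndexError:
        raise ValueError(f"truncated rule: {text!r}") from None
    match_url = toks.pop(0) if toks and action == "redirect" else None
    if toks:
        raise ValueError(f"unexpected trailing tokens {toks}")
    return Rule(action, direction, proto, src, src_port, dst, dst_port, arg, match_url)

def _matches(r, pkt):
    if r.direction != "inout" and r.direction != pkt["direction"]:
        return False
    if r.proto.startswith("l2:"):
        # l2:ether2 matches every Ethernet II frame; l2:ether:0xNNNN pins the EtherType (0x0806 == 0x806 once parsed)
        ok = r.proto == "l2:ether2" or pkt["ethertype"] == int(r.proto.rsplit(":", 1)[1], 16)
        src, dst = pkt["src_mac"], pkt["dst_mac"]
    elif r.proto == "http":                                        # an HTTP rule wants a TCP segment carrying a URL
        ok = pkt["ethertype"] == 0x0800 and pkt.get("ip_proto") == 6 and "url" in pkt
        src, dst = pkt.get("src_ip"), pkt.get("dst_ip")
    else:                                                          # "ip" or a numeric IP protocol, IPv4 frames only
        ok = pkt["ethertype"] == 0x0800 and (r.proto == "ip" or pkt.get("ip_proto") == int(r.proto))
        src, dst = pkt.get("src_ip"), pkt.get("dst_ip")
    if not ok:
        return False
    addrs_ok = all(w == "any" or w == _norm(h) for w, h in ((r.src, src), (r.dst, dst)))
    ports_ok = all(w is None or w == h for w, h in ((r.src_port, pkt.get("sport")), (r.dst_port, pkt.get("dport"))))
    return addrs_ok and ports_ok and (not r.match_url or pkt.get("url", "").startswith(r.match_url))

def evaluate(rules, pkt):
    """First match wins; traffic no rule covers is blocked (the slides' 'block all other traffic')."""
    for r in rules:
        if _matches(r, pkt):
            kind = "redirect" if r.action == "redirect" else "tunnel" if r.arg else r.action
            return (kind, r.arg)
    return ("deny", "implicit default")

# Example #4 from the slides, exactly as written there.
EXAMPLE4 = [parse_rule(t) for t in (
    "permit in l2:ether:0x0806 from 00-10-A4-23-19-C0 to any",
    "permit out l2:ether:0x806 from any to 00-10-A4-23-19-C0",
    "permit in 17 from 192.0.2.168 to any 53",
    "permit out 17 from any 53 to 192.0.2.168",
    "redirect http://www.foo.org in from 192.0.2.168 to any 80 http://www.goo.org",
)]
USER_MAC = "00:10:a4:23:19:c0"

def _pkt(direction="in", ethertype=0x0800, **l3):
    # Constructed sample traffic: user MAC from the slide; peer MAC and server IPs are documentation values.
    src_mac, dst_mac = (USER_MAC, "00:00:5e:00:53:01") if direction == "in" else ("00:00:5e:00:53:01", USER_MAC)
    return {"direction": direction, "ethertype": ethertype, "src_mac": src_mac, "dst_mac": dst_mac, **l3}

def demo():
    user = {"src_ip": "192.0.2.168", "sport": 40000}
    return {
        "arp_request": evaluate(EXAMPLE4, _pkt(ethertype=0x0806)),
        "dns": evaluate(EXAMPLE4, _pkt(**user, dst_ip="192.0.2.53", ip_proto=17, dport=53)),
        "goo": evaluate(EXAMPLE4, _pkt(**user, dst_ip="198.51.100.10", ip_proto=6, dport=80, url="http://www.goo.org/index.html")),
        "other_http": evaluate(EXAMPLE4, _pkt(**user, dst_ip="198.51.100.20", ip_proto=6, dport=80, url="http://www.example.com/")),
        "spoofed_dns": evaluate(EXAMPLE4, _pkt(src_ip="192.0.2.77", sport=40000, dst_ip="192.0.2.53", ip_proto=17, dport=53)),
    }
```

Running demo() returns permit for the ARP request and the DNS query, redirect to http://www.foo.org for the request to www.goo.org, and the implicit deny for the DNS query with a spoofed source address. It also makes visible what Example #4 does, under these assumed semantics, for HTTP traffic to any other host: the only rule that mentions port 80 is the redirect, so such a request falls through to the implicit deny. Whether that is the intended policy is exactly the question a filter syntax should let a reviewer settle by running representative traffic through the rule set rather than by reading it.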
Diameter Compatibility Discussion in RADEXT
• The draft does not contain a suitable section on Diameter compatibility, and this led to passionate debate
• At IETF 64 the tenuous consensus was to:
  a. Not split up the attribute into multiple attributes
  b. Use existing practices to allow Diameter to translate the NAS-Traffic-Rule attribute
• Consensus fell apart on point b
  • “Diameter community should get their say on rule syntax”
  • “We shouldn’t have two related yet non-compatible rule dialects”
Next steps
• Send your feedback on the rule syntax, whether positive or negative
• Get your buy-in to use the NAS-Traffic-Rule syntax as the basis for an update to DIAMETER
• Figure out the appropriate process for updating DIAMETER