This document proposes folding the RADIUS Redirection work into the NAS-Filter-Rule attribute, extending that attribute to perform IP- and URL-level redirection of HTTP traffic. It also addresses concerns about a possible need for NIST certification and specifies normative behavior for certain attribute combinations.
draft-congdon-radext-ieee802-03-txt
IETF 62 – Minneapolis, MN
Bernard Aboba, Paul Congdon, Mauricio Sanchez
Updates since last time
• Integrated ‘RADIUS Redirection’ draft (draft-lior-radius-redirection-01)
  • Merged informational and usage description into the draft
  • Morphed the ‘Redirection-Rule’ attribute into an extension of the ‘NAS-Filter-Rule’ attribute to perform redirection at IP and URL level for HTTP traffic
  • Dropped the ‘Redirection-ID’ attribute
• ‘NAS-Filter-Rule’ attribute extensions
  • I40: Extended usage to encompass L2 (Ethernet MAC) rules
  • Added ‘redirect’ and ‘flush’ actions
• Removed 802.11-related attributes
  • Concerns about a possible need for NIST certification and the resulting time impact
• Working the issues
  • I37: Specify normative behavior when ‘Filter-ID’ and ‘NAS-Filter-ID’ attributes are present in the same message
  • I38: Clarified the need for multiple ‘NAS-Filter-ID’ attributes to remain in order
  • I39, I41: Dropped the requirement to use the ‘M’ (Mandatory) bit from the draft; will instead rely on the capabilities attribute currently being drafted
Current Attribute Summary
• VLAN attributes: Egress-VLAN-ID, Ingress-Filter, VLAN-Name
• Quality of Service attributes: User-Priority-Table, QoS-Filter-Rule
• WLAN attributes: Allowed-SSID
• Access Control attributes: NAS-Filter-Rule
• Key Management: Allowed-Called-Station-Id, EAP-Master-Session-Key, EAP-Key-Name, Redirect-Host, Origin-Realm
• Accounting: Accounting-EAP-Auth-Method
Interested Parties in Draft
• Trusted Computing Group (TCG) (Mauricio S.)
  • RADIUS attribute documents have been referenced in the proposal to standardize the interface (IF-PEP) between the NAS and the Authentication Service
    • https://www.trustedcomputinggroup.org/downloads/background_docs/TNC_FAQ_revised_020305.pdf
  • The PEP (Policy Enforcement Point) interface of the TNC reference model relies on RADIUS attributes to configure isolation behavior on the NAS
  • The following IETF documents are currently of interest:
    • RFC 3580
    • draft-congdon-radext-ieee802-03-txt
    • draft-adrangi-radius-bandwidth-capability-01.txt
• 3GPP / GSMA IR61 WLAN Roaming (Farid A.)
  • 3GPP / GSMA IR61 has dependencies on the following:
    • draft-congdon-radext-ieee802-03-txt (GSMA IR61)
    • draft-ietf-geopriv-radius-lo-02.txt (GSMA IR61, 3GPP Release 6)
    • draft-ietf-radext-chargeable-user-id-03.txt (GSMA IR61, 3GPP Release 6)
  • The following IETF documents are currently of interest:
    • draft-lior-radius-bandwidth-capability-00.txt (GSMA IR61)
    • draft-lior-radius-prepaid-extensions-07.txt (GSMA IR61)
    • draft-lior-radext-end-to-end-caps-00.txt (GSMA IR61)
Issues and Work Items
• Capability attribute dependence
  • Dropping the ‘M’ bit requirement creates the need for a deterministic method to enforce certain attributes
• Refinement of NAS-Filter-Rule
  • Extend the richness of the Layer 2 (MAC Ethernet) rule definition
  • Clarify behavior regarding redirection, as some unstated assumptions exist
  • Formalization of attribute syntax (perhaps through ABNF)
• Need improvements to document flow after the recent merge of the previous draft and the redirection draft
  • Title change under consideration
• Next draft revision expected later this month
• Hoping to make final call by end of summer; expect completion by end of year