Download
1 / 6
60 likes | 61 Views
This presentation discusses the NAS-Traffic-Rule attribute for filtering in Radext and its compatibility with Diameter. It explores the rule syntax, offers examples, and highlights the need for a unified rule dialect. Feedback and buy-in are sought for using NAS-Traffic-Rule as the basis for updating Diameter.
E N D
Presentation to DIME WG ondraft-ietf-radext-filter-rules-00-txt IETF 65 – Dallas,TX Mauricio Sanchez
Why am I here? • Radext defining attribute (NAS-Traffic-Rule) for filtering that is superset of IPFilterRule • Concerns around RadExt charter on DIAMETER compatibility • “All RADIUS work MUST be compatible with equivalent facilities inDiameter. Where possible, new attributes should be defined so thatthe same attribute can be used in both RADIUS and Diameter withouttranslation. In other cases a translation considerationssection should be included in the specification.” • Give DIME WG comparison of NAS-Traffic-Rule to IPFilterRule • Get DIME WG to give feedback on rule syntax • Get buy in to use NAS-Traffic-Rule syntax as basis for update to DIAMETER
NAS-Traffic-Rule • Offers 3 rule types • Base Encapsulation : Ethernet MAC layer • IP : IP/TCP layer • HTTP : IP and HTTP URL • Offers up to 4 actions per rule type • Permit : Allow traffic • Deny : Block traffic • Tunnel : Forward traffic to/from a named tunnel (RFC2868) • Redirect : Code 302 HTTP redirect • Allowed Rule/Action Combinations Comparable to IPFilterRule
NAS-Traffic-Rule Examples • Example #1: Permit only L2 traffic coming from and going to a user's Ethernet MAC address. Block all other traffic. Assume user's MAC address is 00-10-A4-23-19-C0. permit in l2:ether2 from 00-10-A4-23-19-C0 to any permit out l2:ether2 from any to 00-10-A4-23-19-C0 • Example #2: Tunnel all L2 traffic coming from and going to a user. Assume tunnel name is: tunnel "1234". permit tunnel "tunnel \"1234\"" inout l2:ether2 from any to any • Example #3: Permit only L3 traffic coming and going to from a user's IP address. Block all other traffic. Assume user's IP address is 192.0.2.128. permit in ip from 192.0.2.128 to any permit out ip from any to 192.0.2.128 • Example #4: Allow user to generate ARP requests, DNS requests, and HTTP (port 80) requests, of which only requests to http://www.goo.org are redirected to http://www.foo.org. Assume user's MAC address is 00-10-A4-23-19-C0 and IP address is 192.0.2.128 permit in l2:ether:0x0806 from 00-10-A4-23-19-C0 to any permit out l2:ether:0x806 from any to 00-10-A4-23-19-C0 permit in 17 from 192.0.2.168 to any 53 permit out 17 from any 53 to 192.0.2.168 redirect http://www.foo.org in from 192.0.2.168 to any 80 http://www.goo.org
Diameter Compatibility Discussion in RADEXT • Draft does not contain a suitable section on Diameter compatibility and this led to passionate debate • At IETF 64 tenuous consensus was to: a. Not split-up attribute into multiple attributes b. Use existing practices to allow Diameter to translate NAS-Traffic-Rule attribute • Consensus fell apart on point B • “Diameter community should get their say on rule syntax” • “We shouldn’t have two related yet non-compatible rule dialects”
Next steps • Send your feedback on rule syntax, whether positive or negative • Get your buy in to use NAS-Traffic-Rule syntax as basis for update to DIAMETER • Figure out appropriate process for updating DIAMETER
