
Presentation to DIME WG on draft-ietf-radext-filter-rules-00-txt IETF 65 – Dallas,TX Mauricio Sanchez.




1 Presentation to DIME WG on draft-ietf-radext-filter-rules-00-txt IETF 65 – Dallas,TX Mauricio Sanchez

2 Why am I here?
– RADEXT is defining a filtering attribute (NAS-Traffic-Rule) that is a superset of IPFilterRule
– Concerns around the RADEXT charter language on Diameter compatibility:
  "All RADIUS work MUST be compatible with equivalent facilities in Diameter. Where possible, new attributes should be defined so that the same attribute can be used in both RADIUS and Diameter without translation. In other cases a translation considerations section should be included in the specification."
– Give the DIME WG a comparison of NAS-Traffic-Rule to IPFilterRule
– Get DIME WG feedback on the rule syntax
– Get buy-in to use the NAS-Traffic-Rule syntax as the basis for an update to Diameter

3 NAS-Traffic-Rule
Offers 3 rule types
– Base Encapsulation : Ethernet MAC layer
– IP : IP/TCP layer
– HTTP : IP and HTTP URL
Offers up to 4 actions per rule type
– Permit : Allow traffic
– Deny : Block traffic
– Tunnel : Forward traffic to/from a named tunnel (RFC 2868)
– Redirect : Code 302 HTTP redirect

Allowed Rule/Action Combinations

  Rule Type            Action
  Base Encapsulation   permit, deny, tunnel
  IP                   permit, deny, tunnel
  HTTP                 permit, deny, redirect

Comparable to IPFilterRule

4 NAS-Traffic-Rule Examples

Example #1: Permit only L2 traffic coming from and going to a user's Ethernet MAC address. Block all other traffic. Assume the user's MAC address is A C0.
  permit in l2:ether2 from A C0 to any
  permit out l2:ether2 from any to A C0

Example #2: Tunnel all L2 traffic coming from and going to a user. Assume the tunnel name is: tunnel "1234".
  permit tunnel "tunnel \"1234\"" inout l2:ether2 from any to any

Example #3: Permit only L3 traffic coming from and going to a user's IP address. Block all other traffic. Assume the user's IP address is
  permit in ip from to any
  permit out ip from any to

Example #4: Allow the user to generate ARP requests, DNS requests, and HTTP (port 80) requests, of which only requests to are redirected to Assume the user's MAC address is A C0 and IP address is
  permit in l2:ether:0x0806 from A C0 to any
  permit out l2:ether:0x0806 from any to A C0
  permit in 17 from to any 53
  permit out 17 from any 53 to
  redirect in from to any 80
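The rule/action table on slide 3 and the examples on slide 4 sketch a small grammar, and the first thing a NAS implementer needs is a parser that rejects rules the table does not allow. The following is an added example, not code from draft-ietf-radext-filter-rules or from any RADIUS/Diameter implementation. It assumes a grammar reconstructed from the slide examples (`action ["<argument>"] direction rule-type from src [port] to dst [port]`), that the HTTP rule type is spelled `http`, that a redirect rule carries its target URL as a quoted argument right after the action, and that a tunnel is written `permit tunnel "<name>"` as in example #2. The MAC address, IP addresses and URL in the sample rules are constructed here; the slide's own values did not survive extraction.

```python
"""Parser and validator for the NAS-Traffic-Rule syntax sketched on the slides.

Added example; the grammar, the 'http' rule-type token and the placement of
the redirect URL are assumptions, not text from the draft.
"""
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Allowed rule-type/action combinations, straight from the slide's table.
ALLOWED = {
    "base-encapsulation": {"permit", "deny", "tunnel"},
    "ip": {"permit", "deny", "tunnel"},
    "http": {"permit", "deny", "redirect"},
}
DIRECTIONS = {"in", "out", "inout"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}$")


class RuleError(ValueError):
    """A rule that violates the assumed grammar or the slide's table."""


@dataclass
class Rule:
    action: str              # permit | deny | tunnel | redirect
    argument: Optional[str]  # tunnel name or redirect URL
    direction: str           # in | out | inout
    rule_type: str           # key of ALLOWED
    protocol: str            # raw rule-type token: l2:ether2, ip, 17, http, ...
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def classify(token: str) -> str:
    """Map the rule-type token to one of the slide's three rule types."""
    if token.startswith("l2:"):
        return "base-encapsulation"
    if token == "ip" or (token.isdigit() and int(token) <= 255):
        return "ip"                   # 'ip' or an IP protocol number (17 = UDP)
    if token == "http":               # assumed spelling of the HTTP rule type
        return "http"
    raise RuleError(f"unknown rule type {token!r}")


def _endpoint(tokens: list, rule_type: str):
    """Consume '<address> [port]' and check the address kind fits the rule type."""
    if not tokens:
        raise RuleError("missing address")
    addr = tokens.pop(0)
    if addr != "any":
        if rule_type == "base-encapsulation":
            if not MAC_RE.match(addr):
                raise RuleError(f"L2 rule needs a MAC address, got {addr!r}")
        else:
            try:
                ipaddress.ip_network(addr, strict=False)  # host or prefix
            except ValueError:
                raise RuleError(f"{rule_type} rule needs an IP address, got {addr!r}") from None
    port = None
    if tokens and tokens[0].isdigit():
        if rule_type == "base-encapsulation":
            raise RuleError("a port makes no sense on an L2 rule")
        port = int(tokens.pop(0))
        if port > 65535:
            raise RuleError(f"port {port} out of range")
    return addr, port


def parse_rule(text: str) -> Rule:
    tokens = shlex.split(text)        # unescapes the \" inside example #2's tunnel name
    if not tokens:
        raise RuleError("empty rule")
    action, argument = tokens.pop(0), None
    if action == "permit" and tokens and tokens[0] == "tunnel":
        tokens.pop(0)                 # 'permit tunnel "<name>"' is the tunnel action
        action = "tunnel"
        argument = tokens.pop(0) if tokens else None
    elif action == "redirect":        # assumption: URL follows the action
        argument = tokens.pop(0) if tokens else None
    if action not in {"permit", "deny", "tunnel", "redirect"}:
        raise RuleError(f"unknown action {action!r}")
    if action in ("tunnel", "redirect") and not argument:
        raise RuleError(f"{action} needs a quoted argument")
    if len(tokens) < 6:               # direction type from src to dst at minimum
        raise RuleError("truncated rule")
    direction, protocol = tokens.pop(0), tokens.pop(0)
    if direction not in DIRECTIONS:
        raise RuleError(f"bad direction {direction!r}")
    rule_type = classify(protocol)
    if action not in ALLOWED[rule_type]:
        raise RuleError(f"{action} is not allowed for {rule_type} rules")
    if tokens.pop(0) != "from":
        raise RuleError("expected 'from'")
    src, src_port = _endpoint(tokens, rule_type)
    if not tokens or tokens.pop(0) != "to":
        raise RuleError("expected 'to'")
    dst, dst_port = _endpoint(tokens, rule_type)
    if tokens:
        raise RuleError(f"trailing tokens {tokens}")
    return Rule(action, argument, direction, rule_type, protocol, src, src_port, dst, dst_port)


# Constructed rules in the shape of slide examples #1, #2 and #4 (addresses and URL made up).
SAMPLE_RULES = [
    "permit in l2:ether2 from 00-11-22-33-44-55 to any",
    "permit out l2:ether2 from any to 00-11-22-33-44-55",
    r'permit tunnel "tunnel \"1234\"" inout l2:ether2 from any to any',
    "permit in l2:ether:0x0806 from 00-11-22-33-44-55 to any",
    "permit in 17 from 192.0.2.10 to any 53",
    'redirect "http://portal.example.net/login" in http from 192.0.2.10 to any 80',
]


def check_rules(rules):
    """Return (parsed rules, [(rule text, reason)]) so a caller sees every rejection."""
    parsed, rejected = [], []
    for text in rules:
        try:
            parsed.append(parse_rule(text))
        except RuleError as err:
            rejected.append((text, str(err)))
    return parsed, rejected
```

Rules a NAS should refuse, such as `redirect` on an L2 rule or a MAC address on an IP rule, come back in the rejected list with a reason instead of being silently installed; that is the property the rule/action table exists to guarantee.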

5 Diameter Compatibility Discussion in RADEXT
– The draft does not contain a suitable section on Diameter compatibility, and this led to passionate debate
– At IETF 64 the tenuous consensus was to:
  a. Not split up the attribute into multiple attributes
  b. Use existing practices to allow Diameter to translate the NAS-Traffic-Rule attribute
– Consensus fell apart on point b:
  "Diameter community should get their say on rule syntax"
  "We shouldn't have two related yet non-compatible rule dialects"

6 Next steps
– Send your feedback on the rule syntax, whether positive or negative
– Get your buy-in to use the NAS-Traffic-Rule syntax as the basis for an update to Diameter
– Figure out the appropriate process for updating Diameter




