

  • Number of slides: 6

Presentation to DIME WG on draft-ietf-radext-filter-rules-00.txt
IETF 65 – Dallas, TX
Mauricio Sanchez

Why am I here?
• RADEXT is defining an attribute (NAS-Traffic-Rule) for filtering that is a superset of IPFilterRule
• Concerns around the RADEXT charter on Diameter compatibility – “All RADIUS work MUST be compatible with equivalent facilities in Diameter. Where possible, new attributes should be defined so that the same attribute can be used in both RADIUS and Diameter without translation. In other cases a translation considerations section should be included in the specification.”
• Give DIME WG a comparison of NAS-Traffic-Rule to IPFilterRule
• Get DIME WG to give feedback on rule syntax
• Get buy-in to use NAS-Traffic-Rule syntax as the basis for an update to DIAMETER

NAS-Traffic-Rule
• Offers 3 rule types
  – Base Encapsulation : Ethernet MAC layer
  – IP : IP/TCP layer
  – HTTP : IP and HTTP URL
  Comparable to IPFilterRule
• Offers up to 4 actions per rule type
  – Permit : Allow traffic
  – Deny : Block traffic
  – Tunnel : Forward traffic to/from a named tunnel (RFC 2868)
  – Redirect : Code 302 HTTP redirect
• Allowed Rule/Action Combinations
  Rule Type            Action
  Base Encapsulation   permit, deny, tunnel
  IP                   permit, deny, tunnel
  HTTP                 permit, deny, redirect

NAS-Traffic-Rule Examples
• Example #1: Permit only L2 traffic coming from and going to a user's Ethernet MAC address. Block all other traffic. Assume user's MAC address is 00-10-A4-23-19-C0.
    permit in l2:ether2 from 00-10-A4-23-19-C0 to any
    permit out l2:ether2 from any to 00-10-A4-23-19-C0
• Example #2: Tunnel all L2 traffic coming from and going to a user. Assume tunnel name is: tunnel "1234".
    permit tunnel "tunnel "1234"" inout l2:ether2 from any to any
• Example #3: Permit only L3 traffic coming from and going to a user's IP address. Block all other traffic. Assume user's IP address is 192.0.2.128.
    permit in ip from 192.0.2.128 to any
    permit out ip from any to 192.0.2.128
• Example #4: Allow user to generate ARP requests, DNS requests, and HTTP (port 80) requests, of which only requests to http://www.goo.org are redirected to http://www.foo.org. Assume user's MAC address is 00-10-A4-23-19-C0 and IP address is 192.0.2.128.
    permit in l2:ether:0x0806 from 00-10-A4-23-19-C0 to any
    permit out l2:ether:0x806 from any to 00-10-A4-23-19-C0
    permit in 17 from 192.0.2.168 to any 53
    permit out 17 from any 53 to 192.0.2.168
    redirect http://www.foo.org in from 192.0.2.168 to any 80 http://www.goo.org
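The rule-type/action table and the four examples above are enough to sketch what a NAS would have to do with such an attribute before installing a filter: tokenize the string, work out the rule type (L2 encapsulation, IP protocol, or HTTP when no protocol field is present), and reject any rule-type/action pair the table does not allow, since a silently accepted but unenforceable rule is a fail-open. The following Python is an added example, not code from the draft or the presenter; its grammar is an assumption inferred only from the example rules on these slides (not the draft's formal syntax), the field names on `TrafficRule` are invented for the illustration, and, because Example #2 writes the tunnel form as `permit tunnel "<name>"` while the table lists tunnel as an action of its own, the parser accepts both spellings and normalises them to the action `tunnel`.

```python
# Toy parser and validator for NAS-Traffic-Rule strings. Added illustrative code,
# not from the draft. ASSUMED grammar, inferred from the slide examples only:
#   action [tunnel-name | redirect-url] dir [proto] from src [port] to dst [port] [url]
import shlex
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"permit", "deny", "tunnel", "redirect"}
DIRECTIONS = {"in", "out", "inout"}
ALLOWED_ACTIONS = {  # rule-type / action table from the slide
    "base-encapsulation": {"permit", "deny", "tunnel"},
    "ip": {"permit", "deny", "tunnel"},
    "http": {"permit", "deny", "redirect"},
}


class RuleSyntaxError(ValueError):
    """Malformed rule or a rule-type/action pair the table does not allow."""


@dataclass
class TrafficRule:  # field names are this example's own, not the draft's
    action: str
    direction: str
    rule_type: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ethertype: Optional[int] = None    # base-encapsulation; None = any Ethernet II
    ip_protocol: Optional[int] = None  # ip; None = any IP protocol
    target: Optional[str] = None       # tunnel name (RFC 2868) or 302 redirect URL
    match_url: Optional[str] = None    # http rule: URL the request must match


def _endpoint(tokens, i, keyword):
    """Parse '<keyword> addr [port]' at tokens[i]; return (addr, port, next i)."""
    if i + 1 >= len(tokens) or tokens[i] != keyword:
        raise RuleSyntaxError(f"expected '{keyword} <address>'")
    addr, i, port = tokens[i + 1], i + 2, None
    if i < len(tokens) and tokens[i].isdigit():
        port, i = int(tokens[i]), i + 1
    return addr, port, i


def parse_rule(text: str) -> TrafficRule:
    tokens = shlex.split(text)  # keeps a quoted tunnel name together as one token
    if not tokens or tokens[0] not in ACTIONS:
        raise RuleSyntaxError("rule must start with permit, deny, tunnel or redirect")
    action, i = tokens[0], 1
    # Example #2 spells the tunnel form 'permit tunnel "<name>"'; the table lists
    # tunnel as an action of its own. Accept both and normalise to 'tunnel'.
    if action == "permit" and i < len(tokens) and tokens[i] == "tunnel":
        action, i = "tunnel", i + 1
    target = None
    if action in ("tunnel", "redirect"):  # next token: tunnel name / redirect URL
        if i >= len(tokens) or tokens[i] in DIRECTIONS:
            raise RuleSyntaxError(f"{action} rule needs a name or URL argument")
        target, i = tokens[i], i + 1
    if i >= len(tokens) or tokens[i] not in DIRECTIONS:
        raise RuleSyntaxError("expected direction in, out or inout")
    direction, i = tokens[i], i + 1
    ethertype = ip_protocol = match_url = None
    proto = tokens[i] if i < len(tokens) else ""
    if proto == "from":
        rule_type = "http"                  # no protocol field: HTTP rule
    elif proto.startswith("l2:"):
        rule_type, i = "base-encapsulation", i + 1
        if proto.startswith("l2:ether:"):
            ethertype = int(proto[9:], 16)  # 'l2:ether:0x0806' -> ARP (2054)
        elif proto != "l2:ether2":
            raise RuleSyntaxError(f"unknown L2 encapsulation {proto!r}")
    else:
        rule_type, i = "ip", i + 1
        if proto.isdigit():
            ip_protocol = int(proto)        # e.g. 17 = UDP
        elif proto != "ip":
            raise RuleSyntaxError(f"bad IP protocol {proto!r}")
    src, src_port, i = _endpoint(tokens, i, "from")
    dst, dst_port, i = _endpoint(tokens, i, "to")
    if rule_type == "http":
        if i >= len(tokens):
            raise RuleSyntaxError("http rule needs a URL to match")
        match_url, i = tokens[i], i + 1
    if i != len(tokens):
        raise RuleSyntaxError(f"unexpected trailing tokens {tokens[i:]}")
    if action not in ALLOWED_ACTIONS[rule_type]:  # fail closed on the table
        raise RuleSyntaxError(f"{action!r} is not allowed for {rule_type} rules")
    return TrafficRule(action, direction, rule_type, src, dst, src_port, dst_port,
                       ethertype, ip_protocol, target, match_url)


# Rule strings taken from the slides' Examples #1-#4.
SLIDE_EXAMPLES = [
    "permit in l2:ether2 from 00-10-A4-23-19-C0 to any",
    'permit tunnel "tunnel "1234"" inout l2:ether2 from any to any',
    "permit out ip from any to 192.0.2.128",
    "permit in l2:ether:0x0806 from 00-10-A4-23-19-C0 to any",
    "permit in 17 from 192.0.2.168 to any 53",
    "redirect http://www.foo.org in from 192.0.2.168 to any 80 http://www.goo.org",
]

if __name__ == "__main__":
    for rule in SLIDE_EXAMPLES:
        print(parse_rule(rule))
```

Running the module prints one `TrafficRule` per slide example; feeding it a pair the table forbids, such as a `redirect` on an `ip` rule or a `tunnel` on an `http` rule, raises `RuleSyntaxError` instead of producing a rule the NAS could not enforce.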

Diameter Compatibility Discussion in RADEXT
• Draft does not contain a suitable section on Diameter compatibility and this led to passionate debate
• At IETF 64 tenuous consensus was to:
  a. Not split up the attribute into multiple attributes
  b. Use existing practices to allow Diameter to translate the NAS-Traffic-Rule attribute
• Consensus fell apart on point b
  – “Diameter community should get their say on rule syntax”
  – “We shouldn’t have two related yet non-compatible rule dialects”

Next steps
• Send your feedback on rule syntax, whether positive or negative
• Get your buy-in to use NAS-Traffic-Rule syntax as the basis for an update to DIAMETER
• Figure out the appropriate process for updating DIAMETER