Greg stated...

> At the very end of Section 2.5 on NAS-Filter-Rule,
> it says that the NAS can apply rules of its own before
> rules supplied via the interface in this document.
> I didn't understand the ordering and precedence
> between filters originated from the different sources.

I see your point. The thought was not to give complete treatment to all possible active rule sets (i.e. those specified by RADIUS, those configured locally, those rules the PEP enforces because of security considerations), but at least acknowledge that other active rules do exist and that they may influence the ultimate forwarding decision.

What if the statement in question were changed as follows?

"A NAS MAY apply deny rules of its own before the supplied rules, for example to protect the access device owner's infrastructure."

To

"A NAS MAY apply additional rules (deny, redirect, etc.) of its own before, in between, or after rules specified with NAS-Traffic-Rule. For example, these additional rules may protect the access device owner's infrastructure. Management of these additional rules is out of scope, and they are not subject to the semantics or behaviors described for NAS-Traffic-Rule."

> Is that covered somewhere? If the server sends a
> flush-rule via CoA-Request, does that remove the
> NAS originated (configured) rules? The text is implying

By NAS originated do you mean those rule sets not assigned via the RADIUS interface? If so, then the answer is no. The process of assignment, updates, and flushing only affects those rules controlled by RADIUS.

> that the rules are applied in specific order based on
> type, e.g. HTTP filter rules are last. What if the NAS
> defines the HTTP filter rule, and other types come via
> CoA? What's the order then? This seems like an area
> of likely implementation confusion.

If that HTTP filter was not assigned through the RADIUS interface, then flushes and CoA messages have no effect on it. The guidelines for rule ordering are only relevant for those controlled via this RADIUS specification. I see it as out of scope on mandating how non-RADIUS rules should behave.

>
> Requested change:
> I think the precedence of locally configured rules
> relative to dynamic updates needs to be clarified.
> It might also be useful to treat this in the examples
> of Appendix B. This seems similar to Issue 107
> related to Acct-Interim-Interval. The NAS owner needs
> to be able to protect his resources, and the server
> owner needs predictable results for dynamic updates.

MS

--------------------------------------------
Mauricio Sanchez, CISSP
Network Security Architect
ProCurve Networking Business
Hewlett Packard
8000 Foothills Boulevard, ms 5557
Roseville CA, 95747-5557
916.785.1910 Tel
916.785.1815 Fax
mauricio.sanchez@hp.com
--------------------------------------------
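The precedence discussed in this message, modeled as an added example that is not part of the thread or of any RADIUS implementation: a NAS keeps owner-configured rules and RADIUS-assigned (NAS-Traffic-Rule) rules as separate sets, local rules are evaluated first, and a CoA flush clears only the RADIUS-controlled set. The rule representation, the first-match evaluation and the `deny` default are assumptions of this model, not text from the draft.

```python
"""Model of NAS rule precedence: local rules vs. RADIUS-assigned rules.

Assumptions (not from the draft): a rule is (action, destination prefix,
origin); evaluation is first-match; no match falls back to a deny default.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str   # "permit" or "deny" (constructed vocabulary)
    dst: str      # destination prefix the rule matches, e.g. "10.0.0.0/8"
    origin: str   # "local" (owner-configured) or "radius" (NAS-Traffic-Rule)


@dataclass
class NasFilter:
    # Owner-configured rules: out of scope for RADIUS, never touched by CoA.
    local_rules: list = field(default_factory=list)
    # Rules assigned via Access-Accept / CoA-Request using NAS-Traffic-Rule.
    radius_rules: list = field(default_factory=list)

    def assign(self, rules):
        """Assignment or update from the RADIUS server: replaces only the
        RADIUS-controlled set; local rules are left alone."""
        self.radius_rules = [r for r in rules if r.origin == "radius"]

    def flush(self):
        """CoA flush-rule: clears the RADIUS-controlled set only."""
        self.radius_rules = []

    def decide(self, dst_ip, default="deny"):
        """First matching rule wins. Local rules (e.g. protecting the access
        device owner's infrastructure) are applied before RADIUS rules."""
        for rule in self.local_rules + self.radius_rules:
            if ip_address(dst_ip) in ip_network(rule.dst):
                return rule.action, rule.origin
        return default, "default"


def demo():
    """Constructed scenario: owner denies 10/8; server later permits a
    subnet inside it. Local deny wins, and survives a CoA flush."""
    nas = NasFilter(local_rules=[Rule("deny", "10.0.0.0/8", "local")])
    nas.assign([Rule("permit", "10.1.2.0/24", "radius"),
                Rule("permit", "0.0.0.0/0", "radius")])
    before = (nas.decide("10.1.2.3"), nas.decide("192.0.2.1"))
    nas.flush()
    after = (nas.decide("10.1.2.3"), nas.decide("192.0.2.1"))
    return before, after
```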