
RE: Issue 170: Precedence and Order for NAS-Filter-Rule



Mauricio Sanchez writes...

> "A NAS MAY apply additional rules (deny, redirect, etc.) 
> of its own before, in between, or after rules specified 
> with NAS-Traffic-Rule.  For example, these additional rules
> may protect the access device owner's infrastructure.
> Management of these additional rules is out of scope and are 
> not subject to the semantics or behaviors described for 
> NAS-Traffic-Rule."

Wow.  In other words, the entity that creates a NAS-Traffic-Rule
attribute really has no idea what the aggregate traffic filtering
behavior of a given NAS will be.  So what makes this new attribute
useful?
 
> The guidelines for rule ordering are only relevant for those
> controlled via this RADIUS specification.  I see it as out of
> scope on mandating how non-RADIUS rules should behave.

Fair enough.  I still wonder how useful this attribute will be if the
administrator that sets it up has no idea which (if any) of the elements
he has specified will be enforced by the NAS, and which (potentially
all) of the elements are superseded by a local NAS filtering rule.

I can see this mechanism working in a predictable fashion only in
certain situations, based on assumptions of the locally configured NAS
rules that take precedence.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
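Added example, not part of the original message or of the draft under discussion: a small model of the concern raised above, showing how the verdict an administrator expects from the RADIUS-supplied rules can change depending on where the NAS places its own local rules. The tuple rule format, first-match-wins evaluation, implicit deny, and all addresses are assumptions constructed for illustration, not the attribute's actual syntax or semantics.

```python
from ipaddress import ip_address, ip_network

# Constructed sample rules: (origin, action, destination network, port or None for any).
RADIUS_RULES = [
    ("radius", "permit", "10.1.0.0/16", 443),
    ("radius", "permit", "10.2.0.0/16", 25),
    ("radius", "deny", "0.0.0.0/0", None),
]
# Hypothetical local NAS rules the RADIUS administrator cannot see.
LOCAL_RULES = [
    ("local", "deny", "10.1.5.0/24", None),    # protects the NAS owner's infrastructure
    ("local", "permit", "192.0.2.0/24", 80),   # e.g. a locally configured portal
]
# Constructed probe packets: (destination address, destination port).
PROBES = [("10.1.5.9", 443), ("10.1.9.9", 443), ("10.2.0.7", 25), ("192.0.2.1", 80)]


def matches(rule, dst, port):
    _, _, net, rule_port = rule
    return ip_address(dst) in ip_network(net) and rule_port in (None, port)


def verdict(rules, dst, port):
    """Return (origin, action) of the first matching rule (assumed semantics)."""
    for rule in rules:
        if matches(rule, dst, port):
            return rule[0], rule[1]
    return "implicit", "deny"


def divergences(radius_rules, local_rules, position, probes):
    """Probes whose outcome differs from what the RADIUS rules alone would give.

    position is the index in radius_rules at which the NAS inserts its local
    rules: 0 = before, len(radius_rules) = after, anything else = in between.
    """
    combined = radius_rules[:position] + local_rules + radius_rules[position:]
    found = []
    for dst, port in probes:
        expected = verdict(radius_rules, dst, port)[1]
        origin, actual = verdict(combined, dst, port)
        if actual != expected:
            found.append((dst, port, expected, actual, origin))
    return found


if __name__ == "__main__":
    for pos in (0, 1, len(RADIUS_RULES)):
        print(pos, divergences(RADIUS_RULES, LOCAL_RULES, pos, PROBES))
```

With the local rules placed first, two probes diverge from the RADIUS-only expectation; placed after the first RADIUS rule, one diverges; placed last, none do.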