
Re: RADEXT WG last call on RADIUS Attributes for Filtering and Redirection



Bernard Aboba wrote:
> Given that no comments have been received during the last two RADEXT WG
> last calls, we are going to bring the document to RADEXT WG call again. 
> This RADEXT WG last call will last until January 15, 2008.

  Some comments:

1.4:

  It may be useful to note that an Accounting-Request packet MAY be
generated when the NAS cannot apply an attribute in the Access-Accept.
The Accounting-Request MAY contain Error-Cause, with value "Unsupported
Attribute" (401), and Acct-Status-Type = Stop, Acct-Terminate-Cause =
NAS-Error.  This serves as limited capability feedback.

Page 12:

        "any"       Keyword for 0.0.0.0/0 or the IPv6 equivalent.

  The IPv6 equivalent is...?  It could be specified here.

        "ipoptions" Match if the IP header contains the comma separated
                     list of options specified in spec.  The supported

  Can we allow hexadecimal specifications of options, too?  This would
be useful, and would match the rest of the document (e.g. IP proto as a
number, icmptypes, ...).

  A similar comment applies for tcpoptions.

3.1:

  Acct-NAS-Traffic-Rule is a complex attribute not meeting the
suggestions in the guidelines document.  Is there another way to achieve
the same end?  Since the extended attributes draft is still pending, I
think the answer is "no".

1.3:

  Capability advertisement could be done in a limited way by permitting
NAS-Traffic-Rule in an Access-Request.  Allowing this has practical
uses, too.  E.g. a WiFi hotspot (walled garden) could advertise upstream
that it is *currently* blocking traffic, by sending its filter rule:

    NAS-Traffic-Rule = "v1 redirect http://....local-login/";

  Similarly, a NAS requiring 802.1X could send:

    NAS-Traffic-Rule = "v1 permit inout l2:ether2:0x888e from any to NAS-MAC-address"

  i.e. EAPoL is permitted, everything else is discarded.

  This information is useful for upstream servers, and can help them
make better policy decisions.  It solves a serious problem in many
current deployments, where you have no idea what the NAS is currently
doing...

  Alan DeKok.
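An added example (my own, not code from the draft or from Alan's message) of the limited capability feedback suggested in the comment on 1.4: the NAS side builds the Accounting-Request Stop record with Acct-Terminate-Cause NAS-Error and Error-Cause "Unsupported Attribute" (401), and the server side verifies the Request Authenticator before treating it as feedback. Attribute and value numbers are the standard ones from RFC 2866 and RFC 3576; the identifier and shared secret are constructed sample values.

```python
import hashlib
import hmac
import struct
# Standard RADIUS numbers (RFC 2866 accounting, RFC 3576 Error-Cause).
CODE_ACCOUNTING_REQUEST = 4
ATTR_ACCT_STATUS_TYPE, ACCT_STATUS_STOP = 40, 2
ATTR_ACCT_TERMINATE_CAUSE, TERM_CAUSE_NAS_ERROR = 49, 10
ATTR_ERROR_CAUSE, ERROR_CAUSE_UNSUPPORTED_ATTRIBUTE = 101, 401

def _int_attr(attr_type, value):
    """Encode a 4-octet integer attribute as Type, Length (6), Value."""
    return struct.pack("!BBI", attr_type, 6, value)

def _request_authenticator(header, attrs, secret):
    """RFC 2866 s.3: MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def build_unsupported_attribute_stop(identifier, secret):
    """NAS side: Accounting-Request Stop reporting that an Access-Accept
    attribute (e.g. a NAS-Traffic-Rule it cannot apply) was not applied."""
    attrs = (_int_attr(ATTR_ACCT_STATUS_TYPE, ACCT_STATUS_STOP)
             + _int_attr(ATTR_ACCT_TERMINATE_CAUSE, TERM_CAUSE_NAS_ERROR)
             + _int_attr(ATTR_ERROR_CAUSE, ERROR_CAUSE_UNSUPPORTED_ATTRIBUTE))
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    return header + _request_authenticator(header, attrs, secret) + attrs

def parse_attrs(packet):
    """Return {type: [raw values]} for the attributes after the 20-octet header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(t, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs

def is_filter_rejection(packet, secret):
    """Server side: True only for an authentic Accounting-Request Stop carrying
    Acct-Terminate-Cause NAS-Error and Error-Cause Unsupported Attribute."""
    if len(packet) < 20 or packet[0] != CODE_ACCOUNTING_REQUEST:
        return False
    expected = _request_authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return False  # wrong secret or tampered: never act on unauthenticated feedback
    ints = {t: [struct.unpack("!I", v)[0] for v in vs if len(v) == 4]
            for t, vs in parse_attrs(packet).items()}
    return (ACCT_STATUS_STOP in ints.get(ATTR_ACCT_STATUS_TYPE, [])
            and TERM_CAUSE_NAS_ERROR in ints.get(ATTR_ACCT_TERMINATE_CAUSE, [])
            and ERROR_CAUSE_UNSUPPORTED_ATTRIBUTE in ints.get(ATTR_ERROR_CAUSE, []))
```

A server that sees this for a session it just accepted knows the NAS-Traffic-Rule it sent was not applied, which is exactly the "no idea what the NAS is currently doing" gap the message describes.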

archive: <http://psg.com/lists/radiusext/>