Presentation to DIME WG on draft-ietf-radext-filter-rules-00-txt IETF 65 – Dallas,TX Mauricio Sanchez.

Why am I here?
– Radext is defining an attribute (NAS-Traffic-Rule) for filtering that is a superset of IPFilterRule
– Concerns around the RadExt charter on DIAMETER compatibility: “All RADIUS work MUST be compatible with equivalent facilities in Diameter. Where possible, new attributes should be defined so that the same attribute can be used in both RADIUS and Diameter without translation. In other cases a translation considerations section should be included in the specification.”
– Give DIME WG a comparison of NAS-Traffic-Rule to IPFilterRule
– Get DIME WG to give feedback on rule syntax
– Get buy-in to use NAS-Traffic-Rule syntax as basis for an update to DIAMETER

NAS-Traffic-Rule
– Offers 3 rule types
  – Base Encapsulation: Ethernet MAC layer
  – IP: IP/TCP layer
  – HTTP: IP and HTTP URL
– Offers up to 4 actions per rule type
  – Permit: Allow traffic
  – Deny: Block traffic
  – Tunnel: Forward traffic to/from a named tunnel (RFC 2868)
  – Redirect: Code 302 HTTP redirect
– Allowed Rule/Action Combinations
  Rule Type            Action
  Base Encapsulation   permit, deny, tunnel
  IP                   permit, deny, tunnel
  HTTP                 permit, deny, redirect
– Comparable to IPFilterRule

NAS-Traffic-Rule Examples
Example #1: Permit only L2 traffic coming from and going to a user's Ethernet MAC address. Block all other traffic. Assume user's MAC address is A C0.
  permit in l2:ether2 from A C0 to any
  permit out l2:ether2 from any to A C0
Example #2: Tunnel all L2 traffic coming from and going to a user. Assume tunnel name is: tunnel "1234".
  permit tunnel "tunnel \"1234\"" inout l2:ether2 from any to any
Example #3: Permit only L3 traffic coming from and going to a user's IP address. Block all other traffic. Assume user's IP address is
  permit in ip from to any
  permit out ip from any to
Example #4: Allow user to generate ARP requests, DNS requests, and HTTP (port 80) requests, of which only requests to are redirected to Assume user's MAC address is A C0 and IP address is
  permit in l2:ether:0x0806 from A C0 to any
  permit out l2:ether:0x806 from any to A C0
  permit in 17 from to any 53
  permit out 17 from any 53 to
  redirect in from to any 80
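To make the rule/action matrix concrete, here is an added example (my own code, not from the draft or from the presentation) that parses rules in the shape the slide's examples use and rejects combinations the table does not allow. It assumes a simplified grammar inferred from those examples (action, optional `tunnel "<name>"`, direction, protocol, `from <addr> [port] to <addr> [port]`), assumes `http` as the protocol keyword for HTTP rules (the slide shows none), and uses constructed documentation addresses; it is not the draft's ABNF.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule-type / action matrix taken from the slide's "Allowed Rule/Action Combinations" table.
ALLOWED_ACTIONS = {
    "l2":   {"permit", "deny", "tunnel"},    # Base Encapsulation (Ethernet MAC layer)
    "ip":   {"permit", "deny", "tunnel"},    # IP / TCP layer
    "http": {"permit", "deny", "redirect"},  # IP and HTTP URL
}
ACTIONS = {"permit", "deny", "tunnel", "redirect"}
DIRECTIONS = {"in", "out", "inout"}


@dataclass
class Rule:
    action: str                    # effective action: permit, deny, tunnel or redirect
    rule_type: str                 # l2, ip or http (derived from the protocol field)
    direction: str
    proto: str                     # e.g. l2:ether2, l2:ether:0x0806, ip, 17, http
    src: str
    dst: str
    src_port: Optional[str] = None
    dst_port: Optional[str] = None
    tunnel: Optional[str] = None   # tunnel name for tunnel rules


def tokenize(text: str) -> List[Tuple[str, str]]:
    """Split a rule into ('word', ...) and ('str', ...) tokens. Double-quoted strings
    may contain backslash-escaped quotes, as in  permit tunnel "tunnel \\"1234\\"" ..."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
        elif text[i] == '"':
            i, buf = i + 1, []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n:
                    i += 1               # keep the escaped character literally
                buf.append(text[i])
                i += 1
            if i >= n:
                raise ValueError(f"unterminated quoted string in: {text}")
            i += 1                       # skip the closing quote
            tokens.append(("str", "".join(buf)))
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            tokens.append(("word", text[i:j]))
            i = j
    return tokens


def rule_type_of(proto: str) -> str:
    """Map the protocol field onto the slide's three rule types ('http' keyword is assumed)."""
    if proto.startswith("l2:"):
        return "l2"
    if proto == "http":
        return "http"
    return "ip"                          # 'ip' or an IP protocol number such as 17 (UDP)


def parse_rule(text: str) -> Rule:
    toks, pos = tokenize(text), 0

    def word(what: str) -> str:          # consume one bare word or fail with context
        nonlocal pos
        if pos >= len(toks) or toks[pos][0] != "word":
            raise ValueError(f"expected {what} in: {text}")
        pos += 1
        return toks[pos - 1][1]

    action = word("action")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in: {text}")
    tunnel = None
    # "permit tunnel "<name>"" (slide example #2) is a tunnel rule; a bare "tunnel "<name>"" is accepted too.
    if action == "tunnel" or (pos < len(toks) and toks[pos] == ("word", "tunnel")):
        if pos < len(toks) and toks[pos] == ("word", "tunnel"):
            pos += 1
        if pos >= len(toks) or toks[pos][0] != "str":
            raise ValueError(f"tunnel rule needs a quoted tunnel name: {text}")
        tunnel, pos, action = toks[pos][1], pos + 1, "tunnel"
    direction = word("direction")
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction {direction!r} in: {text}")
    proto = word("protocol")
    if word("'from'") != "from":
        raise ValueError(f"expected 'from' in: {text}")
    src = word("source address")
    src_port = word("source port") if pos < len(toks) and toks[pos] != ("word", "to") else None
    if word("'to'") != "to":
        raise ValueError(f"expected 'to' in: {text}")
    dst = word("destination address")
    dst_port = word("destination port") if pos < len(toks) else None
    if pos != len(toks):
        raise ValueError(f"unexpected trailing tokens in: {text}")
    return Rule(action, rule_type_of(proto), direction, proto, src, dst, src_port, dst_port, tunnel)


def check_rule(rule: Rule) -> Optional[str]:
    """Return a reason if the rule uses an action its rule type does not allow, else None."""
    if rule.action not in ALLOWED_ACTIONS[rule.rule_type]:
        return f"action {rule.action!r} is not allowed for rule type {rule.rule_type!r}"
    return None


def validate_policy(lines: List[str]) -> List[Tuple[str, str]]:
    """Collect (line, problem) for every rule that fails to parse or breaks the matrix."""
    problems = []
    for line in (l.strip() for l in lines if l.strip()):
        try:
            reason = check_rule(parse_rule(line))
        except ValueError as exc:
            reason = str(exc)
        if reason:
            problems.append((line, reason))
    return problems


# Constructed sample policy: documentation MAC (RFC 7042 range) and IP (RFC 5737), not the slide's values.
SAMPLE_POLICY = [
    "permit in l2:ether:0x0806 from 00-00-5E-00-53-01 to any",
    "permit out l2:ether:0x0806 from any to 00-00-5E-00-53-01",
    "permit in 17 from 192.0.2.10 to any 53",
    "permit out 17 from any 53 to 192.0.2.10",
    'permit tunnel "tunnel \\"1234\\"" inout l2:ether2 from any to any',
    "redirect in http from 192.0.2.10 to any 80",
    "redirect in ip from 192.0.2.10 to any 80",   # rejected: redirect is an HTTP-only action
    "permit sideways ip from any to any",          # rejected: bad direction
]

if __name__ == "__main__":
    for line, why in validate_policy(SAMPLE_POLICY):
        print(f"REJECT {line!r}: {why}")
```

The combination check is the part a NAS implementer would actually keep: an attribute that carries a `redirect` on an IP-layer rule or a `tunnel` on an HTTP rule has no defined meaning in the table, so rejecting it at parse time is safer than guessing.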

Diameter Compatibility Discussion in RADEXT
– Draft does not contain a suitable section on Diameter compatibility, and this led to passionate debate
– At IETF 64 the tenuous consensus was to:
  a. Not split up the attribute into multiple attributes
  b. Use existing practices to allow Diameter to translate the NAS-Traffic-Rule attribute
– Consensus fell apart on point b
  – “Diameter community should get their say on rule syntax”
  – “We shouldn’t have two related yet non-compatible rule dialects”

Next steps
– Send your feedback on rule syntax, whether positive or negative
– Get your buy-in to use NAS-Traffic-Rule syntax as basis for an update to DIAMETER
– Figure out the appropriate process for updating DIAMETER