Published by Hope Parker. Modified over 9 years ago.
1
Radius Redirection
draft-lior-radius-redirection-01.txt
Avi Lior, Bridgewater Systems
Farid Adrangi, Intel
2
Acknowledgement
Jari Arkko
Stefaan De Cnodder
Parviz Yegani
3GPP2 folks
3
Motivation
Sometimes operators would like to be able to control a user's session:
– A Prepaid user may need to replenish resources.
– A user may need to rectify an issue with their account.
Operations consist of:
– Limiting what the user can do (e.g. walled garden).
– Notifying the user (e.g. HTTP hijacking).
– Allowing the user to rectify the issue.
In 3GPP2 this feature is called hot-lining.
4
Example
A Wireless Prepaid user may be hot-lined once their account is depleted.
We want to be able to let the user replenish their account.
– Block their traffic except to a Web Portal.
– We redirect all their HTTP traffic to the Prepaid Web Portal.
– We redirect all other traffic such that when we detect packets we respond with an SMS message instructing the user to visit the Prepaid Web Portal.
Once the user purchases more time we return the traffic back to normal.
5
Requirements
Mechanism to block traffic (all or selectively).
Mechanism to redirect traffic (all or selectively).
We need to be able to do this at the start of the session, or mid-session.
6
Overview of Draft
Describes how to block and redirect traffic:
– At the start of the session.
– Mid-session.
It describes how redirection could be done using tunnelling.
It introduces 5 new attributes.
7
Blocking User Flows
RADIUS has Filter-Id.
– Filters need to be pre-configured at the NAS.
– Not roaming friendly.
New attribute called NAS-Filter-Rule:
– Specifies what IP flows should be blocked.
– Same syntax as IP-Filter-Rule in Diameter, except we have added an action called "flush" so that we can use it with RFC 3576 CoA.
To block all TCP traffic from a terminal:
    deny in tcp from assigned to any
8
Redirection
The purpose of redirection is to capture user traffic so that we can notify them.
– We don't cover the notification scheme.
– HTTP notification, SMS messaging, application specific, etc.
It is not to allow the service to continue.
– We recognize that the service will break in most if not all cases.
The alternative is to kill the session without notification of the user.
9
Redirection using Tunnelling
Tunnels can be used to redirect traffic.
A tunnel can be set up at the start of the session or mid-session using tunnel attributes.
It's not clear how you would de-tunnel traffic (needed to return traffic back to normal).
– We suggest using the CoA with Authorize-Only ("Pull Method") for removing tunnels.
10
Redirecting IP-Traffic
IP-Redirection-Id attribute:
– Index to preconfigured redirection policy (rules) at the NAS. Similar to Filter-Id.
IP-Redirection-Rule attribute:
– Explicit redirection rule.
– Similar syntax to NAS-Filter-Rule.
To redirect all HTTP traffic from the terminal to a Web Portal:
    redirect 123.104.100.8 80 in tcp from assigned to any 80
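Added example (not from the slides or the draft): how a NAS could parse the two rule forms shown above and apply them first-match to packets from the terminal, which shows why rule order decides whether the portal redirect or the block wins. The grammar is inferred only from the two slide examples; first-match evaluation, the `permit` action, the `no-match` result and the packet dict fields are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ACTIONS = ("permit", "deny", "redirect")

@dataclass
class Rule:
    action: str
    target: Optional[Tuple[str, int]]  # (ip, port), only for "redirect"
    direction: str
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]

def parse_rule(text: str) -> Rule:
    """Parse '<action> [ip port] <dir> <proto> from <src> to <dst> [port]'."""
    tok = text.split()
    if not tok or tok[0] not in ACTIONS:
        raise ValueError(f"unknown action in rule: {text!r}")
    action, target = tok.pop(0), None
    if action == "redirect":
        if len(tok) < 2:
            raise ValueError(f"redirect without target: {text!r}")
        target = (tok.pop(0), int(tok.pop(0)))
    # Reject anything that is not exactly the expected shape instead of guessing.
    if len(tok) not in (6, 7) or tok[2] != "from" or tok[4] != "to":
        raise ValueError(f"malformed rule: {text!r}")
    dport = int(tok[6]) if len(tok) == 7 else None
    return Rule(action, target, tok[0], tok[1], tok[3], tok[5], dport)

def _addr_ok(spec: str, addr: str, assigned: str) -> bool:
    # "assigned" stands for the address the NAS assigned to the terminal.
    return spec == "any" or (spec == "assigned" and addr == assigned) or spec == addr

def decide(rules, pkt, assigned):
    """Return (action, target) of the first matching rule, else ('no-match', None)."""
    for r in rules:
        if (r.direction == pkt["dir"] and r.proto in ("ip", pkt["proto"])
                and _addr_ok(r.src, pkt["src"], assigned)
                and _addr_ok(r.dst, pkt["dst"], assigned)
                and r.dst_port in (None, pkt["dport"])):
            return r.action, r.target
    return "no-match", None

# Rule strings are the two from the slides; putting them in this order is this example's choice.
WALLED_GARDEN = [
    parse_rule("redirect 123.104.100.8 80 in tcp from assigned to any 80"),
    parse_rule("deny in tcp from assigned to any"),
]
```

If the two rules are reversed, the broad `deny` matches port 80 first and the user never reaches the portal.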
11
HTTP Redirection
Some NASes are capable of inspecting packets at the HTTP layer.
HTTP-Redirection-Id and HTTP-Redirection-Rule attributes are provided to redirect traffic at the HTTP layer.
HTTP-Redirection-Id is the same as Filter-Id.
HTTP-Redirection-Rule:
    redirect http://www.x.com:80/fraud from assigned to any 80
When the rule matches, the NAS responds with an HTTP Redirection specifying the URL.
12
What's Next?
Added reference to Prepaid work.