
L2 NAS-Filter-Rule syntax choices



We are working on -04 of the 802 extensions draft and have added in a
syntax for L2 filters for the NAS-Filter-Rule attribute.  I'd like some
feedback from the group on if we are going in the right direction before
posting -04 for review.

The current proposal is trying to balance usability with extensibility.
It provides two ways to express an L2 frame; one for Ethernet
encapsulation and another for everything else. We expect that the vast
majority of the time (maybe 99%) an L2 frame will be encapsulated with
Ethernet type encapsulation.  The Ethernet encapsulation syntax in the
attribute specifies the Ethertype and addresses as seen in the following
example:

	deny in l2:ether2:0x806 from 00-10-A4-23-19-C0 to any

This would block all ARP packets from a particular host.  The key words
are l2:ether2[:value].

A second, more extensible, yet harder to use, syntax is also defined to
cover all other cases.  It uses the OID format defined in RFC2895 for
protocol definitions.  For example:

	deny in l2:0.0.0.2.0.0.0.240

This would block all NetBIOS over LLC traffic.  We should be able to
define all L2 protocols using this format.
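To make the two syntaxes concrete, here is an added example (not from the draft or from Paul) of a small parser and first-match evaluator for the L2 NAS-Filter-Rule forms sketched above, run over constructed Ethernet frames. It assumes the grammar exactly as the mail shows it (action, direction, `l2:ether2[:value]` or `l2:<OID>`, optional `from <MAC> to <MAC|any>`), that the RFC 2895 base-layer identifier 2 in the first four OID octets means LLC and 1 means Ethernet II, and, as a simplification, that an LLC protocol value is matched against the frame's DSAP. The frames and rule list are constructed sample data.

```python
"""Parse and evaluate L2 NAS-Filter-Rule strings (added example, assumptions noted)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed RFC 2895 base-layer identifiers (first 4-octet group of the OID form);
# 2 == "llc" is what the NetBIOS example on the page uses.
RMON_ETHER2 = 1
RMON_LLC = 2


@dataclass
class L2Rule:
    action: str                       # "permit" | "deny"
    direction: str                    # "in" | "out"
    kind: str                         # "ether2" | "rmon"
    ethertype: Optional[int] = None   # ether2 form; None means any Ethertype
    oid: Tuple[int, ...] = ()         # rmon form, octets of the OID
    src: Optional[bytes] = None       # None means "any"
    dst: Optional[bytes] = None


def parse_mac(tok: str) -> Optional[bytes]:
    """'any' -> None; 'xx-xx-xx-xx-xx-xx' -> 6 raw bytes."""
    if tok == "any":
        return None
    parts = tok.split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {tok}")
    return bytes(int(p, 16) for p in parts)


def parse_rule(text: str) -> L2Rule:
    toks = text.split()
    if len(toks) not in (3, 7):
        raise ValueError(f"unexpected token count in rule: {text!r}")
    action, direction, proto = toks[:3]
    if action not in ("permit", "deny") or direction not in ("in", "out"):
        raise ValueError(f"bad action/direction in rule: {text!r}")
    if not proto.startswith("l2:"):
        raise ValueError(f"not an L2 rule: {text!r}")
    src = dst = None
    if len(toks) == 7:
        if toks[3] != "from" or toks[5] != "to":
            raise ValueError(f"expected 'from X to Y' in rule: {text!r}")
        src, dst = parse_mac(toks[4]), parse_mac(toks[6])
    body = proto[3:]
    if body == "ether2" or body.startswith("ether2:"):
        _, _, val = body.partition(":")
        ethertype = int(val, 0) if val else None      # accepts 0x806 or 2054
        if ethertype is not None and not 0x600 <= ethertype <= 0xFFFF:
            raise ValueError(f"Ethertype out of range: {val}")
        return L2Rule(action, direction, "ether2", ethertype=ethertype, src=src, dst=dst)
    oid = tuple(int(x) for x in body.split("."))
    # Need a base-layer group plus at least one protocol group, all octet-sized.
    if len(oid) < 8 or len(oid) % 4 or any(not 0 <= o <= 255 for o in oid):
        raise ValueError(f"bad RMON protocol OID: {body}")
    return L2Rule(action, direction, "rmon", oid=oid, src=src, dst=dst)


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: Optional[int]   # set for Ethernet II frames
    dsap: Optional[int]        # set for 802.3/LLC frames


def decode_frame(raw: bytes) -> Frame:
    """Minimal Ethernet header decode: Ethernet II if type/length >= 0x600, else 802.3 + LLC."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src = raw[:6], raw[6:12]
    type_or_len = int.from_bytes(raw[12:14], "big")
    if type_or_len >= 0x600:
        return Frame(dst, src, type_or_len, None)
    if len(raw) < 15:
        raise ValueError("802.3 frame without LLC header")
    return Frame(dst, src, None, raw[14])


def rule_matches(rule: L2Rule, frame: Frame, direction: str) -> bool:
    if rule.direction != direction:
        return False
    if rule.src is not None and rule.src != frame.src:
        return False
    if rule.dst is not None and rule.dst != frame.dst:
        return False
    if rule.kind == "ether2":
        if frame.ethertype is None:
            return False
        return rule.ethertype is None or rule.ethertype == frame.ethertype
    base = int.from_bytes(bytes(rule.oid[:4]), "big")
    proto = int.from_bytes(bytes(rule.oid[4:8]), "big")
    if base == RMON_ETHER2:
        return frame.ethertype == proto
    if base == RMON_LLC:            # assumption: LLC value compared with the DSAP
        return frame.dsap == proto
    return False                     # snap and other base layers not modelled here


def evaluate(rules, raw: bytes, direction: str = "in", default: str = "permit") -> str:
    """First matching rule wins; 'default' applies when nothing matches."""
    frame = decode_frame(raw)
    for rule in rules:
        if rule_matches(rule, frame, direction):
            return rule.action
    return default


# Constructed sample frames (dst, src, type/length, payload); not captured traffic.
HOST = bytes.fromhex("0010a42319c0")
OTHER = bytes.fromhex("0010a4000001")
BCAST = b"\xff" * 6
ARP_FROM_HOST = BCAST + HOST + bytes.fromhex("0806") + b"\x00" * 28
ARP_FROM_OTHER = BCAST + OTHER + bytes.fromhex("0806") + b"\x00" * 28
IPV4_FROM_HOST = BCAST + HOST + bytes.fromhex("0800") + b"\x00" * 46
NETBIOS_LLC = BCAST + OTHER + bytes.fromhex("0040") + bytes.fromhex("f0f003") + b"\x00" * 43

RULES = [
    parse_rule("deny in l2:ether2:0x806 from 00-10-A4-23-19-C0 to any"),
    parse_rule("deny in l2:0.0.0.2.0.0.0.240"),
]

if __name__ == "__main__":
    for name, frame in [("ARP from host", ARP_FROM_HOST), ("ARP from other", ARP_FROM_OTHER),
                        ("IPv4 from host", IPV4_FROM_HOST), ("NetBIOS/LLC", NETBIOS_LLC)]:
        print(f"{name:15s} -> {evaluate(RULES, frame)}")
```

Run as a script it prints the decision for each sample frame: only the ARP frame from 00-10-A4-23-19-C0 and the LLC frame with DSAP 0xF0 are denied. The OID parser rejects anything that is not a whole number of 4-octet groups, which is the kind of validation a NAS would need before accepting the attribute from a RADIUS server.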

The belief is the current proposal covers all bases and is still usable,
but perhaps specifies more than many NAS devices could actually
implement or are interested in supporting.

Alternatives to the current scheme include:

1. Defining additional key words like 'ether2' for other encapsulations
like SNAP, LLC, IPX-Raw, etc.
2. Drop the rmon_str syntax and just support ether2
3. Only use the rmon_str syntax
4. Others?

Let me know what you think.

Paul

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>