Paul responded...
> -----Original Message-----
> Sent: Friday, September 23, 2005 3:04 PM [pc] Comments on Pasi's issue
> 102...
<...unneeded discussion cut...>
> 7) The document does not seem to describe what HTTP filter rules are
> or how they work (HTTP redirect rules are explained, but not HTTP
> filter rules).
>
> [pc] There really aren't specific HTTP filter rules per se.
> We don't filter based upon HTTP content, but it is possible to filter
> all HTTP traffic using normal IP filter rules. The text is a little
> unclear at the end of the section that indicates there are 'redirect'
> and 'filter' rules. Seems like we need to discuss redirect rules
> separately from filter rules. There are really two types of redirect
> rules: tunnel and http, and two filter rules: L2 and IP.
Discussion on this sub-issue 102-7 was never satisfactorily completed, as it stopped here. Here's a new stab at the beginning portion of the 'description' sub-section for the NAS-Filter-Rule attribute that I hope is a bit easier to understand. I await comments.
------------------------------------------------------
The NAS-Filter-Rule attribute is derived from the Diameter IPFilterRule and enables provisioning of base encapsulation (Layer 2) rules, Internet Protocol (Layer 3-4) rules, and HTTP (Layer 5+) rules on the NAS by the RADIUS server. For each rule and depending on the rule type, the NAS can be instructed to take a single action as follows:
   Rule Type             Allowable rule action
   -------------------   ---------------------
   Base Encapsulation    filter
   Internet Protocol     filter, tunnel
   HTTP                  filter, redirect
When specifying a base encapsulation rule, NAS-Filter-Rule processes packets based on the following information that is associated with it:
   - Direction (in and/or out)
   - Base encapsulation type
   - Source and destination MAC address (possibly masked)
For a base encapsulation rule, the filter action entails having the NAS permit (i.e. forward) or deny (i.e. block) a user's traffic.
When specifying an Internet Protocol rule, NAS-Filter-Rule processes packets based on the following information that is associated with it:
   - Direction (in and/or out)
   - Source and destination IP address (possibly masked)
   - Protocol
   - Source and destination port (lists or ranges)
   - TCP flags
   - IP fragment flag
   - IP options
   - ICMP types
For an Internet Protocol rule, the filter action entails having the NAS permit (i.e. forward) or deny (i.e. block) a user's traffic. The tunnel action entails having the NAS forward user traffic to or from a named tunnel that has been established per [RFC2868].
When specifying an HTTP rule, NAS-Filter-Rule processes packets based on the following information that is associated with it:
   - HTTP URL
   - Source and destination IP address (possibly masked)
For an HTTP rule, the filter action entails having the NAS permit (i.e. forward) or deny (i.e. block) a user's [RFC2616] request message. For a deny action, the NAS MAY respond to the request message with a code 403 (Forbidden) response in accordance with [RFC2616]. For a redirect action, the NAS SHOULD respond to the user's request with a code 302 (Found) response in accordance with [RFC2616].
It should be noted that an HTTP filter...<description text continues same as in current draft>
---------------------------------------------------------------------------------------------------------------------------
--------------------------------------------
Mauricio Sanchez, CISSP
Network Security Architect
Procurve Networking Business
Hewlett Packard
8000 Foothills Boulevard, ms 5555
Roseville CA, 95747-5557
916.785.1910 Tel
916.785.1815 Fax
mauricio.sanchez@hp.com
--------------------------------------------
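As an added example (not text from the draft or from either correspondent), a small Python parser and first-match evaluator for the Diameter IPFilterRule syntax (RFC 3588) that NAS-Filter-Rule is derived from, together with the allowable-action check from the table above. It assumes RFC 3588 evaluation semantics and only parses Internet Protocol rules, since the base encapsulation and HTTP rule syntaxes are not spelled out in the text; the sample rules and packets in the comments are constructed.

```python
import ipaddress
import re
# Allowable action per rule type (table above); 'filter' covers permit and deny,
# so action_allowed() rejects e.g. a redirect on an IP rule or a tunnel on L2.
ALLOWED = {"base encapsulation": {"filter"}, "internet protocol": {"filter", "tunnel"},
           "http": {"filter", "redirect"}}

def action_allowed(rule_type, action):
    return ("filter" if action in ("permit", "deny") else action) in ALLOWED[rule_type]

# RFC 3588 IPFilterRule: action dir proto from src [ports] to dst [ports] [options]
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<dir>in|out)\s+(?P<proto>\S+)\s+from\s+"
    r"(?P<src>\S+)(?:\s+(?P<sports>[\d,-]+))?\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dports>[\d,-]+))?(?P<opts>(?:\s+\S+)*)$")

def _ports(spec):  # '80,1024-65535' -> [(80, 80), (1024, 65535)]; None = any port
    return [(int(a), int(b or a)) for a, _, b in
            (i.partition("-") for i in spec.split(","))] if spec else None

def parse_rule(text):
    """Parse one Internet Protocol rule into a dict; ValueError if malformed."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an IPFilterRule: {text!r}")
    g = m.groupdict()
    return {"action": g["action"], "dir": g["dir"], "proto": g["proto"].lower(),
            "src": g["src"], "sports": _ports(g["sports"]), "dst": g["dst"],
            "dports": _ports(g["dports"]), "opts": g["opts"].split()}

def _addr_match(spec, ip, assigned):  # 'assigned' = the address the NAS gave the user
    if spec in ("any", "assigned"):
        return spec == "any" or ip == assigned
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)

def evaluate(rules, pkt, assigned):
    """pkt = (dir, proto, src, sport, dst, dport); first match wins. RFC 3588
    default: drop if the last rule evaluated was a permit, pass if a deny."""
    last = None  # stays None if no rule applies to this direction -> deny
    for r in [r for r in rules if r["dir"] == pkt[0]]:
        last = r["action"]
        if (r["proto"] in ("ip", pkt[1]) and _port_match(r["sports"], pkt[3])
                and _port_match(r["dports"], pkt[5]) and _addr_match(r["src"], pkt[2], assigned)
                and _addr_match(r["dst"], pkt[4], assigned)):
            return r["action"]
    return "permit" if last == "deny" else "deny"
```

Constructed rules such as "deny in ip from 10.0.0.0/8 to any" followed by "permit in tcp from any to assigned 80,443" show the ordering dependence: an inbound packet to an unlisted port falls through with the last evaluated rule a permit and is therefore dropped.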