
Radius Redirection


Presentation Transcript


  1. Radius Redirection
     draft-lior-radius-redirection-01.txt
     Avi Lior (Bridgewater Systems), Farid Adrangi (Intel)

  2. Acknowledgement
     • Jari Arkko
     • Stefaan de Cnodder
     • Parviz Yegani
     • 3GPP2 folks

  3. Motivation
     • Sometimes operators would like to be able to control a user’s session:
       • A Prepaid user may need to replenish resources.
       • A user may need to rectify an issue with their account.
     • Operations consist of:
       • Limiting what the user can do (e.g. walled garden).
       • Notifying the user (e.g. HTTP hijacking).
       • Allowing the user to rectify the issue.
     • In 3GPP2 this feature is called hot-lining.

  4. Example
     • A Wireless Prepaid user may be hot-lined once their account is depleted. We want to be able to let the user replenish their account.
     • Block their traffic except to a Web Portal.
     • We redirect all their HTTP traffic to the Prepaid Web Portal.
     • We redirect all other traffic such that when we detect packets we respond with an SMS message instructing the user to visit the Prepaid Web Portal.
     • Once the user purchases more time we return the traffic back to normal.

  5. Requirements
     • Mechanism to block traffic (all or selectively).
     • Mechanism to redirect traffic (all or selectively).
     • We need to be able to do this at the start of the session, or mid-session.

  6. Overview of Draft
     • Describes how to block and redirect traffic:
       • At the start of the session.
       • Mid-session.
     • It describes how redirection could be done using tunnelling.
     • It introduces 5 new attributes.

  7. Blocking User Flows
     • RADIUS has Filter-Id.
       • Filters need to be pre-configured at the NAS.
       • Not roaming friendly.
     • New attribute called NAS-Filter-Rule:
       • Specifies what IP flows should be blocked.
       • Same syntax as IP-Filter-Rule in Diameter.
       • Except we have added an action called “flush” so that we can use it with RFC 3576 CoA.
     • To block all TCP traffic from a terminal:
         deny in tcp from assigned to any

  8. Redirection
     • The purpose of redirection is to capture user traffic so that we can notify them.
       • We don’t cover the notification scheme.
       • HTTP notification, SMS messaging, application specific, etc.
     • It’s not to allow the service to continue.
       • We recognize that the service will break in most if not all cases.
       • The alternative is to kill the session without notification of the user.

  9. Redirection using Tunnelling
     • Tunnels can be used to redirect traffic.
     • A tunnel can be set up at the start of the session or mid-session using tunnel attributes.
     • It’s not clear how you would de-tunnel traffic (needed to return traffic back to normal).
     • We suggest using the CoA with Authorize-Only (“Pull Method”) for removing tunnels.

  10. Redirecting IP-Traffic
     • IP-Redirection-Id attribute:
       • Index to preconfigured redirection policy (rules) at the NAS. Similar to Filter-Id.
     • IP-Redirection-Rule attribute:
       • Explicit redirection rule.
       • Similar syntax to NAS-Filter-Rule.
     • To redirect all HTTP traffic from the terminal to a Web Portal:
         redirect 123.104.100.8 80 in tcp from assigned to any 80

  11. HTTP Redirection
     • Some NASes are capable of inspecting packets at the HTTP layer.
     • HTTP-Redirection-Id and HTTP-Redirection-Rule attributes are provided to redirect traffic at the HTTP layer.
     • HTTP-Redirection-Id is the same as Filter-Id.
     • HTTP-Redirection-Rule:
         redirect http://www.x.com:80/fraud from assigned to any 80
     • When the rule matches, the NAS responds with an HTTP Redirection specifying the URL.

  12. What’s Next?
     • Added reference to Prepaid work.
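
As an added illustration (not code from the draft or the presenters), the Python below parses the three rule strings shown on slides 7, 10 and 11 and applies them to a packet the way a NAS enforcing them might. The grammar is inferred from those three examples only; first-match ordering, the default permit, and the 10.0.0.5 and 198.51.100.7 addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Grammar inferred only from the three example rules on the slides (an assumption);
# the draft's full syntax and its "flush" action are not covered.
RULE_RE = re.compile(
    r"^(?:(?P<deny>deny)|redirect\s+(?:(?P<url>https?://\S+)|(?P<ip>\S+)\s+(?P<rport>\d+)))"
    r"(?:\s+in\s+(?P<proto>\w+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?$")
# action: "deny", "redirect-ip" or "redirect-http"; target: "ip:port", URL or None
Rule = namedtuple("Rule", "action target proto src dst dport")

def _port(text):
    if not 1 <= int(text) <= 65535:
        raise ValueError(f"port out of range: {text}")
    return int(text)

def parse_rule(text):
    """Parse one rule string; raise ValueError so a malformed rule is never half-applied."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    dport = _port(m["dport"]) if m["dport"] else None
    if m["url"]:  # HTTP-layer rule: no "in <proto>" part; HTTP runs over TCP
        return Rule("redirect-http", m["url"], "tcp", m["src"], m["dst"], dport)
    if not m["proto"]:
        raise ValueError("deny and IP redirect rules need 'in <proto>'")
    if m["deny"]:
        return Rule("deny", None, m["proto"], m["src"], m["dst"], dport)
    target = f"{ipaddress.ip_address(m['ip'])}:{_port(m['rport'])}"
    return Rule("redirect-ip", target, m["proto"], m["src"], m["dst"], dport)

def decide(rules, pkt, assigned):
    """First matching rule wins; no match means permit (both are assumptions)."""
    def addr_ok(spec, addr):
        return spec == "any" or addr == (assigned if spec == "assigned" else spec)
    for r in rules:
        if (r.proto == pkt["proto"] and addr_ok(r.src, pkt["src"])
                and addr_ok(r.dst, pkt["dst"]) and r.dport in (None, pkt["dport"])):
            return r.action, r.target
    return "permit", None

if __name__ == "__main__":  # slide rules applied to constructed packets
    rules = [parse_rule("redirect 123.104.100.8 80 in tcp from assigned to any 80"),
             parse_rule("deny in tcp from assigned to any")]
    for dport in (80, 22):
        pkt = {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": dport}
        print(dport, decide(rules, pkt, "10.0.0.5"))
```

Rule order matters here: with the deny rule listed first, port-80 traffic would be dropped before the redirect could match, and the user would never reach the portal.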
