1 / 12

Radius Redirection

Radius Redirection. draft-lior-radius-redirection-01.txt. Avi Lior Bridgewater Systems Farid Adrangi Intel. Acknowledgement. Jari Arkko Stefaane de Cnodder Parviz Yegani 3GPP2 folks. Motivation. Sometimes operators would like to be able to control a user’s session:

Télécharger la présentation

Radius Redirection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Radius Redirection draft-lior-radius-redirection-01.txt Avi Lior Bridgewater Systems Farid Adrangi Intel

  2. Acknowledgement • Jari Arkko • Stefaane de Cnodder • Parviz Yegani • 3GPP2 folks

  3. Motivation • Sometimes operators would like to be able to control a user’s session: • A Prepaid user may need to replenish resources • A user may need to rectify an issue with their account • Operations consist of : • Limiting what the user can do (Eg. walled garden). • Notifying the user (Eg. HTTP hijacking). • Allowing the user to rectify the issue. • In 3GPP2 this feature is called hot-lining.

  4. Example • A Wireless Prepaid user maybe hot-lined once their account is depleted. We want to be able to let the user replenish their account. • Block their traffic except to a Web Portal. • We redirect all their HTTP traffic to the Prepaid Web Portal. • We redirect all other traffic such that when we detect packets we respond with an SMS message instructing the user to visit the Prepaid Web Portal. • Once the user purchases more time we return the traffic back to normal.

  5. Requirements • Mechanism to block traffic (all or selectively). • Mechanism to Redirect traffic (all or selectively) • We need to be able to do this at the start of the session, or mid-session.

  6. Overview of Draft • Describes how to block and redirect traffic • At the start of the session • Mid session. • It describes how redirection could be done using tunnelling. • It introduces 5 new attributes.

  7. Blocking User Flows • RADIUS has Filter-Id. • Filter’s need to be pre-configured at the NAS. • Not roaming friendly. • New attribute called NAS-Filter-Rule • specify what IP flows should be blocked. • same syntax as IP-Filter-Rule in Diameter. • Except we have added an action called “flush” so that we can use it with 3576 CoA. To block all tcp traffic from a terminal: deny in tcp from assigned to any

  8. Redirection • The purpose of redirection is to capture user traffic so that we can notify them. • We don’t cover the notification scheme. • HTTP notification, SMS messaging, Application specific, etc,…. • Its not to allow the service to continue. • We recognize that the service will break in most if not all cases. • The alternative is to kill the session without notification of the user.

  9. Redirection using Tunnelling • Tunnels can be used to redirect traffic. • Tunnel can be setup at the start of the session or mid-session using tunnel attributes. • Its not clear how you would de-tunnel traffic (needed to return traffic back to normal). • We suggest using the CoA with Authorize-Only (“Pull Method”) for removing tunnels.

  10. Redirecting IP-Traffic • IP-Redirection-Id attribute: • Index to preconfigured redirection policy (rules) at the NAS. Similar to Filter-Id. • IP-Redirection-Rule attribute: • explicit redirection rule • Similar syntax to NAS-Filter-Rule To redirect all HTTP traffic from the terminal to a Web Portal redirect 123.104.100.8 80 in tcp from assigned to any 80

  11. HTTP Redirection • Some NAS’s are capable of inspecting packets at the HTTP layer. • HTTP-Redirection-Id and HTTP-Redirection-Rule attributes are provided to redirect traffic at the HTTP layer. • HTTP-Redirection-Id is same a s Filter-Id • HTTP-Redirection rule: redirecthttp://www.x.com:80/fraudfrom assigned to any 80 • When the rule matches the NAS responds with an HTTP Redirection specifying the URL

  12. What’s Next? • Added reference to Prepaid work.

More Related