Radius Redirection draft-lior-radius-redirection-01.txt Avi Lior Bridgewater Systems Farid Adrangi Intel

Radius Redirection

draft-lior-radius-redirection-01.txt

Avi Lior, Bridgewater Systems

Farid Adrangi, Intel

Acknowledgement

• Jari Arkko

• Stefaan De Cnodder

• Parviz Yegani

• 3GPP2 folks

Motivation

• Sometimes operators would like to be able to control a user’s session:
  – A prepaid user may need to replenish resources.
  – A user may need to rectify an issue with their account.

• Operations consist of:
  – Limiting what the user can do (e.g. walled garden).
  – Notifying the user (e.g. HTTP hijacking).
  – Allowing the user to rectify the issue.

• In 3GPP2 this feature is called hot-lining.

Example

• A wireless prepaid user may be hot-lined once their account is depleted. We want to be able to let the user replenish their account.
  – Block their traffic except to a Web Portal.
  – We redirect all their HTTP traffic to the Prepaid Web Portal.
  – We redirect all other traffic such that when we detect packets we respond with an SMS message instructing the user to visit the Prepaid Web Portal.

• Once the user purchases more time we return the traffic back to normal.

Requirements

• Mechanism to block traffic (all or selectively).

• Mechanism to redirect traffic (all or selectively).

• We need to be able to do this at the start of the session, or mid-session.

Overview of Draft

• Describes how to block and redirect traffic:
  – At the start of the session.
  – Mid-session.

• It describes how redirection could be done using tunnelling.

• It introduces 5 new attributes.

Blocking User Flows

• RADIUS has Filter-Id.
  – Filters need to be pre-configured at the NAS.
  – Not roaming friendly.

• New attribute called NAS-Filter-Rule:
  – Specifies which IP flows should be blocked.
  – Same syntax as IP-Filter-Rule in Diameter, except that we have added an action called “flush” so that we can use it with RFC 3576 CoA.

To block all tcp traffic from a terminal:

deny in tcp from assigned to any

Redirection

• The purpose of redirection is to capture user traffic so that we can notify them.
  – We don’t cover the notification scheme.
  – HTTP notification, SMS messaging, application specific, etc.

• It is not to allow the service to continue.
  – We recognize that the service will break in most if not all cases.

• The alternative is to kill the session without notification of the user.

Redirection using Tunnelling

• Tunnels can be used to redirect traffic.

• A tunnel can be set up at the start of the session or mid-session using tunnel attributes.

• It is not clear how you would de-tunnel traffic (needed to return traffic back to normal).
  – We suggest using the CoA with Authorize-Only (“Pull Method”) for removing tunnels.

Redirecting IP-Traffic

• IP-Redirection-Id attribute:
  – Index to preconfigured redirection policy (rules) at the NAS. Similar to Filter-Id.

• IP-Redirection-Rule attribute:
  – Explicit redirection rule.
  – Similar syntax to NAS-Filter-Rule.

To redirect all HTTP traffic from the terminal to a Web Portal:

redirect 123.104.100.8 80 in tcp from assigned to any 80

HTTP Redirection

• Some NASes are capable of inspecting packets at the HTTP layer.

• HTTP-Redirection-Id and HTTP-Redirection-Rule attributes are provided to redirect traffic at the HTTP layer.

• HTTP-Redirection-Id is the same as Filter-Id.

• HTTP-Redirection-Rule:

redirect http://www.x.com:80/fraud from assigned to any 80

• When the rule matches, the NAS responds with an HTTP redirection specifying the URL.
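The rule strings from the Blocking User Flows, Redirecting IP-Traffic and HTTP Redirection slides can be parsed and applied to packets as in the following added example, which is not code from the draft or its authors. It handles only the three rule shapes shown on the slides; the names parse_rule, decide and HOTLINE, the single ordered rule list with first-match evaluation, and the sample addresses in the test are assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action target proto src dst dport")

def parse_rule(text):
    """Parse the three rule shapes shown on the slides (not the draft's full grammar)."""
    tok = text.split()
    if not tok or tok[0] not in ("deny", "redirect") or len(tok) < 4:
        raise ValueError(f"unsupported or truncated rule: {text!r}")
    action, tok = tok[0], tok[1:]
    target = None
    if action == "redirect":
        if tok[0].startswith("http://"):        # HTTP-Redirection-Rule: URL target
            target, tok = tok[0], tok[1:]
        else:                                   # IP-Redirection-Rule: address and port
            target, tok = f"{tok[0]}:{int(tok[1])}", tok[2:]
    i = tok.index("from")                       # raises ValueError if the keyword is missing
    head = tok[:i]                              # [] for HTTP rules, ["in", proto] otherwise
    if head and (len(head) != 2 or head[0] != "in"):
        raise ValueError(f"only 'in <proto>' rules are handled: {text!r}")
    proto = head[1] if head else "tcp"          # HTTP rides on TCP
    src, to, dst, *port = tok[i + 1:]
    if to != "to" or len(port) > 1:
        raise ValueError(f"malformed rule: {text!r}")
    return Rule(action, target, proto, src, dst, int(port[0]) if port else None)

def _addr_ok(spec, addr, assigned):
    if spec == "any":
        return True
    if spec == "assigned":                      # the address the NAS gave the terminal
        return addr == assigned
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def decide(rules, assigned, pkt):
    """Classify one packet (proto, src, dst, dport); the first matching rule wins."""
    proto, src, dst, dport = pkt
    for r in rules:
        if (r.proto in ("ip", proto) and _addr_ok(r.src, src, assigned)
                and _addr_ok(r.dst, dst, assigned) and r.dport in (None, dport)):
            return r.action, r.target
    return "no-match", None                     # the NAS default is not stated on the slides

# Rule strings copied from the slides; treating them as one ordered list is an assumption.
HOTLINE = [parse_rule(s) for s in (
    "redirect 123.104.100.8 80 in tcp from assigned to any 80",
    "deny in tcp from assigned to any",
)]
```

Under these two rules a UDP packet matches neither, so what happens to non-TCP traffic depends on the NAS default or on further rules.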

What’s Next?

• Added reference to Prepaid work.