2.2.1.15 MS-IPv6-Filter
MS-IPv6-Filter is a VSA, as specified in section 2.2.1. It is used to limit the inbound and/or outbound access of the endpoint.
This attribute can be sent by a RADIUS server to define the network access scope of the endpoint. It is used only for IPv6 addresses; the MS-Filter [RFC2548] VSA is the corresponding attribute for IPv4 addresses. The structure of MS-Filter is identical to the structure of MS-Quarantine-IPFilter, as specified in section 2.2.1.3. <3> This attribute defines traffic filters to a NAS for restricting access for a specific network access connection. If multiple MS-IPv6-Filter attributes are contained within a packet, they MUST be in order and they MUST be consecutive attributes in the packet.
The fields of MS-IPv6-Filter MUST be set as follows:
Vendor-Type: An 8-bit unsigned integer that MUST be set to 0x33.
Vendor-Length: An 8-bit unsigned integer that MUST be set to the length of the Attribute-Specific Value field plus 2. Its value MUST be at least 98, to specify a minimum of 1 filter. The total length will depend on the number of filter sets and filters in each set.
Attribute-Specific Value: A list of IPv6 filter sets, defined as follows.
The usage of this attribute within Access-Request, Access-Accept, Access-Reject, Access-Challenge and Accounting-Request packets is defined in section 3.1.5.2. If multiple MS-IPv6-Filter attributes occur in a single RADIUS packet, the Attribute-Specific Value field from each MUST be concatenated in the order received to form the full MS-IPv6-Filter value.
| Field | Offset (octets) | Size (octets) |
|---|---|---|
| Version | 0 | 4 |
| Size | 4 | 4 |
| FilterSetEntryCount | 8 | 4 |
| FilterSetEntryList | 12 | variable (16 per entry) |
| FilterSetList | 8-octet aligned Offset given in each filter set entry | variable |
Version (4 bytes): A 32-bit unsigned integer in network byte order that MUST be set to 0x00000001. No other versions are defined. For processing details, see section 3.1.5.3.
Size (4 bytes): A 32-bit unsigned integer in network byte order that MUST specify the size of the Attribute-Specific Value field for this VSA, including the version, size, and subsequent filter set data. The size MUST be at least 96, so as to specify at least one filter. The total size depends on the number of filter sets and filters in each set.
FilterSetEntryCount (4 bytes): A 32-bit unsigned integer in network byte order that MUST specify the number of filter set entries. Its value MUST be greater than 0.
FilterSetEntryList (variable): A list of consecutive filter set entries, equal in number to the value of FilterSetEntryCount, each of which MUST be formatted as defined below.
| Field | Offset (octets) | Size (octets) |
|---|---|---|
| InfoType | 0 | 4 |
| InfoSize | 4 | 4 |
| FilterSetCount | 8 | 4 |
| Offset | 12 | 4 |
InfoType (4 bytes): A 32-bit unsigned integer in network byte order specifying the type of filters that are contained in the filter set list. The value MUST be one of the following.
| Value | Meaning |
|---|---|
| 0xFFFF0011 | Input filter: the filter MUST be applied to IP packets sent from the endpoint to the NAS. |
| 0xFFFF0012 | Output filter: the filter MUST be applied to IP packets sent from the NAS to the endpoint. |
InfoSize (4 bytes): A 32-bit unsigned integer in network byte order specifying the overall size, in bytes, of the list of filter sets specified by this filter set entry.
FilterSetCount (4 bytes): A 32-bit unsigned integer in network byte order specifying the number of filter sets in the list of filter sets specified by this filter set entry (the FilterSetList below contains this many filter sets).
Offset (4 bytes): A 32-bit unsigned integer in network byte order specifying the offset of the start of the first filter set of this filter set entry within the Attribute-Specific Value of this VSA. Offset values are always multiples of 8, and a filter set MUST therefore begin at an 8-octet aligned offset within the Attribute-Specific Value. To meet this requirement, any unused octets (holes) within the Attribute-Specific Value before or after a filter set MUST be set to 0 (padded) as necessary.
FilterSetList (variable): A list of consecutive filter sets, equal in number to the value of FilterSetCount, each of which MUST be formatted as defined below.
| Field | Offset (octets) | Size (octets) |
|---|---|---|
| FilterVersion | 0 | 4 |
| FilterCount | 4 | 4 |
| ForwardAction | 8 | 4 |
| FilterList | 12 | variable (52 per filter) |
FilterVersion (4 bytes): A 32-bit unsigned integer in network byte order that MUST be set to 0x00000001. No other versions are defined. For processing details, see section 3.1.5.3.
FilterCount (4 bytes): A 32-bit unsigned integer in network byte order specifying the number of filters. Its value MUST be greater than 0.
ForwardAction (4 bytes): A 32-bit unsigned integer in network byte order specifying the action for the filter. Its value MUST be one of the following.

| Value | Meaning |
|---|---|
| 0x00000000 | Forward |
| 0x00000001 | Drop |
FilterList (variable): A list of consecutive filters, equal in number to the value of FilterCount, each of which MUST be formatted as defined below.
| Field | Offset (octets) | Size (octets) |
|---|---|---|
| Source Address | 0 | 16 |
| Source Prefix Length | 16 | 4 |
| Destination Address | 20 | 16 |
| Destination Prefix Length | 36 | 4 |
| Protocol | 40 | 4 |
| Late Bound | 44 | 4 |
| Source Port | 48 | 2 |
| Destination Port | 50 | 2 |

Each filter therefore occupies 52 octets.
Source Address (16 bytes): A 128-bit unsigned integer in network byte order specifying the IPv6 source address for which the filter applies. A value of zero (all 16 bytes set to 0x00) in this field denotes ANY.
Source Prefix Length (4 bytes): A 32-bit unsigned integer in network byte order specifying the prefix length for the source address. If this value is set to zero, the NAS MUST use ANY as the source address.
Destination Address (16 bytes): A 128-bit unsigned integer in network byte order that specifies the IPv6 destination address for the filter. A value of zero in this field denotes ANY.
Destination Prefix Length (4 bytes): A 32-bit unsigned integer in network byte order that specifies the prefix length for the destination address. If this value is set to zero, the NAS MUST use ANY as the destination address.
Protocol (4 bytes): A 32-bit unsigned integer in network byte order specifying the protocol number (such as TCP or UDP) for the filter. Possible values include the following.

| Name | Value |
|---|---|
| ANY | 0x00000000 |
| ICMP | 0x00000001 |
| ICMPv6 | 0x0000003A |
| TCP | 0x00000006 |
| UDP | 0x00000011 |
Late Bound (4 bytes): A 32-bit unsigned integer in network byte order that indicates whether the fields in the filter MAY be dynamically replaced by the NAS with values for specific endpoints. Its value MUST be one of the following or a bitwise OR of two or more such values.

| Value | Meaning |
|---|---|
| 0x00000000 | No source or destination address or mask replacement |
| 0x00000001 | Source address replaceable with a new address |
| 0x00000004 | Destination address replaceable with a new address |
| 0x00000010 | Source address mask replaceable with a new mask |
| 0x00000020 | Destination address mask replaceable with a new mask |
Source Port (2 bytes): If the Protocol is TCP or UDP, this MUST be a 16-bit unsigned integer in network byte order that specifies a port number for the corresponding protocol. If the Protocol is ICMP or ICMPv6, this MUST be a 16-bit unsigned integer in network byte order that specifies a corresponding type indicator for ICMP or ICMPv6. For all other protocol values, this MUST be set to 0 (byte order does not matter).
Destination Port (2 bytes): If the Protocol is TCP or UDP, this MUST be a 16-bit unsigned integer in network byte order that specifies a port number for the corresponding protocol. If the Protocol is ICMP or ICMPv6, this MUST be a 16-bit unsigned integer in network byte order that specifies a corresponding code indicator for ICMP or ICMPv6. For all other protocol values, this MUST be set to 0 (byte order does not matter).
For more details about MS-IPv6-Filter, see sections 3.2.5.2.8 and 3.3.5.2.8.
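As an added example (not code from the specification or any Microsoft implementation), the following Python builds an Attribute-Specific Value laid out as described above and parses it back while enforcing the stated constraints: Version 1, Size at least 96 and equal to the data length, non-zero counts, valid InfoType, 8-octet aligned Offset, and every filter set and filter lying inside the bounds the header declares. It assumes the caller has already concatenated the values of consecutive MS-IPv6-Filter attributes in the order received; the sample filter set (a constructed value) is a single input filter dropping TCP traffic from one host to any destination on port 443.

```python
import struct
import ipaddress

INFO_TYPE_INPUT, INFO_TYPE_OUTPUT = 0xFFFF0011, 0xFFFF0012
FORWARD, DROP = 0, 1
FILTER_FMT, FILTER_LEN = "!16sI16sIIIHH", 52   # one filter: 16+4+16+4+4+4+2+2 octets

def build_value(filter_sets):
    """filter_sets: [(info_type, forward_action, [(src, src_plen, dst, dst_plen, proto, late_bound, sport, dport)])].
    Each entry is emitted as one filter set (FilterSetCount = 1) placed at an 8-octet aligned Offset."""
    hdr_len = 12 + 16 * len(filter_sets)              # Version, Size, FilterSetEntryCount + 16-octet entries
    entries, body = b"", b""
    for info_type, action, filters in filter_sets:
        fset = struct.pack("!III", 1, len(filters), action)   # FilterVersion, FilterCount, ForwardAction
        for src, splen, dst, dplen, proto, late, sport, dport in filters:
            fset += struct.pack(FILTER_FMT, ipaddress.IPv6Address(src).packed, splen,
                                ipaddress.IPv6Address(dst).packed, dplen, proto, late, sport, dport)
        offset = (hdr_len + len(body) + 7) & ~7            # next 8-octet aligned position
        body += b"\0" * (offset - hdr_len - len(body)) + fset   # zero-filled hole, then the filter set
        entries += struct.pack("!IIII", info_type, len(fset), 1, offset)   # InfoType, InfoSize, FilterSetCount, Offset
    size = hdr_len + len(body)
    return struct.pack("!III", 1, size, len(filter_sets)) + entries + body

def parse_value(buf):
    """Parse an Attribute-Specific Value; raise ValueError on anything violating the stated constraints."""
    if len(buf) < 12:
        raise ValueError("truncated header")
    version, size, count = struct.unpack_from("!III", buf, 0)
    if version != 1 or size != len(buf) or size < 96 or count == 0 or 12 + 16 * count > size:
        raise ValueError("bad Version/Size/FilterSetEntryCount")
    result = []
    for i in range(count):
        info_type, info_size, fs_count, offset = struct.unpack_from("!IIII", buf, 12 + 16 * i)
        if info_type not in (INFO_TYPE_INPUT, INFO_TYPE_OUTPUT) or offset % 8 or offset + info_size > size:
            raise ValueError("bad filter set entry")
        pos, end = offset, offset + info_size                 # every filter set must stay within InfoSize
        for _ in range(fs_count):
            if pos + 12 > end:
                raise ValueError("truncated filter set")
            fver, fcount, action = struct.unpack_from("!III", buf, pos)
            if fver != 1 or fcount == 0 or pos + 12 + fcount * FILTER_LEN > end:
                raise ValueError("bad FilterVersion/FilterCount")
            pos += 12
            filters = []
            for _ in range(fcount):
                src, splen, dst, dplen, proto, late, sport, dport = struct.unpack_from(FILTER_FMT, buf, pos)
                filters.append((str(ipaddress.IPv6Address(src)), splen, str(ipaddress.IPv6Address(dst)),
                                dplen, proto, late, sport, dport))
                pos += FILTER_LEN
            result.append((info_type, action, filters))
    return result
```

The minimal value the builder produces is exactly 96 octets (28 octets of header and entry, a 4-octet hole to reach offset 32, then a 64-octet filter set), which is why the specification's minimum Size is 96 and minimum Vendor-Length 98.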