Radius Redirection - PowerPoint PPT Presentation

Provided by: avil
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Radius Redirection
  • draft-lior-radius-redirection-01.txt

Avi Lior, Bridgewater Systems
Farid Adrangi, Intel
2
Acknowledgement
  • Jari Arkko
  • Stefaan De Cnodder
  • Parviz Yegani
  • 3GPP2 folks

3
Motivation
  • Sometimes operators would like to be able to
    control a user's session
  • A Prepaid user may need to replenish resources
  • A user may need to rectify an issue with their
    account
  • Operations consist of:
      • Limiting what the user can do (e.g. walled
        garden).
      • Notifying the user (e.g. HTTP hijacking).
      • Allowing the user to rectify the issue.
  • In 3GPP2 this feature is called hot-lining.

4
Example
  • A Wireless Prepaid user may be hot-lined once
    their account is depleted. We want to be able to
    let the user replenish their account.
  • Block their traffic except to a Web Portal.
  • We redirect all their HTTP traffic to the Prepaid
    Web Portal.
  • We redirect all other traffic such that when we
    detect packets we respond with an SMS message
    instructing the user to visit the Prepaid Web
    Portal.
  • Once the user purchases more time we return the
    traffic back to normal.

5
Requirements
  • Mechanism to block traffic (all or selectively).
  • Mechanism to Redirect traffic (all or
    selectively)
  • We need to be able to do this at the start of the
    session, or mid-session.

6
Overview of Draft
  • Describes how to block and redirect traffic:
      • At the start of the session
      • Mid-session
  • It describes how redirection could be done using
    tunnelling.
  • It introduces 5 new attributes.

7
Blocking User Flows
  • RADIUS has Filter-Id.
      • Filters need to be pre-configured at the NAS.
      • Not roaming friendly.
  • New attribute called NAS-Filter-Rule
      • Specifies what IP flows should be blocked.
      • Same syntax as IP-Filter-Rule in Diameter,
        except we have added an action called flush so
        that we can use it with RFC 3576 CoA.
  • To block all TCP traffic from a terminal:
      • deny in tcp from assigned to any

8
Redirection
  • The purpose of redirection is to capture user
    traffic so that we can notify them.
  • We don't cover the notification scheme
    (HTTP notification, SMS messaging, application
    specific, etc.).
  • It's not to allow the service to continue.
  • We recognize that the service will break in most
    if not all cases.
  • The alternative is to kill the session without
    notification of the user.

9
Redirection using Tunnelling
  • Tunnels can be used to redirect traffic.
  • Tunnel can be setup at the start of the session
    or mid-session using tunnel attributes.
  • It's not clear how you would de-tunnel traffic
    (needed to return traffic back to normal).
  • We suggest using the CoA with Authorize-Only
    (Pull Method) for removing tunnels.

10
Redirecting IP-Traffic
  • IP-Redirection-Id attribute:
      • Index to preconfigured redirection policy (rules)
        at the NAS. Similar to Filter-Id.
  • IP-Redirection-Rule attribute:
      • Explicit redirection rule
      • Similar syntax to NAS-Filter-Rule
  • To redirect all HTTP traffic from the terminal to
    a Web Portal:
      • redirect 123.104.100.8 80 in tcp from assigned to any 80
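
Added example (not from the slides or the draft): a minimal Python matcher for the two rule forms shown on slides 7 and 10, applied to a constructed hot-lined terminal. Assumptions: rules are evaluated in order with the first match winning, "assigned" means the address the NAS gave the terminal, and a flow matching no rule is permitted; the names parse_rule, decide and POLICY are hypothetical.

```python
from typing import NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    action: str                          # "deny" or "redirect"
    target: Optional[Tuple[str, int]]    # redirect destination, else None
    proto: str
    src: str
    dst: str
    dport: Optional[int]                 # None = any destination port

def parse_rule(text: str) -> Rule:
    """Parse only the two rule forms printed on the slides."""
    tok = text.split()
    action, target = (tok.pop(0) if tok else ""), None
    if action == "redirect" and len(tok) >= 2:
        target = (tok.pop(0), int(tok.pop(0)))   # address, then port
    elif action != "deny":
        raise ValueError(f"unsupported or incomplete rule: {text!r}")
    if len(tok) not in (6, 7) or (tok[0], tok[2], tok[4]) != ("in", "from", "to"):
        raise ValueError(f"unsupported rule form: {text!r}")
    return Rule(action, target, tok[1], tok[3], tok[5],
                int(tok[6]) if len(tok) == 7 else None)

def _addr_ok(spec: str, addr: str, assigned: str) -> bool:
    return spec == "any" or spec == addr or (spec == "assigned" and addr == assigned)

def decide(rules, assigned, proto, src, dst, dport):
    """Return (action, redirect_target) for one inbound packet from the terminal."""
    for r in rules:                      # assumption: first matching rule wins
        if (r.proto in (proto, "ip") and _addr_ok(r.src, src, assigned)
                and _addr_ok(r.dst, dst, assigned) and r.dport in (None, dport)):
            return (r.action, r.target)
    return ("permit", None)              # assumption: default is permit

# Walled-garden policy built from the two rules shown on the slides.
# The redirect must come before the broader deny, or HTTP never reaches the portal.
POLICY = [parse_rule("redirect 123.104.100.8 80 in tcp from assigned to any 80"),
          parse_rule("deny in tcp from assigned to any")]

if __name__ == "__main__":
    ip = "10.0.0.5"                      # constructed terminal address
    flows = [("tcp", "198.51.100.7", 80), ("tcp", "198.51.100.7", 22),
             ("udp", "198.51.100.53", 53)]   # constructed sample flows
    for proto, dst, port in flows:
        print(proto, dst, port, decide(POLICY, ip, proto, ip, dst, port))
```

Under these assumptions the UDP flow is permitted, because the slide's deny rule covers only TCP; an operator relying on it alone for a walled garden would need further rules for other protocols.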

11
HTTP Redirection
  • Some NASs are capable of inspecting packets at
    the HTTP layer.
  • HTTP-Redirection-Id and HTTP-Redirection-Rule
    attributes are provided to redirect traffic at
    the HTTP layer.
  • HTTP-Redirection-Id is the same as Filter-Id
  • HTTP-Redirection-Rule:
      • redirect http://www.x.com:80/fraud from assigned to any 80
  • When the rule matches the NAS responds with an
    HTTP Redirection specifying the URL

12
What's Next?
  • Added reference to Prepaid work.