2.2.1.6 MS-IPv6-Filter

MS-IPv6-Filter is a VSA, as specified in section 2.2.1. It is used to limit the inbound and/or outbound access of the endpoint.

This attribute can be sent by a RADIUS server to define the network access scope of the endpoint. It is used only for IPv6 addresses and MS-Filter; [RFC2548] VSA is the corresponding attribute for IPv4 addresses.<3> This attribute defines traffic filters to a NAS for restricting access for a specific network access connection. If multiple MS-IPv6-Filter attributes are contained within a packet, they MUST be in order and they MUST be consecutive attributes in the packet.

The fields of MS-IPv6-Filter MUST be set as follows:

Vendor-Type: An 8-bit unsigned integer that MUST be set to 0x33.

Vendor-Length: An 8-bit unsigned integer that MUST be set to the length of the Attribute-Specific Value field plus 2. Its value MUST be at least 98, to specify a minimum of 1 filter. The total length will depend on the number of filter sets and filters in each set.

Attribute-Specific Value: A list of IPv6 filter sets, defined as follows.

The usage of this attribute within Access-Request, Access-Accept, Access-Reject, Access-Challenge and Accounting-Request packets is defined in section 3.1.5.2. If multiple MS-IPv6-Filter attributes occur in a single RADIUS packet, the Attribute-Specific Value field from each MUST be concatenated in the order received to form the full MS-IPv6-Filter value.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Version

Size

FilterSetEntryCount

FilterSetEntryList (variable)

...

FilterSetList (variable)

...

Version (4 bytes): A 32-bit unsigned integer in network byte order that MUST be set to 0x00000001. No other versions are defined. For processing details, see section 3.1.5.3.

Size (4 bytes): A 32-bit unsigned integer in network byte order that MUST specify the size of the Attribute-Specific Value field for this VSA, including the version, size, and subsequent filter set data. The size MUST be at least 96, so as to specify at least one filter. The total size depends on the number of filter sets and filters in each set.

FilterSetEntryCount (4 bytes): A 32-bit unsigned integer in network byte order that MUST specify the number of filter set entries. Its value MUST be greater than 0.

FilterSetEntryList (variable): A list of consecutive filter set entries, equal in number to the value of FilterSetEntryCount, each of which MUST be formatted as defined below.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

InfoType

InfoSize

FilterSetCount

Offset

InfoType (4 bytes): A 32-bit unsigned integer in network byte order specifying the type of filters that are contained in the filter set list. The value MUST be one of the following.

Value

Meaning

0XFFFF0011

Input filter – The filter NAS MUST be applied to IP packets sent from the endpoint to the NAS.

0XFFFF0012

Output filter – The filter MUST be applied to IP packets sent from the NAS to the endpoint.

InfoSize (4 bytes): A 32-bit unsigned integer in network byte order specifying the overall size, in bytes, of the list of filter sets specified by this filter set entry.

FilterSetCount (4 bytes): A 32-bit unsigned integer in network byte order specifying the overall size, in bytes, of the list of filter sets specified by this filter set entry.

Offset (4 bytes): A 32-bit unsigned integer in network byte order specifying the offset of start of the first filter set of this filter set entry within the Attribute-Specific Value of this VSA. Offset values are always multiples of 8, and a filter set MUST therefore begin at an 8-octet aligned offset within the Attribute-Specific Value. To meet this requirement, any unused octets (holes) within the Attribute-Specific Value before or after a filter set MUST be set to 0 (padded) as necessary.

FilterSetList (variable): A list of consecutive filter sets, equal in number to the value of FilterSetCount, each of which MUST be formatted as defined below.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

FilterVersion

FilterCount

ForwardAction

FilterList (variable)

...

FilterVersion (4 bytes): A 32-bit unsigned integer in network byte order that MUST be set to 0x00000001. No other versions are defined. For processing details, see section 3.1.5.3.

FilterCount (4 bytes): A 32-bit unsigned integer in network byte order specifying the number of filters. Its value MUST be greater than 0.

ForwardAction (4 bytes): A 32-bit unsigned integer in network byte order specifying the action for the filter. Its value MUST be one of the following.

Value

Meaning

0x00000000

Forward

0x00000001

Drop

FilterList (variable): A list of consecutive filters, equal in number to the value of FilterCount, each of which MUST be formatted as defined below.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Source Address (16 bytes)

...

...

Source Prefix Length

Destination Address (16 bytes)

...

...

Destination Prefix Length

Protocol

Late Bound

Source Port

Destination Port

Source Address (16 bytes): A 128-bit unsigned integer in network byte order specifying the IPv6 source address for which the filter applies. A value of 0x00000000 in this field MUST denote ANY.

Source Prefix Length (4 bytes): A 32-bit unsigned integer in network byte order specifying the prefix length for the source address. If this value is set to zero, the NAS MUST use ANY as a source address.

Destination Address (16 bytes): A 128-bit unsigned integer in network byte order that specifies the IPv6 destination address for the filter. A value of zero in this field denotes ANY.

Destination Prefix Length (4 bytes): A 32-bit unsigned integer in network byte order that specifies the Prefix Length for the destination address. If this value is set to zero, the NAS MUST use ANY as a destination address.

Protocol (4 bytes): A 32-bit unsigned integer in network byte order specifying the protocol number (such as TCP or UDP) for the filter. Possible values include the following.

Name

Value

ANY

0x00000000

ICMP

0x00000001

ICMPv6

0x0000003A

TCP

0x00000006

UDP

0x00000011

Late Bound (4 bytes): A 32-bit unsigned integer in network byte order that indicates if the fields in the filter MAY be dynamically replaced by the NAS with values for specific endpoints. Its value MUST be at least one of the following or a bit-wise OR of two or more such values.

Value

Meaning

0x00000000

No source or destination address or mask replacement

0x00000001

Source address replaceable with a new address

0x00000004

Destination address replaceable with a new address

0x00000010

Source address mask replaceable with a new mask

0x00000020

Destination address mask replaceable with a new mask

Source Port (2 bytes): If the Protocol is TCP or UDP, this MUST be a 16-bit unsigned integer in network byte order that specifies a port number for the corresponding protocol. If the Protocol is ICMP or ICMPv6, this MUST be a 16-bit unsigned integer in network byte order that specifies a corresponding type indicator for ICMP or ICMPv6. For all other protocol values, this MUST be set to 0 (byte order does not matter).

Destination Port (2 bytes): If the Protocol is TCP or UDP, this MUST be a 16-bit unsigned integer in network byte order that specifies a port number for the corresponding protocol. If the Protocol is ICMP or ICMPv6, this MUST be a 16-bit unsigned integer in network byte order that specifies a corresponding code indicator for ICMP or ICMPv6. For all other protocol values, this MUST be set to 0 (byte order does not matter).

For more details about MS-IPv6-Filter, see sections 3.2.5.2.1 and 3.3.5.2.1.