Diameter Domain and Arbitrary Mask Filters

An optional Diameter Attribute Value Pair (AVP) is defined in this document for DNS support. It is the DNS-Filters AVP which contains a list of DNS query names that follow the registered name QNAME format defined in , Section 3.7.1 and subsequent updates, notably . DNS Filter AVPs are used in various operator policy enforcement applications such as child protections, parental controls and flow based rating. Current practices require any updates to these applications to be sideloaded, i.e. updated via a file, on the enforcement points or proprietary mechanism. As an AVP, the list of entries in the AVP may be dynamically updated per current Diameter application specifications, e.g. . The second AVP, ArbitraryMask-AVP, defines an arbitrary bitmask for various maskable AVPs used in Classifiers . Prefix based masks are present in but the technologies such as Software Defined Networking (SDN) introduce new arbitrary bitmasks on multiple data types in the various protocol headers.

In this document, the key words "MAY", "MUST", "MUST NOT", "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT", are to be interpreted as described in .

The DNS-Filters AVP (AVP Code TBD1) is of type Grouped and specifies the list of QNAMES that restrict ip flows (5-tuples) that match the Classifier.

1*{ } * [ AVP ] ]]> QNAMES are defined in , Section 3.7.1. When this AVP is used for classification in the Filter-Rule, it MUST be part of the Classifier Grouped AVP as defined in .

The IP-Address-Mask-Pattern AVP (AVP Code TBD2) is of type OctetString. The value is 4 octets specifying the bit positions of a IP address that are taken for matching. When this AVP is used for classification in the Filter-Rule, it MUST be part of the Classifier Grouped AVP as defined in .

The Flow-Label AVP (AVP Code TBD3) is of type Unsigned32. This field identifies the Flow Label value to be matched. According to , the flow label is 20 bits long. For the purpose of this specification, the sender of this option MUST prefix the flow label value with 12 bits of "0" before inserting it in the Flow-Label AVP. The receiver SHOULD ignore the first 12 bits of this field before using it in comparisons with flow labels in packets. When this AVP is used for classification in the Filter-Rule, it MUST be part of the Classifier Grouped AVP as defined in .

The Flow-Label-Mask-Pattern AVP (AVP Code TBD3) is of type OctetString. The value is 4 octets specifying the bit positions of a Flow Label that are taken for matching. According to , the flow label is 20 bits long. For the purpose of this specification, the sender of this option MUST prefix the flow label value with 12 bits of "0" before inserting it in the Flow Label Mask Pattern AVP. The receiver SHOULD ignore the first 12 bits of this field before using it as a mask. When this AVP is used for classification in the Filter-Rule, it MUST be part of the Classifier Grouped AVP as defined in .

The Classifier AVP (AVP Code 511) specified in is a grouped AVP that consists of a set of attributes that specify how to match a packet. The addition of the DNS-Filter AVP is shown here.

{ Classifier-ID } [ Protocol ] [ Direction ] [ DNS-Filters ] * [ From-Spec ] * [ To-Spec ] * [ Diffserv-Code-Point ] [ Fragmentation-Flag ] * [ IP-Option ] * [ TCP-Option ] [ TCP-Flags ] * [ ICMP-Type ] * [ ETH-Option ] * [ AVP ] ]]> Setting the DNS-Filter value would specify the capture flows whose DNS related communications match the QUERY values specified in the Classifier. DNS related communications are those DNS queries which have valid DNS responses for scope implied by the container of the Classifier, i.e. if the Classifer is contained by a Filter-Rule installed during a mobility session then only resulting IP addresses conatined in DNS traffic for the mobility session is used in the selection of flows. The use of the DNS-Filters AVP implies that the following conditions exist: The related DNS traffic is known by the enforcement point The related DNS traffic is viewable by the enforcement point Such conditions are met in network services related to child protections and parental controls. Use of secured DNS communications is recommended. In such a case the enforemcent point may be a DNS relay used, as part of the network access service, to enforce or report generate Diameter events in applications such as Application Detection and Charging using DNS-Filters.

The From-Spec AVP (AVP Code 515) and To-Spec AVP (AVP Code 516) specified in are grouped AVPs that consist of a set of attributes that specify how to match a packet in the From/To direction (respectively). The addition of the SDN related AVPs are shown here.

* [ IP-Address ] * [ IP-Address-Range ] * [ IP-Address-Mask ] * [ MAC-Address ] * [ MAC-Address-Mask] * [ EUI64-Address ] * [ EUI64-Address-Mask] * [ Port ] * [ Port-Range ] [ Negated ] [ Use-Assigned-Address ] * [ IP-Address-Mask-Pattern ] * [ Flow-Label ] * [ Flow-Label-Mask-Pattern ] * [ AVP ] ]]> Setting the IP-Address-Mask-Pattern value would permit the capture of an arbitrarily masked IP pattern the flow, e.g. 192.0.22.0 with an arbitraty mask of 255.0.255.0. NOTE that if the value of this AVP is only '1' starting from the least significant bit it is no different than the IP-Address-Mask which could be used instead. For example, an arbitrary mask of 255.255.255.0 applied to 192.168.5.0 is no different than the prefix notation 192.168.5.0/24. Setting the Flow-Label value would permit capture of IPv6 packets with a specific Flow Label. Setting the Flow-Label-Mask-Pattern permits the capture of flows that match the appropriate mask pattern applied to the Flow Label.

IANA allocated AVP codes in the IANA-controlled namespace registry specified in Section 11.1.1 of for the following AVPs that are defined in this document. AVP AVP Code Section Defined Data Type DNS-Filters TBD1 GROUPED IP-Address-Mask-Pattern TBD2 OctetString Flow-Label TBD3 Unsigned32 Flow-Label-Mask-Pattern TBD4 OctetString

The use of DNS-Filters AVP implies visible access to DNS traffic associated with the containing rule's, e.g. Filter-Rule . It does not imply a specific design for DNS communications but it is strongly recommended that secured DNS communciations are used. In other words, it is NOT recommended to turn off secured DNS communications if this value is present. Rather, a Diameter application appropriate error should be thrown to indicate the rule cannot be enforced. An operator that can accomplish the same use cases, e.g. child protection or parental control, without the need to see customer DNS traffic is encouraged to do so.

This document describes SDN related attributes an extension of . It introduces a new to/from arbitraty mask for IP addresses. As this is an extension to , which already has an IP-Address-Mask defined it does not raise new security concerns. This document does introduce the ability to filter upon the IPv6 Flow Labels . Even though this is a visible IP header it was not previously defined in Diameter related filters but has been used for activities such as Traffic Selection . Per the flow label is used by a source to request special handling by routers. If a specific type of host has known flow label usage, i.e. signature, inspection of this field over one or more flows may yield information. However, the flow label is visible in the IPv6 header and thus this information is discernable by any device with access to the IPv6 packet. Recommendations on the security considerations of IPv6 flow usage is outside of the scope of this document.