The ICAP Content
Filtering solution is extended to support ICAP client communication with ICAP
server on Cisco ASR 5500 P-GW and HA in compliance with RFC 3507 - Internet
Content Adaptation Protocol (ICAP). Only HTTP Request modification and partial
enhancement of error codes per RFC 3507 is addressed in this release. The ICAP
client running on P-GW/HA communicates with external ICAP server over ICAP
protocol. If content filtering is enabled for a subscriber, all HTTP GET
requests from that subscriber are validated by the content filtering server
(ICAP server), and is allowed, denied or redirected depending on the content
can be enabled for subscribers either through Override Control (OC) feature for
predefined and static rules, or L7 Dynamic Rule Activation feature. A
configurable option is added in the Content Filtering Server Group
Configuration Mode to configure ICAP header that includes two parameters -
Subscriber number information and CIPA (Children's Internet Protection Act)
and L7 Dynamic Rule Activation are license-controlled features. A valid feature
license must be installed prior to configuring these features. Contact your
Cisco account representative for more information.
Number: The "Subscription ID" AVP is sent from gateway to PCRF in CCR message.
The AVP values are received to the gateway from HSS. The gateway does not
receive this AVP in CCI-A message.
The category string will be provided by PCRF and is included as an extension
header in ICAP request modification message. The AVP will be received from PCRF
in CCA-I or RAR.
A new Content
Filtering (CF) dictionary "custom4" is introduced and the following new AVPs
are added to r8-gx-standard and custom4 dictionaries.
Override-Content-Filtering-State: This attribute carries
information about Content Filtering status (CF state) of rules or
charging-action. This AVP is used for overriding the content-filtering status
of static and predefined rules. This attribute is included in the
Override-Control grouped AVP.
attribute contains the Children's Internet Protection Act (CIPA) category
string value that is treated as an ICAP plan identifier. This identifier helps
ICAP server in locating the correct Content Filtering plan i.e. CIPA category
based on which the packet is processed.
value is received from PCRF over Gx interface and is included in ICAP header
while sending ICAP request.
L7-Content-Filtering-State: This attribute carries information
about Content Filtering status (CF state) of L7 rules. This attribute indicates
whether or not the ICAP functionality is enabled or disabled for L7 charging
rule definition received for installation from PCRF. Based on this attribute
value, the traffic matching to the dynamic rule is sent to ICAP server.
is included in the L7-Application-Description grouped AVP for L7 rule
processing. This is applicable only for HTTP protocol.
CIPA and flags
for controlling content filtering via OC and L7 Dynamic Rules features is
applicable only for r8-gx-standard dictionary.
In addition to the
new AVP support, L7-Field AVP in the L7-Application-Description grouped AVP is
encoded to additionally accept ANY-MATCH as the input. The current framework
does not support the existing field "vlan-id" in Override-Control, which is
present in charging action. Hence, the Override-Content-Filtering-State AVP
replaces Override-VLAN-ID to support OC.
initiates create session request, P-GW/HA sends CCR-I message to PCRF to obtain
subscriber profile. PCRF responds with CCA-I message that contains CIPA and OC
information if ICAP functionality is enabled for this subscriber.
In the case of L7
dynamic rules, the Content-Filtering capability is enabled by sending
L7-Content-Filtering-State AVP in L7-Application-Description grouped AVP. At
least one L7 filter should be present when L7-Content-Filtering-State is
received for the dynamic rule. If L7-Content-Filtering-state AVP is sent along
with L7 filter information AVP, then the Content-Filtering state will not be
considered. Hence, the filter received with L7-Content-Filtering-State will not
be processed and the L7 rule will be discarded.
In the case of
Override Control, when content filtering is enabled for subscriber, PCRF sends
ICAP flag through Override-Control AVP. This AVP overwrites charging action to
enable ICAP feature for that subscriber.
Refer to the
Administration and Reference for more information on the supported AVPs.