IETF Logo Mail Archive

Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

Jouni Korhonen <jouni.nospam@gmail.com> Fri, 27 March 2015 18:26 UTC

Return-Path: <jouni.nospam@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E3E51A88CF for <dime@ietfa.amsl.com>; Fri, 27 Mar 2015 11:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level:
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_45=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvaZ4xgkWJyN for <dime@ietfa.amsl.com>; Fri, 27 Mar 2015 11:26:08 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55BC01ACE81 for <dime@ietf.org>; Fri, 27 Mar 2015 11:25:12 -0700 (PDT)
Received: by wibbg6 with SMTP id bg6so36419859wib.0 for <dime@ietf.org>; Fri, 27 Mar 2015 11:25:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=4ZYWEYMBRARfiFROyCmbfe3w51J3cYkwcb3J1mBAS3k=; b=RykgL49vzHhexDc9xstL/8yu65HO5puFHgX62wrkB+SbAUHhoppvwuQoqMRY21sHkl 4GSKRa7fQ5PamPAjorCSVGdU4c6SKApTOCXGNQyWSBuC63C6k2PhdlsG4d7vy+mpUIUy yVN6U9p381ZV0Tp2/P2ezMSFtVbdWyBbxtIipH6crVwTCgAKJpHzYqn+vQSRLy1zCVVy otTuPEp/aRgpnQ8Aw+AFMzeMj5nn3KCe8G3MlMowpxt394W6kxwBH9WwWINCSraJUV8p Pj/6F1u+ZlAPuohxkBNHGXjw1EgvO9xMysWeqVyJaAXVptR0oqTkhd3APm5INEFACsUF 5GWA==
X-Received: by 10.180.160.226 with SMTP id xn2mr207088wib.43.1427480711055; Fri, 27 Mar 2015 11:25:11 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:160:f930:19ba:e7a2:81ec? ([2001:67c:370:160:f930:19ba:e7a2:81ec]) by mx.google.com with ESMTPSA id gj16sm3876464wic.24.2015.03.27.11.25.09 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 27 Mar 2015 11:25:10 -0700 (PDT)
Message-ID: <5515A083.2030106@gmail.com>
Date: Fri, 27 Mar 2015 11:25:07 -0700
From: Jouni Korhonen <jouni.nospam@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Henrik Villför <hvillfor@gmail.com>
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com> <551393FF.1090700@gmail.com> <CAOQYgR++rJ3s63xjDw+YjNh0-y2pjX-BxV41nJUFGOFn4uGHUQ@mail.gmail.com>
In-Reply-To: <CAOQYgR++rJ3s63xjDw+YjNh0-y2pjX-BxV41nJUFGOFn4uGHUQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/FQQ7VTvRojK4KNhzAKYt3cK8x8c>
Cc: dime@ietf.org
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 18:26:10 -0000

Hi,

3/27/2015, 1:02 AM, Henrik Villför kirjoitti:
> Thank you Jouni,
> I interpret your answer to say that from a standards and functional
> point of view the Origin-realm and the domain part of the Origin-host
> may differ but for (backward) compatibility reasons it is a good idea to
> keep them the same.
>
> Correct?

Yes'ish.. and to my best collective memory of Diameter it was never 
intended that these two would have non-overlapping domain parts.

- Jouni

>
> Regards,
> Henrik
>
>
>
> 2015-03-26 6:07 GMT+01:00 Jouni Korhonen <jouni.nospam@gmail.com
> <mailto:jouni.nospam@gmail.com>>:
>
>     Hi,
>
>     3/25/2015, 1:18 AM, Henrik Villför kirjoitti:
>
>         Hi,
>
>             a follow up on the question below.
>
>         Is there anything in the base specification requiring the realm
>         in the
>         Origin-Realm AVP to be the same as the domain part of the
>         Origin-Host AVP?
>
>         Would the following be allowed?
>
>         Origin-Realm: realmexample.com <http://realmexample.com>
>
>         Origin-Host: node.domainexample.com <http://node.domainexample.com>
>
>
>     Based on my reading of RFC6733 yes.. but when reading RFC3588
>     no'ish. The subttle change between these two was:
>
>     OLD:
>        DiameterIdentity  = FQDN
>     NEW:
>        DiameterIdentity  = FQDN/Realm
>
>     And when reading the text on a DiameterIdentity a Diameter node
>     _should_ (ok.. the should is not must..) only use one
>     DiameterIdentity which means the FQDN in Origin-Host and
>     Origin-Realm should be the same..
>
>         Also, although none of the examples of Diameter host identities
>         in rfc
>         6733 show an FQDN with a trailing dot it should be allowed, but
>         a realm
>         may not end in a dot.
>
>
>     AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples
>     use the trailing ".". Anyway, referring to RFC1034 and the "relative
>     names" it is stated that:
>
>     --
>     Relative names are either taken relative to a well known origin, or to a
>     list of domains used as a search list.  Relative names appear mostly at
>     the user interface, where their interpretation varies from
>     implementation to implementation, and in master files, where they are
>     relative to a single origin domain name.  The most common interpretation
>     uses the root "." as either the single origin or as one of the members
>     of the search list, so a multi-label relative name is often one where
>     the trailing dot has been omitted to save typing.
>     --
>
>     Thus it is expected that the resolver library (or equivalent) knows
>     when to add the missing "." e.g. when the domain name is supposed to
>     be a DiameterIdentity.
>
>         So, this should be allowed:
>
>         Origin-Host: node.domainexample.com <http://node.domainexample.com>.
>
>
>     Irrespective of my above rant, I agree.
>
>         This should not be allowed:
>
>         Origin-Realm: realmexample.com <http://realmexample.com>.
>
>
>     Agree (since the example shows a realm).
>
>     - Jouni
>
>         (Sorry about the ugly cut'n'paste. Just joined the list and
>         found the
>         recent post below in the archive.)
>
>         Best Regards,
>
>         Henrik Villför
>
>         ---------
>
>         Hi Lars,
>
>         According to the base protocol, there is no such restriction.
>         When the
>         DiameterIdentity format is used to identify a Diameter node, the
>         only
>         requirement is that:
>
>         * the DiameterIdentity value in Origin/Destination-Host AVP is
>         an FQDN.
>
>         * there is at least one peer table in the realm identified by the
>         Origin/Destination-Realm  AVP that contains the host identified
>         by the FQDN.
>
>         So Example 2 is perfectly valid from a base protocol point of
>         view, as
>         long as there is at least one node in "example.com
>         <http://example.com> <http://example.com>"
>         with a transport connection with the peer
>         "node.site1.example.com <http://node.site1.example.com>
>         <http://node.site1.example.com__>".
>
>         Now, some Diameter applications may have defined specific rules
>         regarding the format of realm/host identity, with explicit
>         restrictions/limitations. It is then required to check if there
>         is any
>         of these restrictions defined in the related specification.
>
>         Regards,
>
>         Lionel
>
>         De : DiME [mailto:dime-bounces <mailto:dime-bounces>
>         <mailto:dime-bounces <mailto:dime-bounces>> at ietf.org
>         <http://ietf.org>
>         <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé :
>         dimanche 15 mars 2015 12:54 À : dime at ietf.org
>         <http://ietf.org> <http://ietf.org> Objet
>         : [Dime] Allowed host and realm naming for a diameter node
>
>         Hi,
>
>         I'm trying to clarify the allowed naming convension for the host and
>         realm of a diameter node. This relates to the values used in the
>         Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code
>         296). I've
>         reviewed the Diameter RFCs and cannot find a definitive answer
>         to this
>         issue.
>
>         The reason for asking this question is that I'm in discussion with a
>         vendor of a Diameter Routing Agent (DRA) which claims that the
>         host of a
>         diameter node has to be in the format host.realm.
>
>         (1) Example of the only allowed format according to the vendor:
>
>         Origin-Realm: example.com <http://example.com> <http://example.com>
>
>         Origin-Host: node.example.com <http://node.example.com>
>         <http://node.example.com>
>
>         I want to clarify if multiple subdomains are allowed to be added
>         in the
>         host without being present in the realm.
>
>         (2) Example:
>
>         Origin-Realm: example.com <http://example.com> <http://example.com>
>
>         Origin-Host: node.site1.example.com
>         <http://node.site1.example.com> <http://node.site1.example.com__>
>
>         According to the vendor, the example 2 is not allowed. To have
>         the host
>         as in example 2, the realm will have to be site1.example.com
>         <http://site1.example.com>
>         <http://site1.example.com>.
>
>         Could someone please clarify this naming issue or point me to the
>         standard where this is defined.
>
>         Thank you.
>
>         Best regards,
>
>         Lars J. Lillehovde
>
>         _________________________________________________________________________________________________________________________________
>
>         Ce message et ses pieces jointes peuvent contenir des informations
>         confidentielles ou privilegiees et ne doivent donc pas etre
>         diffuses,
>         exploites ou copies sans autorisation. Si vous avez recu ce
>         message par
>         erreur, veuillez le signaler a l'expediteur et le detruire ainsi
>         que les
>         pieces jointes. Les messages electroniques etant susceptibles
>         d'alteration, Orange decline toute responsabilite si ce message
>         a ete
>         altere, deforme ou falsifie. Merci.
>
>         This message and its attachments may contain confidential or
>         privileged
>         information that may be protected by law; they should not be
>         distributed, used or copied without authorisation.
>
>         If you have received this email in error, please notify the
>         sender and
>         delete this message and its attachments.
>
>         As emails may be altered, Orange is not liable for messages that
>         have
>         been modified, changed or falsified.
>
>         Thank you.
>
>
>
>         _________________________________________________
>         DiME mailing list
>         DiME@ietf.org <mailto:DiME@ietf.org>
>         https://www.ietf.org/mailman/__listinfo/dime
>         <https://www.ietf.org/mailman/listinfo/dime>
>
>

v2.23.0 | Report a Bug | By Email