Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
Jouni Korhonen <jouni.nospam@gmail.com> Fri, 27 March 2015 18:26 UTC
Return-Path: <jouni.nospam@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E3E51A88CF for <dime@ietfa.amsl.com>; Fri, 27 Mar 2015 11:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level:
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_45=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvaZ4xgkWJyN for <dime@ietfa.amsl.com>; Fri, 27 Mar 2015 11:26:08 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55BC01ACE81 for <dime@ietf.org>; Fri, 27 Mar 2015 11:25:12 -0700 (PDT)
Received: by wibbg6 with SMTP id bg6so36419859wib.0 for <dime@ietf.org>; Fri, 27 Mar 2015 11:25:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=4ZYWEYMBRARfiFROyCmbfe3w51J3cYkwcb3J1mBAS3k=; b=RykgL49vzHhexDc9xstL/8yu65HO5puFHgX62wrkB+SbAUHhoppvwuQoqMRY21sHkl 4GSKRa7fQ5PamPAjorCSVGdU4c6SKApTOCXGNQyWSBuC63C6k2PhdlsG4d7vy+mpUIUy yVN6U9p381ZV0Tp2/P2ezMSFtVbdWyBbxtIipH6crVwTCgAKJpHzYqn+vQSRLy1zCVVy otTuPEp/aRgpnQ8Aw+AFMzeMj5nn3KCe8G3MlMowpxt394W6kxwBH9WwWINCSraJUV8p Pj/6F1u+ZlAPuohxkBNHGXjw1EgvO9xMysWeqVyJaAXVptR0oqTkhd3APm5INEFACsUF 5GWA==
X-Received: by 10.180.160.226 with SMTP id xn2mr207088wib.43.1427480711055; Fri, 27 Mar 2015 11:25:11 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:160:f930:19ba:e7a2:81ec? ([2001:67c:370:160:f930:19ba:e7a2:81ec]) by mx.google.com with ESMTPSA id gj16sm3876464wic.24.2015.03.27.11.25.09 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 27 Mar 2015 11:25:10 -0700 (PDT)
Message-ID: <5515A083.2030106@gmail.com>
Date: Fri, 27 Mar 2015 11:25:07 -0700
From: Jouni Korhonen <jouni.nospam@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Henrik Villför <hvillfor@gmail.com>
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com> <551393FF.1090700@gmail.com> <CAOQYgR++rJ3s63xjDw+YjNh0-y2pjX-BxV41nJUFGOFn4uGHUQ@mail.gmail.com>
In-Reply-To: <CAOQYgR++rJ3s63xjDw+YjNh0-y2pjX-BxV41nJUFGOFn4uGHUQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/FQQ7VTvRojK4KNhzAKYt3cK8x8c>
Cc: dime@ietf.org
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 18:26:10 -0000
Hi, 3/27/2015, 1:02 AM, Henrik Villför kirjoitti: > Thank you Jouni, > I interpret your answer to say that from a standards and functional > point of view the Origin-realm and the domain part of the Origin-host > may differ but for (backward) compatibility reasons it is a good idea to > keep them the same. > > Correct? Yes'ish.. and to my best collective memory of Diameter it was never intended that these two would have non-overlapping domain parts. - Jouni > > Regards, > Henrik > > > > 2015-03-26 6:07 GMT+01:00 Jouni Korhonen <jouni.nospam@gmail.com > <mailto:jouni.nospam@gmail.com>>: > > Hi, > > 3/25/2015, 1:18 AM, Henrik Villför kirjoitti: > > Hi, > > a follow up on the question below. > > Is there anything in the base specification requiring the realm > in the > Origin-Realm AVP to be the same as the domain part of the > Origin-Host AVP? > > Would the following be allowed? > > Origin-Realm: realmexample.com <http://realmexample.com> > > Origin-Host: node.domainexample.com <http://node.domainexample.com> > > > Based on my reading of RFC6733 yes.. but when reading RFC3588 > no'ish. The subttle change between these two was: > > OLD: > DiameterIdentity = FQDN > NEW: > DiameterIdentity = FQDN/Realm > > And when reading the text on a DiameterIdentity a Diameter node > _should_ (ok.. the should is not must..) only use one > DiameterIdentity which means the FQDN in Origin-Host and > Origin-Realm should be the same.. > > Also, although none of the examples of Diameter host identities > in rfc > 6733 show an FQDN with a trailing dot it should be allowed, but > a realm > may not end in a dot. > > > AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples > use the trailing ".". Anyway, referring to RFC1034 and the "relative > names" it is stated that: > > -- > Relative names are either taken relative to a well known origin, or to a > list of domains used as a search list. Relative names appear mostly at > the user interface, where their interpretation varies from > implementation to implementation, and in master files, where they are > relative to a single origin domain name. The most common interpretation > uses the root "." as either the single origin or as one of the members > of the search list, so a multi-label relative name is often one where > the trailing dot has been omitted to save typing. > -- > > Thus it is expected that the resolver library (or equivalent) knows > when to add the missing "." e.g. when the domain name is supposed to > be a DiameterIdentity. > > So, this should be allowed: > > Origin-Host: node.domainexample.com <http://node.domainexample.com>. > > > Irrespective of my above rant, I agree. > > This should not be allowed: > > Origin-Realm: realmexample.com <http://realmexample.com>. > > > Agree (since the example shows a realm). > > - Jouni > > (Sorry about the ugly cut'n'paste. Just joined the list and > found the > recent post below in the archive.) > > Best Regards, > > Henrik Villför > > --------- > > Hi Lars, > > According to the base protocol, there is no such restriction. > When the > DiameterIdentity format is used to identify a Diameter node, the > only > requirement is that: > > * the DiameterIdentity value in Origin/Destination-Host AVP is > an FQDN. > > * there is at least one peer table in the realm identified by the > Origin/Destination-Realm AVP that contains the host identified > by the FQDN. > > So Example 2 is perfectly valid from a base protocol point of > view, as > long as there is at least one node in "example.com > <http://example.com> <http://example.com>" > with a transport connection with the peer > "node.site1.example.com <http://node.site1.example.com> > <http://node.site1.example.com__>". > > Now, some Diameter applications may have defined specific rules > regarding the format of realm/host identity, with explicit > restrictions/limitations. It is then required to check if there > is any > of these restrictions defined in the related specification. > > Regards, > > Lionel > > De : DiME [mailto:dime-bounces <mailto:dime-bounces> > <mailto:dime-bounces <mailto:dime-bounces>> at ietf.org > <http://ietf.org> > <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé : > dimanche 15 mars 2015 12:54 À : dime at ietf.org > <http://ietf.org> <http://ietf.org> Objet > : [Dime] Allowed host and realm naming for a diameter node > > Hi, > > I'm trying to clarify the allowed naming convension for the host and > realm of a diameter node. This relates to the values used in the > Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code > 296). I've > reviewed the Diameter RFCs and cannot find a definitive answer > to this > issue. > > The reason for asking this question is that I'm in discussion with a > vendor of a Diameter Routing Agent (DRA) which claims that the > host of a > diameter node has to be in the format host.realm. > > (1) Example of the only allowed format according to the vendor: > > Origin-Realm: example.com <http://example.com> <http://example.com> > > Origin-Host: node.example.com <http://node.example.com> > <http://node.example.com> > > I want to clarify if multiple subdomains are allowed to be added > in the > host without being present in the realm. > > (2) Example: > > Origin-Realm: example.com <http://example.com> <http://example.com> > > Origin-Host: node.site1.example.com > <http://node.site1.example.com> <http://node.site1.example.com__> > > According to the vendor, the example 2 is not allowed. To have > the host > as in example 2, the realm will have to be site1.example.com > <http://site1.example.com> > <http://site1.example.com>. > > Could someone please clarify this naming issue or point me to the > standard where this is defined. > > Thank you. > > Best regards, > > Lars J. Lillehovde > > _________________________________________________________________________________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc pas etre > diffuses, > exploites ou copies sans autorisation. Si vous avez recu ce > message par > erreur, veuillez le signaler a l'expediteur et le detruire ainsi > que les > pieces jointes. Les messages electroniques etant susceptibles > d'alteration, Orange decline toute responsabilite si ce message > a ete > altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or > privileged > information that may be protected by law; they should not be > distributed, used or copied without authorisation. > > If you have received this email in error, please notify the > sender and > delete this message and its attachments. > > As emails may be altered, Orange is not liable for messages that > have > been modified, changed or falsified. > > Thank you. > > > > _________________________________________________ > DiME mailing list > DiME@ietf.org <mailto:DiME@ietf.org> > https://www.ietf.org/mailman/__listinfo/dime > <https://www.ietf.org/mailman/listinfo/dime> > >
- [Dime] realm vs domain (was: Allowed host and rea… Henrik Villför
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… Henrik Villför
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain Iliya Peregoudov
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni.nosmap
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… Dave Dolson
- Re: [Dime] realm vs domain (was: Allowed host and… Lars Jørgen Lillehovde
- Re: [Dime] realm vs domain (was: Allowed host and… John Basha