IETF Logo Mail Archive

Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

<lionel.morand@orange.com> Tue, 31 March 2015 17:49 UTC

Return-Path: <lionel.morand@orange.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CFBA1A7028 for <dime@ietfa.amsl.com>; Tue, 31 Mar 2015 10:49:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.699
X-Spam-Level:
X-Spam-Status: No, score=-0.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, J_CHICKENPOX_45=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UsDAireS5vmO for <dime@ietfa.amsl.com>; Tue, 31 Mar 2015 10:49:19 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias243.francetelecom.com [80.12.204.243]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1C011A7004 for <dime@ietf.org>; Tue, 31 Mar 2015 10:49:15 -0700 (PDT)
Received: from omfeda05.si.francetelecom.fr (unknown [xx.xx.xx.198]) by omfeda10.si.francetelecom.fr (ESMTP service) with ESMTP id 786E937432F; Tue, 31 Mar 2015 19:49:14 +0200 (CEST)
Received: from Exchangemail-eme1.itn.ftgroup (unknown [10.114.1.186]) by omfeda05.si.francetelecom.fr (ESMTP service) with ESMTP id 5C9DE1800CD; Tue, 31 Mar 2015 19:49:14 +0200 (CEST)
Received: from PEXCVZYM13.corporate.adroot.infra.ftgroup ([fe80::cc7e:e40b:42ef:164e]) by PEXCVZYH01.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0224.002; Tue, 31 Mar 2015 19:49:14 +0200
From: lionel.morand@orange.com
To: Jouni Korhonen <jouni.nospam@gmail.com>, Henrik Villför <hvillfor@gmail.com>
Thread-Topic: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
Thread-Index: AQHQZtVXo3E0+Y3Toky225tf8HpvuZ0uJwCAgAHDMoCAAK4TgIAGTdVw
Date: Tue, 31 Mar 2015 17:49:13 +0000
Message-ID: <5082_1427824154_551ADE1A_5082_12514_1_6B7134B31289DC4FAF731D844122B36EEF7464@PEXCVZYM13.corporate.adroot.infra.ftgroup>
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com> <551393FF.1090700@gmail.com> <CAOQYgR++rJ3s63xjDw+YjNh0-y2pjX-BxV41nJUFGOFn4uGHUQ@mail.gmail.com> <5515A083.2030106@gmail.com>
In-Reply-To: <5515A083.2030106@gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.197.38.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-PMX-Version: 6.2.1.2478543, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2015.3.31.173618
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/Hakbu81v7iT27lJe1eMXp5umPig>
Cc: "dime@ietf.org" <dime@ietf.org>
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Mar 2015 17:49:21 -0000

Hi,

As said in another mail, from my understanding, at the protocol level, the only restriction is that the x-Host AVP uniquely identifies a peer in the peer table of a node of the realm identified by the x-Realm AVP.
From an operational point of view, it is more than likely that the FQDN will be part of the realm identified in the x-Realm AVP. But this is not deemed mandatory to ensure a successful request routing, as long as there is at least one peer in the given realm as transport connection open with the peer identified in the x-Host AVP whatever the realm it belongs to.

And there is no compatible issue here from my point of view.

regards,

Lionel

-----Message d'origine-----
De : DiME [mailto:dime-bounces@ietf.org] De la part de Jouni Korhonen
Envoyé : vendredi 27 mars 2015 19:25
À : Henrik Villför
Cc : dime@ietf.org
Objet : Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

Hi,

3/27/2015, 1:02 AM, Henrik Villför kirjoitti:
> Thank you Jouni,
> I interpret your answer to say that from a standards and functional 
> point of view the Origin-realm and the domain part of the Origin-host 
> may differ but for (backward) compatibility reasons it is a good idea 
> to keep them the same.
>
> Correct?

Yes'ish.. and to my best collective memory of Diameter it was never intended that these two would have non-overlapping domain parts.

- Jouni

>
> Regards,
> Henrik
>
>
>
> 2015-03-26 6:07 GMT+01:00 Jouni Korhonen <jouni.nospam@gmail.com
> <mailto:jouni.nospam@gmail.com>>:
>
>     Hi,
>
>     3/25/2015, 1:18 AM, Henrik Villför kirjoitti:
>
>         Hi,
>
>             a follow up on the question below.
>
>         Is there anything in the base specification requiring the realm
>         in the
>         Origin-Realm AVP to be the same as the domain part of the
>         Origin-Host AVP?
>
>         Would the following be allowed?
>
>         Origin-Realm: realmexample.com <http://realmexample.com>
>
>         Origin-Host: node.domainexample.com 
> <http://node.domainexample.com>
>
>
>     Based on my reading of RFC6733 yes.. but when reading RFC3588
>     no'ish. The subttle change between these two was:
>
>     OLD:
>        DiameterIdentity  = FQDN
>     NEW:
>        DiameterIdentity  = FQDN/Realm
>
>     And when reading the text on a DiameterIdentity a Diameter node
>     _should_ (ok.. the should is not must..) only use one
>     DiameterIdentity which means the FQDN in Origin-Host and
>     Origin-Realm should be the same..
>
>         Also, although none of the examples of Diameter host identities
>         in rfc
>         6733 show an FQDN with a trailing dot it should be allowed, but
>         a realm
>         may not end in a dot.
>
>
>     AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples
>     use the trailing ".". Anyway, referring to RFC1034 and the "relative
>     names" it is stated that:
>
>     --
>     Relative names are either taken relative to a well known origin, or to a
>     list of domains used as a search list.  Relative names appear mostly at
>     the user interface, where their interpretation varies from
>     implementation to implementation, and in master files, where they are
>     relative to a single origin domain name.  The most common interpretation
>     uses the root "." as either the single origin or as one of the members
>     of the search list, so a multi-label relative name is often one where
>     the trailing dot has been omitted to save typing.
>     --
>
>     Thus it is expected that the resolver library (or equivalent) knows
>     when to add the missing "." e.g. when the domain name is supposed to
>     be a DiameterIdentity.
>
>         So, this should be allowed:
>
>         Origin-Host: node.domainexample.com <http://node.domainexample.com>.
>
>
>     Irrespective of my above rant, I agree.
>
>         This should not be allowed:
>
>         Origin-Realm: realmexample.com <http://realmexample.com>.
>
>
>     Agree (since the example shows a realm).
>
>     - Jouni
>
>         (Sorry about the ugly cut'n'paste. Just joined the list and
>         found the
>         recent post below in the archive.)
>
>         Best Regards,
>
>         Henrik Villför
>
>         ---------
>
>         Hi Lars,
>
>         According to the base protocol, there is no such restriction.
>         When the
>         DiameterIdentity format is used to identify a Diameter node, the
>         only
>         requirement is that:
>
>         * the DiameterIdentity value in Origin/Destination-Host AVP is
>         an FQDN.
>
>         * there is at least one peer table in the realm identified by the
>         Origin/Destination-Realm  AVP that contains the host identified
>         by the FQDN.
>
>         So Example 2 is perfectly valid from a base protocol point of
>         view, as
>         long as there is at least one node in "example.com
>         <http://example.com> <http://example.com>"
>         with a transport connection with the peer
>         "node.site1.example.com <http://node.site1.example.com>
>         <http://node.site1.example.com__>".
>
>         Now, some Diameter applications may have defined specific rules
>         regarding the format of realm/host identity, with explicit
>         restrictions/limitations. It is then required to check if there
>         is any
>         of these restrictions defined in the related specification.
>
>         Regards,
>
>         Lionel
>
>         De : DiME [mailto:dime-bounces <mailto:dime-bounces>
>         <mailto:dime-bounces <mailto:dime-bounces>> at ietf.org
>         <http://ietf.org>
>         <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé :
>         dimanche 15 mars 2015 12:54 À : dime at ietf.org
>         <http://ietf.org> <http://ietf.org> Objet
>         : [Dime] Allowed host and realm naming for a diameter node
>
>         Hi,
>
>         I'm trying to clarify the allowed naming convension for the host and
>         realm of a diameter node. This relates to the values used in the
>         Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code
>         296). I've
>         reviewed the Diameter RFCs and cannot find a definitive answer
>         to this
>         issue.
>
>         The reason for asking this question is that I'm in discussion with a
>         vendor of a Diameter Routing Agent (DRA) which claims that the
>         host of a
>         diameter node has to be in the format host.realm.
>
>         (1) Example of the only allowed format according to the vendor:
>
>         Origin-Realm: example.com <http://example.com> 
> <http://example.com>
>
>         Origin-Host: node.example.com <http://node.example.com>
>         <http://node.example.com>
>
>         I want to clarify if multiple subdomains are allowed to be added
>         in the
>         host without being present in the realm.
>
>         (2) Example:
>
>         Origin-Realm: example.com <http://example.com> 
> <http://example.com>
>
>         Origin-Host: node.site1.example.com
>         <http://node.site1.example.com> 
> <http://node.site1.example.com__>
>
>         According to the vendor, the example 2 is not allowed. To have
>         the host
>         as in example 2, the realm will have to be site1.example.com
>         <http://site1.example.com>
>         <http://site1.example.com>.
>
>         Could someone please clarify this naming issue or point me to the
>         standard where this is defined.
>
>         Thank you.
>
>         Best regards,
>
>         Lars J. Lillehovde
>
>         
> ______________________________________________________________________
> ___________________________________________________________
>
>         Ce message et ses pieces jointes peuvent contenir des informations
>         confidentielles ou privilegiees et ne doivent donc pas etre
>         diffuses,
>         exploites ou copies sans autorisation. Si vous avez recu ce
>         message par
>         erreur, veuillez le signaler a l'expediteur et le detruire ainsi
>         que les
>         pieces jointes. Les messages electroniques etant susceptibles
>         d'alteration, Orange decline toute responsabilite si ce message
>         a ete
>         altere, deforme ou falsifie. Merci.
>
>         This message and its attachments may contain confidential or
>         privileged
>         information that may be protected by law; they should not be
>         distributed, used or copied without authorisation.
>
>         If you have received this email in error, please notify the
>         sender and
>         delete this message and its attachments.
>
>         As emails may be altered, Orange is not liable for messages that
>         have
>         been modified, changed or falsified.
>
>         Thank you.
>
>
>
>         _________________________________________________
>         DiME mailing list
>         DiME@ietf.org <mailto:DiME@ietf.org>
>         https://www.ietf.org/mailman/__listinfo/dime
>         <https://www.ietf.org/mailman/listinfo/dime>
>
>

_______________________________________________
DiME mailing list
DiME@ietf.org
https://www.ietf.org/mailman/listinfo/dime

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email