IETF Logo Mail Archive

Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

Henrik Villför <hvillfor@gmail.com> Fri, 27 March 2015 08:02 UTC

Return-Path: <hvillfor@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10E561A9128 for <dime@ietfa.amsl.com>; Fri, 27 Mar 2015 01:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.099
X-Spam-Level:
X-Spam-Status: No, score=-1.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7U4j_mfW6hFA for <dime@ietfa.amsl.com>; Fri, 27 Mar 2015 01:02:06 -0700 (PDT)
Received: from mail-oi0-x233.google.com (mail-oi0-x233.google.com [IPv6:2607:f8b0:4003:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 403351A9108 for <dime@ietf.org>; Fri, 27 Mar 2015 01:02:06 -0700 (PDT)
Received: by oifl3 with SMTP id l3so69981919oif.0 for <dime@ietf.org>; Fri, 27 Mar 2015 01:02:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=eq1lq//ZaU+Vdy9TcBh06hyGMTCSPEMJA955SNgbD8E=; b=WmYBA/EDbQ5diBecHMnZlPS+d+OqnQbJgE7DZ0L3UXOSnLDppcCPREvzMYy1jjZIyC Vx5ZZJaenQj0BGITKNGUlxqNz1IpMbSFdornsKn00vsH0hiclQqT5FHr+16VMb9MWJKf 9gB138YppX+V70Rdeaje+sMQWq6e/gMFMLYI0vEsE8lWq0NQwu9XbjdJtu0XZigsRI67 20DuHV+cGGPQavEhiXspZ40CzU8KEGOm+Iw2fR2TjxbsY7b3V2uHfvbudrqB8CZ8m3s1 Vws++n+mpEpI11aI54EDBlafywZELXVAaW/E5KOz8tYEFIEOZXL0j8qZqGtrgaSwIVU7 r7bw==
MIME-Version: 1.0
X-Received: by 10.182.210.197 with SMTP id mw5mr15568106obc.26.1427443325756; Fri, 27 Mar 2015 01:02:05 -0700 (PDT)
Received: by 10.182.116.234 with HTTP; Fri, 27 Mar 2015 01:02:05 -0700 (PDT)
In-Reply-To: <551393FF.1090700@gmail.com>
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com> <551393FF.1090700@gmail.com>
Date: Fri, 27 Mar 2015 09:02:05 +0100
Message-ID: <CAOQYgR++rJ3s63xjDw+YjNh0-y2pjX-BxV41nJUFGOFn4uGHUQ@mail.gmail.com>
From: Henrik Villför <hvillfor@gmail.com>
To: Jouni Korhonen <jouni.nospam@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c29be85e68870512408c55"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/MjYrXamEaqTisq4o5EpboZfVZEg>
Cc: dime@ietf.org
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 08:02:12 -0000

Thank you Jouni,
I interpret your answer to say that from a standards and functional point
of view the Origin-realm and the domain part of the Origin-host may differ
but for (backward) compatibility reasons it is a good idea to keep them the
same.

Correct?

Regards,
Henrik




2015-03-26 6:07 GMT+01:00 Jouni Korhonen <jouni.nospam@gmail.com>:

> Hi,
>
> 3/25/2015, 1:18 AM, Henrik Villför kirjoitti:
>
>> Hi,
>>
>>    a follow up on the question below.
>>
>> Is there anything in the base specification requiring the realm in the
>> Origin-Realm AVP to be the same as the domain part of the Origin-Host AVP?
>>
>> Would the following be allowed?
>>
>> Origin-Realm: realmexample.com
>>
>> Origin-Host: node.domainexample.com
>>
>
> Based on my reading of RFC6733 yes.. but when reading RFC3588 no'ish. The
> subttle change between these two was:
>
> OLD:
>   DiameterIdentity  = FQDN
> NEW:
>   DiameterIdentity  = FQDN/Realm
>
> And when reading the text on a DiameterIdentity a Diameter node _should_
> (ok.. the should is not must..) only use one DiameterIdentity which means
> the FQDN in Origin-Host and Origin-Realm should be the same..
>
>  Also, although none of the examples of Diameter host identities in rfc
>> 6733 show an FQDN with a trailing dot it should be allowed, but a realm
>> may not end in a dot.
>>
>
> AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples use
> the trailing ".". Anyway, referring to RFC1034 and the "relative names" it
> is stated that:
>
> --
> Relative names are either taken relative to a well known origin, or to a
> list of domains used as a search list.  Relative names appear mostly at
> the user interface, where their interpretation varies from
> implementation to implementation, and in master files, where they are
> relative to a single origin domain name.  The most common interpretation
> uses the root "." as either the single origin or as one of the members
> of the search list, so a multi-label relative name is often one where
> the trailing dot has been omitted to save typing.
> --
>
> Thus it is expected that the resolver library (or equivalent) knows when
> to add the missing "." e.g. when the domain name is supposed to be a
> DiameterIdentity.
>
>  So, this should be allowed:
>>
>> Origin-Host: node.domainexample.com.
>>
>
> Irrespective of my above rant, I agree.
>
>  This should not be allowed:
>>
>> Origin-Realm: realmexample.com.
>>
>
> Agree (since the example shows a realm).
>
> - Jouni
>
>  (Sorry about the ugly cut'n'paste. Just joined the list and found the
>> recent post below in the archive.)
>>
>> Best Regards,
>>
>> Henrik Villför
>>
>> ---------
>>
>> Hi Lars,
>>
>> According to the base protocol, there is no such restriction. When the
>> DiameterIdentity format is used to identify a Diameter node, the only
>> requirement is that:
>>
>> * the DiameterIdentity value in Origin/Destination-Host AVP is an FQDN.
>>
>> * there is at least one peer table in the realm identified by the
>> Origin/Destination-Realm  AVP that contains the host identified by the
>> FQDN.
>>
>> So Example 2 is perfectly valid from a base protocol point of view, as
>> long as there is at least one node in "example.com <http://example.com>"
>> with a transport connection with the peer "node.site1.example.com
>> <http://node.site1.example.com>".
>>
>> Now, some Diameter applications may have defined specific rules
>> regarding the format of realm/host identity, with explicit
>> restrictions/limitations. It is then required to check if there is any
>> of these restrictions defined in the related specification.
>>
>> Regards,
>>
>> Lionel
>>
>> De : DiME [mailto:dime-bounces <mailto:dime-bounces> at ietf.org
>> <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé :
>> dimanche 15 mars 2015 12:54 À : dime at ietf.org <http://ietf.org> Objet
>> : [Dime] Allowed host and realm naming for a diameter node
>>
>> Hi,
>>
>> I'm trying to clarify the allowed naming convension for the host and
>> realm of a diameter node. This relates to the values used in the
>> Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code 296). I've
>> reviewed the Diameter RFCs and cannot find a definitive answer to this
>> issue.
>>
>> The reason for asking this question is that I'm in discussion with a
>> vendor of a Diameter Routing Agent (DRA) which claims that the host of a
>> diameter node has to be in the format host.realm.
>>
>> (1) Example of the only allowed format according to the vendor:
>>
>> Origin-Realm: example.com <http://example.com>
>>
>> Origin-Host: node.example.com <http://node.example.com>
>>
>> I want to clarify if multiple subdomains are allowed to be added in the
>> host without being present in the realm.
>>
>> (2) Example:
>>
>> Origin-Realm: example.com <http://example.com>
>>
>> Origin-Host: node.site1.example.com <http://node.site1.example.com>
>>
>> According to the vendor, the example 2 is not allowed. To have the host
>> as in example 2, the realm will have to be site1.example.com
>> <http://site1.example.com>.
>>
>> Could someone please clarify this naming issue or point me to the
>> standard where this is defined.
>>
>> Thank you.
>>
>> Best regards,
>>
>> Lars J. Lillehovde
>>
>> ____________________________________________________________
>> _____________________________________________________________
>>
>> Ce message et ses pieces jointes peuvent contenir des informations
>> confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
>> exploites ou copies sans autorisation. Si vous avez recu ce message par
>> erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les
>> pieces jointes. Les messages electroniques etant susceptibles
>> d'alteration, Orange decline toute responsabilite si ce message a ete
>> altere, deforme ou falsifie. Merci.
>>
>> This message and its attachments may contain confidential or privileged
>> information that may be protected by law; they should not be
>> distributed, used or copied without authorisation.
>>
>> If you have received this email in error, please notify the sender and
>> delete this message and its attachments.
>>
>> As emails may be altered, Orange is not liable for messages that have
>> been modified, changed or falsified.
>>
>> Thank you.
>>
>>
>>
>> _______________________________________________
>> DiME mailing list
>> DiME@ietf.org
>> https://www.ietf.org/mailman/listinfo/dime
>>
>>

v2.23.0 | Report a Bug | By Email