Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
Henrik Villför <hvillfor@gmail.com> Fri, 27 March 2015 08:02 UTC
Return-Path: <hvillfor@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10E561A9128 for <dime@ietfa.amsl.com>; Fri, 27 Mar 2015 01:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.099
X-Spam-Level:
X-Spam-Status: No, score=-1.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7U4j_mfW6hFA for <dime@ietfa.amsl.com>; Fri, 27 Mar 2015 01:02:06 -0700 (PDT)
Received: from mail-oi0-x233.google.com (mail-oi0-x233.google.com [IPv6:2607:f8b0:4003:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 403351A9108 for <dime@ietf.org>; Fri, 27 Mar 2015 01:02:06 -0700 (PDT)
Received: by oifl3 with SMTP id l3so69981919oif.0 for <dime@ietf.org>; Fri, 27 Mar 2015 01:02:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=eq1lq//ZaU+Vdy9TcBh06hyGMTCSPEMJA955SNgbD8E=; b=WmYBA/EDbQ5diBecHMnZlPS+d+OqnQbJgE7DZ0L3UXOSnLDppcCPREvzMYy1jjZIyC Vx5ZZJaenQj0BGITKNGUlxqNz1IpMbSFdornsKn00vsH0hiclQqT5FHr+16VMb9MWJKf 9gB138YppX+V70Rdeaje+sMQWq6e/gMFMLYI0vEsE8lWq0NQwu9XbjdJtu0XZigsRI67 20DuHV+cGGPQavEhiXspZ40CzU8KEGOm+Iw2fR2TjxbsY7b3V2uHfvbudrqB8CZ8m3s1 Vws++n+mpEpI11aI54EDBlafywZELXVAaW/E5KOz8tYEFIEOZXL0j8qZqGtrgaSwIVU7 r7bw==
MIME-Version: 1.0
X-Received: by 10.182.210.197 with SMTP id mw5mr15568106obc.26.1427443325756; Fri, 27 Mar 2015 01:02:05 -0700 (PDT)
Received: by 10.182.116.234 with HTTP; Fri, 27 Mar 2015 01:02:05 -0700 (PDT)
In-Reply-To: <551393FF.1090700@gmail.com>
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com> <551393FF.1090700@gmail.com>
Date: Fri, 27 Mar 2015 09:02:05 +0100
Message-ID: <CAOQYgR++rJ3s63xjDw+YjNh0-y2pjX-BxV41nJUFGOFn4uGHUQ@mail.gmail.com>
From: Henrik Villför <hvillfor@gmail.com>
To: Jouni Korhonen <jouni.nospam@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c29be85e68870512408c55"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/MjYrXamEaqTisq4o5EpboZfVZEg>
Cc: dime@ietf.org
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 08:02:12 -0000
Thank you Jouni, I interpret your answer to say that from a standards and functional point of view the Origin-realm and the domain part of the Origin-host may differ but for (backward) compatibility reasons it is a good idea to keep them the same. Correct? Regards, Henrik 2015-03-26 6:07 GMT+01:00 Jouni Korhonen <jouni.nospam@gmail.com>: > Hi, > > 3/25/2015, 1:18 AM, Henrik Villför kirjoitti: > >> Hi, >> >> a follow up on the question below. >> >> Is there anything in the base specification requiring the realm in the >> Origin-Realm AVP to be the same as the domain part of the Origin-Host AVP? >> >> Would the following be allowed? >> >> Origin-Realm: realmexample.com >> >> Origin-Host: node.domainexample.com >> > > Based on my reading of RFC6733 yes.. but when reading RFC3588 no'ish. The > subttle change between these two was: > > OLD: > DiameterIdentity = FQDN > NEW: > DiameterIdentity = FQDN/Realm > > And when reading the text on a DiameterIdentity a Diameter node _should_ > (ok.. the should is not must..) only use one DiameterIdentity which means > the FQDN in Origin-Host and Origin-Realm should be the same.. > > Also, although none of the examples of Diameter host identities in rfc >> 6733 show an FQDN with a trailing dot it should be allowed, but a realm >> may not end in a dot. >> > > AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples use > the trailing ".". Anyway, referring to RFC1034 and the "relative names" it > is stated that: > > -- > Relative names are either taken relative to a well known origin, or to a > list of domains used as a search list. Relative names appear mostly at > the user interface, where their interpretation varies from > implementation to implementation, and in master files, where they are > relative to a single origin domain name. The most common interpretation > uses the root "." as either the single origin or as one of the members > of the search list, so a multi-label relative name is often one where > the trailing dot has been omitted to save typing. > -- > > Thus it is expected that the resolver library (or equivalent) knows when > to add the missing "." e.g. when the domain name is supposed to be a > DiameterIdentity. > > So, this should be allowed: >> >> Origin-Host: node.domainexample.com. >> > > Irrespective of my above rant, I agree. > > This should not be allowed: >> >> Origin-Realm: realmexample.com. >> > > Agree (since the example shows a realm). > > - Jouni > > (Sorry about the ugly cut'n'paste. Just joined the list and found the >> recent post below in the archive.) >> >> Best Regards, >> >> Henrik Villför >> >> --------- >> >> Hi Lars, >> >> According to the base protocol, there is no such restriction. When the >> DiameterIdentity format is used to identify a Diameter node, the only >> requirement is that: >> >> * the DiameterIdentity value in Origin/Destination-Host AVP is an FQDN. >> >> * there is at least one peer table in the realm identified by the >> Origin/Destination-Realm AVP that contains the host identified by the >> FQDN. >> >> So Example 2 is perfectly valid from a base protocol point of view, as >> long as there is at least one node in "example.com <http://example.com>" >> with a transport connection with the peer "node.site1.example.com >> <http://node.site1.example.com>". >> >> Now, some Diameter applications may have defined specific rules >> regarding the format of realm/host identity, with explicit >> restrictions/limitations. It is then required to check if there is any >> of these restrictions defined in the related specification. >> >> Regards, >> >> Lionel >> >> De : DiME [mailto:dime-bounces <mailto:dime-bounces> at ietf.org >> <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé : >> dimanche 15 mars 2015 12:54 À : dime at ietf.org <http://ietf.org> Objet >> : [Dime] Allowed host and realm naming for a diameter node >> >> Hi, >> >> I'm trying to clarify the allowed naming convension for the host and >> realm of a diameter node. This relates to the values used in the >> Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code 296). I've >> reviewed the Diameter RFCs and cannot find a definitive answer to this >> issue. >> >> The reason for asking this question is that I'm in discussion with a >> vendor of a Diameter Routing Agent (DRA) which claims that the host of a >> diameter node has to be in the format host.realm. >> >> (1) Example of the only allowed format according to the vendor: >> >> Origin-Realm: example.com <http://example.com> >> >> Origin-Host: node.example.com <http://node.example.com> >> >> I want to clarify if multiple subdomains are allowed to be added in the >> host without being present in the realm. >> >> (2) Example: >> >> Origin-Realm: example.com <http://example.com> >> >> Origin-Host: node.site1.example.com <http://node.site1.example.com> >> >> According to the vendor, the example 2 is not allowed. To have the host >> as in example 2, the realm will have to be site1.example.com >> <http://site1.example.com>. >> >> Could someone please clarify this naming issue or point me to the >> standard where this is defined. >> >> Thank you. >> >> Best regards, >> >> Lars J. Lillehovde >> >> ____________________________________________________________ >> _____________________________________________________________ >> >> Ce message et ses pieces jointes peuvent contenir des informations >> confidentielles ou privilegiees et ne doivent donc pas etre diffuses, >> exploites ou copies sans autorisation. Si vous avez recu ce message par >> erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les >> pieces jointes. Les messages electroniques etant susceptibles >> d'alteration, Orange decline toute responsabilite si ce message a ete >> altere, deforme ou falsifie. Merci. >> >> This message and its attachments may contain confidential or privileged >> information that may be protected by law; they should not be >> distributed, used or copied without authorisation. >> >> If you have received this email in error, please notify the sender and >> delete this message and its attachments. >> >> As emails may be altered, Orange is not liable for messages that have >> been modified, changed or falsified. >> >> Thank you. >> >> >> >> _______________________________________________ >> DiME mailing list >> DiME@ietf.org >> https://www.ietf.org/mailman/listinfo/dime >> >>
- [Dime] realm vs domain (was: Allowed host and rea… Henrik Villför
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… Henrik Villför
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain Iliya Peregoudov
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni.nosmap
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… Dave Dolson
- Re: [Dime] realm vs domain (was: Allowed host and… Lars Jørgen Lillehovde
- Re: [Dime] realm vs domain (was: Allowed host and… John Basha