Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
Jouni Korhonen <jouni.nospam@gmail.com> Thu, 26 March 2015 05:07 UTC
Return-Path: <jouni.nospam@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2AC31ACD0A for <dime@ietfa.amsl.com>; Wed, 25 Mar 2015 22:07:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level:
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_45=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4_aHrnKkB7ri for <dime@ietfa.amsl.com>; Wed, 25 Mar 2015 22:07:16 -0700 (PDT)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C16371ACD08 for <dime@ietf.org>; Wed, 25 Mar 2015 22:07:15 -0700 (PDT)
Received: by wgra20 with SMTP id a20so51188466wgr.3 for <dime@ietf.org>; Wed, 25 Mar 2015 22:07:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=cfP8gx7VDtHzy3GJUfHGK2xGY7T0n9AxhvFc44cTFtw=; b=rQBGgMU9cxBIBan95SPl/6VXTsuPdgzUnZckaLFfXfqcpaBG1YoTm8aggAjuWA0UGd MwkdBUhJUo3qcLx33A4TXm1YnXeYM8iQt4iu+7UZllsKeymnVBzKvVGoCQcAfFWdMgwF kXuMHDevX8Z9u2RgtcjlRO/zfPoXqHfraKAIdnCI7KgW1tuu+w3P9/mln/EKfSd1oM2+ TeeLAydWieItA8BoiWnNHimrItkNlFkD5JPzaD9GJVHzjOGgb3cabCTUvFLvPDTHRxGC ZeJuG5bMTCz3eWYOIi92HqJk95sM9XzfVlo8KGmXZ7+yvWhekmRJLwYsdsU3PWE+QmZs HnOQ==
X-Received: by 10.180.87.165 with SMTP id az5mr34530921wib.29.1427346434523; Wed, 25 Mar 2015 22:07:14 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:136:e852:f487:438c:7085? ([2001:67c:370:136:e852:f487:438c:7085]) by mx.google.com with ESMTPSA id hd10sm23525690wib.7.2015.03.25.22.07.12 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Mar 2015 22:07:13 -0700 (PDT)
Message-ID: <551393FF.1090700@gmail.com>
Date: Wed, 25 Mar 2015 22:07:11 -0700
From: Jouni Korhonen <jouni.nospam@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Henrik Villför <hvillfor@gmail.com>, dime@ietf.org
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com>
In-Reply-To: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/QByypdyILpa4SYiFdaANQDHBta0>
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 05:07:17 -0000
Hi, 3/25/2015, 1:18 AM, Henrik Villför kirjoitti: > Hi, > > a follow up on the question below. > > Is there anything in the base specification requiring the realm in the > Origin-Realm AVP to be the same as the domain part of the Origin-Host AVP? > > Would the following be allowed? > > Origin-Realm: realmexample.com > > Origin-Host: node.domainexample.com Based on my reading of RFC6733 yes.. but when reading RFC3588 no'ish. The subttle change between these two was: OLD: DiameterIdentity = FQDN NEW: DiameterIdentity = FQDN/Realm And when reading the text on a DiameterIdentity a Diameter node _should_ (ok.. the should is not must..) only use one DiameterIdentity which means the FQDN in Origin-Host and Origin-Realm should be the same.. > Also, although none of the examples of Diameter host identities in rfc > 6733 show an FQDN with a trailing dot it should be allowed, but a realm > may not end in a dot. AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples use the trailing ".". Anyway, referring to RFC1034 and the "relative names" it is stated that: -- Relative names are either taken relative to a well known origin, or to a list of domains used as a search list. Relative names appear mostly at the user interface, where their interpretation varies from implementation to implementation, and in master files, where they are relative to a single origin domain name. The most common interpretation uses the root "." as either the single origin or as one of the members of the search list, so a multi-label relative name is often one where the trailing dot has been omitted to save typing. -- Thus it is expected that the resolver library (or equivalent) knows when to add the missing "." e.g. when the domain name is supposed to be a DiameterIdentity. > So, this should be allowed: > > Origin-Host: node.domainexample.com. Irrespective of my above rant, I agree. > This should not be allowed: > > Origin-Realm: realmexample.com. Agree (since the example shows a realm). - Jouni > (Sorry about the ugly cut'n'paste. Just joined the list and found the > recent post below in the archive.) > > Best Regards, > > Henrik Villför > > --------- > > Hi Lars, > > According to the base protocol, there is no such restriction. When the > DiameterIdentity format is used to identify a Diameter node, the only > requirement is that: > > * the DiameterIdentity value in Origin/Destination-Host AVP is an FQDN. > > * there is at least one peer table in the realm identified by the > Origin/Destination-Realm AVP that contains the host identified by the FQDN. > > So Example 2 is perfectly valid from a base protocol point of view, as > long as there is at least one node in "example.com <http://example.com>" > with a transport connection with the peer "node.site1.example.com > <http://node.site1.example.com>". > > Now, some Diameter applications may have defined specific rules > regarding the format of realm/host identity, with explicit > restrictions/limitations. It is then required to check if there is any > of these restrictions defined in the related specification. > > Regards, > > Lionel > > De : DiME [mailto:dime-bounces <mailto:dime-bounces> at ietf.org > <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé : > dimanche 15 mars 2015 12:54 À : dime at ietf.org <http://ietf.org> Objet > : [Dime] Allowed host and realm naming for a diameter node > > Hi, > > I'm trying to clarify the allowed naming convension for the host and > realm of a diameter node. This relates to the values used in the > Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code 296). I've > reviewed the Diameter RFCs and cannot find a definitive answer to this > issue. > > The reason for asking this question is that I'm in discussion with a > vendor of a Diameter Routing Agent (DRA) which claims that the host of a > diameter node has to be in the format host.realm. > > (1) Example of the only allowed format according to the vendor: > > Origin-Realm: example.com <http://example.com> > > Origin-Host: node.example.com <http://node.example.com> > > I want to clarify if multiple subdomains are allowed to be added in the > host without being present in the realm. > > (2) Example: > > Origin-Realm: example.com <http://example.com> > > Origin-Host: node.site1.example.com <http://node.site1.example.com> > > According to the vendor, the example 2 is not allowed. To have the host > as in example 2, the realm will have to be site1.example.com > <http://site1.example.com>. > > Could someone please clarify this naming issue or point me to the > standard where this is defined. > > Thank you. > > Best regards, > > Lars J. Lillehovde > > _________________________________________________________________________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations > confidentielles ou privilegiees et ne doivent donc pas etre diffuses, > exploites ou copies sans autorisation. Si vous avez recu ce message par > erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les > pieces jointes. Les messages electroniques etant susceptibles > d'alteration, Orange decline toute responsabilite si ce message a ete > altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged > information that may be protected by law; they should not be > distributed, used or copied without authorisation. > > If you have received this email in error, please notify the sender and > delete this message and its attachments. > > As emails may be altered, Orange is not liable for messages that have > been modified, changed or falsified. > > Thank you. > > > > _______________________________________________ > DiME mailing list > DiME@ietf.org > https://www.ietf.org/mailman/listinfo/dime >
- [Dime] realm vs domain (was: Allowed host and rea… Henrik Villför
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… Henrik Villför
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain Iliya Peregoudov
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni.nosmap
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… lionel.morand
- Re: [Dime] realm vs domain (was: Allowed host and… Jouni Korhonen
- Re: [Dime] realm vs domain (was: Allowed host and… Dave Dolson
- Re: [Dime] realm vs domain (was: Allowed host and… Lars Jørgen Lillehovde
- Re: [Dime] realm vs domain (was: Allowed host and… John Basha