IETF Logo Mail Archive

Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

Jouni Korhonen <jouni.nospam@gmail.com> Thu, 26 March 2015 05:07 UTC

Return-Path: <jouni.nospam@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2AC31ACD0A for <dime@ietfa.amsl.com>; Wed, 25 Mar 2015 22:07:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level:
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_45=0.6, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4_aHrnKkB7ri for <dime@ietfa.amsl.com>; Wed, 25 Mar 2015 22:07:16 -0700 (PDT)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C16371ACD08 for <dime@ietf.org>; Wed, 25 Mar 2015 22:07:15 -0700 (PDT)
Received: by wgra20 with SMTP id a20so51188466wgr.3 for <dime@ietf.org>; Wed, 25 Mar 2015 22:07:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=cfP8gx7VDtHzy3GJUfHGK2xGY7T0n9AxhvFc44cTFtw=; b=rQBGgMU9cxBIBan95SPl/6VXTsuPdgzUnZckaLFfXfqcpaBG1YoTm8aggAjuWA0UGd MwkdBUhJUo3qcLx33A4TXm1YnXeYM8iQt4iu+7UZllsKeymnVBzKvVGoCQcAfFWdMgwF kXuMHDevX8Z9u2RgtcjlRO/zfPoXqHfraKAIdnCI7KgW1tuu+w3P9/mln/EKfSd1oM2+ TeeLAydWieItA8BoiWnNHimrItkNlFkD5JPzaD9GJVHzjOGgb3cabCTUvFLvPDTHRxGC ZeJuG5bMTCz3eWYOIi92HqJk95sM9XzfVlo8KGmXZ7+yvWhekmRJLwYsdsU3PWE+QmZs HnOQ==
X-Received: by 10.180.87.165 with SMTP id az5mr34530921wib.29.1427346434523; Wed, 25 Mar 2015 22:07:14 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:136:e852:f487:438c:7085? ([2001:67c:370:136:e852:f487:438c:7085]) by mx.google.com with ESMTPSA id hd10sm23525690wib.7.2015.03.25.22.07.12 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Mar 2015 22:07:13 -0700 (PDT)
Message-ID: <551393FF.1090700@gmail.com>
Date: Wed, 25 Mar 2015 22:07:11 -0700
From: Jouni Korhonen <jouni.nospam@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Henrik Villför <hvillfor@gmail.com>, dime@ietf.org
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com>
In-Reply-To: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/QByypdyILpa4SYiFdaANQDHBta0>
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 05:07:17 -0000

Hi,

3/25/2015, 1:18 AM, Henrik Villför kirjoitti:
> Hi,
>
>    a follow up on the question below.
>
> Is there anything in the base specification requiring the realm in the
> Origin-Realm AVP to be the same as the domain part of the Origin-Host AVP?
>
> Would the following be allowed?
>
> Origin-Realm: realmexample.com
>
> Origin-Host: node.domainexample.com

Based on my reading of RFC6733 yes.. but when reading RFC3588 no'ish. 
The subttle change between these two was:

OLD:
   DiameterIdentity  = FQDN
NEW:
   DiameterIdentity  = FQDN/Realm

And when reading the text on a DiameterIdentity a Diameter node _should_ 
(ok.. the should is not must..) only use one DiameterIdentity which 
means the FQDN in Origin-Host and Origin-Realm should be the same..

> Also, although none of the examples of Diameter host identities in rfc
> 6733 show an FQDN with a trailing dot it should be allowed, but a realm
> may not end in a dot.

AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples use 
the trailing ".". Anyway, referring to RFC1034 and the "relative names" 
it is stated that:

--
Relative names are either taken relative to a well known origin, or to a
list of domains used as a search list.  Relative names appear mostly at
the user interface, where their interpretation varies from
implementation to implementation, and in master files, where they are
relative to a single origin domain name.  The most common interpretation
uses the root "." as either the single origin or as one of the members
of the search list, so a multi-label relative name is often one where
the trailing dot has been omitted to save typing.
--

Thus it is expected that the resolver library (or equivalent) knows when 
to add the missing "." e.g. when the domain name is supposed to be a 
DiameterIdentity.

> So, this should be allowed:
>
> Origin-Host: node.domainexample.com.

Irrespective of my above rant, I agree.

> This should not be allowed:
>
> Origin-Realm: realmexample.com.

Agree (since the example shows a realm).

- Jouni

> (Sorry about the ugly cut'n'paste. Just joined the list and found the
> recent post below in the archive.)
>
> Best Regards,
>
> Henrik Villför
>
> ---------
>
> Hi Lars,
>
> According to the base protocol, there is no such restriction. When the
> DiameterIdentity format is used to identify a Diameter node, the only
> requirement is that:
>
> * the DiameterIdentity value in Origin/Destination-Host AVP is an FQDN.
>
> * there is at least one peer table in the realm identified by the
> Origin/Destination-Realm  AVP that contains the host identified by the FQDN.
>
> So Example 2 is perfectly valid from a base protocol point of view, as
> long as there is at least one node in "example.com <http://example.com>"
> with a transport connection with the peer "node.site1.example.com
> <http://node.site1.example.com>".
>
> Now, some Diameter applications may have defined specific rules
> regarding the format of realm/host identity, with explicit
> restrictions/limitations. It is then required to check if there is any
> of these restrictions defined in the related specification.
>
> Regards,
>
> Lionel
>
> De : DiME [mailto:dime-bounces <mailto:dime-bounces> at ietf.org
> <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé :
> dimanche 15 mars 2015 12:54 À : dime at ietf.org <http://ietf.org> Objet
> : [Dime] Allowed host and realm naming for a diameter node
>
> Hi,
>
> I'm trying to clarify the allowed naming convension for the host and
> realm of a diameter node. This relates to the values used in the
> Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code 296). I've
> reviewed the Diameter RFCs and cannot find a definitive answer to this
> issue.
>
> The reason for asking this question is that I'm in discussion with a
> vendor of a Diameter Routing Agent (DRA) which claims that the host of a
> diameter node has to be in the format host.realm.
>
> (1) Example of the only allowed format according to the vendor:
>
> Origin-Realm: example.com <http://example.com>
>
> Origin-Host: node.example.com <http://node.example.com>
>
> I want to clarify if multiple subdomains are allowed to be added in the
> host without being present in the realm.
>
> (2) Example:
>
> Origin-Realm: example.com <http://example.com>
>
> Origin-Host: node.site1.example.com <http://node.site1.example.com>
>
> According to the vendor, the example 2 is not allowed. To have the host
> as in example 2, the realm will have to be site1.example.com
> <http://site1.example.com>.
>
> Could someone please clarify this naming issue or point me to the
> standard where this is defined.
>
> Thank you.
>
> Best regards,
>
> Lars J. Lillehovde
>
> _________________________________________________________________________________________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
> exploites ou copies sans autorisation. Si vous avez recu ce message par
> erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les
> pieces jointes. Les messages electroniques etant susceptibles
> d'alteration, Orange decline toute responsabilite si ce message a ete
> altere, deforme ou falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged
> information that may be protected by law; they should not be
> distributed, used or copied without authorisation.
>
> If you have received this email in error, please notify the sender and
> delete this message and its attachments.
>
> As emails may be altered, Orange is not liable for messages that have
> been modified, changed or falsified.
>
> Thank you.
>
>
>
> _______________________________________________
> DiME mailing list
> DiME@ietf.org
> https://www.ietf.org/mailman/listinfo/dime
>

v2.23.0 | Report a Bug | By Email