Re: [Dime] Question on realm validity in answer messages

Ivan Skytte Jørgensen <isj-dime@i1.dk> Thu, 08 May 2014 10:02 UTC

From: Ivan Skytte Jørgensen <isj-dime@i1.dk>
To: dime@ietf.org
Date: Thu, 08 May 2014 12:01:53 +0200
Message-ID: <45154619.JSnkTfiJ8Y@isjsys>
User-Agent: KMail/4.11.5 (Linux/3.11.10-7-desktop; KDE/4.11.5; x86_64; ; )
In-Reply-To: <0EFE155B2AF9B44A9537DA67801704F96B3341E2@ROCK5.qtel.ad.pri>
References: <0EFE155B2AF9B44A9537DA67801704F96B3341E2@ROCK5.qtel.ad.pri>
Archived-At: http://mailarchive.ietf.org/arch/msg/dime/R7KgjQVNfgvpG96QVaQSLpj20R4

On Thursday 08 May 2014 05:44:18 Marco Stura wrote:
> Dear all,
> 
> I'm facing the following situation.
> 
[proxy modifies destination-realm in requests, but doesn't modify origin-realm in the answer coming back]
...
> However, to say the least, this configuration is quite bizarre and the client IMHO is right to terminate the session as this behavior may look to the client like an answer from a malicious node. But I don't remember any discussion on these aspects back at the Diameter protocol development time.....
> 
> Any opinion on this scenario?

I have always found the Origin-Realm AVP of dubious value. Checks on acceptable origins/paths of an answer are done on the Route-Record AVP - not the origin-host/origin-realm.

On the other hand, the proxy in your example modifies the destination-realm in the request, so logically it should modify the origin-realm in the answer.

/isj
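A minimal model of the scenario discussed in this thread, added here as an example and not code from the original messages: a proxy rewrites Destination-Realm on the outgoing request, and the client checks that the answer's Origin-Realm matches the Destination-Realm it sent. Realm and host names are constructed and the helper names are hypothetical; `run(True)` is the proxy that also restores Origin-Realm on the way back, `run(False)` the one from the original question.

```python
import itertools

CLIENT_REALM = "client.example"        # constructed values
UPSTREAM_REALM = "upstream.example"    # realm the client believes it addresses
REAL_REALM = "backend.example"         # realm the proxy actually routes to
PROXY_HOST = "proxy.client.example"
_hbh = itertools.count(1)              # Hop-by-Hop identifier generator

def build_request(dest_realm, end_to_end=0x1234):
    """Client-side request; the client remembers the Destination-Realm it sent."""
    return {"hbh": next(_hbh), "e2e": end_to_end, "request": True,
            "Origin-Realm": CLIENT_REALM, "Destination-Realm": dest_realm,
            "Route-Record": []}

def proxy_forward(req, realm_map):
    """Proxy rewrites Destination-Realm, assigns its own Hop-by-Hop id, appends itself to Route-Record."""
    fwd = dict(req)
    fwd["hbh"] = next(_hbh)
    fwd["Destination-Realm"] = realm_map.get(req["Destination-Realm"], req["Destination-Realm"])
    fwd["Route-Record"] = req["Route-Record"] + [PROXY_HOST]
    state = {"client_hbh": req["hbh"], "client_dest_realm": req["Destination-Realm"]}
    return fwd, state

def server_answer(req):
    """Server answers with its own realm as Origin-Realm, echoing both identifiers."""
    return {"hbh": req["hbh"], "e2e": req["e2e"], "request": False,
            "Origin-Realm": req["Destination-Realm"], "Result-Code": 2001}

def proxy_return(ans, state, restore_origin_realm):
    """Proxy restores the client's Hop-by-Hop id; optionally makes Origin-Realm consistent with the rewrite."""
    back = dict(ans)
    back["hbh"] = state["client_hbh"]
    if restore_origin_realm:
        back["Origin-Realm"] = state["client_dest_realm"]
    return back

def validate_answer(req, ans):
    """Client check: identifiers must match the pending request, Origin-Realm must match the realm addressed."""
    if ans["request"] or ans["hbh"] != req["hbh"] or ans["e2e"] != req["e2e"]:
        return False, "identifier mismatch"
    if ans["Origin-Realm"] != req["Destination-Realm"]:
        return False, f"Origin-Realm {ans['Origin-Realm']} != Destination-Realm {req['Destination-Realm']}"
    return True, "ok"

def run(restore_origin_realm):
    req = build_request(UPSTREAM_REALM)
    fwd, state = proxy_forward(req, {UPSTREAM_REALM: REAL_REALM})
    ans = proxy_return(server_answer(fwd), state, restore_origin_realm)
    return validate_answer(req, ans)
```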