IETF Logo Mail Archive

Re: [Dime] Dime WG at IETF 113 / Vienna ??

Alan DeKok <aland@deployingradius.com> Thu, 10 March 2022 13:39 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE3273A089C for <dime@ietfa.amsl.com>; Thu, 10 Mar 2022 05:39:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FceealrOpRLS for <dime@ietfa.amsl.com>; Thu, 10 Mar 2022 05:39:47 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB97C3A0854 for <dime@ietf.org>; Thu, 10 Mar 2022 05:39:46 -0800 (PST)
Received: from smtpclient.apple (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 277354EF; Thu, 10 Mar 2022 13:39:39 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <20220310070355.GC24851@openfortress.nl>
Date: Thu, 10 Mar 2022 08:39:38 -0500
Cc: Diameter Maint/Ext <dime@ietf.org>, adriaan@cnossos.nl, henri@mansoft.nl
Content-Transfer-Encoding: quoted-printable
Message-Id: <4ADABF6A-51D7-4018-99B6-D4A42C0A9777@deployingradius.com>
References: <20220310070355.GC24851@openfortress.nl>
To: Rick van Rein <rick@OPENFORTRESS.NL>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dime/YhrCgnPUOMEMH-Bwj1fvZUixD34>
Subject: Re: [Dime] Dime WG at IETF 113 / Vienna ??
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2022 13:39:53 -0000

On Mar 10, 2022, at 2:03 AM, Rick van Rein <rick@OPENFORTRESS.NL> wrote:

  So far as I know DIME is mostly done.  There's no new work being planned.

> Documents:
> https://datatracker.ietf.org/doc/html/draft-vanrein-internetwide-realm-crossover

  Section 3 says:

   However, the NAI
   defaults to realm-internal use but BYOID always needs to express the
   domain, so the root of the grammar tree is different:

 The "realm-internal" phrase isn't defined anywhere.  From what I can guess, this claim isn't correct.

  RFC 7542 forbids the use of non-domain NAIs, e.g. "fred@sales".

  RFC 7542 allows for the use of domain names which can be resolved publicly (example.com), or ones which don't need to be resolved publicly (internal.example.com).  It's up to the domain to control which one is used.

  RFC 7542 Section 3 explicitly allows for routing to be done on a portion of the the domain name, a system gets "fred@internal.example.com", and has a route for "example.com".  The users request is then routed to "example.com".

  So there appears to be no need for any new definitions.  Just use the format and methods which have already been defined.  Inter-domain auth routing is a solved problem.  The problem which isn't solved is *why* people would do it.

  Section 3 of your document also says:

   The utf8-username and utf8-realm are both considered to be case-
   insensitive, 

  This is not correct.  The utf8-realm is case sensitive, but RFC 7542 Section 3 says:

   As noted earlier,
   intermediate nodes may not have access to the same locale information
   as the system that injected the NAI into the AAA routing systems.
   Therefore, almost all "case insensitive" comparisons can be wrong.

  i.e. the uff8-username is explicitly defined to be site-local.  See Section 2.4:

   Interpretation of the username part of the NAI depends on the realm
   in question.  Therefore, the utf8-username portion SHOULD be treated
   as opaque data when processed by nodes that are not a part of the
   home domain for that realm.

  i.e. suggesting any content for the utf8-username is likely to not succeed.

> https://datatracker.ietf.org/doc/draft-vanrein-diameter-sasl/

  I already commented on the feasibility of a Diameter-bases global routing system in EMU a while ago.  My opinions haven't changed since then.

  If your proposal requires every domain to run a Diameter server, then it's dead in the water.  It's just not going to happen.

  Many people were pushing business-to-business roaming in the late 1990s.  It still hasn't happened.   For ISPs and Telcos, it's taken them ~15 years of work to see the value of something like OpenRoaming.

  History shows that no one sees a value in B2B roaming.  I would suggest concentrating on convincing people it has value, and also to switch to technologies which have a hope of being deployed.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email