IETF Logo Mail Archive

Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

Dave Dolson <ddolson@sandvine.com> Wed, 01 April 2015 21:18 UTC

Return-Path: <ddolson@sandvine.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF2A11A064C for <dime@ietfa.amsl.com>; Wed, 1 Apr 2015 14:18:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.71
X-Spam-Level:
X-Spam-Status: No, score=-0.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_45=0.6, J_CHICKENPOX_56=0.6, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hlqAKFlu-ZSk for <dime@ietfa.amsl.com>; Wed, 1 Apr 2015 14:18:07 -0700 (PDT)
Received: from mail1.sandvine.com (mail1.sandvine.com [64.7.137.165]) by ietfa.amsl.com (Postfix) with ESMTP id D09001A03AA for <dime@ietf.org>; Wed, 1 Apr 2015 14:18:06 -0700 (PDT)
Received: from WTL-EXCHP-2.sandvine.com ([fe80::68ac:f071:19ff:3455]) by WTL-EXCHP-3.sandvine.com ([::1]) with mapi id 14.03.0195.001; Wed, 1 Apr 2015 17:18:06 -0400
From: Dave Dolson <ddolson@sandvine.com>
To: Jouni Korhonen <jouni.nospam@gmail.com>, "lionel.morand@orange.com" <lionel.morand@orange.com>
Thread-Topic: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
Thread-Index: AQHQZtVX5n1tB/xwgki5U/RW1kODHJ0uetGAgAiuTICAABe+AIAA7JuAgABdwQCAADKqAIAAJ5OA///N/zA=
Date: Wed, 01 Apr 2015 21:18:05 +0000
Message-ID: <E8355113905631478EFF04F5AA706E9830BB09CC@wtl-exchp-2.sandvine.com>
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com> <551393FF.1090700@gmail.com> <25531_1427823666_551ADC32_25531_3828_1_6B7134B31289DC4FAF731D844122B36EEF739B@PEXCVZYM13.corporate.adroot.infra.ftgroup> <F3FB37E6-3DD1-4F88-8F6F-E137D1387118@gmail.com> <31522_1427879576_551BB697_31522_12397_1_6B7134B31289DC4FAF731D844122B36EF095B5@PEXCVZYM13.corporate.adroot.infra.ftgroup> <551C053C.3090703@gmail.com> <4977_1427910590_551C2FBD_4977_3059_1_6B7134B31289DC4FAF731D844122B36EF12509@PEXCVZYM13.corporate.adroot.infra.ftgroup> <551C50EF.2030300@gmail.com>
In-Reply-To: <551C50EF.2030300@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.200.63]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/jXU8xHUUNiS_Z5wU0maRMraVY80>
Cc: "dime@ietf.org" <dime@ietf.org>
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2015 21:18:09 -0000

In our implementation, we do not place these kinds of constraints on host or realm names. It is the operator's choice as to whether or not host and realm match DNS names.
When all Diameter connections are pre-configured, there is no need for dynamic connection to a new agent by resolving hosts in DNS.


-----Original Message-----
From: DiME [mailto:dime-bounces@ietf.org] On Behalf Of Jouni Korhonen
Sent: Wednesday, April 01, 2015 4:11 PM
To: lionel.morand@orange.com
Cc: dime@ietf.org
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

I do not quite agree on your described use of DiameterIdentities - the 
part of using different domain part. It would be great to hear from 
implementations whether they are able to cope with that or not before 
going any further.

- Jouni

4/1/2015, 10:49 AM, lionel.morand@orange.com kirjoitti:
> If the FQDN is used as x-Realm AVP, the host MUST be anyway defined as an absolute domain name under the realm normally used as x-realm value ad registered in the DNS (or configured in the receiving Diameter nodes). Otherwise, the routing will fail.
> Even in this (weird) case, the FQDN may be defined in a subdomain of domain name of the x-Realm AVP value expected in the Diameter messages (cf. initial question)
>
> Now, when FQDN are ONLY used for x-Host AVP values (as it should be), there is no limitation regarding the domain name used for the x-Host AVP and for the x-Realm AVP value. For instance, this provides flexibility for the naming of the diameter nodes in the internal network (that can used a private naming plane) while ensuring consistency on the domain name used by external networks (using a standard naming plane).
>
> Lionel
>
> -----Message d'origine-----
> De : Jouni Korhonen [mailto:jouni.nospam@gmail.com]
> Envoyé : mercredi 1 avril 2015 16:48
> À : MORAND Lionel IMT/OLN
> Cc : Henrik Villför; dime@ietf.org
> Objet : Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
>
> You still need to care for implementations that do put FQDN into Origin-Realm (or Destination-Realm).
>
> - Jouni
>
> 4/1/2015, 2:12 AM, lionel.morand@orange.com kirjoitti:
>> Hi Jouni,
>>
>> Some magic might exist somewhere to fix some weird implementation, for
>> sure. But the RFC6733 was actually meant to fix in a generic way those
>> issues. Therefore, if someone comes to say that using FQDN as realm is
>> correct according to RFC3588, I would only say "please refer to the
>> RFC6733 to see what should be the correct implementation of the base
>> protocol" :)
>>
>> Lionel
>>
>> -----Message d'origine-----
>> De : Jouni.nosmap [mailto:jouni.nospam@gmail.com] Envoyé : mardi 31
>> mars 2015 21:06 À : MORAND Lionel IMT/OLN Cc : Henrik Villför;
>> dime@ietf.org Objet : Re: [Dime] realm vs domain (was: Allowed host
>> and realm naming for a diameter node)
>>
>>
>>
>> Sent from a smart phone.. Mind the typos..
>>
>>> <lionel.morand@orange.com> <lionel.morand@orange.com> kirjoitti 31.3.2015 kello 10.41:
>>>
>>> Hi,
>>>
>>> Please see below.
>>>
>>> Lionel
>>>
>>> -----Message d'origine-----
>>> De : DiME [mailto:dime-bounces@ietf.org] De la part de Jouni Korhonen
>>> Envoyé : jeudi 26 mars 2015 06:07 À : Henrik Villför; dime@ietf.org
>>> Objet : Re: [Dime] realm vs domain (was: Allowed host and realm
>>> naming for a diameter node)
>>>
>>> Hi,
>>>
>>> 3/25/2015, 1:18 AM, Henrik Villför kirjoitti:
>>>> Hi,
>>>>
>>>>     a follow up on the question below.
>>>>
>>>> Is there anything in the base specification requiring the realm in
>>>> the Origin-Realm AVP to be the same as the domain part of the Origin-Host AVP?
>>>>
>>>> Would the following be allowed?
>>>>
>>>> Origin-Realm: realmexample.com
>>>>
>>>> Origin-Host: node.domainexample.com
>>>
>>> Based on my reading of RFC6733 yes.. but when reading RFC3588 no'ish.
>>> The subttle change between these two was:
>>>
>>> OLD:
>>>     DiameterIdentity  = FQDN
>>> NEW:
>>>     DiameterIdentity  = FQDN/Realm
>>>
>>> And when reading the text on a DiameterIdentity a Diameter node _should_ (ok.. the should is not must..) only use one DiameterIdentity which means the FQDN in Origin-Host and Origin-Realm should be the same..
>>>
>>> [LM]> not sure to understand what the text above means. In RFC3588, the definition in sect 4.3 was clearly an error as the text in sect 6.4 sect 6.6 was already saying that:
>>>
>>>     The Origin-Realm AVP (AVP Code 296) is of type DiameterIdentity.
>>>     This AVP contains the Realm of the originator of any Diameter message
>>>     and MUST be present in all messages.
>>
>> We need to remembet that with Diameter realm is piggybacked in DNS. So if your Origin-Realm is an FQDN and you just extract the domain part of it when using it, you achieved the same as realm. This to work properly requires some magic sauce.. which e.g. for certain deployments is described in system specific specs.
>>
>>>
>>>     The Destination-Realm AVP (AVP Code 283) is of type DiameterIdentity,
>>>     and contains the realm the message is to be routed to.
>>>
>>> [LM]> So a DiameterIdentity was meant to be either an FQDN or a Realm, depending of its use as x-Host or x-Realm AVP value. If someone was implementing the Diameter identity of a realm as an FQDN, it would be an error. And this was fixed with RFC6733.
>>
>> I would bet there is stuff out there..
>>
>> - jouni
>>
>>
>>>
>>>> Also, although none of the examples of Diameter host identities in
>>>> rfc
>>>> 6733 show an FQDN with a trailing dot it should be allowed, but a
>>>> realm may not end in a dot.
>>>
>>> AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples use the trailing ".". Anyway, referring to RFC1034 and the "relative names"
>>> it is stated that:
>>>
>>> --
>>> Relative names are either taken relative to a well known origin, or to a list of domains used as a search list.  Relative names appear mostly at the user interface, where their interpretation varies from implementation to implementation, and in master files, where they are relative to a single origin domain name.  The most common interpretation uses the root "." as either the single origin or as one of the members of the search list, so a multi-label relative name is often one where the trailing dot has been omitted to save typing.
>>> --
>>>
>>> Thus it is expected that the resolver library (or equivalent) knows when to add the missing "." e.g. when the domain name is supposed to be a DiameterIdentity.
>>>
>>>> So, this should be allowed:
>>>>
>>>> Origin-Host: node.domainexample.com.
>>>
>>> Irrespective of my above rant, I agree.
>>>
>>>> This should not be allowed:
>>>>
>>>> Origin-Realm: realmexample.com.
>>>
>>> Agree (since the example shows a realm).
>>>
>>> - Jouni
>>>
>>>> (Sorry about the ugly cut'n'paste. Just joined the list and found
>>>> the recent post below in the archive.)
>>>>
>>>> Best Regards,
>>>>
>>>> Henrik Villför
>>>>
>>>> ---------
>>>>
>>>> Hi Lars,
>>>>
>>>> According to the base protocol, there is no such restriction. When
>>>> the DiameterIdentity format is used to identify a Diameter node, the
>>>> only requirement is that:
>>>>
>>>> * the DiameterIdentity value in Origin/Destination-Host AVP is an FQDN.
>>>>
>>>> * there is at least one peer table in the realm identified by the
>>>> Origin/Destination-Realm  AVP that contains the host identified by the FQDN.
>>>>
>>>> So Example 2 is perfectly valid from a base protocol point of view,
>>>> as long as there is at least one node in "example.com <http://example.com>"
>>>> with a transport connection with the peer "node.site1.example.com
>>>> <http://node.site1.example.com>".
>>>>
>>>> Now, some Diameter applications may have defined specific rules
>>>> regarding the format of realm/host identity, with explicit
>>>> restrictions/limitations. It is then required to check if there is
>>>> any of these restrictions defined in the related specification.
>>>>
>>>> Regards,
>>>>
>>>> Lionel
>>>>
>>>> De : DiME [mailto:dime-bounces <mailto:dime-bounces> at ietf.org
>>>> <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé :
>>>> dimanche 15 mars 2015 12:54 À : dime at ietf.org <http://ietf.org>
>>>> Objet
>>>> : [Dime] Allowed host and realm naming for a diameter node
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to clarify the allowed naming convension for the host and
>>>> realm of a diameter node. This relates to the values used in the
>>>> Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code 296).
>>>> I've reviewed the Diameter RFCs and cannot find a definitive answer
>>>> to this issue.
>>>>
>>>> The reason for asking this question is that I'm in discussion with a
>>>> vendor of a Diameter Routing Agent (DRA) which claims that the host
>>>> of a diameter node has to be in the format host.realm.
>>>>
>>>> (1) Example of the only allowed format according to the vendor:
>>>>
>>>> Origin-Realm: example.com <http://example.com>
>>>>
>>>> Origin-Host: node.example.com <http://node.example.com>
>>>>
>>>> I want to clarify if multiple subdomains are allowed to be added in
>>>> the host without being present in the realm.
>>>>
>>>> (2) Example:
>>>>
>>>> Origin-Realm: example.com <http://example.com>
>>>>
>>>> Origin-Host: node.site1.example.com <http://node.site1.example.com>
>>>>
>>>> According to the vendor, the example 2 is not allowed. To have the
>>>> host as in example 2, the realm will have to be site1.example.com
>>>> <http://site1.example.com>.
>>>>
>>>> Could someone please clarify this naming issue or point me to the
>>>> standard where this is defined.
>>>>
>>>> Thank you.
>>>>
>>>> Best regards,
>>>>
>>>> Lars J. Lillehovde
>>>>
>>>> ____________________________________________________________________
>>>> _ _ ___________________________________________________
>>>>
>>>> Ce message et ses pieces jointes peuvent contenir des informations
>>>> confidentielles ou privilegiees et ne doivent donc pas etre
>>>> diffuses, exploites ou copies sans autorisation. Si vous avez recu
>>>> ce message par erreur, veuillez le signaler a l'expediteur et le
>>>> detruire ainsi que les pieces jointes. Les messages electroniques
>>>> etant susceptibles d'alteration, Orange decline toute responsabilite
>>>> si ce message a ete altere, deforme ou falsifie. Merci.
>>>>
>>>> This message and its attachments may contain confidential or
>>>> privileged information that may be protected by law; they should not
>>>> be distributed, used or copied without authorisation.
>>>>
>>>> If you have received this email in error, please notify the sender
>>>> and delete this message and its attachments.
>>>>
>>>> As emails may be altered, Orange is not liable for messages that
>>>> have been modified, changed or falsified.
>>>>
>>>> Thank you.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> DiME mailing list
>>>> DiME@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dime
>>>
>>> _______________________________________________
>>> DiME mailing list
>>> DiME@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dime
>>>
>>> _____________________________________________________________________
>>> _ ___________________________________________________
>>>
>>> Ce message et ses pieces jointes peuvent contenir des informations
>>> confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
>>> exploites ou copies sans autorisation. Si vous avez recu ce message
>>> par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>>>
>>> This message and its attachments may contain confidential or
>>> privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
>>> If you have received this email in error, please notify the sender and delete this message and its attachments.
>>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>>> Thank you.
>>>
>>
>> ______________________________________________________________________
>> ___________________________________________________
>>
>> Ce message et ses pieces jointes peuvent contenir des informations
>> confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
>> exploites ou copies sans autorisation. Si vous avez recu ce message
>> par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>>
>> This message and its attachments may contain confidential or
>> privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
>> If you have received this email in error, please notify the sender and delete this message and its attachments.
>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>> Thank you.
>>
>
> _________________________________________________________________________________________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>

_______________________________________________
DiME mailing list
DiME@ietf.org
https://www.ietf.org/mailman/listinfo/dime

v2.23.0 | Report a Bug | By Email