IETF Logo Mail Archive

Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

John Basha <john.basha@ericsson.com> Thu, 02 April 2015 06:58 UTC

Return-Path: <john.basha@ericsson.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DFB91B2B64 for <dime@ietfa.amsl.com>; Wed, 1 Apr 2015 23:58:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.001
X-Spam-Level:
X-Spam-Status: No, score=-3.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_45=0.6, J_CHICKENPOX_56=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8pB33QEt4Fc for <dime@ietfa.amsl.com>; Wed, 1 Apr 2015 23:58:23 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB6BE1B2B62 for <dime@ietf.org>; Wed, 1 Apr 2015 23:58:22 -0700 (PDT)
X-AuditID: c1b4fb3a-f79146d0000070a3-80-551ce88ceb6c
Received: from ESESSHC007.ericsson.se (Unknown_Domain [153.88.253.124]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id E4.F6.28835.C88EC155; Thu, 2 Apr 2015 08:58:21 +0200 (CEST)
Received: from ESESSMB203.ericsson.se ([169.254.3.126]) by ESESSHC007.ericsson.se ([153.88.183.39]) with mapi id 14.03.0210.002; Thu, 2 Apr 2015 08:58:20 +0200
From: John Basha <john.basha@ericsson.com>
To: Dave Dolson <ddolson@sandvine.com>, Jouni Korhonen <jouni.nospam@gmail.com>, "lionel.morand@orange.com" <lionel.morand@orange.com>
Thread-Topic: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
Thread-Index: AQHQZtVXo3E0+Y3Toky225tf8HpvuZ0uJwCAgAi7fKD///nKAIABCY1AgABAzwCAACHIcIAAOHWAgAASnoCAAMKg8A==
Date: Thu, 02 Apr 2015 06:58:19 +0000
Message-ID: <EEF22AB1A43B1F49A1AA33231F387F8917582F57@ESESSMB203.ericsson.se>
References: <CAOQYgR++8P_GFq-dRP4nqSDNg9y7duCiBRF=qZ9HGmS997GsQw@mail.gmail.com> <551393FF.1090700@gmail.com> <25531_1427823666_551ADC32_25531_3828_1_6B7134B31289DC4FAF731D844122B36EEF739B@PEXCVZYM13.corporate.adroot.infra.ftgroup> <F3FB37E6-3DD1-4F88-8F6F-E137D1387118@gmail.com> <31522_1427879576_551BB697_31522_12397_1_6B7134B31289DC4FAF731D844122B36EF095B5@PEXCVZYM13.corporate.adroot.infra.ftgroup> <551C053C.3090703@gmail.com> <4977_1427910590_551C2FBD_4977_3059_1_6B7134B31289DC4FAF731D844122B36EF12509@PEXCVZYM13.corporate.adroot.infra.ftgroup> <551C50EF.2030300@gmail.com> <E8355113905631478EFF04F5AA706E9830BB09CC@wtl-exchp-2.sandvine.com>
In-Reply-To: <E8355113905631478EFF04F5AA706E9830BB09CC@wtl-exchp-2.sandvine.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.149]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpmkeLIzCtJLcpLzFFi42KZGfG3Rrf3hUyowfZ3TBZblz1kt5jbu4LN Yv+6BiaL29szHVg8ds66y+6xZMlPJo+WZyfZPL5u3s4awBLFZZOSmpNZllqkb5fAldGz7DV7 QcsSxopz3d/YGxhfzGfsYuTkkBAwkZh++iaULSZx4d56ti5GLg4hgaOMEvtfr4ZyFjNKzP98 mBWkik1AS6L30wl2kISIQBejxKtX88DamQWUJWbveMAOYgsLxEkcP7AbrEFEIF7i0s5/zBB2 lsTrGYfAalgEVCT+rz0P1ssr4Ctx920/K8S2mawSC46vZQFJcAoESJy9vg6smRHovu+n1jBB LBOXuPVkPhPE3QISS/acZ4awRSVePv7HCmErSaw9vB1oDgdQvabE+l36EK2KElO6H7JD7BWU ODnzCcsERrFZSKbOQuiYhaRjFpKOBYwsqxhFi1OLi3PTjYz0Uosyk4uL8/P08lJLNjECY+3g lt9WOxgPPnc8xCjAwajEw/vglkyoEGtiWXFl7iFGaQ4WJXFeO+NDIUIC6YklqdmpqQWpRfFF pTmpxYcYmTg4pRoYF998v11hw8XscyfDt0/QNQ0KX1a5Ye/7hKK991q5EjiqRPLLVBQ5ZnG3 Pws5YLhirsb/PzOPKSz10Uzh7+F9x8JXV7KpcKuK2dTfa0t/l83lnrBt5rRm303v5y5I3OSj wCgte7Ut1NOAzSgwXtOnfNW7HMnHm/Tr+99brThi0DJP+P/Ol3fylFiKMxINtZiLihMBMZYv h5YCAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/qKaim8ihEnwi3SNNcJjYyzqjTho>
Cc: "dime@ietf.org" <dime@ietf.org>
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2015 06:58:27 -0000

I go with Dave here. I have seen many implementations where we do not put any restriction on deciding the host or realm names like the way it is mentioned below.

It has been decided by operators based on the domain name they have.


-----Original Message-----
From: DiME [mailto:dime-bounces@ietf.org] On Behalf Of Dave Dolson
Sent: Thursday, April 02, 2015 12:18 AM
To: Jouni Korhonen; lionel.morand@orange.com
Cc: dime@ietf.org
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

In our implementation, we do not place these kinds of constraints on host or realm names. It is the operator's choice as to whether or not host and realm match DNS names.
When all Diameter connections are pre-configured, there is no need for dynamic connection to a new agent by resolving hosts in DNS.


-----Original Message-----
From: DiME [mailto:dime-bounces@ietf.org] On Behalf Of Jouni Korhonen
Sent: Wednesday, April 01, 2015 4:11 PM
To: lionel.morand@orange.com
Cc: dime@ietf.org
Subject: Re: [Dime] realm vs domain (was: Allowed host and realm naming for a diameter node)

I do not quite agree on your described use of DiameterIdentities - the part of using different domain part. It would be great to hear from implementations whether they are able to cope with that or not before going any further.

- Jouni

4/1/2015, 10:49 AM, lionel.morand@orange.com kirjoitti:
> If the FQDN is used as x-Realm AVP, the host MUST be anyway defined as an absolute domain name under the realm normally used as x-realm value ad registered in the DNS (or configured in the receiving Diameter nodes). Otherwise, the routing will fail.
> Even in this (weird) case, the FQDN may be defined in a subdomain of 
> domain name of the x-Realm AVP value expected in the Diameter messages 
> (cf. initial question)
>
> Now, when FQDN are ONLY used for x-Host AVP values (as it should be), there is no limitation regarding the domain name used for the x-Host AVP and for the x-Realm AVP value. For instance, this provides flexibility for the naming of the diameter nodes in the internal network (that can used a private naming plane) while ensuring consistency on the domain name used by external networks (using a standard naming plane).
>
> Lionel
>
> -----Message d'origine-----
> De : Jouni Korhonen [mailto:jouni.nospam@gmail.com] Envoyé : mercredi 
> 1 avril 2015 16:48 À : MORAND Lionel IMT/OLN Cc : Henrik Villför; 
> dime@ietf.org Objet : Re: [Dime] realm vs domain (was: Allowed host 
> and realm naming for a diameter node)
>
> You still need to care for implementations that do put FQDN into Origin-Realm (or Destination-Realm).
>
> - Jouni
>
> 4/1/2015, 2:12 AM, lionel.morand@orange.com kirjoitti:
>> Hi Jouni,
>>
>> Some magic might exist somewhere to fix some weird implementation, 
>> for sure. But the RFC6733 was actually meant to fix in a generic way 
>> those issues. Therefore, if someone comes to say that using FQDN as 
>> realm is correct according to RFC3588, I would only say "please refer 
>> to the
>> RFC6733 to see what should be the correct implementation of the base 
>> protocol" :)
>>
>> Lionel
>>
>> -----Message d'origine-----
>> De : Jouni.nosmap [mailto:jouni.nospam@gmail.com] Envoyé : mardi 31 
>> mars 2015 21:06 À : MORAND Lionel IMT/OLN Cc : Henrik Villför; 
>> dime@ietf.org Objet : Re: [Dime] realm vs domain (was: Allowed host 
>> and realm naming for a diameter node)
>>
>>
>>
>> Sent from a smart phone.. Mind the typos..
>>
>>> <lionel.morand@orange.com> <lionel.morand@orange.com> kirjoitti 31.3.2015 kello 10.41:
>>>
>>> Hi,
>>>
>>> Please see below.
>>>
>>> Lionel
>>>
>>> -----Message d'origine-----
>>> De : DiME [mailto:dime-bounces@ietf.org] De la part de Jouni 
>>> Korhonen Envoyé : jeudi 26 mars 2015 06:07 À : Henrik Villför; 
>>> dime@ietf.org Objet : Re: [Dime] realm vs domain (was: Allowed host 
>>> and realm naming for a diameter node)
>>>
>>> Hi,
>>>
>>> 3/25/2015, 1:18 AM, Henrik Villför kirjoitti:
>>>> Hi,
>>>>
>>>>     a follow up on the question below.
>>>>
>>>> Is there anything in the base specification requiring the realm in 
>>>> the Origin-Realm AVP to be the same as the domain part of the Origin-Host AVP?
>>>>
>>>> Would the following be allowed?
>>>>
>>>> Origin-Realm: realmexample.com
>>>>
>>>> Origin-Host: node.domainexample.com
>>>
>>> Based on my reading of RFC6733 yes.. but when reading RFC3588 no'ish.
>>> The subttle change between these two was:
>>>
>>> OLD:
>>>     DiameterIdentity  = FQDN
>>> NEW:
>>>     DiameterIdentity  = FQDN/Realm
>>>
>>> And when reading the text on a DiameterIdentity a Diameter node _should_ (ok.. the should is not must..) only use one DiameterIdentity which means the FQDN in Origin-Host and Origin-Realm should be the same..
>>>
>>> [LM]> not sure to understand what the text above means. In RFC3588, the definition in sect 4.3 was clearly an error as the text in sect 6.4 sect 6.6 was already saying that:
>>>
>>>     The Origin-Realm AVP (AVP Code 296) is of type DiameterIdentity.
>>>     This AVP contains the Realm of the originator of any Diameter message
>>>     and MUST be present in all messages.
>>
>> We need to remembet that with Diameter realm is piggybacked in DNS. So if your Origin-Realm is an FQDN and you just extract the domain part of it when using it, you achieved the same as realm. This to work properly requires some magic sauce.. which e.g. for certain deployments is described in system specific specs.
>>
>>>
>>>     The Destination-Realm AVP (AVP Code 283) is of type DiameterIdentity,
>>>     and contains the realm the message is to be routed to.
>>>
>>> [LM]> So a DiameterIdentity was meant to be either an FQDN or a Realm, depending of its use as x-Host or x-Realm AVP value. If someone was implementing the Diameter identity of a realm as an FQDN, it would be an error. And this was fixed with RFC6733.
>>
>> I would bet there is stuff out there..
>>
>> - jouni
>>
>>
>>>
>>>> Also, although none of the examples of Diameter host identities in 
>>>> rfc
>>>> 6733 show an FQDN with a trailing dot it should be allowed, but a 
>>>> realm may not end in a dot.
>>>
>>> AFAIR the FQDN first appeared in RFC1206.. none of the FQDN examples use the trailing ".". Anyway, referring to RFC1034 and the "relative names"
>>> it is stated that:
>>>
>>> --
>>> Relative names are either taken relative to a well known origin, or to a list of domains used as a search list.  Relative names appear mostly at the user interface, where their interpretation varies from implementation to implementation, and in master files, where they are relative to a single origin domain name.  The most common interpretation uses the root "." as either the single origin or as one of the members of the search list, so a multi-label relative name is often one where the trailing dot has been omitted to save typing.
>>> --
>>>
>>> Thus it is expected that the resolver library (or equivalent) knows when to add the missing "." e.g. when the domain name is supposed to be a DiameterIdentity.
>>>
>>>> So, this should be allowed:
>>>>
>>>> Origin-Host: node.domainexample.com.
>>>
>>> Irrespective of my above rant, I agree.
>>>
>>>> This should not be allowed:
>>>>
>>>> Origin-Realm: realmexample.com.
>>>
>>> Agree (since the example shows a realm).
>>>
>>> - Jouni
>>>
>>>> (Sorry about the ugly cut'n'paste. Just joined the list and found 
>>>> the recent post below in the archive.)
>>>>
>>>> Best Regards,
>>>>
>>>> Henrik Villför
>>>>
>>>> ---------
>>>>
>>>> Hi Lars,
>>>>
>>>> According to the base protocol, there is no such restriction. When 
>>>> the DiameterIdentity format is used to identify a Diameter node, 
>>>> the only requirement is that:
>>>>
>>>> * the DiameterIdentity value in Origin/Destination-Host AVP is an FQDN.
>>>>
>>>> * there is at least one peer table in the realm identified by the 
>>>> Origin/Destination-Realm  AVP that contains the host identified by the FQDN.
>>>>
>>>> So Example 2 is perfectly valid from a base protocol point of view, 
>>>> as long as there is at least one node in "example.com <http://example.com>"
>>>> with a transport connection with the peer "node.site1.example.com 
>>>> <http://node.site1.example.com>".
>>>>
>>>> Now, some Diameter applications may have defined specific rules 
>>>> regarding the format of realm/host identity, with explicit 
>>>> restrictions/limitations. It is then required to check if there is 
>>>> any of these restrictions defined in the related specification.
>>>>
>>>> Regards,
>>>>
>>>> Lionel
>>>>
>>>> De : DiME [mailto:dime-bounces <mailto:dime-bounces> at ietf.org 
>>>> <http://ietf.org>] De la part de Lars Jørgen Lillehovde Envoyé :
>>>> dimanche 15 mars 2015 12:54 À : dime at ietf.org <http://ietf.org> 
>>>> Objet
>>>> : [Dime] Allowed host and realm naming for a diameter node
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to clarify the allowed naming convension for the host 
>>>> and realm of a diameter node. This relates to the values used in 
>>>> the Origin-Host AVP (AVP Code 264) and Origin-Realm AVP (AVP Code 296).
>>>> I've reviewed the Diameter RFCs and cannot find a definitive answer 
>>>> to this issue.
>>>>
>>>> The reason for asking this question is that I'm in discussion with 
>>>> a vendor of a Diameter Routing Agent (DRA) which claims that the 
>>>> host of a diameter node has to be in the format host.realm.
>>>>
>>>> (1) Example of the only allowed format according to the vendor:
>>>>
>>>> Origin-Realm: example.com <http://example.com>
>>>>
>>>> Origin-Host: node.example.com <http://node.example.com>
>>>>
>>>> I want to clarify if multiple subdomains are allowed to be added in 
>>>> the host without being present in the realm.
>>>>
>>>> (2) Example:
>>>>
>>>> Origin-Realm: example.com <http://example.com>
>>>>
>>>> Origin-Host: node.site1.example.com <http://node.site1.example.com>
>>>>
>>>> According to the vendor, the example 2 is not allowed. To have the 
>>>> host as in example 2, the realm will have to be site1.example.com 
>>>> <http://site1.example.com>.
>>>>
>>>> Could someone please clarify this naming issue or point me to the 
>>>> standard where this is defined.
>>>>
>>>> Thank you.
>>>>
>>>> Best regards,
>>>>
>>>> Lars J. Lillehovde
>>>>
>>>> ___________________________________________________________________
>>>> _ _ _ ___________________________________________________
>>>>
>>>> Ce message et ses pieces jointes peuvent contenir des informations 
>>>> confidentielles ou privilegiees et ne doivent donc pas etre 
>>>> diffuses, exploites ou copies sans autorisation. Si vous avez recu 
>>>> ce message par erreur, veuillez le signaler a l'expediteur et le 
>>>> detruire ainsi que les pieces jointes. Les messages electroniques 
>>>> etant susceptibles d'alteration, Orange decline toute 
>>>> responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>>>>
>>>> This message and its attachments may contain confidential or 
>>>> privileged information that may be protected by law; they should 
>>>> not be distributed, used or copied without authorisation.
>>>>
>>>> If you have received this email in error, please notify the sender 
>>>> and delete this message and its attachments.
>>>>
>>>> As emails may be altered, Orange is not liable for messages that 
>>>> have been modified, changed or falsified.
>>>>
>>>> Thank you.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> DiME mailing list
>>>> DiME@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dime
>>>
>>> _______________________________________________
>>> DiME mailing list
>>> DiME@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dime
>>>
>>> ____________________________________________________________________
>>> _ _ ___________________________________________________
>>>
>>> Ce message et ses pieces jointes peuvent contenir des informations 
>>> confidentielles ou privilegiees et ne doivent donc pas etre 
>>> diffuses, exploites ou copies sans autorisation. Si vous avez recu 
>>> ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>>>
>>> This message and its attachments may contain confidential or 
>>> privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
>>> If you have received this email in error, please notify the sender and delete this message and its attachments.
>>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>>> Thank you.
>>>
>>
>> _____________________________________________________________________
>> _ ___________________________________________________
>>
>> Ce message et ses pieces jointes peuvent contenir des informations 
>> confidentielles ou privilegiees et ne doivent donc pas etre diffuses, 
>> exploites ou copies sans autorisation. Si vous avez recu ce message 
>> par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>>
>> This message and its attachments may contain confidential or 
>> privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
>> If you have received this email in error, please notify the sender and delete this message and its attachments.
>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>> Thank you.
>>
>
> ______________________________________________________________________
> ___________________________________________________
>
> Ce message et ses pieces jointes peuvent contenir des informations 
> confidentielles ou privilegiees et ne doivent donc pas etre diffuses, 
> exploites ou copies sans autorisation. Si vous avez recu ce message 
> par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
> This message and its attachments may contain confidential or 
> privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>

_______________________________________________
DiME mailing list
DiME@ietf.org
https://www.ietf.org/mailman/listinfo/dime
_______________________________________________
DiME mailing list
DiME@ietf.org
https://www.ietf.org/mailman/listinfo/dime

v2.23.0 | Report a Bug | By Email