IETF Logo Mail Archive

[radext] draft-ietf-radext-nai-08 AD review

Benoit Claise <bclaise@cisco.com> Tue, 28 October 2014 22:51 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D35A1A03E3 for <radext@ietfa.amsl.com>; Tue, 28 Oct 2014 15:51:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tHMBLoZCw_ZO for <radext@ietfa.amsl.com>; Tue, 28 Oct 2014 15:51:39 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFD3F1A00D7 for <radext@ietf.org>; Tue, 28 Oct 2014 15:51:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8742; q=dns/txt; s=iport; t=1414536699; x=1415746299; h=message-id:date:from:mime-version:to:subject; bh=EQbldYozwyZQ+0rS2g4HDKPPo/FCGU00a9UM+1tyuTk=; b=mT9zs1CUCuIr/gb6c85RMRkWfK9DxLFi5jnRT0mdwc7F8gcKRgOmfSEH n91NG9Fl6if8PWQ8ZsmxRB5QqjZcBTFFldlmqy2pWZRP0NqVZe23Jrcum m9FWtXTc/b+bP4mbyZUmIEdi90c9PLKF4X9m16p3yrhJuBpLPeXnINHTS 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AukEADUdUFStJssW/2dsb2JhbABcg2JYAYhgw3aBcIkCAQEBAQF9hQE9FhgDAgECAUsBDAgBARCILQ3FZQEBAQEGAQEBAQEdkESFFwWWVYJDhFCBbYYBjkiDeTwvAYJKAQEB
X-IronPort-AV: E=Sophos;i="5.04,805,1406592000"; d="scan'208,217";a="228878737"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP; 28 Oct 2014 22:51:37 +0000
Received: from [10.60.67.85] (ams-bclaise-8914.cisco.com [10.60.67.85]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s9SMpaqE013834; Tue, 28 Oct 2014 22:51:36 GMT
Message-ID: <54501DF8.3070802@cisco.com>
Date: Tue, 28 Oct 2014 23:51:36 +0100
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: draft-ietf-radext-nai@tools.ietf.org, "radext@ietf.org" <radext@ietf.org>
Content-Type: multipart/alternative; boundary="------------000808020402010900090000"
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/7fE7ecd6dHB_iNgi9Rot3mvL6Gw
Subject: [radext] draft-ietf-radext-nai-08 AD review
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 22:51:42 -0000

Dear all,

Here is my draft-ietf-radext-nai-08 AD review

_Technical:_
-

    AAA systems MUST therefore be
    able to handle user identifiers which are not in the NAI format.

    ...

    Systems MAY accept user identifiers in forms other than the NAI.

These are contradictory.
I believe that:
- those two sentences (or paragraphs) should be next to each others.
- the second sentence should stress "Non AAA systems"

    _Systems_MAY accept user identifiers in forms other than the NAI.
    This specification does not forbid that practice.  It only codifies
    the format and interpretation of the NAI.  We cannot expect to change
    existing protocols or practices.  We can, however, suggest that using
    a consistent form for a user identifier is of a benefit to the
    community.

    Where protocols carry identifiers which are expected to be
    transported over an AAA protocol, it is RECOMMENDED that the
    identifiers be in NAI format.  Where the identifiers are not in the
    NAI format, it is up to the_AAA systems_  to discover this, and to
    process them.  This document does not suggest how that is done.
    However, existing practice indicates that it is possible.

Be consistent between systems, non-AAA systems, and AAA systems

Editorial:

-
when you produce a new draft version, don't forget 
http://tools.ietf.org/wg/radext/trac/ticket/176

-

   Considerable interest exists for a set of features that fit within
    the general category of inter-domain authentiction

authentication

-
    Normalization Canonicalization

       These terms are defined in[RFC6365] Section 4  <http://tools.ietf.org/html/rfc6365#section-4>.  We incorporate
       the definitions here by reference.

Isn't "Normalization or Canonicalization"

- Like mentioned in the last bullet point below, all links should point 
to the RFC4282 sections, not to draft-ietf-radext-nai-08 sections.

    *  The requirement inSection 2.1  <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.1>  that realms are ASCII conflicts
       with the Extensible Authentication Protocol (EAP) and RADIUS,
       which are both 8-bit clean, and which both recommend the use of
       UTF-8 for identitifiers.

    *Section 2.4  <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4>  required mappings that are language-specific,
       and which are nearly impossible for intermediate nodes to perform
       correctly without information about that language.

    *Section 2.4  <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4>  requires normalization of user names, which
       may conflict with local system or administrative requirements.

    * The recommendations inSection 2.4  <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4>  for treatment of
       bidirectional characters have proven to be unworkable.

    * The prohibition against use of unassigned code points in
       Section 2.4  <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-2.4>  effectively prohibits support for new scripts.

    * No Authentication, Authorization, and Accounting (AAA)
       client, proxy, or server has implemented any of the requirements
       in[RFC4282] Section 2.4  <http://tools.ietf.org/html/rfc4282#section-2.4>, among other sections.



-


    5 <http://tools.ietf.org/html/draft-ietf-radext-nai-08#section-5>.
    Administration of Names


    In order to avoid creating any new administrative procedures,


    administration of the NAI realm namespace piggybacks on the
    administration of the DNS namespace.

There is a tag issue above. The section tag contains the first line of section 5.

Regards, Benoit

v2.23.0 | Report a Bug | By Email