Re: [radext] Call for WG Adoption for draft-dekok-radext-nai-02; The Network Access Identifier
Bernard Aboba <bernard_aboba@hotmail.com> Sat, 22 December 2012 13:24 UTC
Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F71D21F8ABC for <radext@ietfa.amsl.com>; Sat, 22 Dec 2012 05:24:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.548
X-Spam-Level:
X-Spam-Status: No, score=-103.548 tagged_above=-999 required=5 tests=[AWL=1.050, BAYES_00=-2.599, GB_I_LETTER=-2, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3vb4o2s9a2w for <radext@ietfa.amsl.com>; Sat, 22 Dec 2012 05:24:30 -0800 (PST)
Received: from blu0-omc4-s19.blu0.hotmail.com (blu0-omc4-s19.blu0.hotmail.com [65.55.111.158]) by ietfa.amsl.com (Postfix) with ESMTP id F39FB21F8ABA for <radext@ietf.org>; Sat, 22 Dec 2012 05:24:29 -0800 (PST)
Received: from BLU002-W53 ([65.55.111.135]) by blu0-omc4-s19.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Sat, 22 Dec 2012 05:24:29 -0800
X-EIP: [AxNKBi7eUwangLpufxXAG7fFtzFDaczN]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU002-W53B65F53797B213935F82593350@phx.gbl>
Content-Type: multipart/alternative; boundary="_1b2e9cc6-b081-478c-b1c1-eb0e27c94c30_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: Jouni Korhonen <jouni.nospam@gmail.com>, "radext@ietf.org" <radext@ietf.org>
Date: Sat, 22 Dec 2012 05:24:29 -0800
Importance: Normal
In-Reply-To: <4C9E0CE0-D42E-4E2B-8772-08DCDD276064@gmail.com>
References: <0AA5F862-FC51-43E8-9099-2F3F15406164@gmail.com> <50CCB073.1090009@freeradius.org>, <50D33A12.9040608@cisco.com> <50D34419.7090005@deployingradius.com>, <4C9E0CE0-D42E-4E2B-8772-08DCDD276064@gmail.com>
MIME-Version: 1.0
X-OriginalArrivalTime: 22 Dec 2012 13:24:29.0592 (UTC) FILETIME=[ABF5B980:01CDE047]
Cc: Benoit Claise <bclaise@cisco.com>, Alan DeKok <aland@deployingradius.com>
Subject: Re: [radext] Call for WG Adoption for draft-dekok-radext-nai-02; The Network Access Identifier
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Dec 2012 13:24:31 -0000
> @Alan: resubmit the current document as a draft-ietf-* as soon as > possible. > > We will continue pursuing the one document approach (based on the > current charter). Of course WG is now free to decide anything on > the content as long as there is consensus and it fits to the > charter. [BA] When re-submitting the document as draft-ietf-*, please utilize the pre-5378 boilerplate, since the document contains text from RFC 4282 and RFC 2486. Also, some notes: Section 1.4 The motivation to revise [RFC4282] began with internationalization concerns raised in the context of [EDUROAM]. Section 2.1 of [RFC4282] defines ABNF for realms which limits the realm grammar to English letters, digits, and the hyphen "-" character. The intent appears to have been to encode, compare, and transport realms with the ToASCII operation defined in [RFC5890]. There are a number of problems with this approach: [BA] One big problem with the RFC 4282 ABNF, is that it is not aligned with internationalization of the DNS. You might note this in the first bullet since it is referred to elsewhere. Section 2.1 See [RFC5198] for a discussion of normalization; implementations of this specification MUST use the Normal Form Composed (NFC) for NAIs. [BA] I would recommend carrying over the text from RFC 5335: See [RFC5198] for a discussion of normalization; the use of normalization form NFC is RECOMMENDED. Section 2.3 Devices handling NAIs MUST support an NAI length of at least 72 octets. Devices SHOULD support an NAI length of 253 octets. However, the following implementation issues should be considered: [BA] It should be pointed out that when using UTF-8 that the NAI octet length constraint may result in a more severe constraint on the number of UTF-8 characters. Section 2.4 Omitting the username part is RECOMMENDED over using a fixed username part, such as "anonymous", since it provides an unambiguous way to determine whether the username is intended to uniquely identify a single user. [BA] I might consider changing (or deleting) this sentence, since in practice, I believe that use of a fixed username part is more popular than omitting the username part. Section 2.5 o Realms MUST be of the form that can be registered as a Fully Qualified Domain Name (FQDN) within the DNS name system. [BA] Delete "name system". Section 2.6 All normalization MUST be performed by end systems that take "local" text as input. That is, text that is in an encoding other than UTF-8, or that has locale-specific variations. In a network access setting, such systems are typically the client (e.g. EAP supplicant) and the Authentication, Authorization, and Accounting (AAA) server. [BA] As used in this section, "normalization" appears to go beyond the conversion of Unicode characters to canonical form. I might rewrite this to say "Conversion to Unicode as well as normalization is expected to be performed by end systems that take "local" text as input." All other AAA systems (proxies, etc.) MUST NOT perform normalization. These other systems do not have access to locale and character set information that is available to end systems. [BA] Suggest rewriting to say "Since AAA proxies do not have access to locale and character set information that is available to end systems, they are typically incapable of converting local input to Unicode." EAP supplicants MUST normalize user names that get placed in the EAP- Response/Identity field. They MUST NOT copy localized text into that field. This normalization SHOULD be performed once, and then cached for subsequent use. [BA] Since RFC 4282 was published, RADIUS has been extended to cover application protocols such as in RFC 5090 (SIP and HTTP) and ABFAB. As a result, the advice needs to be generalized. Suggest rewriting to "Copying of localized text into fields that can subsequently be placed into the RADIUS User-Name attribute is problematic since this can result in a AAA proxy encountering non-UTF8 characters within what it expects to be an NAI, resulting in potential difficulties in realm routing. As an example, RFC 3579 Section 2.1 states: the NAS MUST copy the contents of the Type-Data field of the EAP-Response/Identity received from the peer into the User-Name attribute As a result, AAA proxies expect the contents of the EAP-Response/Identity sent by an EAP supplicant to consist of UTF-8 characters, not localized text." Section 2.9 The "realm" portion of the NAI is intended to be compatible with domain names used in DNS systems. However, the "realm" portion within AAA systems is intended to be a UTF-8 string, not an ASCII string as with the DNS protocol. Therefore, AAA systems transporting NAIs in an AAA protocol MUST NOT encode the "utf8-realm" portion using the ToAscii function. That function creates strings that may be transported over DNS, and it is not appropriate for use within an AAA protocol. [BA] Since the DNS protocol is 8-bit clean, I suggest the above text be modified as follows: 'The "realm" portion of the NAI is intended to be compatible with Internationalized Domain Names [RFC5890]. Since the "realm" portion as transported within the RADIUS User-Name attribute is composed of U-labels, not A-labels, there is no reason for a NAS to apply the ToAscii function to the "realm" portion of an NAI prior to placing the NAI into a RADIUS User-Name attribute.' When the realm portion of the NAI is used as the basis for name lookups within the DNS system, the ToASCII operation defined in [RFC5890] MAY be used to convert internationalized realm names to ASCII. This function is normally handled by a DNS resolver library on the local system. When this function is not handled by a DNS resolver library, the AAA system MAY perform the ToAscii conversion itself, before passing the modified realm name to the DNS resolver library. [BA] As noted in RFC 6055, resolver APIs are not DNS-specific. So I would use the term "resolver API" rather than DNS resolver library. Recommend the following text: When the realm portion of the NAI is used as the basis for name resolution, it may be necessary to convert internationalized realm names to ASCII using the ToASCII operation defined in [RFC5890]. As noted in [RFC6055] Section 2, resolver APIs are not necessarily DNS-specific, so that the ToASCII operation needs to be applied carefully: Applications that convert an IDN to A-label form before calling getaddrinfo() will result in name resolution failures if the Punycode name is directly used in such protocols. Having libraries or protocols to convert from A-labels to the encoding scheme defined by the protocol (e.g., UTF-8) would require changes to APIs and/or servers, which IDNA was intended to avoid. As a result, applications that assume that non-ASCII names are resolved using the public DNS and blindly convert them to A-labels without knowledge of what protocol will be selected by the name resolution library, have problems. Section 2.10.1 o Re-writing of the User-Name in AAA servers means that it may not match the EAP-Response/Identity fields. This mismatch may cause the home AAA server to reject the request as being malformed. [BA[ AAA servers should not be comparing the RADIUS User-Name attribute to the EAP-Response/Identity field, so I would suggest that this bullet be deleted.
- [radext] Call for WG Adoption for draft-dekok-rad… Jouni Korhonen
- Re: [radext] Call for WG Adoption for draft-dekok… Alan DeKok
- Re: [radext] Call for WG Adoption for draft-dekok… Jim Schaad
- Re: [radext] Call for WG Adoption for draft-dekok… Benoit Claise
- Re: [radext] Call for WG Adoption for draft-dekok… Alan DeKok
- Re: [radext] Call for WG Adoption for draft-dekok… Jouni Korhonen
- Re: [radext] Call for WG Adoption for draft-dekok… Bernard Aboba
- Re: [radext] Call for WG Adoption for draft-dekok… Alan DeKok
- Re: [radext] Call for WG Adoption for draft-dekok… Alan DeKok