IETF Logo Mail Archive

[radext] Review of draft-ietf-radext-nai-03

Bernard Aboba <bernard_aboba@hotmail.com> Sun, 09 June 2013 01:15 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AB2121F9644 for <radext@ietfa.amsl.com>; Sat, 8 Jun 2013 18:15:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.482
X-Spam-Level:
X-Spam-Status: No, score=-102.482 tagged_above=-999 required=5 tests=[AWL=0.116, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MuylaMTBvPMP for <radext@ietfa.amsl.com>; Sat, 8 Jun 2013 18:15:18 -0700 (PDT)
Received: from blu0-omc2-s35.blu0.hotmail.com (blu0-omc2-s35.blu0.hotmail.com [65.55.111.110]) by ietfa.amsl.com (Postfix) with ESMTP id 975AF21F963C for <radext@ietf.org>; Sat, 8 Jun 2013 18:15:12 -0700 (PDT)
Received: from BLU169-W136 ([65.55.111.72]) by blu0-omc2-s35.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Sat, 8 Jun 2013 18:15:12 -0700
X-TMN: [BfKERReIuhLgPJihW/jV1zZOh/rP4GD/zPl0D9J7Z9U=]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU169-W136C0681F857DF43804AC17939B0@phx.gbl>
Content-Type: multipart/alternative; boundary="_25ed61ba-60a1-478f-9fa1-c710bb798e2e_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: "radext@ietf.org" <radext@ietf.org>
Date: Sat, 08 Jun 2013 18:15:11 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 09 Jun 2013 01:15:12.0678 (UTC) FILETIME=[CA9E4460:01CE64AE]
Subject: [radext] Review of draft-ietf-radext-nai-03
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Jun 2013 01:15:24 -0000

While the document now seems to recognize reality in several places, the recognition has not reflected itself uniformly in the normative statements.  So, overall, the draft contradicts itself in multiple places. 
 
For example, the document recognizes that existing network access client implementations don't normalize the NAI (e.g. don't use NFC), so that normalization by a AAA proxy MAY be required.  
 
At the same time, it insists that byte-by-byte comparisons be done on NAI realms. 
 
Those two points of view aren't compatible with each other.   If we can't rely on normalization by clients or NAS devices then AAA proxies doing realm comparisons need to do normalization first or the comparisons won't be reliable.   
 
Another contradiction relates to the format of user identifiers used in non-network access protocols like SIP and HTTP. 
 
The document admits that they could use escaping, and won't normalize the NAI as recommended prior to sending it. 
 
This of course implies that the escaped characters need to be converted prior to comparison, which the document does note.  
 
But this contradicts the byte-by-byte comparison statements (as well as the "normalize before sending" statement).  
 
It also seems to contradict the "use NAI in other protocols" recommendation, since we can't have an expectation that all protocols using AAA will have user identities that conform to the NAI. 
 
Overall, my suggestion is that the document needs to re-think the approach. 
 
While it is OK to require the NAI to be provided in UTF-8 form,  normalization via NFC is so uncommon that requiring it to occur on the end host does not pass the smell test. 
 
Since it is unlikely that network access clients or NAS devices will change their behavior, it seems to me that AAA proxies making realm comparisons (e.g. for realm routing) need to be prepared to normalize the realms first.  The steps involved in doing this should be described in the document. 
 
Also, while I don't disagree with the statements made about "NAI decoration" the term "deprecation" isn't explicitly used, though that seems clearly to be what is meant.  So if we are really trying to put the decoration practice to bed, we should say so (like obsoleting the relevant documents).

v2.30.2 | Report a Bug | By Email | System Status