IETF Logo Mail Archive

Re: [radext] I-D Action: draft-ietf-radext-nai-02.txt

Stefan Winter <stefan.winter@restena.lu> Tue, 19 March 2013 15:20 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ACCB11E80DE for <radext@ietfa.amsl.com>; Tue, 19 Mar 2013 08:20:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.149
X-Spam-Level:
X-Spam-Status: No, score=-2.149 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, J_CHICKENPOX_31=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JTUnJK3zMZF9 for <radext@ietfa.amsl.com>; Tue, 19 Mar 2013 08:20:20 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) by ietfa.amsl.com (Postfix) with ESMTP id 4523D11E80D9 for <radext@ietf.org>; Tue, 19 Mar 2013 08:20:20 -0700 (PDT)
Received: from smtprelay.restena.lu (localhost [127.0.0.1]) by smtprelay.restena.lu (Postfix) with ESMTP id A139B10584 for <radext@ietf.org>; Tue, 19 Mar 2013 16:20:19 +0100 (CET)
Received: from aragorn.restena.lu (unknown [IPv6:2001:a18:1:8:28d9:750b:eb74:2493]) by smtprelay.restena.lu (Postfix) with ESMTPS id 9338A1057F for <radext@ietf.org>; Tue, 19 Mar 2013 16:20:19 +0100 (CET)
Message-ID: <5148822F.5070708@restena.lu>
Date: Tue, 19 Mar 2013 16:20:15 +0100
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: radext@ietf.org
References: <20130128155031.8392.45953.idtracker@ietfa.amsl.com> <5147172F.8090100@restena.lu> <08fd01ce23f5$cf8d0b90$6ea722b0$@augustcellars.com> <tslfvzsvd24.fsf@mit.edu> <091f01ce240a$6705a860$3510f920$@augustcellars.com> <51476C2C.5070000@deployingradius.com> <5148192B.90507@restena.lu> <514868A0.2040207@deployingradius.com>
In-Reply-To: <514868A0.2040207@deployingradius.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="----enig2CRJCFWICVSIIWKRIKPUN"
X-Virus-Scanned: ClamAV
Subject: Re: [radext] I-D Action: draft-ietf-radext-nai-02.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Mar 2013 15:20:21 -0000

Hi,

>   Yes.  Keep reading.  It also says that realm names MUST be registrable
> as names within DNS.  Which (eventually) means NFC.
> 
>   The text you quote is left over from an earlier version of the draft,
> before I worked through the DNS documents.  It will be updated in the
> next rev.

Okay.

>   I vote a "hell no" to discarding packets with malformed NAI.
> 
>   For me, a malformed NAI only means that it's not an NAI.  EXAMPLE\user
>  is a perfectly valid RADIUS User-Name.  It should *not* be forbidden by
> the NAI document.

Then I'd suggest making this very explicit. E.g. replace the previous
sentence with

"See [RFC5198] and section 2.6 of this specification for a discussion of
normalization. Strings which are not in Normal Form Composed (NFC) are
not valid NAIs and SHOULD NOT be treated as such."


>> It may be that the home server does not "need" the non-normalised junk
>> :-) It may just be that a supplicant thinks it's wise to send it; and
>> since the contents of the attribute can't be altered in-flight, this
>> junk will stay in the packet until it arrives at the home server.
> 
>   That's not what I got from his message, but OK.

You mean my initial mail with the hypothetical example? Well it was
about that; I had the assumption in my mind that these multiple
representations of the realm are imposed by stubborn supplicants; so if
a server wants to authenticate users using this supplicant, it has to
negotiate that this is a recognised representation of the string and add
it to its server-side config. Not the other way around; sorry if that
was unclear.

I don't think servers are the main problem when it comes to
normalisation (or just valid UTF-8 in the first place). I have much more
concerns about ignorant supplicants.

>> My argument was that it may not even reach the home server if proxies
>> aren't allowed to do some sort of "sane" lookup of the packet content
>> vs. their local configuration.
> 
>   They are allowed.  They do this today.  Proxy routing can be done on
> EXAMPLE\user.
> 
>   The point of the NAI draft is to (a) fix RFC 4282, (b) define the NAI
> correctly, and (c) encourage people to use it instead of broken
> alternatives.
> 
>   There are no plans for a RADIUS police force who will shut down
> non-complaint implementations.  They just won't get the benefit of
> standardization.

Okay; well it's already good that NAI => NFC is indeed hard-wired into
the spec.

>> That verification may ultimately require normalisation by the home
>> server. It's true that this is site-specific; but in the presence of
>> proxies the problematic bit is to reach that home site in the first place.
> 
>   That's blaming the messenger.
> 
>   The problem is really the supplicants that inject multiple versions of
> the same domain.

With the multitude of end-user computing devices in the wild, and the
varying amounts of care firmware writers spend into their supplicant
code, I'm sure there'll be a whole zoo of representations of
internationalised domain names on the supplicant side :-(

>> My issue is: does realm A', which is extremely similar to A in that it
>> differs only in string representation, also go to server A? Or is it
>> discarded by the proxy due to being unknown (i.e. not byte-wise equal to
>> the configured realm A)? Or sent to a "last resort"? If NFC(A') = A, and
>> if that is looked up in the routing table, a lot good is done in terms
>> of forwardability, IMHO.
> 
>   I'm OK with proxies doing deeper inspection or normalization of the
> NAI.  I'm against the *requirement* that they do this.

Well if it's a NAI it does not need to be noramlised any more :-)

Would it be okay to *RECOMMEND* that UTF-8 which is not in NFC should be
normalised prior to "doing something" in terms of lookup in the config?

Greetings,

Stefan Winter

>  RFC 4282
> requires it.  Requiring non-NFS from the supplicants means that proxies
> are required to massage the NAI before they use it.
> 
>   Alan DeKok.
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473

v2.46.0 | Report a Bug | By Email | System Status