Re: [radext] WGLC for draft-ietf-radext-dynamic-discovery-09

<> Wed, 15 January 2014 09:24 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D38C71AE02E for <>; Wed, 15 Jan 2014 01:24:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.298
X-Spam-Status: No, score=-1.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, WEIRD_PORT=0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WLiUl_GFpijE for <>; Wed, 15 Jan 2014 01:24:06 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 3FC4C1ACCE9 for <>; Wed, 15 Jan 2014 01:24:06 -0800 (PST)
Received: from (unknown [xx.xx.xx.1]) by (ESMTP service) with ESMTP id CE6CB2641C2; Wed, 15 Jan 2014 10:23:53 +0100 (CET)
Received: from Exchangemail-eme1.itn.ftgroup (unknown []) by (ESMTP service) with ESMTP id AF15435C04E; Wed, 15 Jan 2014 10:23:53 +0100 (CET)
Received: from PEXCVZYM13.corporate.adroot.infra.ftgroup ([fe80::cc7e:e40b:42ef:164e]) by PEXCVZYH01.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0174.001; Wed, 15 Jan 2014 10:23:53 +0100
To: Jouni Korhonen <>, "" <>, Stefan Winter <>
Thread-Topic: [radext] WGLC for draft-ietf-radext-dynamic-discovery-09
Thread-Index: Ac8R04G9Q1ipdRVr6EqY0ZMy7ZuBfg==
Date: Wed, 15 Jan 2014 09:23:52 +0000
Message-ID: <>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
Content-Type: text/plain; charset="utf-8"
Content-ID: <7A23397472BD404E90AB0CC1A6C06BCD@adroot.infra.ftgroup>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-PMX-Version:, Antispam-Engine:, Antispam-Data: 2013.11.20.60015
Cc: "" <>, "" <>
Subject: Re: [radext] WGLC for draft-ietf-radext-dynamic-discovery-09
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 15 Jan 2014 09:24:09 -0000

I can live with the answer on "aaa" even if I usually prefer to be self-explicit rather than resorting to deductive skills... that someone may not have :-)

Ok with your conclusion on auth-acc service tag.

Thank you for the discussion.



Envoyé depuis mon Sony Xperia SP d'Orange

Stefan Winter <> a écrit :

>> * I don't think "aaa" as a whole is owned by Diameter anyway... Even in the Diameter spec, there is a protocol tag for Diameter following the service tag. Both in combination make the NAPTR type "owned" by Diameter. And the old RFC3588 definition uses the monolithic "aaa+D2x"
>> string (where x varies, and the D hard-codes Diameter).
>> [LM] ==> I was just referring to the following in RFC6408: 
>>    IANA has reserved a value of "aaa" for Diameter in the "(S-NAPTR)
>>    Application Service Tag" registry created by [RFC3958].
>> It is not a problem of syntax (which is correct as I said) but more a question of the ambiguity around the prefix "aaa" for the (human) reader.
>Ah, now I see that in RFC6408. I didn't at first glance because the ABNF
>exclusively defines aaa+ap<int>.
>The raw "aaa" sneaks in later. I don't understand what it is trying to
>achieve (it is associated with "legacy" Diameter nodes which do not
>support RFC6408; but if they don't support RFC6408 then they are not
>going to use that tag; it's just as new as the aaa+apx ones - the
>original NAPTR tags in RFC3588 were only "AAA+D2S" and "AAA+D2T"). ??
>RFC6733 finally does the "right" thing and mentions "aaa" as the service
>tag, but that's still not going to help implementations which only do
>Anyway... that's not my business :-)
>Still no syntax problem, as the string "aaa" is still only a prefix of
>the strings used in the radext draft.
>I agree that an innocent reader might get a bit startled by the
>similarity. In most cases, the service tag will be immediately followed
>by the desired protocol though, which spells out "radius" or "diameter"
>in clear-text. That should make the matter clear to the human eye.
>Only in the case where a Diameter node uses no protocol indication
>(Section 5.2.e of RFC6408) then he sees a raw "aaa" indeed; but there's
>still no ambiguity: the radext draft has a mandatory protocol
>indication; a raw "aaa" can thus not have anything to do with RADIUS.
>I notice now, however, that the protocol tags are not sufficiently
>covered in the actual algorithm; the server needs to maintain state
>which transport it got from DNS so that he can later connect either via
>DTLS or TLS. I will make that clearer in the next rev.
>> Looking sideways, not even the Diameter S-NAPTR spec allows to concatenate multiple application IDs into one service tag, so... if you guys haven't found a use case for it in 3G big-scale, I don't think it's necessary or urgent?
>> [LM] ==> I think that the issue is slightly different for Diameter applications. In 3GPP, different applications usually point to different functional entities or multiple capabilities are grouped into the same application when used between the same entities. In the specific case of RADIUS, I was thinking that one could prefer to choose an Authentication server that supports also accounting when both functions are required, especially when you have to open TLS/DTLS connections with the remote server. This server might be prioritized among servers auth-only + servers acc-only. 
>Prioritisation is done by NAPTR's and SRV's order/preference fields and
>is in the discretion of the server operator. If the server operator of
>the "auth+acct" server wants clients to talk to that one with priority
>for both auth and acct, he will list this server with the same, highest
>preference in DNS for both service tags.
>It's not the client's decision to resort to a lower-priority server just
>because it feels like it.
>And as an extra thought: if multiple servers share the same priority,
>and only one of them could also do accounting, then the RADIUS client
>could still find out about it by evaluating the list of NAPTRs for
>aaa+auth and aaa+acct simultaneously, and seeing that they have the same
>replacement field content. He can then make an informed choice.
>FWIW, I would be against adding this extra choice into the I-D text. It
>is a very small corner case, and the algorithm is about finding an
>output for a given input. It's not about being clever to find a common
>output for two distinct inputs, which might by chance be identical (but
>this could only be found out later). Extending the scope to cover that
>would make things a bit blurry.
>Stefan Winter
>Stefan WINTER
>Ingenieur de Recherche
>Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
>de la Recherche
>6, rue Richard Coudenhove-Kalergi
>L-1359 Luxembourg
>Tel: +352 424409 1
>Fax: +352 422473
>PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
>recipient's key is known to me


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.