IETF Logo Mail Archive

Re: [radext] I-D Action: draft-ietf-radext-nai-07.txt

Bernard Aboba <bernard_aboba@hotmail.com> Wed, 24 September 2014 05:21 UTC

Return-Path: <bernard_aboba@hotmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 145F41A8A93 for <radext@ietfa.amsl.com>; Tue, 23 Sep 2014 22:21:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.685
X-Spam-Level:
X-Spam-Status: No, score=-2.685 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y9Sap8QYK5LW for <radext@ietfa.amsl.com>; Tue, 23 Sep 2014 22:21:53 -0700 (PDT)
Received: from BLU004-OMC2S28.hotmail.com (blu004-omc2s28.hotmail.com [65.55.111.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E509C1A8A8A for <radext@ietf.org>; Tue, 23 Sep 2014 22:21:52 -0700 (PDT)
Received: from BLU181-W49 ([65.55.111.73]) by BLU004-OMC2S28.hotmail.com with Microsoft SMTPSVC(7.5.7601.22724); Tue, 23 Sep 2014 22:21:51 -0700
X-TMN: [8eRvHJ368Tq6pwTfEJvscyb8a9J9MVdK]
X-Originating-Email: [bernard_aboba@hotmail.com]
Message-ID: <BLU181-W49D35210C476942763DD6D93B10@phx.gbl>
Content-Type: multipart/alternative; boundary="_42774d64-b6a4-4ac8-800e-ff731a0e6535_"
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: Alan DeKok <aland@deployingradius.com>, "radext@ietf.org" <radext@ietf.org>
Date: Tue, 23 Sep 2014 22:21:51 -0700
Importance: Normal
In-Reply-To: <BLU181-W718EA808CC22B97BBC93E793B10@phx.gbl>
References: <20140923232150.1601.20067.idtracker@ietfa.amsl.com>, , <542210D8.10900@deployingradius.com>, <BLU181-W718EA808CC22B97BBC93E793B10@phx.gbl>
MIME-Version: 1.0
X-OriginalArrivalTime: 24 Sep 2014 05:21:51.0840 (UTC) FILETIME=[72952E00:01CFD7B7]
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/lxH4Zto7csrmc7QDq8qR8r0jciw
Subject: Re: [radext] I-D Action: draft-ietf-radext-nai-07.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Sep 2014 05:21:55 -0000

BTW, I realize that there is better advise elsewhere in the draft... but given that, the paragraph below really is superfluous. 

From: bernard_aboba@hotmail.com
To: aland@deployingradius.com; radext@ietf.org
Date: Tue, 23 Sep 2014 22:07:10 -0700
Subject: Re: [radext] I-D Action: draft-ietf-radext-nai-07.txt




I would not say that the revision addresses all concerns.   Some of the advice is quite brittle: 
   For example, much of the common realm routing can be done on the
   "utf8-realm" portion of NAI, through simple checks for equality.
   This routing can be done even if the AAA proxy is unaware of
   internalized domain names.  All that is required is for the AAA proxy
   to be able to enter, store, and compare 8-bit data.
Realm routing based on 8-bit data comparisons has never worked reliably, since it fails even with latin character sets given inconsistent capitalization, let alone when international character sets are used.  Given that normalization on the end system is not common today, blessing 8-bit comparisons for realm routing is a bad idea - since if followed it would be likely to result in continuing problems with routing of internationalized realms. 
In this particular case, there are more reliable ways to do the comparison that should be discussed. 

> Date: Tue, 23 Sep 2014 20:31:20 -0400
> From: aland@deployingradius.com
> To: radext@ietf.org
> Subject: Re: [radext] I-D Action: draft-ietf-radext-nai-07.txt
> 
>   I believe this revision addresses all open concerns.  Maybe we could
> do a last call before the next meeting?
> 
> internet-drafts@ietf.org wrote:
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >  This draft is a work item of the RADIUS EXTensions Working Group of the IETF.
> > 
> >         Title           : The Network Access Identifier
> >         Author          : Alan DeKok
> > 	Filename        : draft-ietf-radext-nai-07.txt
> > 	Pages           : 25
> > 	Date            : 2014-09-23
> > 
> > Abstract:
> >    In order to provide inter-domain authentication services, it is
> >    necessary to have a standardized method that domains can use to
> >    identify each other's users.  This document defines the syntax for
> >    the Network Access Identifier (NAI), the user identity submitted by
> >    the client prior to accessing network resources. This document is a
> >    revised version of RFC 4282, which addresses issues with
> >    international character sets, as well as a number of other
> >    corrections to the previous document.
> > 
> > 
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-radext-nai/
> > 
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-radext-nai-07
> > 
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-ietf-radext-nai-07
> > 
> > 
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> > 
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> > 
> > _______________________________________________
> > radext mailing list
> > radext@ietf.org
> > https://www.ietf.org/mailman/listinfo/radext
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
 		 	   		  

_______________________________________________
radext mailing list
radext@ietf.org
https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email