Re: [radext] Review of draft-ietf-radext-nai-03
Alan DeKok <aland@deployingradius.com> Sun, 09 June 2013 13:12 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8086521F87E1 for <radext@ietfa.amsl.com>; Sun, 9 Jun 2013 06:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X8TkX+ZN7s0l for <radext@ietfa.amsl.com>; Sun, 9 Jun 2013 06:12:14 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5BCA421F8976 for <radext@ietf.org>; Sun, 9 Jun 2013 06:12:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 455E92240D88; Sun, 9 Jun 2013 15:12:11 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ait9jIlb00Q2; Sun, 9 Jun 2013 15:12:09 +0200 (CEST)
Received: from Thor-2.local (bas1-ottawa11-1176224179.dsl.bell.ca [70.27.193.179]) by power.freeradius.org (Postfix) with ESMTPSA id 5C0162240C73; Sun, 9 Jun 2013 15:12:09 +0200 (CEST)
Message-ID: <51B47F28.3020701@deployingradius.com>
Date: Sun, 09 Jun 2013 09:12:08 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <BLU169-W136C0681F857DF43804AC17939B0@phx.gbl>, <51B3E6FB.5040606@deployingradius.com> <BLU169-W56D7E99BC62DD745D09C87939B0@phx.gbl>
In-Reply-To: <BLU169-W56D7E99BC62DD745D09C87939B0@phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Review of draft-ietf-radext-nai-03
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Jun 2013 13:12:20 -0000
Bernard Aboba wrote: > [BA] If you can't depend on the contents of the User-Name attribute > being normalized, then I don't think you can recommend byte-by-byte > comparison, because it won't work reliably. Perhaps the only reason we > haven't been bitten by this already is because there are so many > internationalization problems in existing implementations that > internationalized NAIs aren't used that often. The document is consistent in that it suggests end hosts should normalize the NAI. Proxies can then do byte-by-byte comparisons. And I agree that i18n issues largely haven't come up. Where I've seen them occur, people use non-UTF8 character sets, and don't do roaming. > [BA] While you're probably right about that, I don't think we need to > bite off all of the problem in this document. All we are really trying > to do is address the misconceptions of RFC 4282, to prevent it from > doing further damage. The document is very close to accomplishing > that, but it is simultaneously also trying to fight other dragons. It's a bit pointless to define an NAI without suggested uses. > [BA] It is indeed cheerful to consider how widely ignored RFC 4282 is. > But I wonder whether it is ignored because people realized it was > nonsense, or because they hadn't encountered enough internalized NAIs to > notice how nonsensical it was. A bit of both, I think. > [BA] My question was whether "escaped" NAIs ever show up in the RADIUS > User-Name attribute, Never never never never never. I hope I'm being clear on that. :) > Speaking of which, are there any RFC 5090 implementations? I've heard of one from a minor switch vendor. > [BA] I agree that it isn't an NAI. And in reading RFC 5090 it seems > like HTTP/SIP input wouldn't affect the User-Name attribute where an NAI > would be expected to be. But I'm not sure, because I've never seen an > RFC 5090 implementation to know for certain. The point for me is "user identifier" is a separate concept from "how user identifier is transported in a protocol". For RADIUS, they're the same, because it's UTF8-clean. HTTP isn't, so it escapes characters during transport. > Aside from network access protocols (e.g. PPP, EAP, IKEv2, L2TP, etc.) > and AAA protocols (RADIUS, Diameter) what other protocols can transport > NAIs? IMHO, any protocol which requires user identifiers. It's ridiculous that each protocol has its own format for user identifiers. > Also, if an application layer protocol uses an identifier that isn't an > NAI, I am wondering whether we shouldn't require that this identifier > NOT be placed in the RADIUS User-Name attribute so that it won't confuse > things further. Reading RFC 5090, I'm half convinced that we missed a > bullet there (particularly if it wasn't implemented). Spreading the rot from other protocols into RADIUS isn't a good idea. If the other protocol thinks it's a user identifier, it should go into the RADIUS User-Name attribute. It's then up to the RADIUS server to decide it's not an NAI, and then to do whatever ad-hoc nonsense is necessary in order to authenticate the users. Alan DeKok.
- [radext] Review of draft-ietf-radext-nai-03 Bernard Aboba
- Re: [radext] Review of draft-ietf-radext-nai-03 Alan DeKok
- Re: [radext] Review of draft-ietf-radext-nai-03 Bernard Aboba
- Re: [radext] Review of draft-ietf-radext-nai-03 Alan DeKok
- Re: [radext] Review of draft-ietf-radext-nai-03 Sam Hartman