IETF Logo Mail Archive

Re: [radext] Review of draft-ietf-radext-nai-03

Alan DeKok <aland@deployingradius.com> Sun, 09 June 2013 13:12 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8086521F87E1 for <radext@ietfa.amsl.com>; Sun, 9 Jun 2013 06:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X8TkX+ZN7s0l for <radext@ietfa.amsl.com>; Sun, 9 Jun 2013 06:12:14 -0700 (PDT)
Received: from power.freeradius.org (power.freeradius.org [88.190.25.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5BCA421F8976 for <radext@ietf.org>; Sun, 9 Jun 2013 06:12:13 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by power.freeradius.org (Postfix) with ESMTP id 455E92240D88; Sun, 9 Jun 2013 15:12:11 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at power.freeradius.org
Received: from power.freeradius.org ([127.0.0.1]) by localhost (power.freeradius.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ait9jIlb00Q2; Sun, 9 Jun 2013 15:12:09 +0200 (CEST)
Received: from Thor-2.local (bas1-ottawa11-1176224179.dsl.bell.ca [70.27.193.179]) by power.freeradius.org (Postfix) with ESMTPSA id 5C0162240C73; Sun, 9 Jun 2013 15:12:09 +0200 (CEST)
Message-ID: <51B47F28.3020701@deployingradius.com>
Date: Sun, 09 Jun 2013 09:12:08 -0400
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <BLU169-W136C0681F857DF43804AC17939B0@phx.gbl>, <51B3E6FB.5040606@deployingradius.com> <BLU169-W56D7E99BC62DD745D09C87939B0@phx.gbl>
In-Reply-To: <BLU169-W56D7E99BC62DD745D09C87939B0@phx.gbl>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "radext@ietf.org" <radext@ietf.org>
Subject: Re: [radext] Review of draft-ietf-radext-nai-03
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Jun 2013 13:12:20 -0000

Bernard Aboba wrote:
> [BA] If you can't depend on the contents of the User-Name attribute
> being normalized, then I don't think you can recommend byte-by-byte
> comparison, because it won't work reliably.   Perhaps the only reason we
> haven't been bitten by this already is because there are so many
> internationalization problems in existing implementations that
> internationalized NAIs aren't used that often.

  The document is consistent in that it suggests end hosts should
normalize the NAI.  Proxies can then do byte-by-byte comparisons.

  And I agree that i18n issues largely haven't come up.  Where I've seen
them occur, people use non-UTF8 character sets, and don't do roaming.

> [BA] While you're probably right about that, I don't think we need to
> bite off all of the problem in this document.  All we are really trying
> to do is address the misconceptions of RFC 4282, to prevent it from
> doing further damage.   The document is very close to accomplishing
> that, but it is simultaneously also trying to fight other dragons.

  It's a bit pointless to define an NAI without suggested uses.

> [BA] It is indeed cheerful to consider how widely ignored RFC 4282 is. 
> But I wonder whether it is ignored because people realized it was
> nonsense, or because they hadn't encountered enough internalized NAIs to
> notice how nonsensical it was.

  A bit of both, I think.

> [BA]  My question was whether "escaped"  NAIs ever show up in the RADIUS
> User-Name attribute,

  Never never never never never.  I hope I'm being clear on that. :)

> Speaking of which, are there any RFC 5090 implementations? 

  I've heard of one from a minor switch vendor.

> [BA] I agree that it isn't an NAI.  And in reading RFC 5090 it seems
> like HTTP/SIP input wouldn't affect the User-Name attribute where an NAI
> would be expected to be.  But I'm not sure, because I've never seen an
> RFC 5090 implementation to know for certain.

  The point for me is "user identifier" is a separate concept from "how
user identifier is transported in a protocol".  For RADIUS, they're the
same, because it's UTF8-clean.  HTTP isn't, so it escapes characters
during transport.

> Aside from network access protocols (e.g. PPP, EAP, IKEv2, L2TP, etc.)
> and AAA protocols (RADIUS, Diameter) what other protocols can transport
> NAIs? 

  IMHO, any protocol which requires user identifiers.

  It's ridiculous that each protocol has its own format for user
identifiers.

> Also, if an application layer protocol uses an identifier that isn't an
> NAI, I am wondering whether we shouldn't require that this identifier
> NOT be placed in the RADIUS User-Name attribute so that it won't confuse
> things further.  Reading RFC 5090, I'm half convinced that we missed a
> bullet there (particularly if it wasn't implemented). 

  Spreading the rot from other protocols into RADIUS isn't a good idea.
 If the other protocol thinks it's a user identifier, it should go into
the RADIUS User-Name attribute.

  It's then up to the RADIUS server to decide it's not an NAI, and then
to do whatever ad-hoc nonsense is necessary in order to authenticate the
users.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email