Re: REMINDER: Call for review of the "NAI-based Peer Discovery" document for acceptance as a RADEXT WG work item
Sorry for the late reply; comments inline.
> Section 2.2: says:
> For a given NAI-based input realm,
> NAI is... ? The document doesn't define this term, and doesn't
> reference RFC 4282 (NAI definition).
I will issue a new draft soon and will include the reference.
> the following algorithm is used to
> determine the AAA server to contact:
> 1. Transform input realm into punycode.
> This recommendation is correct for DNS, but is problematic in practice.
> The recommendations in RFC 4282 define how the above transformation is
> done. *BUT* those recommendations have serious problems.
> Would it be possible to simply rely on the DNS library to do the
> correct conversion, and name resolution? This document could then
> describe how to mangle the NAI as a string, and that string then gets
> passed to the DNS library for additional punycode mangling, and finally
Sounds good to me. The mangling would be: find first @ in User-Name,
chop off behind @, toss remainder to DNS library and hope for an answer.
Is that what you had in mind?
> Section 3 talks about bidding down attacks. These attacks can be
> largely mitigated by additional per-client configuration on the server.
> See the DTLS document for discussion of this topic.
Hmm... The whole purpose of dynamic discovery is that the need for
per-client config becomes obsolete. I agree that pinpointing individual
clients to a desired transport would mitigate the bidding-down. But the
number of clients is not necessarily known beforehand. I would be
delighted if we'd find a solution for the generic case. But my head is
not overflowing with ideas to that end, honestly.
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
Tel: +352 424409 1
Fax: +352 422473
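The realm-extraction step sketched in the reply above (split the User-Name at the first "@", keep the realm, hand it to the DNS library for punycode conversion), written out as an added example. This is illustrative code, not text from the draft or from either author; it assumes the first-"@" rule exactly as stated in the reply and uses Python's built-in `idna` codec to stand in for the DNS library's punycode conversion. Because the User-Name arrives from an untrusted peer, the example also checks that what would reach the resolver is a well-formed LDH hostname, so a realm like `b@c.example` or `a..b` is rejected instead of being looked up. The sample User-Names in `main()` are constructed for the demonstration.

```python
import re

# After IDNA conversion every DNS label must be letters, digits and hyphens
# (LDH), must not start or end with a hyphen, and be 1..63 octets long.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def realm_from_nai(user_name):
    """Return the realm part of a RADIUS User-Name, or None.

    Follows the rule from the reply above: split at the first '@' and keep
    what follows it (assumption: this is the intended rule).  The NAI is
    peer-supplied, so anything odd is rejected rather than guessed at: no
    '@', an empty realm, or whitespace/control characters all yield None.
    """
    at = user_name.find("@")
    if at < 0:
        return None
    realm = user_name[at + 1:]
    if not realm or any(ch.isspace() or ord(ch) < 0x20 for ch in realm):
        return None
    return realm


def realm_to_dns_name(realm):
    """Convert a realm to the ASCII name a DNS library would look up.

    Python's 'idna' codec performs the punycode step (IDNA2003, which is
    what the stdlib offers).  Each resulting label is then checked against
    the LDH rule so that a realm such as 'b@c.example' never reaches the
    resolver.  Returns the lower-cased ASCII name, or None if the realm is
    not a usable DNS name.
    """
    try:
        ascii_name = realm.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    if len(ascii_name) > 253:
        return None
    labels = ascii_name.split(".")
    if not all(_LDH_LABEL.match(label) for label in labels):
        return None
    return ascii_name.lower()


def nai_to_dns_name(user_name):
    """Full pipeline: User-Name -> realm -> ASCII DNS name (or None)."""
    realm = realm_from_nai(user_name)
    if realm is None:
        return None
    return realm_to_dns_name(realm)


def main():
    # Constructed sample User-Names, not taken from any real deployment.
    samples = [
        "alice@bücher.example",   # IDN realm: punycode needed
        "bob@Example.ORG",        # ASCII realm: only case folding
        "plainuser",              # no realm at all
        "mallory@b@c.example",    # second '@' would be passed to DNS
        "eve@a..b",               # empty label
    ]
    for nai in samples:
        print(f"{nai!r:28} -> {nai_to_dns_name(nai)!r}")


if __name__ == "__main__":
    main()
```

The LDH check after the codec is the part a defender cares about: Python's `idna` codec passes pure-ASCII labels through with only a length check, so without it the peer-controlled User-Name could push characters other than letters, digits and hyphens into the resolver call.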