
Private NAIs (Was: Re: rfc2486bis)



Thanks Blair for your comments. I'll first respond to your
question about private vs. DNS registered NAI realms:

In the roaming world, while the 'private' peering of RADIUS servers
would allow for a non-FQDN to be used for the purposes of routing, i.e.
user@foo or even user@XZY, the common practice is to use a FQDN i.e.

FYI: Allowing user@foo is a mistake in the -00 document and will be corrected in -01. The cause of the mistake was a correction that attempted to avoid the infinite loop in the original BNF but opened up a little bit too much freedom :-(

user@foo.com or foo.bar.com or foo.org,etc. However, there is no
reasonable expectation that the FQDN be actually registered or owned by
the home network and placed in DNS. Since the peering is ambiguous and
often private, I could just as well claim coke.com for my users or use
some semblance of a FQDN, registered or not. Obviously using a private
IP would be bad, but using non DNS methods like blair@216.239.97.170 is
valid, right? So why not a non-FQDN blair@myhome if the private RADIUS
peering recognizes it. Any thoughts on guidelines for this?

RFC 2486 does say that there is a requirement that the FQDNs be owned by the home network:

   This document defines a new namespace that will need to be
   administered, namely the NAI realm namespace. In order to avoid
   creating any new administrative procedures, administration of the NAI
   realm namespace will piggyback on the administration of the DNS
   namespace.

   NAI realm names are required to be unique and the rights to use a
   given NAI realm for roaming purposes are obtained coincident with
   acquiring the rights to use a particular fully qualified domain name
   (FQDN).  Those wishing to use an NAI realm name should first acquire
   the rights to use the corresponding FQDN. Using an NAI realm without
   ownership of the corresponding FQDN creates the possibility of
   conflict and therefore is to be discouraged.

So I think it's pretty clear that the NAI realms should be registered
via usual domain name procedures. However, the text in RFC 2486 leaves
_some_ room for interpretation, as it first says "required" and then
"should" and finally for no ownership it says "discouraged". Perhaps
this text should be clarified in the bis version, e.g., made to a SHOULD
or even a MUST. Or are you Blair arguing that it should be relaxed?

--Jari
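The realm shapes argued over above (FQDN realms such as user@foo.com, the bare-label user@foo that the -00 grammar let through, and the dotted IP literal blair@216.239.97.170) can be told apart mechanically. The following is an added example, not code from the thread, RFC 2486 or any RADIUS implementation. Its realm regex is an assumed approximation of the RFC 2486 realm grammar rather than the RFC's exact BNF, and the routing policy it applies (route FQDN-shaped realms, accept a bare label only when it is in an explicit private-peering table, refuse IP literals and malformed realms) is one possible reading of the discussion, not anything the RFC mandates.

```python
import re

# Assumed approximation of the RFC 2486 realm grammar (not the RFC's exact BNF):
# labels of letters, digits and hyphens, joined by ".", with no leading or
# trailing hyphen in a label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_REALM_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def split_nai(nai):
    """Split an NAI into (username, realm).

    The realm separator is the first '@' that is not escaped with a
    backslash; RFC 2486 lets '@' appear in the username only as '\\@'.
    Returns realm=None when the NAI has no realm part at all.
    """
    i = 0
    while i < len(nai):
        ch = nai[i]
        if ch == "\\":
            i += 2          # skip the escaped character
            continue
        if ch == "@":
            return nai[:i], nai[i + 1:]
        i += 1
    return nai, None


def classify_realm(realm):
    """Label a realm the way the thread discusses them."""
    if realm is None:
        return "none"            # username only: handled locally, not routable
    if _IPV4_RE.match(realm):
        return "ipv4-literal"    # blair@216.239.97.170: dotted, but not a DNS name
    if not _REALM_RE.match(realm):
        return "invalid"         # malformed label, e.g. leading hyphen
    if "." not in realm:
        return "bare-label"      # user@foo: what the -00 grammar wrongly allowed
    return "fqdn"                # user@foo.com: the RFC 2486 expectation


def routing_decision(nai, private_peers=frozenset()):
    """Policy a RADIUS proxy could apply (assumed, not from the RFC).

    FQDN-shaped realms are routed normally; a bare label is routed only if
    it appears in an explicit private-peering table (the 'blair@myhome'
    case); IP literals and malformed realms are refused.
    Returns (decision, reason).
    """
    _, realm = split_nai(nai)
    kind = classify_realm(realm)
    if kind == "fqdn":
        return "route", f"realm {realm} is FQDN-shaped"
    if kind == "bare-label":
        if realm.lower() in {p.lower() for p in private_peers}:
            return "route", f"realm {realm} is a configured private peer"
        return "reject", f"non-FQDN realm {realm} not in private peering table"
    if kind == "none":
        return "local", "no realm; handle locally"
    return "reject", f"realm {realm!r} is {kind}"


if __name__ == "__main__":
    # Constructed sample NAIs drawn from the shapes mentioned in the thread.
    for sample in ("user@foo.com", "user@foo", "blair@216.239.97.170",
                   "blair@myhome", "alice"):
        print(sample, "->", routing_decision(sample, private_peers={"myhome"}))
```

The IPv4 test runs before the general realm regex on purpose: a dotted IP literal is made of digit-only labels and would otherwise pass as an FQDN, which is exactly the ambiguity Blair points at. A checker like this belongs at the proxy's routing step, where the private-peering table is the only thing that should ever make a non-FQDN realm routable.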


-- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>