[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Private NAIs (Was: Re: rfc2486bis)
Thanks Blair for your comments. I'll first respond to your
question about private vs. DNS registered NAI realms:
In the roaming world, while the 'private' peering of RADIUS servers
would allow for a non-FQDN to be used for the purposes of routing, i.e.
user@foo or even user@XZY, the common practice is to use a FQDN i.e.
FYI: Allowing user@foo is a mistake in the -00 document and will be
corrected in -01. The cause of the mistake was a correction
that attempted to avoid the infinite loop in the original
BNF but opened up a little bit too much freedom :-(
user@foo.com or foo.bar.com or foo.org,etc. However, there is no
reasonable expectation that the FQDN be actually registered or owned by
the home network and placed in DNS. Since the peering is ambiguous and
often private, I could just as well claim coke.com for my users or use
some semblance of a FQDN, registered or not. Obviously using a private
IP would be bad, but using non DNS methods like blair@216.239.97.170 is
valid, right? So why not a non-FQDN blair@myhome if the private RADIUS
peering recognizes it. Any thoughts on guidelines for this?
RFC 2486 does say that there is a requirement that the FQDNs
be owned by the home network:
This document defines a new namespace that will need to be
administered, namely the NAI realm namespace. In order to to avoid
creating any new administrative procedures, administration of the NAI
realm namespace will piggyback on the administration of the DNS
namespace.
NAI realm names are required to be unique and the rights to use a
given NAI realm for roaming purposes are obtained coincident with
acquiring the rights to use a particular fully qualified domain name
(FQDN). Those wishing to use an NAI realm name should first acquire
the rights to use the corresponding FQDN. Using an NAI realm without
ownership of the corresponding FQDN creates the possibility of
conflict and therefore is to be discouraged.
So I think its pretty clear that the NAI realms should be registered
via usual domain name procedures. However, the text in RFC 2486 leaves
_some_ room for interpretation, as it first says "required" and then
"should" and finally for no ownership it says "discouraged". Perhaps
this text should be clarified in the bis version, e.g., made to a SHOULD
or even a MUST. Or are you Blair arguing that it should be relaxed?
--Jari
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>