[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NAIbis effects (Was: Re: NAI decoration: User Identity issues)

To: Bernard Aboba <aboba@internaut.com>
Subject: NAIbis effects (Was: Re: NAI decoration: User Identity issues)
From: Jari Arkko <jarkko@piuha.net>
Date: Fri, 16 Jul 2004 10:10:33 +0300
Cc: "Blair T. Bullock" <bbullock@ipass.com>, "Adrangi, Farid" <farid.adrangi@intel.com>, radiusext@ops.ietf.org
In-reply-to: <Pine.LNX.4.56.0407150849080.26725@internaut.com>
Organization: None
References: <CD5572397B5672479F1B97001233661006C11237@EXCHANGE1.corp.ipass.com> <Pine.LNX.4.56.0407141525450.30511@internaut.com> <40F6120A.1010207@piuha.net> <Pine.LNX.4.56.0407150849080.26725@internaut.com>
Reply-to: jarkko@piuha.net
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040316

Bernard Aboba wrote:

And then a question from your NAIbis draft editor: does
this resolve the issue that Farid raised earlier about
suffix-based decoration being rewritten by proxies and
then returned in an Access-Accept, causing problems for
the accounting requests? I think it does, but it seems
that we may have to, in addition, publish an RFC 3579 errata
to indicate that returned User-Name attributes should not
be used for accounting requests. Comments?

I'd say that it is at the descretion of the RADIUS server whether to
return the User-Name in the Access-Accept or not.  If it is returned, the
NAS includes it in accounting requests.  If not, it uses the original
User-Name, + Class + Billable Identity if those are available.  I don't
think there's any need for an RFC 3579 errata.


Fair enough (and the document to change would be RFC 2865 as it
specified the general behavior). But don't you think the reader
should be alerted to this potential feature interaction in some
document? Maybe in the naibis document? In fact,  we have two
choices:

1) Warn the reader about this interaction, and suggest not
using returned user name and routing syntax at the same
time.

2) Require intermediaries to redo the routing syntax
when the user name comes back in an Access-Accept.

I think the latter makes more sense. Here's the new text
in 2486bis (7th paragraph):

http://www.arkko.com/publications/nai/naibis.html#realmcons

--Jari

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: NAIbis effects (Was: Re: NAI decoration: User Identity issues)
  - From: Bernard Aboba <aboba@internaut.com>

References:
- RE: NAI decoration: User Identity issues
  - From: "Blair T. Bullock" <bbullock@ipass.com>
- RE: NAI decoration: User Identity issues
  - From: Bernard Aboba <aboba@internaut.com>
- Re: NAI decoration: User Identity issues
  - From: Jari Arkko <jari.arkko@piuha.net>
- Re: NAI decoration: User Identity issues
  - From: Bernard Aboba <aboba@internaut.com>

Prev by Date: RFC 2865 compatibility
Next by Date: Privacy (Was: Re: NAI decoration: User Identity issues)
Previous by thread: Re: NAI decoration: User Identity issues
Next by thread: Re: NAIbis effects (Was: Re: NAI decoration: User Identity issues)
Index(es):
- Date
- Thread