[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bang-path routing

To: Bernard Aboba <bernard_aboba@hotmail.com>
Subject: Re: Bang-path routing
From: Alan DeKok <aland@deployingradius.com>
Date: Fri, 24 Oct 2008 10:55:12 +0200
Cc: radiusext@ops.ietf.org
In-reply-to: <BLU137-W203286CCEFF28BFDD23C2893280@phx.gbl>
References: <48F36CC4.8010103@deployingradius.com> <BLU137-DAV75D724C414A181A19BC4293360@phx.gbl> <48FC4A85.1060801@deployingradius.com> <BLU137-DAV104B8E8A986B77A6DB3F5E932F0@phx.gbl> <48FCF3BA.90505@deployingradius.com> <BLU137-DAV1B2E0E1D873BD056B2BE6932F0@phx.gbl> <4900494F.8080705@deployingradius.com> <BLU137-W203286CCEFF28BFDD23C2893280@phx.gbl>
User-agent: Thunderbird 2.0.0.17 (X11/20080925)

Bernard Aboba wrote:
> I think the issue is *when* the NAI is normalized.  For example is the
> RADIUS server expected to do the normalization, or is it the client?

  I don't think anyone other than the client has access to locale
information.  I think the client must convert the NAI to normalized
UTF-8.  I don't think this is too hard.  It only needs to be done once,
when the user name && realm are entered (or when the locale changes).

> Some references to John Klensin's RFCs on registry behavior would probably
> be appropriate.

  OK.

> What's wierd is that the ABNF actually includes support for UTF-8
> characters.
> Last time I looked, this appeared to be supported for *both* the
> username and
> the realm.

  Nope.  Only for the User-Name, from 4282:

   realm       =  1*( label "." ) label
   label       =  let-dig *(ldh-str)
   ldh-str     =  *( alpha / digit / "-" ) let-dig
   let-dig     =  alpha / digit
   alpha       =  %x41-5A  ; 'A'-'Z'
   alpha       =/ %x61-7A  ; 'a'-'z'
   digit       =  %x30-39  ; '0'-'9'

  Characters with the high bit set are forbidden in realm names.

> One might want to normalize the realm prior to doing the lookup in the
> realm table.

  Normalize... to what?  How can the intermediate nodes know what
normalization rules to apply?

> Unfortunately, not *all* DNS libraries do the right thing.  For example,
> GetAddrInfoW() currently sends UTF-8 queries on the wire, not punycode.
> On *NIX systems, I've seen applications use libidn to do the conversion
> prior to calling name resolution APIs.

  Ugh.  I guess this needs to be mentioned, too.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- RE: RADIUS User-Name versus EAP Identity
  - From: "Bernard Aboba" <Bernard_Aboba@hotmail.com>
- Bang-path routing
  - From: Alan DeKok <aland@deployingradius.com>
- RE: Bang-path routing
  - From: "Bernard Aboba" <Bernard_Aboba@hotmail.com>
- Re: Bang-path routing
  - From: Alan DeKok <aland@deployingradius.com>
- RE: Bang-path routing
  - From: "Bernard Aboba" <Bernard_Aboba@hotmail.com>
- Re: Bang-path routing
  - From: Alan DeKok <aland@deployingradius.com>
- RE: Bang-path routing
  - From: Bernard Aboba <bernard_aboba@hotmail.com>

Prev by Date: Re: I-D Action:draft-ietf-radext-radsec-02.txt
Next by Date: RADEXT WG last call on RADSEC Document
Previous by thread: RE: Bang-path routing
Next by thread: RE: Bang-path routing
Index(es):
- Date
- Thread