Re: REMINDER: Call for review of the "NAI-based Peer Discovery" document for acceptance as a RADEXT WG work item
Hello,
sorry for the late reply, inline.
> Section 2.2 says:
>
> For a given NAI-based input realm,
>
> NAI is... ? The document doesn't define this term, and doesn't
> reference RFC 4282 (NAI definition).
>
I will issue a new draft soon and will include the reference.
> ...
> the following algorithm is used to
> determine the AAA server to contact:
>
> 1. Transform input realm into punycode.
> ...
>
> This recommendation is correct for DNS, but is problematic in practice.
> The recommendations in RFC 4282 define how the above transformation is
> done. *BUT* those recommendations have serious problems.
>
> Would it be possible to simply rely on the DNS library to do the
> correct conversion, and name resolution? This document could then
> describe how to mangle the NAI as a string, and that string then gets
> passed to the DNS library for additional punycode mangling, and finally
> lookup.
>
Sounds good to me. The mangling would be: find first @ in User-Name,
chop off behind @, toss remainder to DNS library and hope for an answer.
Is that what you had in mind?
> Section 3 talks about bidding down attacks. These attacks can be
> largely mitigated by additional per-client configuration on the server.
> See the DTLS document for discussion of this topic.
>
Hmm... The whole purpose of dynamic discovery is that the need for
per-client config becomes obsolete. I agree that pinpointing individual
clients to a desired transport would mitigate the bidding-down. But the
number of clients is not necessarily known beforehand. I would be
delighted if we found a solution for the generic case. But my head is
not overflowing with ideas to that end, honestly.
Greetings,
Stefan Winter
--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
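The mangling step Stefan sketches above (take the realm after the first '@' and hand it to the DNS library, which does the punycode conversion), written out as an added example. This is not code from the e-mail, from the NAI-based peer discovery draft, or from any RADIUS implementation; it assumes the realm is everything after the first '@' in User-Name, that an absent or empty realm means no discovery is attempted, and that the A-label form produced by Python's built-in IDNA codec is what the resolver should receive. The actual DNS query is deliberately left out so the code runs offline.

```python
"""Added example: NAI realm extraction for peer discovery.

Not part of the original e-mail or the draft under review. Assumptions
(mine, not the draft's): realm = text after the first '@' in User-Name;
no '@' or an empty realm -> nothing to look up; punycode handling is
delegated to the stdlib IDNA codec instead of being hand-rolled.
"""
from typing import Optional


def extract_realm(user_name: str) -> Optional[str]:
    """Return the realm of an NAI (everything after the first '@'), or None.

    None is returned when there is no '@' or the realm is empty, so a
    caller can fall back to static configuration instead of sending a
    meaningless query to the resolver.
    """
    at = user_name.find("@")
    if at == -1:
        return None
    realm = user_name[at + 1:]
    return realm or None


def realm_to_dns_name(realm: str) -> Optional[str]:
    """Convert a possibly internationalised realm to the ASCII A-label
    form a DNS library expects, using the stdlib 'idna' codec.

    The codec rejects empty labels and labels of 64+ octets; such input
    yields None here so it never reaches the resolver.
    """
    try:
        return realm.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def discovery_target(user_name: str) -> Optional[str]:
    """Full mangling step: User-Name -> DNS name to hand to the resolver,
    or None when there is nothing sensible to look up."""
    realm = extract_realm(user_name)
    if realm is None:
        return None
    return realm_to_dns_name(realm)


# Constructed sample User-Name values (not taken from the thread or draft).
SAMPLES = [
    "alice@example.com",         # plain ASCII realm
    "bob@bücher.example",        # non-ASCII realm -> xn--bcher-kva.example
    "carol",                     # no realm at all
    "dave@",                     # empty realm
    "erin@.example",             # empty first label: codec rejects it
    "frank@" + "a" * 64 + ".example",  # label too long: codec rejects it
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:45} -> {discovery_target(name)!r}")
```

Only the first two samples produce a name worth resolving; the rest are caught before any DNS traffic, which is the point of doing the string mangling in one place and letting the DNS library own the punycode step.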