NAI
... method for identifying users. This
document defines syntax for the Network Access Identifier (NAI).
Examples of implementations that use the NAI, and descriptions of its
semantics, can be found in [RFC2194 ...
... 2486 [RFC2486], which
originally defined NAIs. Differences and enhancements compared to
RFC 2486 are listed in Appendix A.
...
... network access authentication. In roaming,
the purpose of the NAI is to identify the user as well as to
assist in the routing of the authentication request. Please note
that the NAI may not necessarily be the same as the user's e-mail
address or the user identity submitted in an application layer ...
... roaming, this function is accomplished via the
Network Access Identifier (NAI) submitted by the user to the NAS in
...
... network authentication. It is also expected that NASes
will use the NAI as part of the process of opening a new tunnel, in
order to determine the tunnel endpoint ...
... NAI Definition ...
...
The grammar for the NAI is given below, described in Augmented
Backus-Naur Form (ABNF) as documented in [RFC4234 ...
... NAI Length Considerations ...
...
Devices handling NAIs MUST support an NAI length of at least 72
octets. Support for an NAI length of 253 octets is RECOMMENDED.
However, the following implementation issues should be considered:
o NAIs are often transported in the User-Name attribute of the
Remote Authentication Dial-In User Service ...
... RFC2865], Section 5.1, states that "the
ability to handle at least 63 octets is recommended." As a
result, it may not be possible to transfer NAIs beyond 63 octets
through all devices. In addition, since only a single User-Name
attribute may be included in a RADIUS ...
... Diameter [RFC3588], which supports content lengths up to 2^24 - 9
octets. As a result, NAIs processed only by Diameter nodes can be
very long. Unfortunately, an NAI transported over Diameter may
eventually be translated to RADIUS ...
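The following is an added example, written for this page and not part of RFC 4282 or any AAA implementation: a validator that splits an NAI into username and realm according to the RFC 4282 ABNF (Section 2.1 of the RFC, which this excerpt does not reproduce; the character classes below are taken from that grammar, and the function names, error messages and sample inputs are this editor's own) and reports which of the length limits discussed above the NAI exceeds. It works on the UTF-8 octets rather than on characters because the 63/72/253 limits are octet counts. The realm is accepted only in ASCII, since it is an IDN-unaware slot; the username may carry UTF-8 octets and backslash escapes.

```python
"""Syntax and length checks for a Network Access Identifier (RFC 4282)."""
from __future__ import annotations
import re

# realm = 1*( label "." ) label ; label = let-dig *( ldh-str )
# i.e. at least two LDH labels, each starting and ending with a letter or digit.
# The realm is an IDN-unaware domain-name slot, so on the wire it must already
# be ASCII (A-labels for internationalised names).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_REALM_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# ASCII specials the RFC 4282 'c' rule permits unescaped inside a username.
# Letters, digits and octets >= 0x80 (UTF-8) are also allowed; anything else
# (space, '"', '(', ')', ',', ';', '<', '>', '@', '[', ']', DEL, ...) has to be
# written as "\" followed by the octet.
_ALLOWED_SPECIALS = frozenset(b"!#$%&'*+-/=?^_`{|}~")

# Length thresholds from Section 2.2 and RFC 2865 Section 5.1.
MUST_SUPPORT = 72          # every device handling NAIs MUST accept this
RECOMMENDED_SUPPORT = 253  # RECOMMENDED upper bound
RADIUS_SAFE = 63           # all a RADIUS User-Name attribute is guaranteed to carry


def _last_unescaped_at(raw: bytes) -> int:
    """Index of the unescaped '@' that separates username and realm, or -1.
    Raises if more than one unescaped '@' is present (none is legal in
    either part, so a second one is a syntax error)."""
    seen = []
    i = 0
    while i < len(raw):
        if raw[i] == 0x5C:          # "\" x : skip the escaped octet
            i += 2
            continue
        if raw[i] == 0x40:
            seen.append(i)
        i += 1
    if len(seen) > 1:
        raise ValueError("more than one unescaped '@' in NAI")
    return seen[0] if seen else -1


def _check_username(raw: bytes) -> None:
    """username = dot-string: non-empty strings joined by single unescaped dots."""
    i = 0
    cur = 0                          # octets in the current dot-separated string
    while i < len(raw):
        b = raw[i]
        if b == 0x5C:                # escape: the next octet may be anything
            if i + 1 >= len(raw):
                raise ValueError("dangling escape at end of username")
            i += 2
            cur += 1
            continue
        if b == 0x2E:                # unescaped '.' separates strings
            if cur == 0:
                raise ValueError("empty string before '.' in username")
            cur = 0
            i += 1
            continue
        if b >= 0x80 or chr(b).isalnum() or b in _ALLOWED_SPECIALS:
            cur += 1
            i += 1
            continue
        raise ValueError(f"octet 0x{b:02X} must be escaped in a username")
    if cur == 0:
        raise ValueError("username is empty or ends with an unescaped '.'")


def parse_nai(nai: str) -> dict:
    """Validate an NAI against the RFC 4282 ABNF and split it.
    Returns {"username": str | None, "realm": str | None}; None marks an
    omitted part (realm-less 'username', or the abbreviated '@realm' form)."""
    raw = nai.encode("utf-8")
    at = _last_unescaped_at(raw)
    if at < 0:
        _check_username(raw)
        return {"username": nai, "realm": None}
    user, realm = raw[:at], raw[at + 1:]
    try:
        realm_s = realm.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("realm must be ASCII (use IDNA A-labels)") from None
    if not _REALM_RE.match(realm_s):
        raise ValueError(f"realm {realm_s!r} is not 1*(label '.') label")
    if user:
        _check_username(user)
    return {"username": user.decode("utf-8") if user else None, "realm": realm_s}


def transport_advisory(nai: str) -> list[str]:
    """Warnings about which AAA paths may refuse or truncate this NAI."""
    n = len(nai.encode("utf-8"))
    notes = []
    if n > RECOMMENDED_SUPPORT:
        notes.append(f"{n} octets exceeds the 253-octet RECOMMENDED limit; "
                     "only a Diameter-only path can carry it")
    elif n > MUST_SUPPORT:
        notes.append(f"{n} octets exceeds the 72-octet minimum every NAI device MUST support")
    if n > RADIUS_SAFE:
        notes.append(f"{n} octets exceeds the 63-octet RADIUS User-Name recommendation; "
                     "RADIUS hops may reject or truncate it")
    return notes


if __name__ == "__main__":
    # Constructed sample NAIs, including a deliberately long one.
    for sample in ("user@homerealm.example.net", "@example.com", "x" * 70 + "@example.com"):
        print(sample, parse_nai(sample), transport_advisory(sample))
```

A device that only forwards NAIs need not run these checks (the next fragment makes that point), but a NAS or AAA server that keys policy or routing on the realm should reject syntactically invalid input before consulting it, and should treat anything longer than 63 octets as at risk of silent truncation once a RADIUS hop is on the path.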
...
Interpretation of the username part of the NAI depends on the realm
in question. Therefore, the "username" part SHOULD be treated as
...
... domain (in the sense of Section 4) for that realm.
In some situations, NAIs are used together with a separate
authentication method that can transfer the username ...
... secure manner to increase privacy. In this case, NAIs MAY be
provided in an abbreviated form by omitting the username part.
...
... roaming purposes, it is typically necessary to locate the
appropriate backend authentication server for the given NAI before
the authentication conversation can proceed. As a result, the realm
...
... canonical representation. Internationalization of the realm portion
of the NAI is based on "Internationalizing Domain Names in
Applications (IDNA ...
... canonical representation, characters of the
username portion in an NAI MUST fulfill the ABNF in this
specification as well as the requirements ...
... correctly formed strings that follow Section 2.3 of [RFC4013].
Ensuring that NAIs conform to their ABNF is not sufficient; it is
also necessary to ensure that they do not contain prohibited
...
... Authentication, Authorization, and Accounting (AAA)
server. NAIs are sent over the wire in their canonical form, and
tasks such as normalization do not typically need to be performed by
nodes that just pass NAIs around or receive them from the network.
End systems MUST also perform checking for prohibited output and
...
... code points. Other systems MAY perform such checks, when
they know that a particular data item is an NAI.
The realm name is an "IDN-unaware domain name slot ...
... As proposed in this document, the Network Access Identifier is of the
form user@realm. Please note that while the user portion of the NAI
is based on the BNF described in [RFC0821 ...
... Note also that the internationalization requirements for NAIs and
e-mail addresses are different, since the former need to be typed in
...
... home realm. Usually, the home realm appears in the realm
portion of the NAI, but in some cases a different realm can be used.
This may be useful, for instance, when the home realm is reachable
...
... have a mutual agreement that the usage is allowed. In particular,
NAIs MUST NOT use a different realm than the home realm unless the
sender ...
... configured.
Where these conditions are fulfilled, an NAI such as
user@homerealm.example.net
...
... "@" character; see Section 2.4 for details. When receiving such an
NAI, the other realm MUST convert the format back to
"user@homerealm.example.net" when passing the NAI forward, as well as
...
... NAI, the other realm MUST convert the format back to
"user@homerealm.example.net" when passing the NAI forward, as well as
applying appropriate AAA routing for the transaction ...
... the conversion, the result may still have one or more '!' characters
in the username. For instance, the NAI
other2.example.net!home.example.net!user@other1.example.net
...
... ABNF. The '!' character may appear in the username
portion of an NAI for other purposes as well, and in those cases, the
rules outlined here do not apply; the interpretation of the username
...
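The recursive conversion described above, as an added example written for this page (not code from RFC 4282 or from any AAA implementation): one hop strips the realm before the first unescaped '!' from the username and makes it the new realm, and the process repeats until no decoration remains. The page's own NAI other2.example.net!home.example.net!user@other1.example.net is used as input. Two caveats from the text are built in: an escaped "\!" is not a separator, and a '!' whose prefix is not syntactically a realm is treated as ordinary username content, so the rules are not applied to it. The optional peers table, which records which realms each realm has a roaming agreement with, is this editor's assumption about how the "mutual agreement" requirement would be enforced; function names are likewise the editor's own.

```python
"""RFC 4282 Section 2.7: undoing 'homerealm!user@otherrealm' decoration hop by hop."""
from __future__ import annotations
import re
from typing import Optional

# Same realm syntax as the ABNF: at least two LDH labels.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_REALM_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def _find_unescaped(s: str, target: str, last: bool = False) -> int:
    """Index of the first (or last) `target` not preceded by a "\" escape, or -1."""
    found = -1
    i = 0
    while i < len(s):
        if s[i] == "\\":
            i += 2              # skip the escaped character
            continue
        if s[i] == target:
            found = i
            if not last:
                break
        i += 1
    return found


def _realm_of(nai: str) -> str:
    return nai[_find_unescaped(nai, "@", last=True) + 1:]


def unwrap_once(nai: str) -> Optional[str]:
    """One conversion step at the realm after '@':
    'realmA!rest@realmB' becomes 'rest@realmA'.
    Returns None when there is nothing to convert: no '@', no unescaped '!',
    or a prefix that is not a realm (then the '!' is plain username content)."""
    at = _find_unescaped(nai, "@", last=True)
    if at < 0:
        return None
    username = nai[:at]
    bang = _find_unescaped(username, "!")
    if bang < 0:
        return None
    prefix = username[:bang]
    if not _REALM_RE.match(prefix):
        return None
    return f"{username[bang + 1:]}@{prefix}"


def route_to_home(nai: str, peers: Optional[dict[str, set[str]]] = None) -> list[str]:
    """Apply the conversion until no decoration is left and return the NAI as
    seen at every hop, ending with the form the home realm receives.
    If `peers` is given (realm -> realms it has agreements with), refuse a hop
    that the current realm is not entitled to forward.  Each step removes at
    least the '@realm' suffix, so the loop always terminates."""
    hops = [nai]
    while True:
        cur = hops[-1]
        nxt = unwrap_once(cur)
        if nxt is None:
            return hops
        here, there = _realm_of(cur), _realm_of(nxt)
        if peers is not None and there not in peers.get(here, set()):
            raise PermissionError(f"{here} has no roaming agreement to forward to {there}")
        hops.append(nxt)


if __name__ == "__main__":
    # The NAI from the text; the peers table is a constructed example.
    agreements = {"other1.example.net": {"other2.example.net"},
                  "other2.example.net": {"home.example.net"}}
    for hop in route_to_home("other2.example.net!home.example.net!user@other1.example.net",
                             agreements):
        print(hop)
```

The converting realm must also apply its normal AAA routing to the result, which is why each hop is checked against an agreements table rather than forwarded blindly: an attacker who controls the username can otherwise name any realm as the next hop.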
...
Since an NAI reveals the home affiliation of a user, it may assist an
attacker in further probing the username ...
... This specification adds the possibility of hiding the username part
in the NAI, by omitting it. As discussed in Section 2.3, this is
possible only when NAIs are used together with a separate
authentication method that can transfer the username ...
... privacy mechanisms have
also been used with NAIs. For instance, some Extensible
Authentication Protocol (EAP) methods ...
... pseudonyms in the username part of the NAI [RFC3748]. While neither
of these approaches can protect the realm part, their advantage over
...
...
In order to avoid creating any new administrative procedures,
administration of the NAI realm namespace piggybacks on the
administration of the DNS namespace.
NAI realm names are required to be unique, and the rights to use a
given NAI realm for roaming purposes are obtained coincident with
acquiring the rights to use a particular Fully Qualified Domain Name
(FQDN). Those wishing to use an NAI realm name should first acquire
the rights to use the corresponding FQDN. Using an NAI realm without
ownership of the corresponding FQDN creates ...
... routing information. Note also that there
is no requirement that the NAI represent a valid email address.
...
...
This document contains the following updates with respect to the
original NAI definition in RFC 2486 [RFC2486]:
...
... nodes. Many devices already allow this behaviour, however.
o A recommendation to support NAI length of at least 253 octets has
been added, and compatibility considerations among NAI lengths in
this specification and various AAA protocols are discussed. Note
that long NAIs may not be acceptable to RFC 2486-compliant nodes.
...
... o Several clarifications and improvements have been incorporated
into the ABNF specification for NAIs.
...
... problem
space, and to Farid Adrangi for suggesting the representation of
mediating networks in NAIs. Jonathan Rosenberg reported the BNF
error. Dale Worley suggested clarifications of the x and special BNF ...
