RFC Errata
RFC 7542, "The Network Access Identifier", May 2015
Source of RFC: radext (sec)
See Also: RFC 7542 w/ inline errata
Errata ID: 5462
Status: Verified
Type: Technical
Publication Format(s): TEXT
Reported By: Alan DeKok
Date Reported: 2018-08-14
Verifier Name: Benjamin Kaduk
Date Verified: 2019-12-11
Section 3 says:
The "utf8-realm" SHOULD be supplied by the "next hop" or "home" system that also supplies the routing information necessary for packets to reach the next hop.
It should say:
The "utf8-realm" SHOULD be supplied by the "next hop" or "home" system that also supplies the routing information necessary for packets to reach the next hop. The final home system SHOULD validate the NAI in the received packet against the list of Realms hosted by the home system. If no match is found, the request SHOULD be rejected.
Notes:
It doesn't explicitly say that home systems only authenticate users for their own realms. It may help to have this stated explicitly.
Some text will also be added to draft-ietf-radext-coa-proxy in order to make this clearer.
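
The check the corrected text asks of the final home system, sketched as an added example; it is not part of RFC 7542 or of this erratum. The names `HOSTED_REALMS`, `split_nai` and `home_accepts` and the sample realms are hypothetical, and case-insensitive comparison and the handling of realm-less NAIs are assumptions of the example.

```python
# Added illustration. HOSTED_REALMS and both function names are hypothetical.
HOSTED_REALMS = frozenset({"example.org", "corp.example.net"})  # constructed


def split_nai(nai):
    """Split an NAI into (username, realm); realm is None when absent.

    Structural check only, not the full RFC 7542 ABNF.
    """
    if nai.count("@") > 1:
        raise ValueError("NAI contains more than one '@'")
    username, sep, realm = nai.partition("@")
    if not sep:
        if not username:
            raise ValueError("empty NAI")
        return username, None
    labels = realm.split(".")
    # utf8-realm = 1*( label "." ) label: two or more non-empty labels.
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError("malformed realm")
    return username, realm


def home_accepts(nai, hosted=HOSTED_REALMS, allow_no_realm=False):
    """Decide whether the final home system should process this request."""
    try:
        _, realm = split_nai(nai)
    except ValueError:
        return False  # malformed NAI: reject
    if realm is None:
        # Assumption: a realm-less NAI is a local policy decision.
        return allow_no_realm
    # Assumption: case-insensitive, whole-string comparison. No suffix or
    # substring matching, so "example.org.other.test" does not match.
    wanted = realm.casefold()
    return any(wanted == h.casefold() for h in hosted)


if __name__ == "__main__":
    for sample in ("alice@example.org", "alice@EXAMPLE.ORG",
                   "alice@example.org.other.test", "alice@other.test@example.org",
                   "alice"):  # constructed sample NAIs
        print(f"{sample!r}: {'accept' if home_accepts(sample) else 'reject'}")
```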