[radext] Review: draft-ietf-radext-radiusdtls-bis-15 — Implementation Observations
"Premanand Seralathan (pseralat)" <pseralat@cisco.com> Tue, 17 March 2026 03:00 UTC
From: "Premanand Seralathan (pseralat)" <pseralat@cisco.com>
To: "radext@ietf.org" <radext@ietf.org>
Date: Tue, 17 Mar 2026 03:00:46 +0000
Message-ID: <BYAPR11MB3768CB3E565B1287A96F3E15CC41A@BYAPR11MB3768.namprd11.prod.outlook.com>
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/9E5TgylzbsiwCBTlI71WH3sAc1U>
Hi all,

I've reviewed draft-ietf-radext-radiusdtls-bis-15 and have observations from implementing RADIUS/TLS in a production NAC platform.

1. Cipher Suite Minimum Requirements

Section 3.2 references RFC 9325 for TLS recommendations, which is appropriate. However, the draft only states that "negotiation of a cipher suite providing for confidentiality as well as integrity protection is REQUIRED" without explicitly recommending AEAD cipher suites (AES-GCM, ChaCha20-Poly1305) or discouraging non-AEAD suites (e.g., CBC-mode without encrypt-then-MAC). In practice, legacy NAS devices still attempt to negotiate weaker suites during the TLS handshake. A brief note to prefer AEAD-based cipher suites, consistent with RFC 9325 Section 4.2, would strengthen the guidance for implementers who may not read RFC 9325 in full.

2. EKU Validation for Client Certificates

Section 3.3.1 covers certificate validation thoroughly but does not mention Extended Key Usage (EKU). In environments where a shared enterprise CA issues certificates for multiple purposes, a certificate intended for a web server could authenticate as a RADIUS client without EKU enforcement. The recommendation to start with an empty CA trust base (Section 3.3.1) significantly mitigates this for private CA deployments. For shared CA environments, a recommendation that servers SHOULD validate id-kp-clientAuth in client certificates would provide defense-in-depth.

3. Migration Guidance (Section 7.7)

The guidance against reusing RADIUS/UDP shared secrets as TLS-PSK and the recommendation for separate configuration fields to prevent accidental reuse is practical and well-articulated — this will help avoid real-world misconfiguration.

4. TLS Key Rotation (Section 7.5)

Given that some RADIUS deployments maintain connections for days or weeks, it might be useful to include an informative guideline on maximum data volume or time before a key update or connection re-establishment is recommended.

Overall, this is a well-structured specification. The merge of RADIUS/TLS and RADIUS/DTLS into a single document is a significant improvement over the previous experimental RFCs.

Best regards,
Premanand Seralathan
Cisco Systems
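An added example for observation 1 above, not part of the review or of the draft: a server-side TLS policy written against Python's ssl module (on top of OpenSSL) that offers only AEAD suites with a TLS 1.2 floor, next to the permissive default a legacy NAS can still talk down to. The cipher string, the function names and the audit report are this example's own choices; the draft specifies none of them, and which non-AEAD suites the permissive context exposes depends on the local OpenSSL build.

```python
"""Server-side TLS policy for RADIUS/TLS: AEAD suites only, TLS 1.2 floor.

Added example, not code from the draft or the reviewer; it uses Python's ssl
module on top of OpenSSL. The cipher string and the audit are this example's
policy choices.
"""
import ssl

# OpenSSL cipher-list syntax: forward-secret key exchange with AEAD record
# protection. Everything else (CBC, RC4, static RSA, NULL) is excluded.
# TLS 1.3 suites are AEAD by construction and are selected by OpenSSL
# independently of this string.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL"


def hardened_server_context():
    """What a RADIUS/TLS server should offer: TLS 1.2+ and AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # RFC 9325 floor
    ctx.set_ciphers(AEAD_ONLY)
    # RADIUS/TLS peers authenticate each other; the CA set is loaded separately
    # with ctx.load_verify_locations(), starting from an empty trust base.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def permissive_server_context():
    """The weak setting: OpenSSL's default list, which on most builds still
    contains CBC suites that a legacy NAS can negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")
    return ctx


def non_aead_suites(ctx):
    """Names of every enabled suite that is not AEAD; empty means the policy holds."""
    return sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])


def policy_report(ctx):
    """Summary a deployment self-check can assert on."""
    return {
        "min_version": ctx.minimum_version.name,
        "suite_count": len(ctx.get_ciphers()),
        "non_aead": non_aead_suites(ctx),
    }


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        print(label, policy_report(ctx))
```

Running the block prints both reports; the hardened context should always show an empty non_aead list, while the permissive one lists whatever CBC suites the local OpenSSL still enables.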
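An added example for observation 2 above, not part of the review or of the draft: the id-kp-clientAuth check a RADIUS/TLS server could run on a presented client certificate, written here as a small standard-library DER walker so it can be applied to the bytes from ssl.SSLSocket.getpeercert(binary_form=True). The function names, the require_eku policy switch and the test fixture are this example's own; the fixture is a constructed DER structure with the extension layout of an X.509 v3 certificate, not a real or signed certificate.

```python
"""Extended Key Usage check for RADIUS/TLS client certificates, read from DER.

Added example, not code from the draft or the reviewer. Standard library only.
"""

OID_EKU = "2.5.29.37"                  # id-ce-extKeyUsage
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
TAG_SEQUENCE, TAG_OID, TAG_OCTET_STRING = 0x30, 0x06, 0x04


def _tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value


def _decode_oid(value):
    if value and value[-1] & 0x80:
        raise ValueError("unterminated OID arc")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            if arcs:
                arcs.append(acc)
            else:                                      # first byte packs arcs 1 and 2
                arcs.extend(divmod(acc, 40) if acc < 80 else (2, acc - 80))
            acc = 0
    return ".".join(map(str, arcs))


def _find_extension(buf, oid):
    """Depth-first search for an Extension SEQUENCE whose extnID is `oid`; returns the
    extnValue OCTET STRING contents, or None if absent. Primitive values such as the
    signature BIT STRING are never descended into, so OID bytes inside them cannot match."""
    for tag, value in _children(buf):
        if not tag & 0x20:
            continue
        if tag == TAG_SEQUENCE:
            parts = list(_children(value))
            if parts and parts[0][0] == TAG_OID and _decode_oid(parts[0][1]) == oid:
                if parts[-1][0] != TAG_OCTET_STRING:   # Extension ends with extnValue
                    raise ValueError("malformed Extension")
                return parts[-1][1]
        found = _find_extension(value, oid)
        if found is not None:
            return found
    return None


def extended_key_usage(cert_der):
    """List of EKU OIDs, or None when the certificate carries no EKU extension."""
    ext = _find_extension(cert_der, OID_EKU)
    if ext is None:
        return None
    tag, seq, end = _tlv(ext, 0)
    if tag != TAG_SEQUENCE or end != len(ext):
        raise ValueError("malformed ExtKeyUsageSyntax")
    oids = []
    for t, v in _children(seq):
        if t != TAG_OID:
            raise ValueError("non-OID inside ExtKeyUsageSyntax")
        oids.append(_decode_oid(v))
    return oids


def allows_client_auth(cert_der, require_eku=True):
    """RFC 5280 reads a missing EKU as 'any purpose'. require_eku=True rejects that (the
    strict choice for a shared enterprise CA); False keeps RFC 5280 semantics.
    anyExtendedKeyUsage (2.5.29.37.0) is deliberately not accepted as a substitute."""
    ekus = extended_key_usage(cert_der)
    if ekus is None:
        return not require_eku
    return OID_CLIENT_AUTH in ekus


# Constructed test fixture: the extension layout of an X.509 v3 certificate with the
# fields not needed here omitted. NOT a real or signed certificate.
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return bytes(out)


def constructed_cert(eku_oids):
    """eku_oids=None builds a certificate-shaped blob with no EKU extension at all."""
    sig_alg = _der(TAG_SEQUENCE, _der(TAG_OID, _encode_oid("1.2.840.113549.1.1.11")))
    exts = b""
    if eku_oids is not None:
        eku = _der(TAG_SEQUENCE, b"".join(_der(TAG_OID, _encode_oid(o)) for o in eku_oids))
        exts = _der(TAG_SEQUENCE, _der(TAG_OID, _encode_oid(OID_EKU)) + _der(TAG_OCTET_STRING, eku))
    tbs = _der(TAG_SEQUENCE, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _der(0xA3, _der(TAG_SEQUENCE, exts)))
    # The signatureValue BIT STRING deliberately carries the raw bytes of OID 2.5.29.37
    # (55 1d 25) to show that OID bytes inside primitive data do not fool the walker.
    return _der(TAG_SEQUENCE, tbs + sig_alg + _der(0x03, b"\x00\x55\x1d\x25"))
```

In a server, the same check runs once the handshake has completed and the chain has already been validated against the configured trust base; the EKU test is the additional, defense-in-depth step that rejects a web-server certificate from a shared CA.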