[radext] Re: Mohamed Boucadair's Yes on draft-ietf-radext-radiusdtls-bis-15: (with COMMENT)
Jan-Frederik Rieckers <rieckers@dfn.de> Tue, 07 April 2026 13:09 UTC
Return-Path: <rieckers@dfn.de>
X-Original-To: radext@mail2.ietf.org
Delivered-To: radext@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 49118D773A35; Tue, 7 Apr 2026 06:09:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1775567387; bh=Glh1S4+N7zFCs/aJjb0JLtao51AsOA8L6gZkqwQgc6Y=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=YjOHfro2jvBOGQMdKnE1YdQrRuDRyMmhyaitJ2iro3Q5MPC2TSoFYxNeJxMZILqnl MGT9kHcjCCdW6lhXVZfdjwJfT/7eCfJ7TzWg1bG6jhH/C9OFiWu3dnAl/TkgqCsfvo f0QPHB8dEdfwL8pknEr4e1mLT1R+q7WU7iu8Ki88=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 52kZE8956oFh; Tue, 7 Apr 2026 06:09:46 -0700 (PDT)
Received: from c1004.mx.srv.dfn.de (c1004.mx.srv.dfn.de [194.95.239.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0CD8CD773A2D; Tue, 7 Apr 2026 06:09:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:organization:from:from :content-language:references:subject:subject:user-agent :mime-version:date:date:message-id:received; s=s1; t=1775567384; x=1777381785; bh=Glh1S4+N7zFCs/aJjb0JLtao51AsOA8L6gZkqwQgc6Y=; b= NqhhwOHTnYIY7m4Fx1gWAw9tiVGZtYgXVH9gwpfUNRgnPvx0kjVHx/rxD4P3Vs1+ g2TbmFPAWZv6H2Ngcy1T4xhrhL5TtuStPeY1hKbpthDfAFX54ACR4Y13ycyu/trB p+zeMj+l9+ojr6gFM4M+zkINUZweeepZkh/aXDt3hsg=
Received: from mail.dfn.de (mail.dfn.de [IPv6:2001:638:d:c102::150]) by c1004.mx.srv.dfn.de (Postfix) with ESMTPS id 26778120113; Tue, 7 Apr 2026 15:09:44 +0200 (CEST)
Received: from [IPV6:2001:638:d:10b1::9] (unknown [IPv6:2001:638:d:10b1::9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id E15FC39B; Tue, 7 Apr 2026 15:09:43 +0200 (CEST)
Message-ID: <1218c613-9d49-4dc5-809b-6779dc7903af@dfn.de>
Date: Tue, 07 Apr 2026 15:09:41 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Mohamed Boucadair <mohamed.boucadair@orange.com>, The IESG <iesg@ietf.org>
References: <177235674024.3245188.9830704777013957267@dt-datatracker-6ff7c68975-7k42g>
Content-Language: en-US
From: Jan-Frederik Rieckers <rieckers@dfn.de>
X-Enigmail-Draft-Status: N11222
Organization: DFN e.V.
In-Reply-To: <177235674024.3245188.9830704777013957267@dt-datatracker-6ff7c68975-7k42g>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms030104040302050907010306"
Message-ID-Hash: QMQXBTIZENDJN7XZK3D6PTJLQ54OIWMV
X-Message-ID-Hash: QMQXBTIZENDJN7XZK3D6PTJLQ54OIWMV
X-MailFrom: rieckers@dfn.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [radext] Re: Mohamed Boucadair's Yes on draft-ietf-radext-radiusdtls-bis-15: (with COMMENT)
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/HE0iu2DQNEjVksBvG8QnntJHlBM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Hi Mohamed, thanks for your review and your comments, I've added my replies below. On 3/1/26 10:19, Mohamed Boucadair via Datatracker wrote: > # Source port number selection > > CURRENT (3.1): > The client source port used for > RadSec connections is not fixed -- it is typically an ephemeral port > picked by the client Operating System. > > Can this also mention the mechanism in RFC6056? > > If randomization is followed, then this would help with this: > > Section 6.5.2 > > RADIUS/DTLS clients SHOULD NOT send both RADIUS/UDP and RADIUS/DTLS > packets to different servers from the same source socket. We could add a reference to RFC 6056. Personally, my observation of current implementations is that selection of source ports is done on OS layer, so adding 6056 does not bring benefits to this document, instead it suggests that implementations should deal with the source port selection themselves instead of using the existing APIs provided by the OS. (But that's only my personal opinion, I can be persuaded.) > > # keepalive > > CURRENT: > RadSec implementations MUST utilize the existence of a TCP, TLS or > DTLS connection where applicable in addition to the application-layer > watchdog defined in [RFC3539], Section 3.4 when determining the > liveness of each connection. > > I guess by “utilize the existence” you meant implement some > heartbeat/keepalives. > > For TCP, please note that rfc9293#3.8.4 says: > > Implementers MAY include "keep-alives" in their TCP implementations > (MAY-5), although this practice is not universally accepted. > > I don’t see an issue with the behavior in the spec given that 3539 requires > anyway the following: > > AAA protocols MUST support > an application layer watchdog message. What we mean there is not keepalives, but really the existence, as in: if the other end sends a TCP FIN or RST or a TLS close notification, or the OS times out the connection by itself if it hasn't seen any traffic in some time and requests are unanswered, then the connection does not exist any more. And if the connection does not exist any more, the watchdog is useless and will come to the same result, only with a delay. > # Logging > > Some events are better logged for operational needs. For example, the following > events (and similar) should be logged > > CURRENT: > That is, the implementation SHOULD send a TLS close > notification and, in the case of RADIUS/TLS, the underlying TCP > connection MUST be closed if any of the following circumstances are > seen: I've opened a github issue on this, right now I think we only have one mention of logging in the whole document. > # server IP? I've already replaced IP with IP address and port with port number in the editor's copy on github, it will be included in the next I-D. > # Same behavior > > Section 3.1 > RadSec endpoints MUST NOT use the old RADIUS/UDP or RADIUS/TCP ports > for RADIUS/DTLS or RADIUS/TLS. > > Section 3.12 > Implementations MUST NOT exchange both insecure and secure traffic on > the same UDP or TCP port. It is RECOMMENDED that implementations > make it impossible for such a configuration to be created. > > These are covering the same points. May be consider having this discussion in > one single place. > > Alternatively, consider linking both such as: > > NEW > RadSec endpoints MUST NOT use the old RADIUS/UDP or RADIUS/TCP ports > for RADIUS/DTLS or RADIUS/TLS. See also Section 3.12. They are not covering the exact same points. Section 3.1 forbids using 1812/1813 (and the old non-standard 1645/1646) for RadSec, independent on whether the RADIUS server is accepting RADIUS/UDP or RADIUS/TCP over these ports. But the wording "old RADIUS/UDP ..." may be suboptimal, I'll see if we can make that more clear. > # packets, records, and datagrams > > CURRENT: > RADIUS/DTLS endpoints MUST send exactly one RADIUS packet per DTLS > record. This ensures that the RADIUS packets do not get fragmented > at a point where a re-ordering of UDP packets would result in > decoding failures. The DTLS specification mandates that a DTLS > record must not span multiple UDP datagrams. We note that a single > UDP datagram may, however, contain multiple DTLS records. RADIUS/ > DTLS endpoints MAY use this behavior to send multiple RADIUS packets > in one UDP packet. > > Maybe add a pointer to rfc9147#section-4.3? > > I would delete “we note”. Thanks for the hint, it's updated in the editor's copy and will be included in the next I-D version. Cheers, Janfred -- Herr Jan-Frederik Rieckers Security, Trust & Identity Services E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 Pronomen: er/sein | Pronouns: he/him __________________________________________________________________________________ DFN - Deutsches Forschungsnetz | German National Research and Education Network Verein zur Förderung eines Deutschen Forschungsnetzes e.V. Alexanderplatz 1 | 10178 Berlin https://www.dfn.de Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens Geschäftsführung: Dr. Christian Grimm | Alina Hain VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
- [radext] Mohamed Boucadair's Yes on draft-ietf-ra… Mohamed Boucadair via Datatracker
- [radext] Re: Mohamed Boucadair's Yes on draft-iet… Margaret Cullen
- [radext] Re: Mohamed Boucadair's Yes on draft-iet… Jan-Frederik Rieckers
- [radext] Re: Mohamed Boucadair's Yes on draft-iet… mohamed.boucadair