[radext] Re: Review: draft-dekok-radext-review-radius-00 — Cipher Suite and EKU Considerations
"Premanand Seralathan (pseralat)" <pseralat@cisco.com> Thu, 12 March 2026 19:17 UTC
Return-Path: <pseralat@cisco.com>
X-Original-To: radext@mail2.ietf.org
Delivered-To: radext@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 11E6CC904DB0 for <radext@mail2.ietf.org>; Thu, 12 Mar 2026 12:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -11.886
X-Spam-Level:
X-Spam-Status: No, score=-11.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_NONE=0.001, T_SPF_HELO_PERMERROR=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cisco.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ehWyZibmPDZo for <radext@mail2.ietf.org>; Thu, 12 Mar 2026 12:17:31 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A9BC6C904DA3 for <radext@ietf.org>; Thu, 12 Mar 2026 12:17:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=24550; q=dns/txt; s=iport01; t=1773343051; x=1774552651; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=VEjURR/jx6zwRU7jc9ta8gjR8nDSmxbFHC9ag3W9x2o=; b=lKxJ5JGw1noqVh7Df9tRQMYSK0oToe0gjCWh+E3okjYEsfVm1uXgkW17 XA3R3WoCakYvnzyvzhEPYw7F5teP2mHGaHWcS7iBcc1F70eBzaMKYa/SY BuUYRzBkcw/HlcqWZS0VCDYy6/PmsDkAaqxDAW0YFNPL9ljmMOadqmPQv YeaDl9acsXY9/vBdHRsmNUCMR05HDeo140VrX4ria0FE27VVxiUcamw7N UP8PALE1QiSrSyWlEBP4/CDhTcXXQg6Mh6bd5s8P/5em+LFJQIoG6hLuJ 8ANTjlw/Nrl7stP0SVCmR/XtsIe4OwJ80cIE/UaIR8+wGsrexfRs46r3F A==;
X-CSE-ConnectionGUID: tAl9d9Z0TIqDvfG1i7h3hQ==
X-CSE-MsgGUID: SH/+t/MWRm2tWmwvS/nrUw==
X-IPAS-Result: A0BAEADzD7Np/4r/Ja1agS6CaDFTB4EAgSFJhFeDTAOFLIh5A5FKhXk8gTuEdIERA1cPAQEBDQJKBwQBAYUHAhaNDAImOBMBAgQBAQEBAwIDAQEBAQEBAQEBAQELAQEFAQEBAgEHBYEOE4ZPDYZaAQEBAQIBEhFWBQsCAQgYJwMCAgIvFAYLAgQOBQgagmGCHS8nAwECDkWjTgGBPQKKKnqBMoEBg2xB3AGBTYhUASqBNQMOg3QQhHonG4FJRIEVQoFmgQI+gmEBAQIBgRUTARIBCRo8P4JeOoIvBIINFXoUHQSBWIVCBoFGgmkePIZbUnIiAyYzLAFVExcLBwWBI0MDgQYjSwUtHYEjIR0XFB9YGwcFEiEqgUR4ggEPhmh5Ay5eGg4iAigRXEo+C1IFgi0CIAMLbT0UIxQbAwSBNQWNDUMZPYFBAQIOYGUBA1EBASABASYzXwseEAEYCwQCk0oOE4Mwi2BHjhiVFwqEHIwelXAXhASBV5lFiiU/Z4YikmSCWIheglOHXY1ZLg+FGgIEAgQFAhABAQY2fkslOTBwcBWCJH4JSRkPjigGFRyDQoUTw2Z4AgE5AgcBCgEBAwkBgVWQFg8XB4FOAQE
IronPort-PHdr: A9a23:+VGXJxOYwKNYuEJaV04l6nc2WUAX0o4cdiYc7p4hzrVWfbvmpNLpP VfU4rNmi1qaFYnY6vcRk+PNqOigQm0P55+drWoPOIJBTR4LiMga3kQgDceJBFe9LavCZC0hF 8MEX1hgl0w=
IronPort-Data: A9a23:uolN36lKlaFXMdCfob29plno5gzBJ0RdPkR7XQ2eYbSJt1+Wr1Gzt xIaCzqHOqyDZWPyc4tzOYSy/E8B65SEyddqGwE/rCA9QVtH+JHPbTi7wugcHM8zwunrFh8PA xA2M4GYRCwMZiaC4E/raf658SUUOZigHtLUEPTDNj16WThqQSIgjQMLs+Mii+aEu/Dha++2k Y20+Za31GONgWYubDpPsvjb8XuDgdyr0N8mlg1mDRx0lAe2e0k9VPo3Oay3Jn3kdYhYdsbSb /rD1ryw4lTC9B4rDN6/+p6jGqHdauePVeQmoiM+t5mK2nCulARrukoIHKZ0hXNsttm8t4sZJ OOhGnCHYVxB0qXkwIzxWvTDes10FfUuFLTveRBTvSEPpqHLWyOE/hlgMK05FZEx/rd7UFMWy d0BBC4DQUmC2OLtwIvuH4GAhux7RCXqFJkUtnclyXTSCuwrBMiaBa7L/tRfmjw3g6iiH96HO JFfMmUpNkmdJUQUaj/7C7pm9AusrmHkfidRrFuJjaE2+GPUigd21dABNfKLK4DWHJwFwBzwS mTuxES+QQ1dEeOlzGCZzXezmNSImznGR9dHfFG/3rsw6LGJ/UQJAREbRUeToPSlhAi5Qd03F qAP0jAloa538AmgScPwGkXh5nWFpRUbHdFXFoXW9T2w90Yd2C7AbkAsRT9aY9tgv8gzLQHGH HfQ9z81LVSDaIGodE8=
IronPort-HdrOrdr: A9a23:EdCTR6FTN3ZsRA+NpLqF+pLXdLJyesId70hD6qkvc203TiXIra CTdaogtCMc0AxhJk3I+ertBEGBKUmsk6KdkrNhTItKPTOW91dAQ7sSl7cKrweQfxEWs9Qtqp uIEJIORuEYb2IK8PoSiTPQe71Psbv3lZxAx92us0uFJjsaEp2Imj0JcTpzZXcGPDWua6BJc6 a0145snRblU3IRaciwG3kCWMb+h/CjrvjbSC9DLSQKrC2Vgx2VyJOSKXWl9yZbfyJEwL8k/2 SAqArk+6Wlvci8zx/Xx0XT455VlNaJ8KoDOCWLsKcoAwSprjztSJVqWrWEsjxwivqo8kwWnN 7FpAplF9hv6lvKF1vF4ifF6k3F6nID+nXiwViXjT/IusriXg83DMJHmMZwbgbZ0Uw9p9txuZ g7nV5x9qAnSC8orh6NoOQgZCsa0HZcZkBSyNL7ukYvFbf2roUh9bD3snklS6voVxiKmLzPWN Mef/00oswmMW9zqxvizzRSKBvGZAVoIj6WBkcFocCbyD5QgTRwyFYZ3tUWmjMa+Is6UIQs3Z WPDk1ErsAHciYtV9M3OM4RBc+sTmDdSxPFN2yfZVzhCaEcInrI75r6+q886u2mcIEBiMJaou WMbHpI8WopP07+A8yH25NGthjLXWWmRDzojsVT/YJwtLHwTKfidSeDVFctmc29pOh3OLyXZ9 +jfJZNR/PzJ2rnHohEmwX4RplJMHEbFNYYv94qMmj+6/4j6reawNAzXMyjU4YFSwxUL1/XEz 8GRnzpKM1L80CsXWWQummiZ5rEQD2Kwa5N
X-Talos-CUID: 9a23:W7j1/WPKo0JM1+5DRABjpUJFKJgZU2Tx0nn/ek7nCT1pcejA
X-Talos-MUID: 9a23:Sc8kRwZf0bJoaeBTjB+rxy0lEfhS5v6yN0USj65BvdO5Knkl
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-l-core-01.cisco.com ([173.37.255.138]) by alln-iport-1.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 12 Mar 2026 19:17:30 +0000
Received: from alln-opgw-3.cisco.com (alln-opgw-3.cisco.com [173.37.147.251]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by rcdn-l-core-01.cisco.com (Postfix) with ESMTPS id A227D180001E8 for <radext@ietf.org>; Thu, 12 Mar 2026 19:17:30 +0000 (GMT)
X-CSE-ConnectionGUID: 2pkDGWpnSh+O02WpNW/dOw==
X-CSE-MsgGUID: 7USDyEq9QkikvUhW0it/GQ==
Authentication-Results: alln-opgw-3.cisco.com; dkim=pass (signature verified) header.i=@cisco.com
X-IronPort-AV: E=Sophos;i="6.23,116,1770595200"; d="scan'208,217";a="46739533"
Received: from mail-bl2pr08cu00100.outbound.protection.outlook.com (HELO BL2PR08CU001.outbound.protection.outlook.com) ([40.93.4.8]) by alln-opgw-3.cisco.com with ESMTP/TLS/TLS_AES_256_GCM_SHA384; 12 Mar 2026 19:17:30 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=KNaSY7ks6YIhVS/a/TAw4YEg7vLAkEKQ7Nd/G78lHmaDSWX1OFiaiIDLXFK149bprqgUW6Crn7bKITG0q9pJa04VCHcWtd4aoGX9mwOO3clX1b0ZyG8sH5vRXyGh/XkfSpAYR6zZNJ0OQHJN2jh4uz5wHsX3dXV5F1fHF8ezV/Xao2S/I/vpn8cuJ7tyHh5nPE7S470LKX0uLYNo0lE9A8L8zPUae/7HC1uMC/s771zu3WjD+s09hSU6yRtGSSDk8sY44lpIRnHUI/rknlX111Ig+/birZzHsXqYwAZbBBDpertMbbo4MXlTs8dXvLmRq0scK2sgJTDjhtLUQvS3Fw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VEjURR/jx6zwRU7jc9ta8gjR8nDSmxbFHC9ag3W9x2o=; b=aqmSAy0+yFLRQN8Cmp+QNjZGaO6xFsRcRfbZBhvR7HUsnK1KMR5BSgftvL06GpMUqmVrtXxFCIjzmwXkJwPeEYvlC94zdiEiOEALn7vNb1Llrgg1B12WFhbN2r40T/sKCceB+nmanC/cong2JGKWTSP5W7/qtg94g55/3Ms7QTG80+dqYe8v4Pzxwo8iufH1NMh+yE3tlL0A6VXZOjxZSx0cQnEjRxPENA6pBP+kfKw7ENryBGjwKx6iR0u9HrOZOhIzoLZ+CRHEUHGS38G5PY0r2qRVsZ+q4ptTzX0vttmrHQks+nXZ4DlEuu9OtQhWZURk8FRFi96AtBH89ztGXg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from BYAPR11MB3768.namprd11.prod.outlook.com (2603:10b6:a03:fa::20) by SA2PR11MB5148.namprd11.prod.outlook.com (2603:10b6:806:11e::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9723.4; Thu, 12 Mar 2026 19:17:28 +0000
Received: from BYAPR11MB3768.namprd11.prod.outlook.com ([fe80::a807:12e:34ac:bdf9]) by BYAPR11MB3768.namprd11.prod.outlook.com ([fe80::a807:12e:34ac:bdf9%4]) with mapi id 15.20.9723.000; Thu, 12 Mar 2026 19:17:28 +0000
From: "Premanand Seralathan (pseralat)" <pseralat@cisco.com>
To: Alan DeKok <alan.dekok=40inkbridge.io@dmarc.ietf.org>
Thread-Topic: [radext] Review: draft-dekok-radext-review-radius-00 — Cipher Suite and EKU Considerations
Thread-Index: AQHcsjfr/Avx4iPkrku88U0AkgIUnbWrQyOAgAACGr0=
Date: Thu, 12 Mar 2026 19:17:28 +0000
Message-ID: <BYAPR11MB3768B34853FC1DB0C350CC07CC44A@BYAPR11MB3768.namprd11.prod.outlook.com>
References: <BYAPR11MB37685C028520F6EBC5E3568CCC44A@BYAPR11MB3768.namprd11.prod.outlook.com> <8CA5AE80-286F-4CAF-AFD4-2730B4F88AC4@inkbridge.io>
In-Reply-To: <8CA5AE80-286F-4CAF-AFD4-2730B4F88AC4@inkbridge.io>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BYAPR11MB3768:EE_|SA2PR11MB5148:EE_
x-ms-office365-filtering-correlation-id: 27f49c38-d089-4ec0-c7b3-08de806c0032
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|376014|1800799024|38070700021|13003099007|56012099003|22082099003|18002099003|7053199007|8096899003;
x-microsoft-antispam-message-info: Aoizq0cWzDqQVwGYGtsMJl1H7FH4zDbJEfje//mtycesRHEZTqlfbmdPYaEAGuWJBCTKi6viT8ciudyAgwEn28gN/RRUdKzL5nj4wutQTKDatYpUuA2GlXfoULmBQNDjy8lCruYmyZzhwpKNZnZ4uC6deyXSvuQZTYqwrnH09pWsnN1bbiHFmLQq/Qd+NQQYFfFIQWrQiEqokdJn9KuFJbaIpuV4rCSem6IdjB+HwvhTpc0NVvg0fxfX7WXJwfHrSOgPGNE54bHqUEyiZOseN8UwNvINAPZA/gu8OU1CobrTBOTQXfRjJ3R49QtK68p+h+ufVmirZn9OhwiubATkuAOyfJZ9yb6simaXCrL3dHciUtQe9+wOGuBT82zyldCGUJSifHMxR+1FvBYX1Dianmz/mB8EJ/5VS6k3c6OhguRXI2RzQQQOaR0a6gdSUxcau6EnEys8pG5WPPYxlUoqbruYDiXOFHK/QGInj0j2y4xA9TxNddkO37RQDMMcbX8mNnqe1HSVpuH/F78HgLAezNUC+jpaG6zUzFyAJQH7t0RGuD+IgxVG+uhFntPvTdZ2WYynGUatdsU7u1hihqOIkl7DiblItGW2nuZaLcxd0SRFyieAOUue8GkLZGDenwbO33NtnYzAjmori5g4RCBLas40uJa/yHEfUebhE1ZxZnOrAqLfCBeMQp6Vri1NczCbRE2NvlVTZlEHzTfA0rcI8qH7CwksulhXSGTqPjdqNwZRv5xCdQvOZub1SP9HBLL5
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BYAPR11MB3768.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024)(38070700021)(13003099007)(56012099003)(22082099003)(18002099003)(7053199007)(8096899003);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: qJENNruWgqO8enbySjUiYX3CWDYhZu9Pbo5PbTF0aOsag+7VuHdzmcXOCBHqfNMh+nbJJEYgFyLpU11HdhCI4XcSTcYY0tuf/Pfuq0VGIAp94aOnHKLa/M2Rtlg+k38rg8o3GOqsrc/ccUXHduDr23gzDtlRGliuq2mG19p3fcno8kZTS33qCLvTQ0zxlfHG/l0Sn0Zison8BUzaYc2414alqtKLgCVZRi/acySeU6VJ1JMxrDZLUolit6VPwEUzgY+ayy23Szrzbh+xDtmpWSylDpd6ddRFe6LiSZwv2cp8B5AQ+tF61ny10i09YSPv6JbwxO75HpQMMZuoKCYVNtEFTFYjJ6n9tmvDUS4calTS+0Sp88tbwjimgYI1Xw37UxTJOXa4+qicLTY4TsJr8uuQj6UJRf39NliHxswHvKUXV3+822L50Gve/fiiHIAK+psisojJSviIG8zajgT5+mYzYmYCW8Q5a8vWffDh0Kth0dqbRwv7q8rbSp6WKYcwC2o9k6EuAnmFi5BM87yPHTr/vJqJyn/Jh1JvDgIJSmG0AqGUnpsnj2y1hJOXhTzgx+O2yjIJxCMtU+99EPgF/LTwI5cPIVWFVTaMEhN3dZCAK2nJNYjXoj428DVfzXaXVO5m0/0Lo/iXfAU0wXvHtSm1SK4CED1I/ZYoj8UwUUSFHkjG2fNvQncsjPuv+/A8mc1bkDgXU0y1N6r3L6GSlCDQemNCj8px8QQVx+amlRidQlErYjV3mIfOkkiYVV8gJi5UDukwGXGnaX/ODemHLjEt+y+zi8dXJgFBx9GZ3hgxXKPZK/dtO0z0NOPV2eLkIURuq+a2vfo0bLVdWSYgIdJZCWD4+BSwZN7Q8JD0s7JM9JqSfOx1oECRN3quNOeL5nz1SdaOHYc0KXsC1+hnFHxq4Jluj1JrOsKQ/zooGhVPZweb/7DAizMTMIp9RK3mCezLlNqSE6PC3AFukMiD5e1ISdXpVzXgTUiFLsNKlG5fKwRtvHDz92p8Z2sNmhfKqap8+FjkILi/HhaFCk7HWXZR3/4drRK9B9cqqk1C7jV/5cbuyMRP7cGZqG81sGMnwQTFXKwZSEcYN8yXdEKIpdkVhgJ1dSthrJkmnFbg/ctBBGcYxFlfV6UzL2gRuJieurSxbg1/kUqZDs7wvWZBnNqfx2vfgLY6OYwmZcoTaitobTH+8HmQnd+y9M7vcOIToXyFmL4BDFQB51ofBEjbva80s7OFQjLu1G0U5+GfMY2amKYpJWVq+TOXH+3iO2IRaNX+5nstZ2IHbIon53QvK1l93JH5EVXvnBwlbLAIKVnZ9QCWIESRoIRpq6a65DmzrcwhOp0yLvVml6LmsE93+XjKfzTiX84ojM77OHzW4ZgiNQ6i6Ch72XWU9LcMNh0LcnshHY0h93yY0Jmsnu1lUCQi4J9DITXI9dNrMgObqt9p0MGQKq7qOgNcxDqT9HJiOREdLMmYnKdqXxpbeZU/WoPJQ0lzyNJxCOUy8s5b5eYwqvBeGntjmy6BttFaWt9zhrW54PRrn6vKrNncGvGNb46bQcs8i45t0q/AHP0tKOvpWoV1lrcbfd89YUk7WkHXbwFxirOobKbRw/Xqiha5i4E2qHH5Z2ENPy3QvX9krlCVqaEUHN17c58xqNa87IewrOEUU+prqigyDea0e2hiJTtYhn4MDA7Iq7roqCopEmk/we3tsvGBGGqSGVlEaSee1KeJVk3i7lQ5EtAZ6CesSu3VRnOnmhUMNf6ke2OQfIU=
Content-Type: multipart/alternative; boundary="_000_BYAPR11MB3768B34853FC1DB0C350CC07CC44ABYAPR11MB3768namp_"
MIME-Version: 1.0
X-Exchange-RoutingPolicyChecked: Qfkk11bEZAAEIRlt6RdzSNu6aeZ2kdihznKJX0HuRyAd2raUko339EMnmhSiCkd6xCDl9v0yv0CL5ZU+BD5SnpipB5yffkl8a1bsmDGhrs0+MgeRoveS83k4O7GUkgqm32h2N7rzGnyUOQG6bRRiIq74ibwOG6+XjKQl7i9JqsiykghwjwhlT/7dJfzEz10p+l9IfpGRd7pSS37xlfFj2BEkX0oTQUIBxibwSgWr6C3+xz3AZmC7+/nnBWyYx8DNkqkxtG0pMFQSg+bvo5x7Zu0RK2yR5+DS2gGQuaZtec5I3O1fJnrFxX3aLaehP3NDmxm0bACSJNyPhOdQkvxDyA==
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB3768.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 27f49c38-d089-4ec0-c7b3-08de806c0032
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2026 19:17:28.0812 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 82GeOah4K2kWmLqQRcK284X1XjPQ+XtcR/G8o6ZS3IhYzIjkUtOpMYOi10joVb6BUQP3671xksR9podcSiAzvA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA2PR11MB5148
X-Outbound-SMTP-Client: 173.37.147.251, alln-opgw-3.cisco.com
X-Outbound-Node: rcdn-l-core-01.cisco.com
Message-ID-Hash: KFOJVQCXJREZGFZCYUXENZVP2CSOZN4U
X-Message-ID-Hash: KFOJVQCXJREZGFZCYUXENZVP2CSOZN4U
X-MailFrom: pseralat@cisco.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "radext@ietf.org" <radext@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [radext] Re: Review: draft-dekok-radext-review-radius-00 — Cipher Suite and EKU Considerations
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/O4ng2NwhXD5XS51YeIu9KNOMaIw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Thank you, Alan, for the detailed response. The TLSbis document's approach to cipher suite requirements and certificate trust makes sense as the normative home for these recommendations. I agree that separating the review document's scope from the standards-track TLSbis avoids conflicting guidance. The point about private CAs reducing EKU risk is well taken — in practice, organizations that deploy dedicated private CAs for their RADIUS infrastructure do have much tighter control over certificate purpose. The concern is more acute in environments where a shared enterprise CA issues certificates for multiple services, but as you note, the TLSbis recommendation to start with an empty CA trust base and require explicit administrator configuration addresses this at the root. I'll review the TLSbis document and provide any additional feedback there if appropriate. Regards, Premanand Seralathan On 3/12/26, 12:10 PM, "Alan DeKok" <alan.dekok=40inkbridge.io@dmarc.ietf.org> wrote: On Mar 12, 2026, at 11:51 AM, Premanand Seralathan (pseralat) <pseralat=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>> wrote: > I've reviewed draft-dekok-radext-review-radius-00 and would like to raise two additional security considerations that I believe warrant discussion in this document. Thanks for the review. > 1. Cipher Suite Enforcement for RADIUS/TLS Deployments > Section 1.4 correctly notes that "simply using IPsec or TLS is not enough," but the discussion focuses on forward secrecy and proxy trust. The document does not address the risk of weak cipher suite negotiation in RADIUS/TLS deployments. > In large-scale enterprise NAC deployments, it is common to encounter legacy NAS devices (switches, wireless controllers) that still support or prefer weak TLS cipher suites — CBC-mode ciphers without AEAD, RSA key exchange without Perfect Forward Secrecy, or even export-grade ciphers. If the RADIUS server does not enforce a strict cipher suite policy, TLS negotiation may silently downgrade to a weaker cipher, undermining the security guarantees that the migration to RADIUS/TLS is intended to provide. Much of the discussion around RADIUS/TLS security and cipher suites is in the TLSbis document: https://datatracker.ietf.org/doc/html/draft-ietf-radext-radiusdtls-bis-15#name-dtls-requirements i.e. we don't want this draft to conflict with the normative / standards-track document which specifies RADIUS/TLS. > I would suggest that Section 1.4 (or a new subsection) include a recommendation that RADIUS/TLS implementations SHOULD enforce minimum cipher suite requirements — specifically preferring AEAD ciphers (AES-GCM, ChaCha20-Poly1305) and key exchange methods providing forward secrecy (ECDHE). This aligns with the recommendations in RFC 9325 (formerly BCP 195). I think it's better to just have this document point to the TLSbis document. I'll do some updates. > >From practical experience implementing FIPS 140-2/140-3 compliance and TLS hardening in a production NAC platform, the transition from MD5-based RADIUS/UDP to RADIUS/TLS only achieves its security objectives when cipher suite selection is also controlled. Agreed. > 2. Extended Key Usage (EKU) Validation for RADIUS/TLS Client Certificates > The document references certificate validation issues in Section 1.3, noting that implementations have "historically often skipped certificate validation." However, it does not discuss the specific risk of missing or unenforced Extended Key Usage (EKU) constraints on RADIUS client certificates. I think this text is again best dealt with in the TLSbis document. > When RADIUS/TLS is used, the RADIUS client (NAS) authenticates to the server using a TLS client certificate. If the server does not enforce the presence of the id-kp-clientAuth EKU in the client certificate, then any certificate issued by a trusted CA — including certificates intended for web servers (id-kp-serverAuth), email signing, or other purposes — could potentially be used to impersonate a legitimate RADIUS client. There are a whole bunch of issues related to EKU usage and validation. But the most important one is to not use public CAs. The TLSbis document discusses this: https://datatracker.ietf.org/doc/html/draft-ietf-radext-radiusdtls-bis-15#name-authentication-using-x509-c ... RadSec endpoints SHOULD NOT be pre-configured with a set of trusted CAs by the vendor or manufacturer that are enabled by default. Instead, the endpoints SHOULD start off with an empty CA set as the trust base. The addition of a CA SHOULD be done only when manually configured by the administrator. This does not preclude vendors or manufacturers including their set of trusted CAs in their products, but the enabling of those lists should require an explicit act by an administrator. ... There main reason for that requirement is that the public CAs are used to trust _servers_. i.e. I want to know that I'm accessing the right "google.com <http://google.com/>". But the clients are (pretty much) entirely unauthenticated. The RADIUS trust model is different. Both parties have to trust each other. There are vanishingly few reasons for a RADIUS server to trust random client certificates. In general, it's best for organizations to use a private CA. That way they can control the issuance of client and server certificates. They can also control the EKUs in the certs. If both parties are using a private CA, then the issue of EKUs becomes much less relevant. > This risk is amplified in enterprise environments where a single CA infrastructure issues certificates for multiple purposes. Without strict EKU enforcement, the security boundary between RADIUS client authentication and other certificate uses is effectively absent. > I would suggest that the document include a recommendation that RADIUS/TLS server implementations SHOULD validate the EKU of client certificates and reject connections from certificates lacking the appropriate EKU for client authentication. Text about EKUs should be in the TLSbis document. I'll update the "review" document to minimize any possible conflict between the two documents. Alan DeKok.
- [radext] Review: draft-dekok-radext-review-radius… Premanand Seralathan (pseralat)
- [radext] Re: Review: draft-dekok-radext-review-ra… Alan DeKok
- [radext] Re: Review: draft-dekok-radext-review-ra… Premanand Seralathan (pseralat)