[radext] Re: Éric Vyncke's Discuss on draft-ietf-radext-radiusdtls-bis-15: (with DISCUSS and COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Wed, 04 March 2026 09:33 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Jan-Frederik Rieckers <rieckers@dfn.de>, The IESG <iesg@ietf.org>
Date: Wed, 04 Mar 2026 09:32:54 +0000
CC: "draft-ietf-radext-radiusdtls-bis@ietf.org" <draft-ietf-radext-radiusdtls-bis@ietf.org>, "radext@ietf.org" <radext@ietf.org>
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/uNcPylIgajNFC9oZiIe3CaEGxOs>

Hello Janfred,

Thanks for your message.

I am currently on PTO, so I may not be able to review a -16 with the fixes before the telechat, but it seems that we are converging on a solution.

For the first point, I now understand what you mean, but as the current text is really not clear, please rephrase it (e.g., by including "without any non-protected negotiations such as done by SMTP STARTTLS").

Regards

-éric

On 02/03/2026, 17:44, "Jan-Frederik Rieckers" <rieckers@dfn.de> wrote:

Hi Éric,

thanks from me too for your review.

Comments inline.

Cheers,
Janfred


On 2/26/26 14:30, Éric Vyncke via Datatracker wrote:
> ### Section 3.2
>
> `RadSec clients MUST establish a (D)TLS session immediately upon connecting to
> a new server.` why "immediately" ? Does it mean that they should first try with
> plain RADIUS ? The subsequent paragraphs give some hints, but a PS must be
> crystal clear.

The idea here is that there should be nothing else than TLS/DTLS, so no
STARTTLS-like behavior, no signalling of capabilities, ...
I'm unsure how to describe this other than how we put it there.

> ### Section 3.12
>
> What is `server IP` ? Please avoid readers guessing that it is "server IP
> address", especially in a PS. Also occurring in other places.

I'm so sorry, usually I'm the one nitpicking on others when they say
"IP" but mean "IP address".
I've found some other occurrences and fixed it there too, hopefully I
caught all of them.


> ## COMMENTS (non-blocking)
>
> ### Section 3
>
> s/Client implementations *SHOULD implement both, but* MUST implement at least
> one of RADIUS/TLS or RADIUS/DTLS./Client implementations MUST implement at
> least one of RADIUS/TLS or RADIUS/DTLS./ Clearer and avoiding a SHOULD.

The suggestion removes the recommendation that clients should implement
both.
Maybe it would be clearer to read to say:

Client implementations MUST implement at least one of RADIUS/TLS or
RADIUS/DTLS, and SHOULD implement both.


> ### Section 3.1
>
> The legend of table 1 is rather useless ;-) also use it in the text.

I've fixed this and added a title to the table as well as a reference in
the text.

> ### Section 3.3.1 (and others)
>
> A lot of "SHOULD" without any guidance... Why not "MUST" ? See also
> https://datatracker.ietf.org/doc/statement-iesg-statement-on-clarifying-the-use-of-bcp-14-key-words/

I'll look over each SHOULD and see if a reasoning can be added.

>
> What is a source IP address as opposed to "IP address" in `For clients
> configured by their source IP address` ? Please remove "source".

What we mean is "The IP address the client connects from" as opposed to
"the IP address on the current host the client connects to". It should
be clear from context what we mean if we remove "source" and only write
"configured by their IP address".


> ### Section 3.5
>
> Again a "SHOULD" without guidance to the implementers in `RadSec clients and
> servers SHOULD implement session resumption.` ....

In this case specifically, the context is given before. (reduced effort
for new connections when the connection closed when idle).

Personally, I find it hard not to over-explain (and have a too long
document) but still giving enough context for people who haven't been
deploying this protocol for years/decades.

> ### Section 6.4
>
> Unsure whether this section is required. Nice experience return by early
> implementers probably, but unsure whether it belongs to a PS.

This is not just deployment experience, but has also implications.
Especially the possibility of network delay changes the meaning of
attributes.
Acct-Delay-Time was updated on each retransmission in RADIUS/UDP, so any
network delay (due to packet loss and retransmission) was visible with
an increase of Acct-Delay-Time.
With RADIUS/TLS based on TCP, this has now been removed, and we felt it
was important to note this.

>
> ### Section 6.5.1
>
> s/IP address version (IPv4 or IPv6)/IP *protocol* version (IPv4 or IPv6)/

fixed.

> ### Section 9
>
> Please add a URI to the registry, e.g.,
> https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
>
> Also, it seems that the format of the bullet list is broken (at least on my
> browser).

Both fixed.

--
Herr Jan-Frederik Rieckers
Security, Trust & Identity Services

Email: rieckers@dfn.de | Phone: +49 30884299-339 | Fax: +49 30884299-370
Pronouns: he/him
__________________________________________________________________________________

DFN - Deutsches Forschungsnetz | German National Research and Education
Network
Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1 | 10178 Berlin
https://www.dfn.de

Executive Board: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser |
Christian Zens
Management: Dr. Christian Grimm | Alina Hain
VR AG Charlottenburg 7729B | VAT ID DE 136623822
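
The Section 3.2 point discussed above (nothing but TLS on the connection, no STARTTLS-like negotiation or capability signalling) can be checked on a server by looking at the first bytes a peer sends. This is an added example, not part of the original messages or of the draft; the function names, the set of RADIUS codes checked and the sample byte strings are assumptions constructed for illustration, and it covers RADIUS/TLS over TCP only, not DTLS.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
# Request codes a RADIUS client could send first (assumed set for this example):
# Access-Request, Accounting-Request, Status-Server, Disconnect-Request, CoA-Request
RADIUS_CODES = {1, 4, 12, 40, 43}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes received on a RADIUS/TLS (TCP) listener."""
    if len(data) < 6:
        return "incomplete"          # need the 5-byte record header + 1 byte
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if (rec_type == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < rec_len <= 16384):
        if data[5] == TLS_CLIENT_HELLO:
            return "tls-client-hello"
        return "tls-other-handshake"
    # Plain RADIUS header: code(1) identifier(1) length(2), length 20..4096
    code, _ident, length = struct.unpack("!BBH", data[:4])
    if code in RADIUS_CODES and 20 <= length <= 4096:
        return "plain-radius"
    # Printable ASCII (plus CR/LF) suggests a text command such as STARTTLS
    if all(32 <= b < 127 or b in (10, 13) for b in data):
        return "cleartext-negotiation"
    return "unknown"


def accept_connection(data: bytes) -> bool:
    """Only a TLS ClientHello is acceptable as the first thing on the wire."""
    return classify_first_bytes(data) == "tls-client-hello"


# Constructed samples (not captured traffic)
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"
SAMPLE_PLAIN_RADIUS = b"\x01\x2a\x00\x14" + bytes(16)   # Access-Request header
SAMPLE_STARTTLS = b"STARTTLS\r\n"

if __name__ == "__main__":
    for name, sample in [("client hello", SAMPLE_CLIENT_HELLO),
                         ("plain RADIUS", SAMPLE_PLAIN_RADIUS),
                         ("STARTTLS text", SAMPLE_STARTTLS)]:
        print(f"{name}: {classify_first_bytes(sample)} "
              f"accept={accept_connection(sample)}")
```

A listener would log and close anything that is not classified as a ClientHello before handing the socket to the TLS stack.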