[radext] Re: IPR confirmation for draft-ietf-radext-radiusdtls-bis

Heikki Vatiainen <hvn@radiatorsoftware.com> Mon, 16 February 2026 17:57 UTC

From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Mon, 16 Feb 2026 19:56:47 +0200
To: Valery Smyslov <valery@smyslov.net>
CC: radext@ietf.org, draft-ietf-radext-radiusdtls-bis@ietf.org, radext-chairs@ietf.org
Subject: [radext] Re: IPR confirmation for draft-ietf-radext-radiusdtls-bis
Message-ID: <CAA7Lko-hG9zM4Wf_ioUL+soOAzV1iOYxcjf_04Wy1oMjafO+gA@mail.gmail.com>
In-Reply-To: <016601dc8baa$ebbdd4e0$c3397ea0$@smyslov.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/vrv7ldSDMCxUg7yBSnaFYOhKuaY>

On Thu, 22 Jan 2026 at 19:48, Valery Smyslov <valery@smyslov.net> wrote:
> As a shepherd I also have a question to the broader RADIUS community:
> are you aware of any existing implementations that follow recommendations
> from this document?
>

We have two different implementations, one using OpenSSL for TLS and the
other using Rust's rustls. DTLS 1.3 is not available in either, but
OpenSSL does support DTLS 1.2 and hopefully soon 1.3. At the moment we
don't support DTLS even with the OpenSSL-backed implementation.

TLS session resumption is a bit of a question. RadSec connections tend to
be long-running, as opposed to connections with TLS-based EAP methods, for
example. Especially its usefulness with TLS-PSK is unclear. The TLS
libraries implement resumption, so it's there when it's needed. It could be
helpful when there's a surge of certificate-authenticated connections, so
this is subject to being revisited.

Because the draft allows a lot of TLS features, we plan to have some
restrictions, for example not supporting TLS re-negotiation even for
certificate re-assessment. The draft at the moment allows, as an extreme
example, DTLS 1.2 with PSK where the client initiates re-negotiation. It may be
used for rekeying, but a new connection is simpler.

In short: RadSec with TLS and certificates, followed by TLS and PSKs, looks
like the main use. DTLS is being watched. DTLS 1.3 is a bit new.

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com
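The restrictions discussed in the message above (no client-initiated renegotiation, resumption off unless an operator decides it is worth it, TLS 1.2 or newer only) can be expressed in a single TLS server context. The following is an added example written for this archive page; it is not code from the author, from Radiator, or from the draft. It uses Python's standard `ssl` module on top of OpenSSL, so it covers the TLS (not DTLS) listener case only. The `certfile`/`keyfile` parameters are hypothetical paths; when they are omitted, the context is built without a certificate so that its settings can be audited offline.

```python
import ssl


def build_radsec_server_context(certfile=None, keyfile=None,
                                allow_resumption=False):
    """Build a TLS server context for a RadSec listener that refuses the
    optional TLS features the message above says an implementation may
    decline: renegotiation, and (by default) session resumption.

    certfile/keyfile are hypothetical paths used only if given, so the
    function also works offline for inspection of the resulting settings.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    # TLS 1.2 is the floor; TLS 1.3 is negotiated when both sides support it.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    # Refuse client-initiated renegotiation (TLS <= 1.2). A peer that wants
    # fresh keys or a new certificate assessment opens a new connection,
    # which is the simpler path the message recommends. The option is only
    # present on builds with a recent enough OpenSSL, hence the getattr.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)

    if not allow_resumption:
        # No session tickets: OP_NO_TICKET covers TLS 1.2 tickets, and
        # num_tickets = 0 stops TLS 1.3 NewSessionTicket messages. Flip
        # allow_resumption on if a surge of certificate-authenticated
        # connections ever makes resumption worthwhile.
        ctx.options |= ssl.OP_NO_TICKET
        ctx.num_tickets = 0

    # Certificate-authenticated RadSec peers: require and verify a client
    # certificate. A PSK-only listener would be configured differently.
    ctx.verify_mode = ssl.CERT_REQUIRED

    if certfile:
        ctx.load_cert_chain(certfile, keyfile)

    return ctx


def audit_context(ctx):
    """Return the settings a reviewer would check on a RadSec listener."""
    no_reneg = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return {
        "min_version": ctx.minimum_version.name,
        "renegotiation_disabled": bool(no_reneg) and bool(ctx.options & no_reneg),
        "tickets_disabled": bool(ctx.options & ssl.OP_NO_TICKET),
        "num_tickets": ctx.num_tickets,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def renegotiation_option_available():
    """True when this Python/OpenSSL build exposes OP_NO_RENEGOTIATION."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


if __name__ == "__main__":
    for flag in (False, True):
        print("allow_resumption =", flag,
              audit_context(build_radsec_server_context(allow_resumption=flag)))
```

Wrap the accepting socket with `ctx.wrap_socket(sock, server_side=True)` as usual; the audit function is there so the effective settings can be asserted in a deployment test rather than assumed from the configuration file.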