Re: [radext] Fwd: New Version Notification for draft-dekok-radext-deprecating-radius-02.txt

Margaret Cullen <> Wed, 26 July 2023 15:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6DB0FC16B5B0 for <>; Wed, 26 Jul 2023 08:27:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.962
X-Spam-Status: No, score=-5.962 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fBWOqBi_JBjV for <>; Wed, 26 Jul 2023 08:27:55 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id DECA0C16953F for <>; Wed, 26 Jul 2023 08:27:55 -0700 (PDT)
Received: by with SMTP id d9443c01a7336-1b89d47ffb6so36738005ad.2 for <>; Wed, 26 Jul 2023 08:27:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20221208; t=1690385274; x=1690990074; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=ARvayiiCiVNjE9FQBhq5UPhMPfq0PVIQHygcHCOAMV0=; b=saRPAGXBIZJLsR06PUUF2CnRusIqKf0W5Bp9bzaKdJwV9EJsfI8CyVYkDcS7MIpfrH ETMm+f5B840ukt4J2RT8TsCom/OmrZurtlBb8ht437PVH4gR2em+OjmijqpiVz87CXWZ 0XJorg0uf1j9EJsh+9VEOD/szWEe8uhLpa4CjBNdsX9zuB5PYKfxL881cvCILRwHKWxm UDfPz2m4ehWGXVmtdotw9rY5/j9AnaX5eYeeq3qnP9nRxLEz+/bjbqVSJRGZOwpD2NvJ +eSf5kmzePa+J8rnsPl4vsUyaauC/lyPIv1JjPPf+PoVarwSwhF5xGVxRcWdpVH+a8fT H4qA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20221208; t=1690385274; x=1690990074; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ARvayiiCiVNjE9FQBhq5UPhMPfq0PVIQHygcHCOAMV0=; b=VdwMyRCSBnDNQfk9LmIagnD8Gyd52f2gYb8xOQM5iPXgam/pgjLgIX5G2SoQVNNPSp 0iPQ5k74BA3Rb8cuT5tFYmSlDLLgY2BmPSmc4HoPBwthp4q2M9w0Wk2NCBsa0Cv4VKDs tCAMBLHE0ELdcBsEy2wpVm3pYETve7wSlBfOJ7OOR4zKi49UoqSQaLbFgkljXFx2WCaE ixV7Mux1NXPTVUDwE5AfJTuPeAWSbD/Bj+u1T9Ynz0TfXj95MpM7KdZjlVhQQM9RUDfY ta5IRjYGqJHeBDAxUI7DAN+5jU3jek40IcPUMoxFK9zX6OddXu/JpfGnI9MEml8eEoPv 5uIA==
X-Gm-Message-State: ABy/qLbTeukC/lu1WTB4k/a35PQ6miaoNyIfNIon4w/YZas/9XHQ+3nZ xuuDtkfa96fouOLK+T3qvd0fGeeE9FI=
X-Google-Smtp-Source: APBJJlH6SldUISL3z6Yv+/w7n66eeL5CEU++nVXdxCpn6fQ+lYE/vc6KKkRJJLGoSx9jSPE39PLnWA==
X-Received: by 2002:a17:903:2441:b0:1b9:e9b2:124b with SMTP id l1-20020a170903244100b001b9e9b2124bmr2103595pls.64.1690385274047; Wed, 26 Jul 2023 08:27:54 -0700 (PDT)
Received: from ([2607:fb90:9fad:d123:9c20:7f4a:e146:be84]) by with ESMTPSA id io19-20020a17090312d300b001b8ad8382a4sm3339156plb.216.2023. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 26 Jul 2023 08:27:53 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-C1C7B96E-62ED-4CBE-AB63-31E1CC4F17CD"
Content-Transfer-Encoding: 7bit
From: Margaret Cullen <>
Mime-Version: 1.0 (1.0)
Date: Wed, 26 Jul 2023 08:27:42 -0700
Message-Id: <>
References: <>
In-Reply-To: <>
To: Alan DeKok <>
X-Mailer: iPhone Mail (20F75)
Archived-At: <>
Subject: Re: [radext] Fwd: New Version Notification for draft-dekok-radext-deprecating-radius-02.txt
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Jul 2023 15:27:56 -0000

Thank you for incorporating my feedback. 

IMO, the document now offers a more complete/balanced view of the security of current deployments, while still making it clear why RADIUS/UDP and RADIUS/TCP should not continue to be used over insecure networks. 


On Jul 25, 2023, at 5:38 PM, Alan DeKok <> wrote:

  I've added substantial text on how to make existing uses of RADIUS more secure.  e.g. use EAP when proxying outside of your local network.

  Thanks to Margaret and the WG for making concrete suggestions at the meeting in SF.

Begin forwarded message:

Subject: New Version Notification for draft-dekok-radext-deprecating-radius-02.txt
Date: July 25, 2023 at 5:27:20 PM PDT
To: "Alan DeKok" <>

A new version of I-D, draft-dekok-radext-deprecating-radius-02.txt
has been successfully submitted by Alan DeKok and posted to the
IETF repository.

Name: draft-dekok-radext-deprecating-radius
Revision: 02
Title: Deprecating RADIUS/UDP and RADIUS/TCP
Document date: 2023-07-25
Group: Individual Submission
Pages: 24
URL:  " class="" rel="nofollow">
Status:" class="" rel="nofollow">
Html: " class="" rel="nofollow">
Htmlized:" class="" rel="nofollow">
Diff: " class="" rel="nofollow">

  RADIUS crypto-agility was first mandated as future work by RFC 6421.
  The outcome of that work was the publication of RADIUS over TLS (RFC
  6614) and RADIUS over DTLS (RFC 7360) as experimental documents.
  Those transport protocols have been in wide-spread use for many years
  in a wide range of networks.  They have proven their utility as
  replacements for the previous UDP (RFC 2865) and TCP (RFC 6613)
  transports.  With that knowledge, the continued use of insecure
  transports for RADIUS has serious and negative implications for
  privacy and security.

  This document formally deprecates the use of the User Datagram
  Protocol (UDP) and of the Transmission Control Protocol (TCP) as
  transport protocols for RADIUS.  These transports are permitted
  inside of secure networks, but their use even in that environment is
  strongly discouraged.  For all other environments, the use of secure
  transports such as IPsec or TLS is mandated.

The IETF Secretariat

radext mailing list