**Session Date/Time:** 28 Mar 2023 08:00

# radext

## Summary

The radext working group held its first meeting, focusing on reviewing the charter, milestones, and various draft documents. Key topics included reverse CoA, ALPN negotiation for TLS/DTLS, TLS profiles, deprecating insecure RADIUS, Status-Realm and loop detection, extending the RADIUS ID, and an overview of Bluetooth roaming with RADIUS. Several documents are being considered for working group adoption, contingent on review and feedback from the community. The group stressed the need for participants to read the drafts and provide input on the mailing list.

## Key Discussion Points

* **Charter and Milestones:** Reviewed and clarified the scope of the working group and its objectives for the near future.
* **Reverse CoA:** Discussed the use case of sending CoA packets down a TLS tunnel when NAT prevents direct communication, especially for roaming federations. Mark aWell cautioned against assuming that the realm is always used as the operator ID, referencing the OpenRoaming W namespace (tag 4) in attribute 126.
* **ALPN Negotiation:** Explored a mechanism for RADIUS over TLS/DTLS that removes the dependence on MD5, using a 32-bit request/reply token and flags to indicate secure transport. Jan D suggested a strict transport security flag for privacy concerns. Ken noted that user passwords are not always UTF-8, which could cause problems if they are treated as text, and recommended transporting them as binary instead.
* **TLS Profiles:** Discussed the need for guidance on using TLS with RADIUS (TLS-PSK) and on updating the existing RFCs (6614, 7360). Jan-Fred emphasized that PSK is one use case: operators currently on UDP want to move to a mechanism they already know by reusing PSKs. Alan suggested merging the DTLS draft into the TLS draft. Concerns were raised about potential conflicts between the TLS versions mandated in different documents (TLS-PSK vs. RFC 6614). Alan brought up session resumption.
* **Deprecating Insecure RADIUS:** Highlighted the security risks of sending UDP packets over the internet protected only by weak shared secrets, and proposed transitioning to TLS or IPsec.
* **Status-Realm/Loop Detection:** Presented a document addressing loop detection and prevention in multi-hop RADIUS networks. Adding a timestamp to Status-Realm responses was discussed, with some arguing for its usefulness.
* **Extending RADIUS ID:** Examined the limitations of the 8-bit RADIUS Identifier and explored options for extending it, including the difficulty of negotiating an extension and the potential benefit of relying on TLS/ALPN for a larger ID space.

## Decisions and Action Items

* **Call for Adoption:** A call for adoption will be made on the mailing list for the reverse CoA draft, the ALPN draft, the TLS documents, and the Status-Realm draft.
* **Reverse CoA Draft:** Incorporate Mark aWell's comments regarding operator ID and roaming federations.
* **ALPN Draft:** Consider adding a strict transport security flag. The text type for the User-Password attribute needs to be more specific, including what to do when the format is incorrect.
* **TLS Draft:** Alan will merge the DTLS draft into the TLS draft. Resolve potential conflicts between the TLS versions mandated in different documents (TLS-PSK vs. RFC 6614) on the mailing list. Alan to add security considerations text for session resumption.
* **Status-Realm Draft:** Investigate adding a timestamp to Status-Realm responses and which data type to use.
* **Extending RADIUS ID:** Consider dropping this and moving to TLS/ALPN.
* **IANA Packet Type Code:** Clarify with the IESG the process for requesting a packet type code for Status-Realm.

## Next Steps

* Participants should review the draft documents discussed and provide feedback on the mailing list within the next two weeks.
* The working group chairs will initiate calls for adoption on the mailing list for the discussed drafts.
* The working group will continue to work towards the milestones outlined in the charter.
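As an added illustration of the MD5 dependence of classic RADIUS that the TLS/DTLS negotiation work discussed above aims to remove (example code written for these notes, not taken from any draft): the Response Authenticator of RFC 2865 is `MD5(Code + ID + Length + RequestAuth + Attributes + Secret)`, so every response check rests on MD5 and on the strength of the shared secret. The secret and Request Authenticator below are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the example (not from the meeting or any draft).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))   # 16-byte Request Authenticator from the Access-Request
ACCESS_ACCEPT = 2                 # RADIUS Code for Access-Accept (RFC 2865)

def encode_attrs(attrs):
    """Encode a list of (type, value) pairs as RADIUS TLV attributes."""
    out = b""
    for typ, value in attrs:
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out

def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    body = encode_attrs(attrs)
    length = 20 + len(body)                      # Length covers the whole packet
    header = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator and compare in constant time.
    A Length that does not match the packet size is rejected outright
    (stricter than the RFC 2865 padding rule, but safe for this check)."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    # Filter-Id (attribute 11) carrying a constructed value.
    pkt = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, [(11, b"staff")], SECRET)
    print("valid:", verify_response(pkt, REQUEST_AUTH, SECRET))
    print("wrong secret:", verify_response(pkt, REQUEST_AUTH, b"wrong"))
```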