Session Date/Time: 19 Mar 2026 08:30
RADEXT
Summary
The RADEXT working group met at IETF 125 to discuss the progress of the RADIUS/(D)TLS-bis (RadSec) specification through the IESG review process, the deprecation of insecure RADIUS practices, and several new initiatives awaiting a formal rechartering of the group. Key topics included addressing IESG "Discuss" comments on RadSec, technical strategies for rate-limiting unauthenticated RADIUS traffic, and the security implications of legacy authentication methods like CHAP and MS-CHAP in modern networks.
Key Discussion Points
RADIUS/(D)TLS-bis (RadSec) Status
Presenter: Jan-Frederik Rieckers Slides: Update on RADIUS/(D)TLS-bis (RadSec)
- Status: The draft is currently in IESG review with three active "Discuss" positions.
- Technical Changes:
- ALPN text added for compatibility with RADIUS 1.1.
- Reassessing connection validity upon trust base changes is now a MUST.
- Terminology updated from "IPs/Ports" to "IP addresses/port numbers."
- IESG Discuss Issues:
- Éric Vyncke: Requested clarification on "immediate" TLS establishment (i.e., no STARTTLS-style negotiation).
- Mike Bishop: Discussed 5-tuple vs. Connection ID (CID) for DTLS tracking. The group noted that if 5-tuple is used, specific security checks must be mandated to prevent migration outside allowed IP ranges.
- Gorry Fairhurst: Raised concerns regarding accounting delay time and Path MTU (PMTU) discovery.
- PMTU Discussion: Margaret Cullen suggested moving the PMTU discussion to the Proxy BCP document, as the issue is general to RADIUS over UDP and not specific to RadSec. Christian Giesee agreed that RadSec does not worsen the existing MTU issues beyond DTLS overhead.
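As an added illustration of the 5-tuple versus Connection ID tracking point raised under Mike Bishop's Discuss, the following table keeps DTLS associations by both identifiers and, whenever a record arrives from a new source address, follows the association only if that address lies inside the ranges configured for the peer. This is example code written for these notes, not code from any RADIUS implementation, and the exact rule the -bis draft adopts is not recorded in the minutes; the peer names, CIDR ranges and tuples are constructed, and the 5-tuple layout (source IP, source port, destination IP, destination port, protocol) is an assumption of the example.

```python
"""DTLS association tracking by 5-tuple or by Connection ID (CID), with a
check that a source-address change stays inside the peer's allowed ranges.
Added illustration; not code from any RADIUS/DTLS implementation."""
import ipaddress


class AssociationTable:
    def __init__(self, peers):
        # peers: {peer_name: [CIDR strings the peer may send from]}
        # (constructed configuration, equivalent to a "clients" file)
        self.peers = {name: [ipaddress.ip_network(c) for c in nets]
                      for name, nets in peers.items()}
        self.by_tuple = {}  # 5-tuple -> (peer_name, cid)
        self.by_cid = {}    # cid -> (peer_name, 5-tuple)

    def _allowed(self, peer, src_ip):
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.peers[peer])

    def _peer_for(self, src_ip):
        for name in self.peers:
            if self._allowed(name, src_ip):
                return name
        return None

    def open(self, five_tuple, cid=None):
        """Record an association after a completed handshake.
        five_tuple = (src_ip, src_port, dst_ip, dst_port, proto).
        Returns the peer name, or None if the source is not a known peer."""
        peer = self._peer_for(five_tuple[0])
        if peer is None:
            return None
        self.by_tuple[five_tuple] = (peer, cid)
        if cid is not None:
            self.by_cid[cid] = (peer, five_tuple)
        return peer

    def lookup(self, five_tuple, cid=None):
        """Classify an incoming record as (verdict, peer) where verdict is
        'existing', 'migrated', 'rejected' or 'unknown'."""
        if cid is not None and cid in self.by_cid:
            peer, old_tuple = self.by_cid[cid]
            if old_tuple == five_tuple:
                return "existing", peer
            # Address change on a CID-tracked association: follow it only if
            # the new source is inside this peer's configured ranges.
            if not self._allowed(peer, five_tuple[0]):
                return "rejected", peer
            del self.by_tuple[old_tuple]
            self.by_tuple[five_tuple] = (peer, cid)
            self.by_cid[cid] = (peer, five_tuple)
            return "migrated", peer
        # Pure 5-tuple tracking: an unseen tuple is simply a new connection
        # that has to complete a handshake; nothing migrates silently.
        if five_tuple in self.by_tuple:
            return "existing", self.by_tuple[five_tuple][0]
        return "unknown", None


if __name__ == "__main__":
    table = AssociationTable({"nas-1": ["10.0.0.0/24"],
                              "proxy-2": ["198.51.100.0/24"]})
    home = ("10.0.0.5", 50000, "192.0.2.1", 2083, "udp")
    print(table.open(home, cid=b"\x01"))
    print(table.lookup(("10.0.0.9", 40000, "192.0.2.1", 2083, "udp"), cid=b"\x01"))
    print(table.lookup(("203.0.113.7", 40000, "192.0.2.1", 2083, "udp"), cid=b"\x01"))
```

Without a CID, a source-address change can only ever look like an unknown connection, so the peer re-handshakes; with a CID, the association can follow the peer, which is exactly why the allowed-range check has to sit on the migration path.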
Deprecating Insecure Practices in RADIUS
Presenter: Alan DeKok Draft: draft-ietf-radext-deprecating-radius Slides: Deprecating Insecure Practices
- Document Split: The draft has been split; the security rationale is now in a separate review document, and operational best practices are moved to a Proxy BCP draft.
- Rate Limiting: New text added regarding rate limiting to prevent DoS attacks.
- Discussion: Margaret Cullen supported the inclusion of rate limiting, noting that eduroam experiences high traffic spikes from misbehaving supplicants when an Identity Provider (IdP) is offline. Alan DeKok noted that while IEEE 802.1X suggests limits, they are rarely enforced in practice. Christian Giesee emphasized that limiting outstanding requests is often more effective than simple packets-per-second (PPS) limits.
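To make the packets-per-second versus outstanding-requests distinction from the discussion concrete, here is an added simulation (written for these notes, not code from FreeRADIUS, radsecproxy or any other implementation) that runs both limiter styles over constructed traffic: one NAS fronting a supplicant that retries at 50 requests per second, one NAS at 5 per second, and a home server that is offline for the first five seconds and answers promptly afterwards. The rates, limits and outage length are assumptions chosen to show the behaviour, not measurements.

```python
"""Packets-per-second limit versus outstanding-request limit at a RADIUS
proxy, compared on constructed traffic.  Added illustration only; not code
from any RADIUS implementation."""
from collections import defaultdict


class PpsLimiter:
    """Fixed one-second window: at most max_pps requests per client per second."""

    def __init__(self, max_pps):
        self.max_pps = max_pps
        self.seen = defaultdict(int)  # (client, second) -> requests accepted

    def allow(self, client, now):
        key = (client, int(now))
        if self.seen[key] >= self.max_pps:
            return False
        self.seen[key] += 1
        return True

    def complete(self, client):
        pass  # replies do not influence a pure PPS limiter


class OutstandingLimiter:
    """At most max_outstanding requests per client awaiting an upstream reply.
    A reply frees a slot, so the bound follows upstream health, not send rate."""

    def __init__(self, max_outstanding):
        self.max_outstanding = max_outstanding
        self.pending = defaultdict(int)  # client -> requests without a reply

    def allow(self, client, now):
        if self.pending[client] >= self.max_outstanding:
            return False
        self.pending[client] += 1
        return True

    def complete(self, client):
        if self.pending[client] > 0:
            self.pending[client] -= 1


# Constructed load in requests per second.  "nas-a" fronts a supplicant that
# retries aggressively; "nas-b" behaves normally.
CLIENTS = {"nas-a": 50, "nas-b": 5}


def simulate(limiter, seconds=10, idp_down_until=5):
    """Run the limiter over the constructed load.  The home server is offline
    for the first idp_down_until seconds (forwarded requests get no reply);
    once up it answers everything still pending and then every new request
    within the same second.  Returns, per client, how many requests were
    forwarded upstream while the home server was down and while it was up."""
    forwarded = {c: {"while_down": 0, "while_up": 0} for c in CLIENTS}
    unanswered = defaultdict(int)
    for t in range(seconds):
        up = t >= idp_down_until
        if up:
            for client, n in unanswered.items():
                for _ in range(n):
                    limiter.complete(client)
            unanswered.clear()
        for client, rate in CLIENTS.items():
            for i in range(rate):
                if not limiter.allow(client, t + i / rate):
                    continue  # dropped at the proxy
                if up:
                    forwarded[client]["while_up"] += 1
                    limiter.complete(client)
                else:
                    forwarded[client]["while_down"] += 1
                    unanswered[client] += 1
    return forwarded


if __name__ == "__main__":
    for name, limiter in (("pps<=20", PpsLimiter(20)),
                          ("outstanding<=10", OutstandingLimiter(10))):
        print(name, simulate(limiter))
```

With a 20 pps cap the proxy still forwards 100 retries from nas-a to a home server that cannot answer them, and keeps throttling nas-a to 20 per second after the server is back. With a cap of 10 outstanding requests it forwards 10 and then nothing until replies resume, after which every request goes through. The outstanding-request limit also holds back nas-b during the outage, which is the intended effect: those requests would not have been answered either.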
Review of RADIUS Security
Presenter: Alan DeKok Slides: Review of RADIUS Security
- Authentication Analysis: Alan DeKok provided an analysis of CHAP and MS-CHAP, arguing they should be considered equivalent to cleartext. Due to the small search space for the initial ID in CHAP, dictionary attacks are computationally trivial.
- Industry Context: Christian Giesee and Steffen Fries noted that while these methods are insecure, they remain deeply embedded in the broadband (BNG/CPE) and power system industries. Alan DeKok clarified that the draft permits these over secure transports (e.g., RadSec or within TLS tunnels).
RADIUS Connect-Info and WBA Integration
Presenter: Mark Grayson Slides: Connect-Info radext IETF 125
- Status: The draft is being prepared for adoption pending the RADEXT recharter.
- Updates: The syntax now differentiates between legacy Hostapd attributes and new key-value pairs. All non-connection-related pairs were removed to focus on 802.11 specifics. A new security section addresses the privacy implications of reporting RSSI, which can be used for location inference.
Protocol-Error and Proxy BCP
Presenter: Alan DeKok Slides: Protocol-Error / Proxy BCP
- Protocol-Error: Aims to replace "silent discard" with a NAK to improve network stability and troubleshooting. Testing during the hackathon confirmed interoperability with legacy clients.
- Proxy BCP: Intended to provide the first formal guidance on RADIUS proxying, failover, and load balancing since RFC 2865. The document is currently an outline and requires more technical content.
Decisions and Action Items
- RadSec: Authors will publish version -16 addressing IESG comments and nits. PMTU text will likely be moved to the Proxy BCP.
- Adoption Call: The chairs will issue a formal adoption call for the "Review of RADIUS Security" draft.
- Rechartering: Outgoing AD Paul Wouters and incoming AD Christopher Morrow will coordinate the finalization of the new WG charter, which includes milestones for WBA-related documents and proxy guidance.
Next Steps
- Finalize the RadSec text addressing IESG comments so the Discuss positions can be cleared.
- Issue Working Group Last Call (WGLC) for draft-ietf-radext-deprecating-radius following its next update.
- Initiate adoption calls for WBA Connect-Info and Protocol-Error drafts once the recharter is approved (expected by late April).
- Develop further content for the Proxy BCP draft.