Markdown Version | Session Recording

Session Date/Time: 24 Jul 2023 16:30

radext

Summary

This meeting of the Radius Extensions (radext) working group covered several topics including TLS/DTLS encryption for Radius, Radius 1.1, GLS PSK, Reverse COA, deprecating UDP/TCP, and new attributes for 5G authentication. Discussions involved mandatory implementations, port usage, MIBs, watchdogs, ALPN handling, security considerations, and alignment with 3GPP.

Key Discussion Points

• TLS/DTLS Encryption (radius-dtls-tls):

  • Consensus was reached to make Radius TLS mandatory in the document, with a strong recommendation to implement DTLS as well.
  • Discussion on whether to use a single port or separate ports for authentication and accounting. A weak consensus supported staying with a single port.
  • Debate on whether to include MIBs, considering outdatedness and alternative approaches like conceptual counters. Decision deferred to mailing list discussion.
  • Conflicting text on watchdogs was noted. Aaron volunteered to propose updated text for the mailing list.
  • Use of ID 0 for status server requests was discussed, along with potential reference to Radius 1.1.
  • Agreement to refer to RFC 9325 for updated TLS/DTLS application guidelines.

• Radius 1.1:

  • Discussion on signaling errors when ALPN is not supported. The suggestion to send a protocol error packet was considered.
  • Suggestion to use TLS error codes instead of custom radius error packets.

• GLS PSK:

  • Document is nearing completion, with only minor wordsmithing required based on Fabian's comments on shared secrets vs pre-shared keys.

• Reverse COA:

  • Discussion about the document's state, with implementations in Aruba, Cisco, and FreeRadius.
  • Agreement to make this a working group document and move to last call after minor updates, including aligning with Open Roaming's prefix usage.

• Deprecating UDP/TCP:

  • The document is largely done but needs a section on how to make UDP/TCP more secure when they are used.
  • Agreement to propose the document for working group work item status after the meeting.
  • Concerns about security hop-to-hop.

• New Attributes for 5G Authentication:

  • A new draft proposing new Radius attributes for 5G authentication was presented.
  • Alan suggested requiring message authenticators and considering encryption of attributes.
  • Margaret raised concerns about potential overlap with existing EAP methods and the need for 3GPP involvement.
  • The importance of securing the method was acknowledged.

Decisions and Action Items

• TLS/DTLS Encryption:

  • Decision: Radius TLS will be mandatory, DTLS strongly recommended.
  • Decision: Single port usage retained.
  • Action Item: Discuss MIBs on the mailing list.
  • Action Item: Aaron to propose updated watchdog text on the mailing list.
  • Action Item: Refer to RFC 9325.

• Reverse COA:

  • Decision: Proceed to last call after minor updates.
  • Action Item: Revivify and update the document.

• Deprecating UDP/TCP:

  • Action Item: Propose the document as a working group work item.

• New Attributes for 5G Authentication:

  • Action Item: Add security considerations.
  • Action Item: Clarify relationship with existing EAP methods and consult with 3GPP (Charles Eckel).

Next Steps

• Address action items from the meeting.
• Discuss open questions on the mailing list.
• Publish updated drafts for GLS PSK and Reverse COA.
• Consider new work item for Deprecating UDP/TCP.
• Engage with 3GPP regarding the 5G authentication attributes.