**Session Date/Time:** 24 Jul 2023 16:30

# radext

## Summary

This meeting of the Radius Extensions (radext) working group covered several topics, including TLS/DTLS encryption for Radius, Radius 1.1, TLS PSK, Reverse COA, deprecating UDP/TCP, and new attributes for 5G authentication. Discussions involved mandatory implementations, port usage, MIBs, watchdogs, ALPN handling, security considerations, and alignment with 3GPP.

## Key Discussion Points

* **TLS/DTLS Encryption (radius-dtls-tls):**
  * Consensus was reached to make Radius over TLS mandatory in the document, with a strong recommendation to implement DTLS as well.
  * Discussion on whether to use a single port or separate ports for authentication and accounting. A weak consensus supported staying with a single port.
  * Debate on whether to include MIBs, given that they are outdated and that alternative approaches such as conceptual counters exist. Decision deferred to mailing list discussion.
  * Conflicting text on watchdogs was noted. Aaron volunteered to propose updated text on the mailing list.
  * Use of ID 0 for Status-Server requests was discussed, along with a potential reference to Radius 1.1.
  * Agreement to refer to RFC 9325 for updated TLS/DTLS application guidelines.
* **Radius 1.1:**
  * Discussion on how to signal errors when ALPN is not supported. The suggestion to send a protocol error packet was considered.
  * Suggestion to use TLS error codes instead of custom Radius error packets.
* **TLS PSK:**
  * The document is nearing completion, with only minor wordsmithing required based on Fabian's comments on shared secrets vs. pre-shared keys.
* **Reverse COA:**
  * Discussion about the document's state, with implementations in Aruba, Cisco, and FreeRadius.
  * Agreement to make this a working group document and move to last call after minor updates, including aligning with OpenRoaming's prefix usage.
* **Deprecating UDP/TCP:**
  * The document is largely done but needs a section on how to make UDP/TCP more secure when they are used.
  * Agreement to propose the document for working group work item status after the meeting.
  * Concerns about hop-to-hop security.
* **New Attributes for 5G Authentication:**
  * A new draft proposing new Radius attributes for 5G authentication was presented.
  * Alan suggested requiring Message-Authenticator and considering encryption of attributes.
  * Margaret raised concerns about potential overlap with existing EAP methods and the need for 3GPP involvement.
  * The importance of securing the method was acknowledged.

## Decisions and Action Items

* **TLS/DTLS Encryption:**
  * **Decision:** Radius over TLS will be mandatory; DTLS strongly recommended.
  * **Decision:** Single port usage retained.
  * **Action Item:** Discuss MIBs on the mailing list.
  * **Action Item:** Aaron to propose updated watchdog text on the mailing list.
  * **Action Item:** Refer to RFC 9325.
* **Reverse COA:**
  * **Decision:** Proceed to last call after minor updates.
  * **Action Item:** Revive and update the document.
* **Deprecating UDP/TCP:**
  * **Action Item:** Propose the document as a working group work item.
* **New Attributes for 5G Authentication:**
  * **Action Item:** Add security considerations.
  * **Action Item:** Clarify the relationship with existing EAP methods and consult with 3GPP (Charles Eckel).

## Next Steps

* Address action items from the meeting.
* Discuss open questions on the mailing list.
* Publish updated drafts for TLS PSK and Reverse COA.
* Consider a new work item for Deprecating UDP/TCP.
* Engage with 3GPP regarding the 5G authentication attributes.