RADEXT, IETF 119, Brisbane

Wednesday, March 20, 2024, 13:00 - 14:30 AEST (03:00 - 04:30 UTC)

Chairs: Margaret Cullen, Valery Smyslov
Note takers: Jonathan Hammell

Agenda

1. Administrivia and WG Status: (Chairs, 10 min)
2. (Datagram) Transport Layer Security (D)TLS Encryption for RADIUS
   (Janfred, 25 min), draft-ietf-radext-radiusdtls-bis
3. Reverse CoA in RADIUS (Alan, 5 min),
   draft-ietf-radext-reverse-coa
4. Deprecating Insecure Practices in RADIUS (Alan, 10 min),
   draft-ietf-radext-deprecating-radius
5. WBA OpenRoaming Wireless Federation (Mark, 10 min),
   draft-tomas-openroaming
6. RADIUS Attributes for 3GPP 5G AKA Authentication Method (Sri, 10
   min), draft-gundavelli-radext-5g-auth
7. AOB: 15 min
8. Closing: (Chairs, 5 min)

Minutes

Administrivia and WG Status

(Datagram) Transport Layer Security (D)TLS Encryption for RADIUS

Presentation by Janfred Rieckers.

Open question: TLS and DTLS mandatory for servers and TLS or DTLS for
clients?

Open question: Make TLSv1.3 mandatory?

Alan DeKok: There are a number of reasons to make both mandatory. There
aren't that many servers in comparison to clients. Clients will have the
option and the upgrade path.

Valery Smyslov: Follow guidance in RFC 9325. Applications should support
both TLS v1.2 and v1.3. Protocols should support TLS v1.3.

Margaret Cullen: What is the state of widely-available TLS v1.3
implementations?

Janfred: Unaware of DTLS v1.3 support.

Alan: OpenSSL support TLS v1.3 over TCP. Don't think they support DTLS
v1.3, but they do support v1.2. Following Valery's recommendation would
allow client support to come later and servers will upgrade.

Margaret: Will DTLS 1.3 fallback gracefully to 1.2?

Janfred: I think so, but not sure.

Valery: Follow 9325 to have TLS v1.2 MUST, v1.3 SHOULD

Janfred: Will look through RFC 9325 and copy recommendations into this
draft.

Need more reviews!

Should be finished once more reviews have been received.

Margaret: Can we get a SEC DIR review sooner rather than later.

Paul Wouters: SEC DIR review is random and one person. May need wider
discussion to settle on these issues. Suggested sending it to the TLS
WG.

Margaret: Sounds like a good idea.

Valery: I can send it to the UTA WG.

Margaret: Before going to WGLC, best to get some TLS folks to look at
it.

Janfred: Still need to update the document to incorporate Alan's review.
Should be able to do that shortly, then it can go out for TLS review.
Will send a message to the chairs once updates are completed.

Reverse CoA in RADIUS

Presentation by Alan DeKok.

Multiple implementations exist. Document does not depend on other
documents.

Paul (individual): Why waiting for additional review when it is already
shipping in implementations by big vendors.

Alan: You're right. Let's go for WGLC.

Margaret (individual): I have read it. I think it is ready for WGLC.

Chairs to issue WGLC.

Deprecating Insecure Practices in RADIUS

Presentation by Alan DeKok.

Document not quite done, but closer.

Good idea to publish along with TLSbis.

Margaret: Suggest other things than just use DTLS. Burning need to
publish this as soon as possible. If DTLS will take more than a month,
don't wait.

Janfred: Getting this out quickly is a good incentive to finish the
TLSbis quickly. We should publish them together.

Alan: One of the new things in TLSbis is that the application-layer TLS
things are described elsewhere (RFC 9325).

Alan: MSCHAP is broken.

Margaret: MSCHAP is not better than plaintext passwords. We see it
occasionally over the network. Would nice to have a reference that says
not to use it.

Alan: Once a few updates are made, will be ready for WGLC. Agree with
Janfred to try to get TLSbis completed at the same time.

WBA OpenRoaming Wireless Federation

Presentation by Mark Grayson.

Paul: Reference to RFC 4035 for DNSSEC is out of date. It should be BCP
237/RFC 9364.

Janfred: Happy to discuss offline SubjectAltName versus i-realm. Public
CAs will probably never issue certs with i-realm since they are focused
on WebPKI.

Juan-Carlos Zuniga: Cochair of MEDINAS. Lots of good discussion of this
draft, but feel that RADEXT is a better place to work on it.

Alan: Not sure if RADEXT is the right group to officially support this.
EduRoam went through a WG, but wasn't officially a WG document.
Similarly, RADEXT could review it, but the draft could be published via
the ISE.

Margaret: We shouldn't recharter RADEXT until current work it done.
Could it be AD sponsored?

Paul: No formal decision yet. There are high-priority charter items that
need to be completed first. After that, could talk about rechartering

Margaret: Will not adopt as a WG item now since we are not going to
recharter now. Author should talk with Paul and others about waiting or
publishing as independent.

Valery: Note that if it is WG-adopted, then authors are passing control
over the specification from WBA to IETF. Independent submission might be
the best way for WBA to remain in control. RADEXT can review the draft
as participants are able.

RADIUS Attributes for 3GPP 5G AKA Authentication Method

Presentation by Sri Gundavelli.

Looking for feedback and hoping it can be WG adopted.

Alan: I've read the document and it looks straightforward. May want to
add message authenticator. Largely uncontraversial as it is not changing
the RADIUS protocol.

Margaret (individual): I read it before the last meeting. Also think it
is straightforward.

Margaret: Need to get the DTLS document out first before rechartering
and adopting more work.

Roland Schott: Haven't read it yet. Is your work inspired by BBF
activity? Does EMF support RADIUS?

Sri: Haven't looked into BBF recently. Can we support SIM-based
architecture? EMF support is not automatic. 5G and WiFi are similar
environments. Just need to configure the credentials in one place.

Roland: Plan to read the draft.

AOB

Alan: Please review the TLS draft!