IETF 125, Shenzhen
Thursday, March 19, 2026, 16:30 - 18:00 CST (8:30 - 10:00 GMT/UTC)
Chairs: Margaret Cullen
Valery Smyslov
Note takers: Christian Giese
Administrivia and WG Status: (Chairs, 5 min)
- Note Well and IPR statements
- Agenda bashing
(Datagram) Transport Layer Security (D)TLS Encryption for RADIUS (Janfred, 20 min)
draft-ietf-radext-radiusdtls-bis
- Finally in IESG review with some comments from IESG already
addressed in latest version
- A lot of comments from IESG members
- Planned to push version 16 in the next days after IETF125 iwhen most
of the comments are resolved
- Comments that PMTUD may not be an issue here, since it is not making
it worst compared to without RadSec
- Proposal to publish new version without controversal changes
- If there are no futher technical changes, no further WG last call
needed
Deprecating Insecure Practices in RADIUS (Alan, 5 min)
draft-ietf-radext-deprecating-radius
- Question if rate limit should be added here
- The term rate limit needs to be precise in term of PPS or
outstanding requests per client
A Review of RADIUS Security and Privacy (Alan, 10 min)
draft-dekok-radext-review-radius
- Call for the WG adoption soon
A syntax for the RADIUS Connect-Info attribute used in Wi-Fi networks (Mark, 10 min)
draft-grayson-connectinfo
- In the proposed charter text
Proxy Best Practices for the Remote Authentication Dial In User Service (RADIUS) Protocol (Alan, 10 min)
draft-dekok-proxy-bcp
- In the proposed charter text, but can also be fin in the current
charter
Standardising Protocol-Error (Alan, 10 min)
draft-dekok-protocol-error
- In the proposed charter text
Closing: (Chairs, 5 min)
- Chairs asked Christopher (new AD) to start re-chartering ASAP
- Discussion about PAP and CHAP from Broadband market, hard to get rid
from CPE perspective
- Question about feedback from Broadband Forum
Auto-generated minutes
(https://ietfminutes.org/minutes/ietf125/radext.html)
Session Date/Time: 19 Mar 2026 08:30
Summary
The RADEXT working group met at IETF 125 to discuss the progress of the
RADIUS/(D)TLS-bis (RadSec) specification through the IESG review
process, the deprecation of insecure RADIUS practices, and several new
initiatives awaiting a formal rechartering of the group. Key topics
included addressing IESG "DISCUSS" comments on RadSec, technical
strategies for rate-limiting unauthenticated RADIUS traffic, and the
security implications of legacy authentication methods like CHAP and
MS-CHAP in modern networks.
Key Discussion Points
RADIUS/(D)TLS-bis (RadSec) Status
Presenter: Jan-Frederik Rieckers
Slides: Update on RADIUS/(D)TLS-bis (RadSec)
Deprecating Insecure Practices in RADIUS
Presenter: Alan DeKok
Draft: draft-ietf-radext-deprecating-radius
Slides: Deprecating Insecure Practices
- Document Split: The draft has been split; the security rationale
is now in a separate review document, and operational best practices
are moved to a Proxy BCP draft.
- Rate Limiting: New text added regarding rate limiting to prevent
DoS attacks.
- Discussion: Margaret Cullen supported the inclusion of rate
limiting, noting that eduroam experiences high traffic spikes from
misbehaving supplicants when an Identity Provider (IdP) is offline.
Alan DeKok noted that while IEEE 802.1X suggests limits, they are
rarely enforced in practice. Christian Giese emphasized that
limiting outstanding requests is often more effective than simple
packets-per-second (PPS) limits.
Review of RADIUS Security
Presenter: Alan DeKok
Slides: Review of RADIUS Security
- Authentication Analysis: Alan DeKok provided an analysis of CHAP
and MS-CHAP, arguing they should be considered equivalent to
cleartext. Due to the small search space for the initial ID in CHAP,
dictionary attacks are computationally trivial.
- Industry Context: Christian Giese and Steffen Fries noted that
while these methods are insecure, they remain deeply embedded in the
broadband (BNG/CPE) and power system industries. Alan DeKok
clarified that the draft permits these over secure transports (e.g.,
RadSec or within TLS tunnels).
RADIUS Connect-Info and WBA Integration
Presenter: Mark Grayson
Slides: Connect-Info radext IETF 125
- Status: The draft is being prepared for adoption pending the
RADEXT recharter.
- Updates: The syntax now differentiates between legacy Hostapd
attributes and new key-value pairs. All non-connection-related pairs
were removed to focus on 802.11 specifics. A new security section
addresses the privacy implications of reporting RSSI, which can be
used for location inference.
Protocol-Error and Proxy BCP
Presenter: Alan DeKok
Slides: Protocol-Error / Proxy BCP
- Protocol-Error: Aims to replace "silent discard" with a NAK to
improve network stability and troubleshooting. Testing during the
hackathon confirmed interoperability with legacy clients.
- Proxy BCP: Intended to provide the first formal guidance on
RADIUS proxying, failover, and load balancing since RFC 2865. The
document is currently an outline and requires more technical
content.
Decisions and Action Items
- RadSec: Authors will publish version -16 addressing IESG
comments and nits. PMTU text will likely be moved to the Proxy BCP.
- Adoption Call: The chairs will issue a formal adoption call for
the "Review of RADIUS Security" draft.
- Rechartering: Outgoing AD Paul Wouters and incoming AD
Christopher Inacio will coordinate the finalization of the new WG
charter, which includes milestones for WBA-related documents and
proxy guidance.
Next Steps
- Finalize RadSec addresses for IESG clearance.
- Issue Working Group Last Call (WGLC) for
draft-ietf-radext-deprecating-radius following its next update.
- Initiate adoption calls for WBA Connect-Info and Protocol-Error
drafts once the recharter is approved (expected by late April).
- Develop further content for the Proxy BCP draft.