<?xml version='1.0'encoding='utf-8'?>encoding='UTF-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 2.6.10) --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-radext-tls-psk-12" number="9813" category="bcp" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true"version="3">version="3" xml:lang="en" updates="" obsoletes=""> <!--xml2rfc v2v3 conversion 3.24.0[rfced] The title of the document has been updated as follows. "TLS-PSK" has been expanded as "TLS Pre-Shared Key"; however, please let us know if it should be expanded otherwise both here and in the rest of the document. Original: Operational Considerations for RADIUS and TLS-PSK Option A (current title): Operational Considerations for RADIUS and TLS Pre-Shared Key (TLS-PSK) Option B (using the phrase from the abstract): Operational Considerations for Using TLS Pre-Shared Keys (TLS-PSKs) with RADIUS Option C (more similar to the title of RFC 4279): Operational Considerations for RADIUS and TLS Pre-Shared Key (TLS-PSK) Cipher Suites [Note: RFC 4279 has been cited for "TLS-PSK" in RFCs 6614, 6940, and 7593.] --> <!--[rfced] This document has been assigned a new BCP number. Please let us know if this is not correct (i.e., it should be part of an existing BCP). See the complete list of BCPs here: https://www.rfc-editor.org/bcps --> <front> <title abbrev="RADIUS and TLS-PSK">Operational Considerations for RADIUS andTLS-PSK</title>TLS Pre-Shared Key (TLS-PSK)</title> <seriesInfo name="RFC" value="9813"/> <seriesInfoname="Internet-Draft" value="draft-ietf-radext-tls-psk-12"/>name="BCP" value="243"/> <author initials="A." surname="DeKok" fullname="Alan DeKok"> <organization>InkBridge Networks</organization> <address> <email>alan.dekok@inkbridge.io</email> </address> </author> <date year="2025"month="January" day="21"/> <area>Internet</area> <workgroup>RADEXT Working Group</workgroup> <keyword>Internet-Draft</keyword>month="June"/> <area>SEC</area> <workgroup>radext</workgroup> <!-- [rfced] Please insert any keywords (beyond those that appear in the title) for use on https://www.rfc-editor.org/search. --> <keyword>example</keyword> <abstract><?line 49?><t>This document provides implementation and operational considerations for usingTLS-PSKTLS Pre-Shared Keys (TLS-PSKs) with RADIUS/TLS(RFC6614)(RFC 6614) and RADIUS/DTLS(RFC7360).(RFC 7360). The purpose of the document is to help smooth the operational transition from the use oftheRADIUS/UDP to RADIUS/TLS.</t> </abstract><note removeInRFC="true"> <name>About This Document</name> <t> Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-radext-tls-psk/"/>. </t> <t> Discussion of this document takes place on the RADEXT Working Group mailing list (<eref target="mailto:radext@ietf.org"/>), which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/radext/"/>. Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/radext/"/>. </t> <t>Source for this draft and an issue tracker can be found at <eref target="https://github.com/radext-wg/radext-tls-psk.git"/>.</t> </note></front> <middle><?line 53?><section anchor="introduction"> <name>Introduction</name> <t>The previous specifications "Transport Layer Security (TLS) Encryption for RADIUS" <xref target="RFC6614"/> and "Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS" <xref target="RFC7360"/> defined how (D)TLS can be used as a transport protocol for RADIUS. However, those documents do not provide guidance for usingTLS-PSKTLS Pre-Shared Keys (TLS-PSKs) with RADIUS. This document provides that missing guidance, and gives implementation and operational considerations.</t> <t>To clearly distinguish the various secrets and keys, this document uses "shared secret" to mean "RADIUS shared secret", andPre-Shared"Pre-Shared Key(PSK)(PSK)" to meansecret"secret keyswhichthat are used withTLS-PSK.</t>TLS-PSK".</t> <t>The purpose of the document is to help smooth the operational transition from the use of the insecure RADIUS/UDP to the use of the much more secure RADIUS/TLS. While using PSKs is often less preferable to using public/or private keys, the operational model of PSKs follows the legacy RADIUS "shared secret" model. As such, it can be easier for implementers and operators to transition to TLS when that transition is offered as a series of small changes.</t><t>The intent for TLS-PSK<t>TLS-PSK is intended to be used in networks where the addresses ofclientclients andserverservers are known, as with RADIUS/UDP. This situation is similar to theuse-caseuse case of RADIUS/UDP with shared secrets. TLS-PSK is not suitable for situations where clients dynamically discover servers, as there is no way for the client to dynamically determine which PSK should be used with a new server (or vice versa). In contrast,<xref target="RFC7585"/>dynamic discovery <xref target="RFC7585"/> allows for a client or server to authenticate a previously unknown server or client, as the parties can be issued a certificate by a known Certification Authority (CA).</t> <t>TLS-PSKs have the same issue of symmetric information between client and server: both parties know the secret key. A client could, in theory, pretend to be a server. In contrast, certificates are asymmetric, where it is impossible for the parties to assume theothersother's identity. Further discussion of this topic is contained in[]{#sharing}.</t><xref target="sharing"/>.</t> <t>Unless it is explicitly called out that a recommendation applies to TLSaloneortoDTLS alone, each recommendation applies to both TLS and DTLS.</t> </section> <section anchor="terminology"> <name>Terminology</name><t>The<t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.<?line -6?></t><ul spacing="normal"> <li> <t>External PSK</t> </li> </ul> <ul empty="true"> <li> <t>A<dl spacing="normal" newline="true"> <dt>External PSK</dt><dd>A PSK (along with a related PSK Identity)whichthat is administratively configured. That is, onewhichthat is external toTLS,TLS and is not created by the TLSsubsystem.</t> </li> </ul> <ul spacing="normal"> <li> <t>Resumption PSK</t> </li> </ul> <ul empty="true"> <li> <t>Asubsystem.</dd> <dt>Resumption PSK</dt><dd>A PSK (along with a related PSK Identity)whichthat is created by the TLS subsystem and/or application, for use withresumption.</t> </li> </ul>resumption.</dd> </dl> </section> <section anchor="justification-of-psk"> <name>Justification ofPSK.</name>PSK</name> <t>TLS deployments usually rely on certificates in most common uses. However, we recognize that it may be difficult to fully upgrade client implementations to allow for certificates to be used with RADIUS/TLS and RADIUS/DTLS. These upgrades involve not only implementing TLS, but can also require significant changes to administration interfaces and application programming interfaces (APIs) in order to fully support certificates.</t> <t>For example, unlike shared secrets, certificates expire. This expiration means that a working system using TLS can suddenly stop working. Managing this expiration can require additional notification APIs on RADIUS clients and serverswhichthat were previously not required when shared secrets were used.</t> <t>Certificates also require the use of certification authorities(CAs),(CAs) and chains of certificates. RADIUS implementations using TLS therefore have to track not just a small shared secret, but also potentially many large certificates. The use of TLS-PSK can therefore provide a simpler upgrade path for implementations to transition from RADIUS shared secrets to TLS.</t> <t>In terms of ongoing maintenance, it is generally simpler to maintain servers than clients. For one, there are many fewer servers than clients. Servers are also typically less resource constrained, and often run on general-purpose operating systems, where maintenance can be automated usingwidely-availablewidely available tools.</t> <t>In contrast, clients are often numerous, resource constrained, andare morelikely to be closed or proprietary systems with limited interfaces. As a result, it can be difficult to update these clients when a root CA expires. The use of TLS-PSK in such an environment may therefore offer management efficiencies.</t> </section> <section anchor="general-discussion-of-psks-and-psk-identities"> <name>General Discussion of PSKs and PSK Identities</name> <t>Before we define any RADIUS-specific use of PSKs, we must first review the current standards for PSKs, and give general advice on PSKs and PSK Identities.</t> <t>The requirements in this section apply to both client and server implementationswhichthat use TLS-PSK. Client-specific and server-specific issues are discussed in more detail later in this document.</t> <section anchor="guidance-for-psks"> <name>Guidance for PSKs</name> <t>We first give requirements for creating and managing PSKs, followed by usability guidance, and then a discussion of RADIUS shared secrets and their interaction with PSKs.</t> <section anchor="psk-requirements"> <name>PSK Requirements</name> <t>Reuse of a PSK in multiple versions of TLS (e.g., TLS 1.2 and TLS 1.3) is considered unsafe(<xref(see <xref section="E.7" sectionFormat="comma" target="RFC8446"/>). Where TLS 1.3 binds the PSK to a particular key derivationfunction,function (KDF), TLS 1.2 does not. This binding means that it is possible to use the same PSK in different hashes, leading to the potential for attacking the PSK by comparing the hash outputs. While there are no known insecurities, these uses are not known to be secure, and should therefore be avoided. For this reason, an implementationMUST NOT<bcp14>MUST NOT</bcp14> use the same PSK for TLS 1.3 and for earlier versions of TLS. The exact manner in which this requirement is enforced is implementation-specific. One possibility is to have two different PSKs. Another possibility is to forbid the use of TLS versions less than TLS 1.3</t> <t><xref target="RFC9258"/> adds akey derivation function (KDF)KDF to the import interface of (D)TLS 1.3, which binds the externally provided PSK to the protocol version. That process is preferred to anyTOFUtrust-on-first-use (TOFU) mechanism. In particular, that document:</t><ul empty="true"> <li><!-- DNE: blockquote from Section 1 of [RFC9258]. --> <blockquote> <t>... describes a mechanism for importing PSKs derived from external PSKs by including the target KDF, (D)TLS protocol version, and an optional context string to ensure uniqueness. This process yields a set of candidate PSKs, each of which are bound to a target KDF and protocol, that are separate from those used in (D)TLS 1.2 and prior versions. This expands what would normally have been a single PSK and identity into a set of PSKs and identities.</t></li> </ul></blockquote> <t>An implementationMUST NOT<bcp14>MUST NOT</bcp14> use the same PSK for TLS 1.3 and for earlier versions of TLS. This requirement prevents reuse of a PSK with multiple TLS versions, which prevents the attacks discussed in <xref section="E.7" sectionFormat="comma" target="RFC8446"/>. The exact manner in which this requirement is enforced is implementation-specific. One possibility is to have two different PSKs. Another possibility is to forbid the use of TLS versions less than TLS 1.3.</t> <t>ImplementationsMUST<bcp14>MUST</bcp14> follow the directions of <xref section="6" sectionFormat="comma" target="RFC9257"/> for the use of external PSKs in TLS. That document provides extremely useful guidance on generating and using PSKs.</t> <!-- [rfced] What specific text does "base32 in the example below" refer to? May we update to provide a more clear pointer for the reader? Original: That is, a PSK with high entropy may be expanded via some construct (e.g., base32 as in the example below) in order to make it easier for people to interact with. --> <t>ImplementationsMUST<bcp14>MUST</bcp14> support PSKs of at least 32 octets in length, andSHOULD<bcp14>SHOULD</bcp14> support PSKs of 64 octets or more. As the PSKs are generally hashed before being used in TLS, the useful entropy of a PSK is limited by the size of the hash output. This output may be 256, 384, or 512 bits in length. Nevertheless, it is good practice for implementations to allow entry of PSKs of more than 64 octets, as the PSK may be in a form other than bare binary data. Implementationswhichthat limit the PSK to a maximum of 64 octets are likely to use PSKswhichthat have much less than 512 bits of entropy. That is, a PSK with high entropy may be expanded via some construct (e.g., base32 as in the example below) in order to make it easier for people to interact with. Where 512 bits of entropy are input to an encoding construct, the output may be larger than 64 octets.</t> <t>ImplementationsMUST<bcp14>MUST</bcp14> require that PSKs be at least 16 octets in length. That is, short PSKsMUST NOT<bcp14>MUST NOT</bcp14> be permitted to be used, and PSKsMUST<bcp14>MUST</bcp14> be random. The strength of the PSK is not determined by the length of the PSK, but instead by the number of bits of entropywhichthat it contains. People are not good at creating data with high entropy, so a source of cryptographically secure random numbersMUST<bcp14>MUST</bcp14> be used.</t> <t>Where user passwords are generally intended to be remembered and entered by people on a regular basis, PSKs are intended to be entered once, and then automatically saved in a system configuration. As such, due to the limited entropy of passwords, they are not acceptable for use with TLS-PSK, and would only be acceptable for use with a password-authenticated key exchange (PAKE) TLS method <xref target="RFC8492"/>. ImplementationsMUST<bcp14>MUST</bcp14> therefore support entry and storage of PSKs as undistinguished octets.</t> <t>We also incorporate by reference the requirements of <xref section="10.2" sectionFormat="comma" target="RFC7360"/> when using PSKs.</t> <t>It may be tempting for servers to implement a"trust on first use" (TOFU)TOFU policy with respect to clients. Such behavior isNOT RECOMMENDED.<bcp14>NOT RECOMMENDED</bcp14>. When servers receive a connection from an unknown client, theySHOULD<bcp14>SHOULD</bcp14> log the PSK Identity, source IP address, and any other informationwhichthat may be relevant. An administrator can then later look at the logs and determine the appropriate action to take.</t> </section> <section anchor="usability-guidance"> <name>Usability Guidance</name> <t>PSKsarein their purest form are opaque tokens, represented as an undistinguished series of octets. Where PSKs are expected to be managed automatically by scripted methods, this format is acceptable. However, in some cases it is necessary for administrators to share PSKs, in which casehumanly readablehuman-readable formats may be useful. ImplementationsSHOULD<bcp14>SHOULD</bcp14> support entering PSKs as both binarydata,data and via ahumanly readablehuman-readable form such as hex encoding.</t> <t>ImplementationsSHOULD<bcp14>SHOULD</bcp14> use ahumanly readablehuman-readable form ofPKSsPSKs for interfaceswhichthat are intended to be used by people, andSHOULD<bcp14>SHOULD</bcp14> allow for binary data to be entered via an application programming interface (API). ImplementationsSHOULD<bcp14>SHOULD</bcp14> also allow for PSKs to be displayed in theabove-mentionedhexencoding,encoding mentioned above, so that administrators can manually verify that a particular PSK is being used.</t> <t>When using PSKs, administratorsSHOULD<bcp14>SHOULD</bcp14> use PSKs of at least 24octets,octets that are generated using a source of cryptographically secure random numbers. Implementers needing a secure random number generator should see <xref target="RFC8937"/> forforfurther guidance. PSKs are not passwords, and administrators should not try to manually create PSKs.</t> <t>In order to guide implementers and administrators, we give example commands belowwhichthat generate random PSKs from a locally secure source. While some commands may not work on somesystemssystems, one of the commands should succeed. The intent here is to document a concise and simple example of creating PSKswhichthat are bothsecure,secure andhumanly manageable.human-manageable. This document does not mandate that the PSKs follow thisformat,format or any other format.</t><artwork><![CDATA[<sourcecode type=""><![CDATA[ openssl rand -base64 16 dd if=/dev/urandom bs=1 count=16 | base64 dd if=/dev/urandom bs=1 count=16 | base32 dd if=/dev/urandom bs=1 count=16 | (hexdump -ve '/1 "%02x"' && echo)]]></artwork>]]></sourcecode> <t>Only one of the above commands should berun,run; there is no need to run all of them. Each command reads 128 bits (16 octets) of random data from a secure source, and encodes it as printable/and readable ASCII. This form of PSK will be accepted by any implementationwhichthat supports at least 32 octets for PSKs. Larger PSKs can be generated by changing the "16" number to a larger value. The above derivation assumes that the random source returns one bit of entropy for every bit of randomnesswhichthat is returned. Sources failing that assumption areNOT RECOMMENDED.</t><bcp14>NOT RECOMMENDED</bcp14>.</t> </section> <section anchor="interaction-between-psks-and-radius-shared-secrets"> <name>InteractionbetweenBetween PSKs and RADIUS Shared Secrets</name> <t>Any shared secret used for RADIUS/UDP or RADIUS/TLSMUST NOT<bcp14>MUST NOT</bcp14> be used for TLS-PSK.</t> <t>It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that RADIUS clients and servers track all used shared secrets and PSKs, and then verify that the following requirements all hold true:</t> <ul spacing="normal"> <li> <t>no shared secret is used for more than one RADIUS client</t> </li> <li> <t>no PSK is used for more than one RADIUS client</t> </li> <li> <t>no shared secret is used as a PSK</t> </li> </ul> <t>Note that the shared secret of "radsec" given in <xref target="RFC6614"/> can be used across multiple clients, as that value is mandated by the specification. The intention here is to recommend best practices for administrators who enter site-local shared secrets.</t> <t>There may beuse-casesuse cases for using one shared secret across multiple RADIUS clients. There may similarly beuse-casesuse cases for sharing a PSK across multiple RADIUS clients. Details of the possible attacks on reused PSKs are given in <xref section="4.1" sectionFormat="comma" target="RFC9257"/>.</t> <t>There are no knownuse-casesuse cases for using a PSK as a shared secret, orvice-versa.</t>vice versa.</t> <t>ImplementationsMUST<bcp14>MUST</bcp14> reject configuration attempts that try to use the same value for the PSK and shared secret. To prevent administrative errors, implementations should not have interfaceswhichthat confuse PSKs and sharedsecrets,secrets orwhichthat allow both PSKs and shared secrets to be entered at the same time. There is too much of a temptation for administrators to enter the same value in both fields, which would violate the limitations given above. Similarly, using a "shared secret" field as a way for administrators to enter PSKs is bad practice. The PSK entry fields need to be labeled as being related to PSKs, and not to shared secrets.</t> </section> </section> <section anchor="psk-identities"> <name>PSK Identities</name> <t><xref section="5.1" sectionFormat="comma" target="RFC4279"/> requires that PSK Identities be encoded in UTF-8 format. However, <xref section="4.2.11" sectionFormat="comma" target="RFC8446"/> describes the "Pre-Shared Key Extension" and defines the ticket as an opaque string: "opaqueidentity<1..2^16-1>;".identity<1..2<sup>16</sup>-1>;". This PSK is then used in <xref section="4.6.1" sectionFormat="comma" target="RFC8446"/> for resumption.</t> <t>These definitions appear to be in conflict. This conflict is addressed in <xref section="6.1.1" sectionFormat="comma" target="RFC9257"/>, which discusses requirements for encoding and comparison of PSK Identities. SystemsMUST<bcp14>MUST</bcp14> follow the directions of <xref section="6.1.1" sectionFormat="comma" target="RFC9257"/> when using or comparing PSK Identities for RADIUS/TLS. ImplementationsMUST<bcp14>MUST</bcp14> follow the recommendations of <xref target="RFC8265"/> for handling PSK Identity strings.</t> <t>In general, implementers should allow for external PSK Identities to follow <xref target="RFC4279"/> and be UTF-8, while PSK Identities provisioned as part of resumption are automatically provisioned, and therefore follow <xref target="RFC8446"/>.</t> <t>Note that the PSK Identity is sent in the clear, and is therefore visible to attackers. Where privacy is desired, the PSK Identity could be either an opaque token generated cryptographically, or perhaps in the form of a Network Access Identifier (NAI) <xref target="RFC7542"/>, where the "user" portion is an opaque token. For example, an NAI could be "68092112@example.com". If the attacker already knows that the client is associated with "example.com", then using that domain name in the PSK Identity offers no additional information. In contrast, the "user" portion needs to be both unique to the client and private, so using an opaque tokenthereis a more secure approach.</t> <t>ImplementationsMUST<bcp14>MUST</bcp14> support PSK Identities of 128 octets, andSHOULD<bcp14>SHOULD</bcp14> support longer PSK Identities. We note that while TLS provides for PSK Identities of up to2^16-12<sup>16</sup>-1 octets in length, there are few practical uses for extremely long PSK Identities.</t> <t>It is up to administrators and implementations as to how they differentiate external PSK Identities from session resumption PSK Identities used in TLS 1.3 session tickets. While <xref section="6.1.2" sectionFormat="comma" target="RFC9257"/> suggests the identities should be unique, it offers no concrete steps for how this differentiation may be done.</t> <t>One approach could be to have externally provisioned PSK Identities contain an NAI such as what is described above, while session resumption PSK Identities contain large blobs of opaque, encrypted, and authenticated text. It should then be relatively straightforward to differentiate the two types of identities. One is UTF-8, the other is not. One is unauthenticated, the other is authenticated.</t> <t>ServersMUST<bcp14>MUST</bcp14> assign and/or track session resumption PSK Identities in a waywhichthat facilities the ability to distinguish those identities from externally configured PSK Identities, andwhichthat enables them to both find and validate the session resumption PSK. See{}(#resumption)<xref target="resumption"/> below for more discussion of issues around resumption.</t> <t>A sample validation flow for TLS-PSK Identities could be performed via the following steps:</t><ul empty="true"> <li><!-- [rfced] Section 4.2: We have made some updates to the numbered list at the end of this section, in order to make the list items more parallel. Please review and let us know any further updates. --> <ol spacing="normal"type="1"><li> <t>PSKtype="1"> <li>PSK Identities provided via an administration interface are enforced to be only UTF-8 on both client andserver.</t> </li> <li> <t>Theserver.</li> <li>The client treats session tickets received from the server as opaqueblobs.</t> </li> <li> <t>Whenblobs.</li> <li>When the server issues session tickets for resumption, the server ensures that they are not validUTF-8.</t> </li> <li> <t>OneUTF-8.</li> <li>One way to do this is to use stateless resumption with a forced non-UTF-8 key_name per <xref section="4" sectionFormat="comma" target="RFC5077"/>, such as by setting one octet to0x00.</t> </li> </ol> <t>5 When0x00.</li> <li> <t>When receiving TLS, the server receives a Client-Hello containing a PSK, and checks if the identity is validUTF-8.</t> <ul empty="true">UTF-8:</t> <ol type="%p%d."> <li><t>5.1. If<t>If yes, it searches for apre-configuredpreconfigured clientwhichthat matches that identity.</t><ul empty="true"> <li> <t>5.1.1. If<ol type="5.1.%d."> <li>If the identity is found, it authenticates the client viaPSK.</t> <t>5.1.2. elsePSK.</li> <li>Else, the identity is invalid, and the server closes theconnection.</t>connection.</li> </ol> </li></ul> <t>5.2 If the identity is not UTF-8,<li> <t>If not, try resumption, which is usuallybehandled by a TLS library.</t><ul empty="true"> <li> <t>5.2.1 If<ol type="5.2.%d."> <li>If the TLS library verifies the session ticket, then resumption has happened, and the connection isestablished.</t> <t>5.2.2. elseestablished.</li> <li>Else, the server ignores the session ticket, and performs a normal TLS handshake with acertificate.</t> </li> </ul>certificate.</li> </ol> </li></ul></ol> </li></ul></ol> <t>This validation flow is only suggested. Other validation methods are possible.</t> <section anchor="security-of-psk-identities"> <name>Security of PSK Identities</name> <t>We note that the PSK Identity is a field created by the connecting client. Since the client is untrusted until both the identity and PSK have been verified, both of those fieldsMUST<bcp14>MUST</bcp14> be treated as untrusted. That is, a well-formed PSK Identity is likely to be in UTF-8 format, due to the requirements of <xref section="5.1" sectionFormat="comma" target="RFC4279"/>. However, implementationsMUST<bcp14>MUST</bcp14> support managing PSK Identities as a set of undistinguished octets.</t> <!-- [rfced] For readability, may we format this sentence as a list? Original: For example, the identity may have incorrect UTF-8 format; or it may contain data which forms an injection attack for SQL, LDAP, REST or shell meta characters; or it may contain embedded NUL octets which are incompatible with APIs which expect NUL terminated strings. Perhaps: For example, the identity may: * have an incorrect UTF-8 format, * contain data that forms an injection attack for SQL, the Lightweight Directory Access Protocol (LDAP), Representational State Transfer (REST), or shell meta characters, or * contain embedded NUL octets that are incompatible with APIs that expect NUL terminated strings. --> <t>It is not safe to use a raw PSK Identity to look up a corresponding PSK. The PSK may come from an untrustedsource,source and may contain invalid or malicious data. For example, the identity may have incorrect UTF-8 format; or it may contain datawhichthat forms an injection attack for SQL,LDAP, RESTLightweight Directory Access Protocol (LDAP), Representational State Transfer (REST), or shell meta characters; or it may contain embedded NUL octetswhichthat are incompatible with APIswhichthat expect NUL terminated strings. The identity may also be up to 65535 octets long.</t> <t>As such, implementationsMUST<bcp14>MUST</bcp14> validate the identity prior to it being used as a lookup key. When the identity is passed to an external API (e.g., database lookup), implementationsMUST<bcp14>MUST</bcp14> either escape any characters in the identitywhichthat are invalid for that API, or else reject the identity entirely. The exact form of any escaping depends on the API, and we cannot document all possible methods here. However, a few basic validation rules are suggested, as outlined below. Any identitywhichthat is rejected by these validation rulesMUST<bcp14>MUST</bcp14> cause the server to close the TLS connection.</t> <t>The suggested validation rules for identities used outside of resumption are as follows:</t> <ul spacing="normal"> <li> <t>IdentitiesMUST<bcp14>MUST</bcp14> be checked to see if they have been provisioned as a resumption PSK. If so, then the session can be resumed, subject to any policies around resumption.</t> </li> <li> <t>Identities longer than a fixed maximumSHOULD<bcp14>SHOULD</bcp14> be rejected. The limit is implementation dependent, butSHOULD NOT<bcp14>SHOULD NOT</bcp14> be less than 128, andSHOULD NOT<bcp14>SHOULD NOT</bcp14> be more than 1024. There is no purpose to allowing extremely long identities, and allowing them does little more than complicate implementations.</t> </li> <li> <t>Identities configured by administratorsSHOULD<bcp14>SHOULD</bcp14> be in UTF-8 format, andSHOULD<bcp14>SHOULD</bcp14> be in the<xref target="RFC7542"/>NAIformat.format from <xref target="RFC7542"/>. While <xref section="4.2.11" sectionFormat="comma" target="RFC8446"/> defines the PSK Identity as "opaqueidentity<1..2^16-1>",identity<1..2<sup>16</sup>-1>", it is useful for administrators to managehumanly-readablehuman-readable identities in a recognizableformat. <br/><br/> Thisformat.</t> <t>This suggestion makes it easier to distinguish TLS-PSK Identities from TLS 1.3 resumption identities. It also allows implementations to more easily filter out unexpected or bad identities, and then to close inappropriate TLS connections.</t> </li> </ul> <t>It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that implementations extend these rules with any additional validationwhich arethat is found to be useful. For example, implementations and/or deployments could both generate PSK Identities in a particular format for passing to client systems, and then also verify that any received identity matches that format. For example, a site could generate PSK Identitieswhichthat are composed of characters in the local language. The site could then reject identitieswhichthat contain characters from other languages, even if those characters are valid UTF-8.</t> <t>The purpose of these rules is to help administrators and implementers more easily manage systems using TLS-PSK, while also minimizing complexity and protecting from potentialattackersattackers' traffic. The rules follow a principle of "discard bad traffic quickly", which helps to improve system stability and performance.</t> </section> </section> <section anchor="sharing"> <name>PSK and PSK Identity Sharing</name> <t>While administrators may desire to share PSKs and/or PSK Identities across multiple systems, such usage isNOT RECOMMENDED.<bcp14>NOT RECOMMENDED</bcp14>. Details of the possible attacks on reused PSKs are given in <xref section="4.1" sectionFormat="comma" target="RFC9257"/>.</t> <t>ImplementationsMUST<bcp14>MUST</bcp14> support the ability to configure a unique PSK and PSK Identity for each possible client-server relationship. This configuration allows administrators desiring security to use unique PSKs for each such relationship. This configuration is also compatible with the practice of administrators who wish tore-usereuse PSKs and PSK Identities where local policies permit.</t> <t>ImplementationsSHOULD<bcp14>SHOULD</bcp14> warn administrators if the same PSK Identity and/or PSK is used for multiple client-server relationships.</t> </section> <section anchor="psk-lifetimes"> <name>PSK Lifetimes</name> <t>Unfortunately, <xref target="RFC9257"/> offers no guidance on PSK lifetimes other than to note in Section4.2<xref target="RFC9257" sectionFormat="bare" section="4.2"/> that:</t><ul empty="true"> <li><!-- Note to PE: Quote from [RFC9257] is correct. --> <blockquote> <t>Forward security may be achieved by using a PSK-DH mode or by using PSKs with short lifetimes.</t></li> </ul></blockquote> <t>It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that PSKs be rotated regularly. We offer no additional guidance on how often this process should occur. Changing PSKs has a non-zero cost. It is therefore up to administrators to determine how best to balance the cost of changing the PSK against the cost of a potential PSK compromise.</t> <t>TLS-PSKMUST<bcp14>MUST</bcp14> use modes such as PSK-DH or ECDHE_PSK <xref target="RFC5489"/>whichthat provide forward secrecy. Failure to use such modes would mean that compromise of a PSK would allow an attacker to decrypt all sessionswhichthat had used that PSK.</t> <t>As the PSKs are looked up by identity, the PSK IdentityMUST<bcp14>MUST</bcp14> also be changed when the PSK changes.</t> <t>ServersSHOULD<bcp14>SHOULD</bcp14> track when a connection was last received for a particular PSK Identity, andSHOULD<bcp14>SHOULD</bcp14> automatically invalidate credentials when a client has not connected for an extended period of time. This process helps to mitigate the issue of credentials being leaked when a device is stolen or discarded.</t> </section> </section> <section anchor="guidance-for-radius-clients"> <name>Guidance for RADIUS Clients</name><t>Client<!-- [rfced] For clarity, may we update the second part of this sentence to repeat "expose"? This helps to avoid misreading "fields" as a verb. Original: The client implementation can then expose a user interface flag which is "TLS yes / no", and then also fields which ask for the PSK Identity and PSK itself. Perhaps: The client implementation can then expose a user interface flag that is "TLS yes / no", and also expose fields that ask for the PSK Identity and PSK itself. --> <!-- [rfced] Regarding this text in Section 5: a) May we update the first sentence to avoid repetition of "TLS 1.3"? b) This exact text appears again in Section 6 (i.e., for clients and servers). Please review and confirm it is correct for this text to appear twice in this document. Original: For TLS 1.3, Implementations MUST support "psk_dhe_ke" Pre-Shared Key Exchange Mode in TLS 1.3 as discussed in [RFC8446], Section 4.2.9 and in [RFC9257], Section 6. Implementations MUST implement the recommended cipher suites in [RFC9325], Section 4.2 for TLS 1.2, and in [RFC8446], Section 9.1 for TLS 1.3. In order to future-proof these recommendations, we give the following recommendations: * Implementations SHOULD use the "Recommended" cipher suites listed in the IANA "TLS Cipher Suites" registry, - for TLS 1.3, the use "psk_dhe_ke" PSK key exchange mode, - for TLS 1.2 and earlier, use cipher suites which require ephemeral keying. Perhaps: For TLS 1.3, implementations MUST support the "psk_dhe_ke" Pre-Shared Key Exchange Mode as discussed in [RFC8446], Section 4.2.9 and in [RFC9257], Section 6. Implementations MUST implement the recommended cipher suites in [RFC9325], Section 4.2 for TLS 1.2 and in [RFC8446], Section 9.1 for TLS 1.3. In order to future-proof these recommendations, we give the following recommendations. * Implementations SHOULD use the "Recommended" cipher suites listed in the IANA "TLS Cipher Suites" registry: - For TLS 1.3, use the "psk_dhe_ke" PSK key exchange mode. - For TLS 1.2 and earlier, use cipher suites that require ephemeral keying. --> <t>Client implementations <bcp14>MUST</bcp14> allow the use of a pre-shared key (PSK) for RADIUS/TLS. The client implementation can then expose a user interface flag which is "TLS yes / no", and then also fieldswhichthat ask for the PSK Identity and PSK itself.</t> <t>For TLS 1.3,Implementations MUSTimplementations <bcp14>MUST</bcp14> support the "psk_dhe_ke" Pre-Shared Key Exchange Mode in TLS 1.3 as discussed in <xref section="4.2.9" sectionFormat="comma" target="RFC8446"/> and in <xref section="6" sectionFormat="comma" target="RFC9257"/>. ImplementationsMUST<bcp14>MUST</bcp14> implement the recommended cipher suites in <xref section="4.2" sectionFormat="comma" target="RFC9325"/> for TLS1.2,1.2 and in <xref section="9.1" sectionFormat="comma" target="RFC8446"/> for TLS 1.3. In order to future-proof these recommendations, we give the followingrecommendations:</t>recommendations.</t> <ul spacing="normal"> <li> <t>ImplementationsSHOULD<bcp14>SHOULD</bcp14> use the "Recommended" cipher suites listed in the IANA "TLS Cipher Suites"registry,registry: </t> <ul spacing="normal"> <li><t>for<t>For TLS 1.3,theuse the "psk_dhe_ke" PSK key exchangemode,</t>mode.</t> </li> <li><t>for<t>For TLS 1.2 and earlier, use cipher suiteswhichthat require ephemeral keying.</t> </li> </ul> </li> </ul> <t>If a client initiated a connection using a PSK with TLS 1.3 by including the pre-shared key extension, itMUST<bcp14>MUST</bcp14> close the connection if the server did not also select the pre-shared key to continue the handshake.</t> <section anchor="psk-identities-1"> <name>PSK Identities</name> <t>This section offers advice on both requirements for PSKIdentities,Identities and on usability.</t> <section anchor="psk-identity-requirements"> <name>PSK Identity Requirements</name> <t><xref target="RFC6614"/> is silent on the subject of PSK Identities, which is an issue that we correct here. Guidance is required on the use of PSK Identities, as the need to manage identities associated withPSKPSKs is a new requirement forNASboth Network Access Server (NAS) managementinterfaces,interfaces andis a new requirement forRADIUS servers.</t> <t>RADIUS systems implementing TLS-PSKMUST<bcp14>MUST</bcp14> support identities as per <xref section="5.3" sectionFormat="comma"target="RFC4279"/>,target="RFC4279"/> andMUST<bcp14>MUST</bcp14> enable configuring TLS-PSK Identities in management interfaces as per <xref section="5.4" sectionFormat="comma" target="RFC4279"/>.</t> <t>The historic methods of signing RADIUS packets have not yet been broken, but they are believed to be much less secure than modern TLS. Therefore, when a RADIUS shared secret is used to sign RADIUS/UDP or RADIUS/TCP packets, that shared secretMUST NOT<bcp14>MUST NOT</bcp14> be used with TLS-PSK. If the secrets were to be reused, then an attack on historic RADIUS cryptography could be trivially leveraged to decrypt TLS-PSK sessions.</t> <t>With TLS-PSK, RADIUS/TLS clientsMUST<bcp14>MUST</bcp14> permit the configuration of a RADIUS server IP address or host name, because dynamic server lookups <xref target="RFC7585"/> can only be used if servers use certificates.</t> </section> <section anchor="usability-guidance-1"> <name>Usability Guidance</name> <t>In order to prevent confusion between shared secrets and TLS-PSKs, management interfaces and APIs need to label PSK fields as "PSK" or "TLS-PSK", rather than as "shared secret".</t> </section> </section> </section> <section anchor="guidance-for-radius-servers"> <name>Guidance for RADIUS Servers</name> <t>In order to support clients with TLS-PSK, server implementationsMUST<bcp14>MUST</bcp14> allow the use of a pre-shared key (TLS-PSK) for RADIUS/TLS.</t> <t>Systemswhichthat act as both client and server at the same timeMUST NOT<bcp14>MUST NOT</bcp14> share or reuse PSK Identities between incoming and outgoing connections. Doing so would open up the systems to attack, as discussed in <xref section="4.1" sectionFormat="comma" target="RFC9257"/>.</t> <t>For TLS 1.3,Implementations MUSTimplementations <bcp14>MUST</bcp14> support the "psk_dhe_ke" Pre-Shared Key Exchange Mode in TLS 1.3 as discussed in <xref section="4.2.9" sectionFormat="comma" target="RFC8446"/> and in <xref section="6" sectionFormat="comma" target="RFC9257"/>. ImplementationsMUST<bcp14>MUST</bcp14> implement the recommended cipher suites in <xref section="4.2" sectionFormat="comma" target="RFC9325"/> for TLS1.2,1.2 and in <xref section="9.1" sectionFormat="comma" target="RFC8446"/> for TLS 1.3. In order to future-proof these recommendations, we give the followingrecommendations:</t>recommendations.</t> <ul spacing="normal"> <li> <t>ImplementationsSHOULD<bcp14>SHOULD</bcp14> use the "Recommended" cipher suites listed in the IANA "TLS Cipher Suites"registry,registry: </t> <ul spacing="normal"> <li><t>for<t>For TLS 1.3, use the "psk_dhe_ke" PSK key exchangemode,</t>mode.</t> </li> <li><t>for<t>For TLS 1.2 and earlier, use cipher suiteswhichthat require ephemeral keying.</t> </li> </ul> </li> </ul> <t>The following section(s) describe guidance for RADIUS server implementations and deployments. We first give an overview of current practices, and then extend and/or replace those practices for TLS-PSK.</t> <section anchor="current-practices"> <name>Current Practices</name> <t>RADIUS identifies clients by source IP address(<xref(see <xref target="RFC2865"/> and <xref target="RFC6613"/>) or by client certificate(<xref(see <xref target="RFC6614"/> and <xref target="RFC7585"/>). Neither of these approaches work for TLS-PSK. This section describes current practices and mandates behavior for serverswhichthat use TLS-PSK.</t> <t>A RADIUS/UDP server is typically configured with a set of information per client, which includes at least the source IP address and shared secret. When the server receives a RADIUS/UDP packet, it looks up the source IP address, finds a client definition, and therefore the shared secret. The packet is then authenticated (or not) using that shared secret.</t><t>That<!-- [rfced] Is "clients" meant to be singular possessive or plural possessive in the text below? Original: That is, the IP address is treated as the clients identity, and the shared secret is used to prove the clients authenticity and shared trust. The set of clients forms a logical database "client table", with the IP address as the key. Perhaps (singular possessive): That is, the IP address is treated as the client's identity, and the shared secret is used to prove the client's authenticity and shared trust. The set of clients forms a logical database "client table" with the IP address as the key. --> <t>That is, the IP address is treated as the clients identity, and the shared secret is used to prove the clients authenticity and shared trust. The set of clients forms a logical database "client table" with the IP address as the key.</t> <t>A server may be configured with additional site-local policies associated with that client. For example, a client may be marked up as being aWiFiWi-Fi Access Point,ora VPN concentrator, etc. Different clients may be permitted to send different kinds of requests, where some may send Accounting-Request packets, and other clients may not send accounting packets.</t> </section> <section anchor="practices-for-tls-psk"> <name>Practices for TLS-PSK</name> <t>We define practices for TLS-PSK by analogy with the RADIUS/UDPuse-case,use case and by extending the additional policies associated with the client. The PSK Identity replaces the source IP address as the client identifier. The PSK replaces the shared secret as proof of client authenticity and shared trust. However, systems implementing RADIUS/TLS <xref target="RFC6614"/> and RADIUS/DTLS <xref target="RFC7360"/>MUST<bcp14>MUST</bcp14> still use the shared secret as discussed in those specifications. Any PSK is only used by the TLSlayer,layer and has no effect on the RADIUS datawhichthat is being transported. That is, the RADIUS data transported in a TLS tunnel is the same no matter if client authentication is done via PSK or by client certificates. The encoding of the RADIUS data is entirely unaffected by the use (or not) of PSKs and client certificates.</t> <t>In order to securely support dynamic source IP addresses for clients, we also require that servers limit clients based on a network range. The alternative would be to suggest that RADIUS servers allow any source IP address to connect and try TLS-PSK, which could be a security risk. When RADIUS servers do no source IP address filtering, it is easier for attackers to send malicious traffic to the server. An issue with a TLS library or even a TCP/IP stack could permit the attacker to gain unwarranted access. In contrast, when IP address filtering is done, attackers generally must first gain access to a secure network before attacking the RADIUS server.</t> <t>Even where<xref target="RFC7585"/>dynamic discovery <xref target="RFC7585"/> is not used, the use of TLS-PSK across unrelated organizations requires that those organizations share PSKs. Such sharing makes it easier for a client to impersonate a server, and vice versa. In contrast, when certificates are used, such impersonations are impossible. It is thereforeNOT RECOMMENDED<bcp14>NOT RECOMMENDED</bcp14> to use TLS-PSK across organizational boundaries.</t> <t>When TLS-PSK is used in an environment where both client and server are part of the same organization, then impersonations only affect that organization. As TLS offers significant advantages over RADIUS/UDP, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that organizations use RADIUS/TLS with TLS-PSK to replace RADIUS/UDP for all systems managed within the same organization. While such systems are generally located inside of private networks, there are no known security issues with using TLS-PSK for RADIUS/TLS connections across the public Internet.</t> <t>If a client system is compromised, its complete configuration is exposed to the attacker. Exposing a client certificate means that the attacker can pretend to be the client. In contrast, exposing a PSK means that the attackercan notcannot only pretend to be the client, but can also pretend to be the server.</t> <t>The main benefit of TLS-PSK, therefore, is that its operational processes are similar to that used for managing RADIUS/UDP, while gaining the increased security of TLS. However, it is still beneficial for servers to perform IP address filtering, in order to further limit their exposure to attacks.</t> <section anchor="ip-filtering"> <name>IP Filtering</name> <t>A server supporting this specificationMUST<bcp14>MUST</bcp14> perform IP address filtering on incoming connections. There are few reasons for a server to have a default configurationwhichthat allows connections from any source IP address.</t> <t>A TLS-PSK serverMUST<bcp14>MUST</bcp14> be configurable with a set of "allowed" network ranges from which clients are permitted to connect. Any connection from outside of the allowed range(s)MUST<bcp14>MUST</bcp14> be rejected before any PSK Identity is checked. It isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that servers support IP address filtering even when TLS-PSK is not used.</t> <t>The "allowed" network ranges could be implemented as a global list, or one or more network ranges could be tied to a client or clients. The intent here is to allow connections to be filtered by source IPaddress,address and to allow clients to be limited to a subset of network addresses. The exact method and representation of that filtering is up to an implementation.</t> <t>Conceptually, the set of IP addresses and ranges, along with permitted clients and theircredentials formscredentials, form a logical "client table"whichthat the server uses to both filter and authenticate clients. The client table should contain information such as allowed network ranges, PSK Identity and associated PSK, credentials for another TLS authentication method, or flagswhichthat indicate that the server should require a client certificate.</t> <t>Once a server receives a connection, it checks the source IP address against the list of all allowed IP addresses or ranges in the client table. If none match, the connectionMUST<bcp14>MUST</bcp14> be rejected. That is, the connectionMUST<bcp14>MUST</bcp14> be from an authorized source IP address.</t> <t>Once a connection has been established, the serverMUST NOT<bcp14>MUST NOT</bcp14> process any application data inside of the TLS tunnel until the client has been authenticated. Instead, the server normally receives a TLS-PSK Identity from the client. The server then uses this identity to look up the client in the client table. If there is no matching client, the serverMUST<bcp14>MUST</bcp14> close the connection. The server then also checks if this client definition allows this particular source IP address. If the source IP address is not allowed, the serverMUST<bcp14>MUST</bcp14> close the connection.</t> <t>Where the server does not receive TLS-PSK from the client, it proceeds with another authentication method such as client certificates. Such requirements are discussed elsewhere, most notably in <xref target="RFC6614"/> and <xref target="RFC7360"/>.</t> <t>An implementation may perform two independent IP addresslookups. First,lookups: first to check if the connection is allowed at all, and second to check if the connection is authorized for this particular client. One or both checks may be used by a particular implementation. The two sets of IP addresses can overlap, and implementationsSHOULD<bcp14>SHOULD</bcp14> support that capability.</t> <t>Depending on the implementation, one or more clients may share a list of allowed network ranges. Alternately, the allowed network ranges for two clients can overlap only partially, or not at all. All of these possibilitiesMUST<bcp14>MUST</bcp14> be supported by the server implementation.</t> <t>For example, a RADIUS server could be configured tobeaccept connections from a source network of 192.0.2.0/24 or 2001:DB8::/32. The server could therefore discard any TLS connection requestwhichthat comes from a source IP address outside of that network. In that case, there is no need to examine the PSK Identity or to find the client definition. Instead, the IP source filtering policy would deny the connection before any TLS communication had been performed.</t> <t>As some clients may have dynamic IP addresses, it is possible foraone PSK Identity to appear at different source IP addresses over time. In addition, as there may be many clients behind one NAT gateway, there may be multiple RADIUS clients using one public IP address. RADIUS serversMUST<bcp14>MUST</bcp14> support multiple PSK Identifiers at one source IP address.</t> <t>That is, a server needs to support multiple different clients within one network range, multiple clients behind a NAT, and one client having different IP addresses over time. All of thoseuse-casesuse cases are common and necessary.</t> <t>The following section describes these requirements in more detail.</t> </section> <section anchor="psk-authentication"> <name>PSK Authentication</name> <t>Once the source IP address has been verified to be allowed for this particular client, the server authenticates the TLS connection via the PSK taken from the client definition. If the PSK is verified, the server then accepts theconnection,connection and proceeds with RADIUS/TLS as per <xref target="RFC6614"/>.</t> <t>If the PSK is not verified, then the serverMUST<bcp14>MUST</bcp14> close the connection. While TLS provides for fallback to other authentication methods such as client certificates, there is no reason for a client to be configured simultaneously with multiple authentication methods.</t> <t>A clientMUST<bcp14>MUST</bcp14> use only one authentication method for TLS. An authentication method is either TLS-PSK, client certificates, or some other method supported by TLS.</t> <t>That is, client configuration is relatively simple: use a particular set of credentials to authenticate to a particular server. While clients may support multiple servers and fail-over or load-balancing, that configuration is generally orthogonal to the choice of which credentials to use.</t> </section> <section anchor="resumption"> <name>Resumption</name> <t>It isNOT RECOMMENDED<bcp14>NOT RECOMMENDED</bcp14> that servers enable resumption for sessionswhichthat use TLS-PSK. There are few practical benefits to supportingresumption,resumption and many complexities.</t> <t>However, some systems will need to support bothTLS-PSK,TLS-PSK and other TLS-based authentication methods such as certificates, while also supporting session resumption. It is therefore vital for servers to be able to distinguish theuse-caseuse case of TLS-PSK withpre-configuredpreconfigured identities from TLS-PSKwhichthat is being used for resumptions.</t> <t>The above discussion of PSK Identities is complicated by the use of PSKs for resumption in TLS 1.3. A serverwhichthat receives a PSK Identity via TLS typically cannot query the TLS layer to see if this identity is for a resumed session (which is possibly for another TLS authentication method), or is instead a static pre-provisioned identity. This confusion complicates server implementations.</t> <t>One way for a server to tell the difference between the two kinds of identities is via construction. Identities used for resumption can be constructed via a fixed format, such as what is recommended by <xref section="4" sectionFormat="comma" target="RFC5077"/>. A static pre-provisioned identity could be in the format of an NAI, as given in <xref target="RFC7542"/>. An implementation could therefore examine the incomingidentity,identity and determine from the identity alone what kind of authentication was being performed.</t> <t>An alternative way for a server to distinguish the two kinds of identities is to maintain two tables. One table would contain static identities, as the logical client table described above. Another table could be the table of identities handed out for resumption. The server would then look up any PSK Identity in one table, and if it is not found, query the other one.AnEither an identity would be found in a table, in which case it can beauthenticated. Or,authenticated, or the identity would not be found in either table, in which case it is unknown, and the serverMUST<bcp14>MUST</bcp14> close the connection.</t> <t>As suggested in <xref target="RFC8446"/>, TLS-PSK peersMUST NOT<bcp14>MUST NOT</bcp14> store resumption PSKs or tickets (and associated cached data) for longer than 604800 seconds (7days)days), regardless of the PSK or ticket lifetime.</t> <t>Since resumption in TLS 1.3 uses PSKIdentiesIdentities and keys, it isNOT RECOMMENDED<bcp14>NOT RECOMMENDED</bcp14> to permit resumption of sessions when TLS-PSK is used. The use of resumption offers additional complexity with minimaladdition benefit.</t>additional benefits.</t> <t>Where resumption is allowed with TLS-PSK, systemsMUST<bcp14>MUST</bcp14> cache data during the initial full handshakesufficientsufficiently enough to allow authorization decisions to be made during resumption. If the cached data cannot be retrieved securely, resumptionMUST NOT<bcp14>MUST NOT</bcp14> be done. Instead, the systemMUST<bcp14>MUST</bcp14> perform a full handshake.</t> <t>The datawhichthat needs to be cached is typically information such as the original PSK Identity, along with any policies associated with that identity.</t> <t>Information from the original TLS exchange (e.g., the original PSK Identity) as well as related information (e.g., source IP addresses) may change between the initial full handshake and resumption. This change creates a "time-of-check time-of-use" (TOCTOU) security vulnerability. A malicious or compromised client could supply one set of data during the initialauthentication,authentication and a different set of data during resumption, potentially allowing them to obtain access that they should not have.</t> <t>If any authorization or policy decisions were made with information that has changed between the initial full handshake and resumption, and ifchangechanges may lead to a different decision, such decisionsMUST<bcp14>MUST</bcp14> be reevaluated. SystemsMUST<bcp14>MUST</bcp14> also reevaluate authorization and policy decisions during resumption, based on the information given in the new connection. ServersMAY<bcp14>MAY</bcp14> refuse to perform resumption where the information supplied during resumption does not match the information supplied during the original authentication. If a safe decision is not possible, serversMUST<bcp14>MUST</bcp14> instead continue with a full handshake.</t> </section> <section anchor="interaction-with-other-tls-authentication-methods"> <name>Interaction withotherOther TLSauthentication methods</name>Authentication Methods</name> <t>When a server supports both TLS-PSK and client certificates, itMUST<bcp14>MUST</bcp14> be able to accept authenticated connections from clientswhichthat may use either type of credentials, perhaps even from the same source IP address and at the same time. That is, servers are required to both authenticate theclient,client and also to filter clients by source IP address. These checks both have to match in order for a client to be accepted.</t> </section> </section> </section> <section anchor="privacy-considerations"> <name>Privacy Considerations</name> <t>We make no changesoverto <xref target="RFC6614"/> and <xref target="RFC7360"/>.</t> </section> <section anchor="security-considerations"> <name>Security Considerations</name> <t>The primary focus of this document is addressing security considerations for RADIUS.</t> <t>Previous specifications discuss security considerations for TLS-PSK in detail. We refer the reader to <xref section="E.7"sectionFormat="comma"sectionFormat="of" target="RFC8446"/>, <xref target="RFC9257"/>, and <xref target="RFC9258"/>. Those documents are newer than <xref target="RFC6614"/> and <xref target="RFC7360"/>,andthereforeand therefore raise issueswhichthat were not considered during the initial design of RADIUS/TLS and RADIUS/DTLS.</t> <t>Using TLS-PSK across the wider Internet for RADIUS can have different security considerations than for other protocols. For example, if TLS-PSK was for client/server communication with HTTPS, then having a PSK be exposed or broken could affect oneusersuser's traffic. In contrast, RADIUS contains credentials and personally identifiable information (PII) for many users. As a result, an attacker being able to see inside of a TLS-PSK connection for RADIUS would result in substantial amounts of PII being leaked, possibly including passwords.</t> <t>When modes providing forward secrecy are used(e.g.(e.g., ECDHE_PSK as seen in <xref target="RFC5489"/> and <xref target="RFC8442"/>), such attacks are limited to future sessions, and historical sessions are still secure.</t> </section> <section anchor="iana-considerations"> <name>IANA Considerations</name><t>There are<t>This document has no IANAconsiderations in this document.</t> <t>RFC Editor: This section may be removed before final publication.</t>actions.</t> </section> </middle> <back> <!-- [rfced] Informative reference RFC 5077 has been obsoleted by RFC 8446. We recommend replacing RFC 5077 with RFC 8446. However, if RFC 5077 must be referenced, we suggest mentioning RFC 8446 (e.g., "RFC 5077 has been obsoleted by RFC 8446.") See Section 4.8.6 in the RFC Style Guide (RFC 7322). --> <references anchor="sec-combined-references"> <name>References</name> <references anchor="sec-normative-references"> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6614.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7360.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2865.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4279.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8265.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9257.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9325.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> </references> <references anchor="sec-informative-references"> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5077.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6613.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7585.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8937.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9258.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8492.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7542.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5489.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8442.xml"/> </references> </references> <sectionanchor="acknowledgments">anchor="acknowledgments" numbered="false"> <name>Acknowledgments</name> <t>Thanks to the many reviewers in the RADEXTworking groupWorking Group for positive feedback.</t> </section><section anchor="changelog"> <name>Changelog</name> <ul spacing="normal"> <li> <t>00 - initial version</t> </li> <li> <t>01 - update examples</t> </li> </ul> </section> </middle> <back> <references anchor="sec-combined-references"> <name>References</name> <references anchor="sec-normative-references"> <name>Normative References</name> <reference anchor="RFC6614"> <front> <title>Transport Layer Security (TLS) Encryption for RADIUS</title> <author fullname="S. Winter" initials="S." surname="Winter"/> <author fullname="M. McCauley" initials="M." surname="McCauley"/> <author fullname="S. Venaas" initials="S." surname="Venaas"/> <author fullname="K. Wierenga" initials="K." surname="Wierenga"/> <date month="May" year="2012"/> <abstract> <t>This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6614"/> <seriesInfo name="DOI" value="10.17487/RFC6614"/> </reference> <reference anchor="RFC7360"> <front> <title>Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS</title> <author fullname="A. DeKok" initials="A." surname="DeKok"/> <date month="September" year="2014"/> <abstract> <t>The RADIUS protocol defined in RFC 2865 has limited support for authentication</back> </rfc> <!-- [rfced] Abbreviations andencryption of RADIUS packets. The protocol transports data in the clear, although some parts ofTerminology: a) We note "pre-shared key" appears frequently after thepackets can have obfuscated content. Packets may be replayed verbatim by an attacker, and client-server authenticationabbreviation "PSK" isbased on fixed shared secrets. This document specifies how the Datagram Transport Layer Security (DTLS) protocol may be used as a fix for these problems. It also describes how implementationsintroduced. May we update instances ofthis proposal can coexist with current RADIUS systems.</t> </abstract> </front> <seriesInfo name="RFC" value="7360"/> <seriesInfo name="DOI" value="10.17487/RFC7360"/> </reference> <reference anchor="RFC2865"> <front> <title>Remote Authentication Dial In User Service (RADIUS)</title> <author fullname="C. Rigney" initials="C." surname="Rigney"/> <author fullname="S. Willens" initials="S." surname="Willens"/> <author fullname="A. Rubens" initials="A." surname="Rubens"/> <author fullname="W. Simpson" initials="W." surname="Simpson"/> <date month="June" year="2000"/> <abstract> <t>This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires"pre-shared key" toauthenticateitslinks and a shared Authentication Server. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="2865"/> <seriesInfo name="DOI" value="10.17487/RFC2865"/> </reference> <reference anchor="RFC4279"> <front> <title>Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)</title> <author fullname="P. Eronen" initials="P." role="editor" surname="Eronen"/> <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/> <date month="December" year="2005"/> <abstract> <t>This document specifies three sets of new ciphersuites for the Transport Layer Security (TLS) protocolabbreviation after it is first expanded? b) FYI, we changed "PKSs" tosupport authentication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys, shared"PSKs" inadvance amongthecommunicating parties. The first set of ciphersuites uses only symmetric key operations for authentication. The second set uses a Diffie-Hellman exchange authenticated withtext below. Please review whether this is correct. Original: Implementations SHOULD use apre-shared key, and the third set combines public key authentication of the server with pre-shared key authenticationhumanly readable form ofthe client. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4279"/> <seriesInfo name="DOI" value="10.17487/RFC4279"/> </reference> <reference anchor="RFC8174"> <front> <title>AmbiguityPKSs... c) Per Section 3.6 ofUppercase vs Lowercase inRFC2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may7322 ("RFC Style Guide"), abbreviations should beused in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC8265"> <front> <title>Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords</title> <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/> <author fullname="A. Melnikov" initials="A." surname="Melnikov"/> <date month="October" year="2017"/> <abstract> <t>This document describes updated methods for handling Unicode strings representing usernamesexpanded upon first use. How should "PSK-DH" andpasswords. The previous approach was known"ECDHE_PSK" be expanded below? Original: TLS-PSK MUST use modes such asSASLprep (RFC 4013) and was based on Stringprep (RFC 3454). The methods specified in this documentPSK-DH or ECDHE_PSK [RFC5489] which providea more sustainable approach to the handling of internationalized usernames and passwords. This document obsoletes RFC 7613.</t> </abstract> </front> <seriesInfo name="RFC" value="8265"/> <seriesInfo name="DOI" value="10.17487/RFC8265"/> </reference> <reference anchor="RFC9257"> <front> <title>Guidance for External Pre-Shared Key (PSK) Usage in TLS</title> <author fullname="R. Housley" initials="R." surname="Housley"/> <author fullname="J. Hoyland" initials="J." surname="Hoyland"/> <author fullname="M. Sethi" initials="M." surname="Sethi"/> <author fullname="C. A. Wood" initials="C. A." surname="Wood"/> <date month="July" year="2022"/> <abstract> <t>This document provides usage guidance for external Pre-Shared Keys (PSKs) in Transport Layer Security (TLS) 1.3forward secrecy. Perhaps: TLS-PSK MUST use modes such asdefined in RFC 8446. It lists TLS security properties provided by PSKs under certain assumptions, then it demonstrates how violations of these assumptions lead to attacks. Advice for applications to help meet these assumptions is provided. This document also discussesPSKuse cases and provisioning processes. Finally, it lists the privacy and security propertiesDiffie-Hellman (PSK-DH) or Elliptic Curve Diffie-Hellman Exchange with PSK (ECDHE_PSK) [RFC5489] thatare not provided by TLS 1.3 when external PSKs are used.</t> </abstract> </front> <seriesInfo name="RFC" value="9257"/> <seriesInfo name="DOI" value="10.17487/RFC9257"/> </reference> <reference anchor="RFC9325"> <front> <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title> <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/> <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/> <author fullname="T. Fossati" initials="T." surname="Fossati"/> <date month="November" year="2022"/> <abstract> <t>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basisprovide forward secrecy. d) FYI, we added expansions upon first use forsecure transport protocols. Overtheyears, the industry has witnessed several serious attacks on TLS and DTLS, including attacks onabbreviations below. Please review each expansion in themost commonly used cipher suites and their modes of operation. Thisdocumentprovides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. These recommendations are applicablecarefully to ensure correctness. Lightweight Directory Access Protocol (LDAP) Representational State Transfer (REST) Network Access Server (NAS) --> <!-- [rfced] FYI, we fixed themajority of use cases.</t> <t>RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioninglinks toTLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updatestheguidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks.</t> </abstract> </front> <seriesInfo name="BCP" value="195"/> <seriesInfo name="RFC" value="9325"/> <seriesInfo name="DOI" value="10.17487/RFC9325"/> </reference> <reference anchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are usedsections as follows. Please review tosignify the requirements in the specification. These words are often capitalized. This document definesensure thesewords as they should be interpretedupdates are correct. Original: Further discussion of this topic is contained inIETF documents. This document specifies an Internet Best Current Practices[]{#sharing}. See {}(#resumption) below forthe Internet Community, and requestsmore discussionand suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> </references> <references anchor="sec-informative-references"> <name>Informative References</name> <reference anchor="RFC5077"> <front> <title>Transport Layer Security (TLS) Session Resumption without Server-Side State</title> <author fullname="J. Salowey" initials="J." surname="Salowey"/> <author fullname="H. Zhou" initials="H." surname="Zhou"/> <author fullname="P. Eronen" initials="P." surname="Eronen"/> <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/> <date month="January" year="2008"/> <abstract> <t>This document describes a mechanism that enables the Transport Layer Security (TLS) server to resume sessions and avoid keeping per-client session state. The TLS server encapsulates the session state into a ticket and forwards it to the client. The client can subsequently resume a session using the obtained ticket. This document obsoletes RFC 4507. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5077"/> <seriesInfo name="DOI" value="10.17487/RFC5077"/> </reference> <reference anchor="RFC6613"> <front> <title>RADIUS over TCP</title> <author fullname="A. DeKok" initials="A." surname="DeKok"/> <date month="May" year="2012"/> <abstract> <t>The Remote Authentication Dial-In User Server (RADIUS) protocol has, until now, required the User Datagram Protocol (UDP) as the underlying transport layer. This document defines RADIUS over the Transmission Control Protocol (RADIUS/TCP), in order to address handlingof issuesrelated to RADIUS over Transport Layer Security (RADIUS/TLS). It permits TCP to be used as a transport protocol for RADIUS only when a transport layer such as TLS or IPsec provides confidentiality and security. This document defines an Experimental Protocol for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="6613"/> <seriesInfo name="DOI" value="10.17487/RFC6613"/> </reference> <reference anchor="RFC7585"> <front> <title>Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)</title> <author fullname="S. Winter" initials="S." surname="Winter"/> <author fullname="M. McCauley" initials="M." surname="McCauley"/> <date month="October" year="2015"/> <abstract> <t>This document specifies a means to find authoritative RADIUS servers for a given realm. Itaround resumption. Current: Further discussion of this topic isusedcontained inconjunction with either RADIUS over Transport Layer Security (RADIUS/TLS) or RADIUS over Datagram Transport Layer Security (RADIUS/DTLS).</t> </abstract> </front> <seriesInfo name="RFC" value="7585"/> <seriesInfo name="DOI" value="10.17487/RFC7585"/> </reference> <reference anchor="RFC8446"> <front> <title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author fullname="E. Rescorla" initials="E." surname="Rescorla"/> <date month="August" year="2018"/> <abstract> <t>This document specifies version 1.3Section 4.3. See Section 6.2.3 below for more discussion ofthe Transport Layer Security (TLS) protocol. TLS allows client/server applicationsissues around resumption. --> <!-- [rfced] We updated artwork tocommunicate over the Internetsourcecode ina waySection 4.1.2. Please confirm that this isdesigned to prevent eavesdropping, tampering, and message forgery.</t> <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t> </abstract> </front> <seriesInfo name="RFC" value="8446"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/> </reference> <reference anchor="RFC8937"> <front> <title>Randomness Improvements for Security Protocols</title> <author fullname="C. Cremers" initials="C." surname="Cremers"/> <author fullname="L. Garratt" initials="L." surname="Garratt"/> <author fullname="S. Smyshlyaev" initials="S." surname="Smyshlyaev"/> <author fullname="N. Sullivan" initials="N." surname="Sullivan"/> <author fullname="C. Wood" initials="C." surname="Wood"/> <date month="October" year="2020"/> <abstract> <t>Randomness is a crucial ingredient for Transport Layer Security (TLS) and related security protocols. Weak or predictable "cryptographically secure" pseudorandom number generators (CSPRNGs) can be abused or exploited for malicious purposes. An initial entropy source that seeds a CSPRNG mightcorrect. In addition, please consider whether the "type" attribute of any sourcecode element should beweak or broken as well, which can also lead to critical and systemic security problems. This document describes a wayset and/or has been set correctly. The current list of preferred values forsecurity protocol implementations to augment their CSPRNGs using long-term private keys. This improves randomness from broken or otherwise subverted CSPRNGs.</t> <t>This document"type" isa product of the Crypto Forum Research Group (CFRG) inavailable at <https://www.rfc-editor.org/rpc/wiki/doku.php?id=sourcecode-types>. If theIRTF.</t> </abstract> </front> <seriesInfo name="RFC" value="8937"/> <seriesInfo name="DOI" value="10.17487/RFC8937"/> </reference> <reference anchor="RFC9258"> <front> <title>Importing External Pre-Shared Keys (PSKs) for TLS 1.3</title> <author fullname="D. Benjamin" initials="D." surname="Benjamin"/> <author fullname="C. A. Wood" initials="C. A." surname="Wood"/> <date month="July" year="2022"/> <abstract> <t>This document describescurrent list does not contain aninterface for importing external Pre-Shared Keys (PSKs) into TLS 1.3.</t> </abstract> </front> <seriesInfo name="RFC" value="9258"/> <seriesInfo name="DOI" value="10.17487/RFC9258"/> </reference> <reference anchor="RFC8492"> <front> <title>Secure Password Ciphersuites for Transport Layer Security (TLS)</title> <author fullname="D. Harkins" initials="D." role="editor" surname="Harkins"/> <date month="February" year="2019"/> <abstract> <t>This memo defines several new ciphersuites for the Transport Layer Security (TLS) protocolapplicable type, feel free tosupport certificateless, secure authentication using only a simple, low-entropy password. The exchange is called "TLS-PWD". The ciphersuites are all based on an authentication and key exchange protocol, named "dragonfly",suggest additions for consideration. Note thatis resistant to offline dictionary attacks.</t> </abstract> </front> <seriesInfo name="RFC" value="8492"/> <seriesInfo name="DOI" value="10.17487/RFC8492"/> </reference> <reference anchor="RFC7542"> <front> <title>The Network Access Identifier</title> <author fullname="A. DeKok" initials="A." surname="DeKok"/> <date month="May" year="2015"/> <abstract> <t>In order to provide inter-domain authentication services,it isnecessary to have a standardized method that domains can usealso acceptable toidentify each other's users. This document defines the syntax forleave theNetwork Access Identifier (NAI), the user identifier submitted by"type" attribute not set. --> <!-- [rfced] Please review theclient prior to accessing resources. This document is a revised version"Inclusive Language" portion ofRFC 4282. It addresses issues with international character setsthe online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> andmakes a numberlet us know if any changes are needed. Updates ofother corrections to RFC 4282.</t> </abstract> </front> <seriesInfo name="RFC" value="7542"/> <seriesInfo name="DOI" value="10.17487/RFC7542"/> </reference> <reference anchor="RFC5489"> <front> <title>ECDHE_PSK Cipher Suitesthis nature typically result in more precise language, which is helpful forTransport Layer Security (TLS)</title> <author fullname="M. Badra" initials="M." surname="Badra"/> <author fullname="I. Hajjeh" initials="I." surname="Hajjeh"/> <date month="March" year="2009"/> <abstract> <t>This document extends RFC 4279, RFC 4492, and RFC 4785 and specifies a set of cipher suitesreaders. Note thatuseour script did not flag any words in particular, but this should still be reviewed as apre-shared key (PSK) to authenticate an Elliptic Curve Diffie-Hellman exchange with Ephemeral keys (ECDHE). These cipher suites provide Perfect Forward Secrecy (PFS). This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="5489"/> <seriesInfo name="DOI" value="10.17487/RFC5489"/> </reference> <reference anchor="RFC8442"> <front> <title>ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites for TLS 1.2 and DTLS 1.2</title> <author fullname="J. Mattsson" initials="J." surname="Mattsson"/> <author fullname="D. Migault" initials="D." surname="Migault"/> <date month="September" year="2018"/> <abstract> <t>This document defines several new cipher suites for version 1.2 of the Transport Layer Security (TLS) protocol and version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. These cipher suites are based on the Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared Key (ECDHE_PSK) key exchange together with the Authenticated Encryption with Associated Data (AEAD) algorithms AES-GCM and AES-CCM. PSK provides light and efficient authentication, ECDHE provides forward secrecy, and AES-GCM and AES-CCM provide encryption and integrity protection.</t> </abstract> </front> <seriesInfo name="RFC" value="8442"/> <seriesInfo name="DOI" value="10.17487/RFC8442"/> </reference> </references> </references> </back> <!-- ##markdown-source: H4sIADP/j2cAA+1963IcyXXm/36KWkysTSi6QQK809JIEEF66OGQMAnu2OHw KrK7sxslVFe16gJMS8t9ln2WfbI918yT2dWYkcOK/WOFZRFAVVbmyZPn+p2T s9ls0pd95V8VH7e+dX3Z1K4qXjd1Vy7l565YNW3x6fzi3ZfPhauXxdX7z7PL z99P3Hze+ttXY39aNovabWDUZetW/az0/WrWuqX/qZ/1VTfbdjez07PJpOvh pT+4qqnh0b4d/KTctvSvrj979Ojlo7OJa717Vbyre9/Wvp/crel7b/7lqvix aW/Kel38Y9sM28nNXXxqdoFfnSxc/6qYL7aTbphvyq6DtVzttvCld2+u3k4m 2/JVAf/5pli4uhg6X7i2dbviQbkqXFUVO98dF7Dwa9ddF9e+9ZOi6JvFK/wD /LNr2r71q+4VDbH0KzdUfQdP6N93G/4z/jhxQ3/dtK8mk1lR1vDL85Piwn/f 3MCDTKfzCiahv2raNS7m5vdtuVz74oPv72CtOKrfuLJ6BfNz9cnS3zQ3vyvr mzk9dlI2k0ndtBvYtFv/Ch7+9Pb1s2enT+Sfzx8/eyT/PHvx7Kn888nZ85fy zxenz/XZF2fhgZdnT5/rPx+fwW8nZb3KvvL00fPn8YOP9YNPX+ggL548eab/ fPn4eRz6BYx36+uBRlrjRur2ws+8Vmab3yELnQBh8Lmyvx7m+pfZ3fphylon 8ABQejYr3LzrW7eAn66uy64Arhw2vu6LbdvcAn93RbnZVh5/RZxOLNyYc7DY PwdDhzwnfF7cwVSE/x/C74oHQvNjGkr+cKF/wS04PimKq2tfbId22wDTNaui hx/D1ErioWtfbYtu0zQwPP7ZTgpWBLOi+a7aZkN/H+JI8tEvF5c4UJzbCZNk Uy6XlZ9MvsHT0jbLYYEjIYFgTnCcy2boim7rF+WqXMi6j67wk1vg+OK92/m2 +OwXQ1v2cFhg4OPiTb1od1ueURAVR0Xxl78IOb5+JXocXbjerVu3KQ4PeEEj uq5wew/ZsWlopCcMDYevrP2yuG7u4P1jpDYe6TmRZclj9WEs2Hs4xk1lhoMt +a6587e+nQIJcVd0O5BniroJHFOsh3Lp6oW/nxdoj0cZrr92fUHCCN7UwaZE nTUcqL+SI2FPr5piUXnXVrtiWXY9DDuUHTPNrWt5N/2i9bAUHOvG7zpcpJ0c UAn2uLsGUbuUh4+QdzYeqHgk0j39M8/4svWzz/z77z3sHVDhOLzIT9IHi7vr cnEN8lV2hCglZDsR1vtbHQcQt8hb+bnIntoMML9NA4+lT+O5KYofr8vKy27D lDucVbPqfV1Uvuvw2KxgPnN4Bkbmx7bDvCoXxUP4Y3nreh8In05+0yx9hZOg YVdNVTV3HT1V+bVb7FS35rtD78HMzmF3YerTouyV573rSjksgZd82xlOaloi qiEc/ISn5u4alkQcav5Ga4X16UnqfFt6/B1sCOrJxbWr176TfSzhY7Bt+HU9 F7yFehrLuqhFn+H3gNS4WrdctkBKHndRlTgGThg+BqeSOOembu7qKc7BCl3Y Tj1sMN/B6ZS7clNWrjVbPVs43m/DCDRSQtoOR4sTx6PfDWVPm4uLCh/R2fNk 4TTtQJGDxKz4IC4anDdPv6NZ9/Q4jVncgZ2Bo+HUZLUw0WQID5u2AbEmZwfn 0103Q7UMlKTJO6DmnZLpAQx5W4Jwwo861DQg5FFkwHZ2/bT4N9HK/66fCjPd ocmDrIezcjqnRleAs0MTBn6JSiFqCpjpUNPO6JPwDr+tiy62ru2RY4Q/QfYN yEvFwsPvVzzeHCbAO1y8Dr/GrTwnw4k0w+vzY2Qy3pwO7LJb5p0ODCgelZhy t9n4voW1BTulwe/2dx6Ye4+1wEBEoaJzxCnwoEF64SnT9xa4AVPkYXimaXdT JAQw/FI43MmoJxnhzVI7YmYXpjkVPipJ1sGJbUA3KLdZ8uEWwCI3vOgG2Qme X+KW9DjJt0OLv6MtHcjYZeFGx2+L9OhoRo50JSzh3/79L98g74O4+gqE/VKT MON5+J+2IL7AMdgVyI/wQjP0LBpc0fpFA7Ovl6KitvAsTRA3pyBrHtkAJnwR fjEFuQRsfPBV3gZ4fIJ7c8H2yjfFFR2CpmrWO5YvsCEFCI8lKKwfvny+AkVE /1t8+Ej//vTmn7+8+/TmAv/9+bvz9+/DPybyxOfvPn55fxH/Fd98/fGHH958 uOCX4bdF8qvJ0Q/n/yp67+jj5dW7jx/O3x8xK1hlirvLzICisCX+QMk5Ae2/ aMs50/73ry//7/85fQJmzH9De/z09CXYMfwDmuHwA8pi/lpTwy7wj7DBuwkQ DfQ9jkLi121BPFUsY0BCwAlCfjqZ/Pq3FYqP2bPffjuZTH5VvPkJnSPQOeif Tb4FpkaZ8gB3Z62ypPWVw+niX94Jax2LBIJFuiVsRokmNRr/yBtNvSrXoC+X JIQd8s60aILUIk6Sz7KO4SWJZIUjRp+D0488jcwCrlq363q/OcE5f/LA8GxY /sdnfd9XcDYPUeQhI7LImYpp53n4NkyBGPKfwDON0okVN0slENnbqtmx1Th0 A4nxFqkEDyYCAHZu03QoTTabhlxP0DrBAL3zdErWdflnzycOjuQGFAaw1LJc wSDgaCI1VwN+Ydiu0ftRCZWajyw1ULLTopJZGJ2cezGZ78IeCxBEvoUruG0q EL+4icSe4bNiEE+L+cAWCbBmAwv601CicVXCsnACKEvZbqAZGr5C9Y0HZ+UW no0WszdoR6P/sMHPmMcenF++A28dCAuigdUVU6cbtmT025XDdr0FYvifHE56 CgqsKm98ZgZkMhvkIcxfLQ36iSeEpm6ngvFOIhLCW8E9IEJ0wxJ4E+cE4lgf hRF/cLVb44N9NjS+pIQD+6gUkxFobtQjrBv5S8xENUaiflPb+w51jNHauHMy +JLtvnT9/AJyB5DrdaK+7IYaM3qR6G0nehulO2ju7pgPPmw6GOTp48j9uoCc fSMJyXxaoYXOip/s18UNLeSPcChR95I9mqyD+ZCmvG3QMi3pWG5cvSvAPFz7 fB5XcUFqBuI+xK+rI+jQxITJtuEEbh2cosTsjmcwd1LGnKpORCQQHIwHNP+I UCDoGiTCxpFtzf4ia+m1r8GeJz6XuaDzhc/BfwMDAHOq4YMrRN4nhcwGKeor IsfK30WLNX/ps/yabBekZr/biqVKVgNIyWZowfJE/xQWizaGaC/yk9qhRjaV Cc+Ct8euUDgynVpDZrFqNwJHNRsS5MwUd7AL1W7mbh0Y+ux7NVXHxDOWl56I 1stUatDTLRyC6T2TJqLgbqNkgDWyrFxUDUpLoB8wAfh1vndgOMvMWYhW4Hb0 pOJVNrGT5kiPVL111BJhPmyXaAf3JGd10nQu4VXwe4vX5yKEDnApbjg6sTC2 r2/LtqnJHEHFEZmXHDncbrcmBi08TgE+Bv/tSL/9I+9QcZFYkWRwk8cfVWyJ cc3f87igszgIUyAnMXPPNIikM8VBSL1t8LiuyrZDEXRbera4we1ucUoUE3Zo 4eFZ4pc0PKIMBPKQ/By2C8amJu6oyClWymqrwXEL1ucu2J77Xmd+jlmS4mo0 dlEUr+mtuNb4evwd+SbMgmKcsxFIHAaOHjBwgRZMu2dN4pbAntiYE653MvnR CwGJKskqSdGjyYOHBKezUQXDtOQgA9tDQ+fmZYXeVRqK6pnxUldiXGbJ42XL PO+YtHQY8Hu0gm9ocz6ZWU4mn7ywhSuEfTdwFEqgOHmvRHBm7+KBP1mfTOmf pydnmmeAfz8+FqeGQmIoGerOrXzxgKKDGHSeYmSRZvTm5PnXr8cUzEEBIwMU 87JespuKs0BbhB0uOJdgY6O3ASNjBIdE91Av2ETUuSwbT6asWgY4HAnraBaw qA5uHUWIjOMqi0dh4In/Md/gYZ8q72goiWAE9cUuet+D8mOrgceYozW+2ZI7 R7+kvAV4bduBJDjHsKLMrxvxtyVARqdmKgKIIoL8VC+PsQjk6BgziYQjonRB IX3bwFYsRc0QLwMrdg25MnlsUx23fYJI+Ih2CD+FP2OMEwNbGXeckDAEY26B wq6u+RTxUZXvB7YjfwSjAgu/FG/bzCcc2JPiY+1lx/h0SBSSDI+7xmwWsXhx XpM7PvIKfGteLq2ZhMsKSyDdSapWVjuZEOtiZgRj5sslqo4DXFg8+P7i7bHy B0YOwNANige/JcFwGHcqFInsrn4ZSEAxaZZ6BIjdNEouc1X/Dn6/oDCBhj3x 2OGxAbl/9fHtF+B8NOzLbsMxkHiYpnwcVLS9Qm/u5OSkUL8YVxpeVjsKlhSC rkQC+BoZUN54sx0yf1kvqmGpzN+jbdcXQKCpUiFfkWh6EG3bGFvvYVzQQK0c PF93GAwe6vJPA2ierjvhY65U2JW+WnJQtCejFoYsSZGzrKWYB/w+xr/nzcDR ImfmSDPR+QmdHMWigXw4mgS2my4GUcPensnbZRPPxknwUxzu9x0OeEenlRKE uOnEzHNPch7tqYpPHnnn4kMjMzVxcUHTllbLnv+tjjUvwZ5edF9IxbWp7iBl E7SHPWDK9uFNijWT7OxSXXxIY4ix9Z8sX/5aAfOfKGHQQM7sGtowNgs4+QLL WfS6GSqQnkfKPAPZpOFJ+Wh6Hss67KE58jELBk8jxTB80Xnw1GNaLTgJwXyJ aZdDU1cnnz6NXNGj8gTj6PFZ0Sx6z6Zf5et1f82nXkJ/+YvPnujzsDi0zth4 FxXLGjH6XKSoMRwvyg+nqaeTQiBCHlyfx1zrdmfsnS74ChKX6jDeI+koo7v1 IPBPGgg6ewqM+vjFkynO9OnpGQh2u0p46QNGk2AsZIDgLzYNSgq00cSaPBgu wgnvwqmH/yVjlRgpUClE+HFBMjGMSuLIG45Q8xtzknxlje4SSEeHqmHUtiaS pNbYxv1UboZNuj0ucc2QBWmaPAidIkroReYPJEJW5b2wEUsjR67L9XXYLlkU y1HYqtsSpGGzUY9xAJkgxuncdR7YzYmX4TW8BK8DOdPQ1MbdULzfZOq2vtmy cahWNM0mmKsj8ycilDUyBelf+P2iIQUYJif5xoRzKOrRZjt56GTFMI+TU4I2 nh6v02d7x8sSFexDPVtBJcDrWwzp971fmgjkVD04eRR+3cJvGjQiSP7Cemh8 PSAmPRcyZeEkVfmjHAUCQ7cHm1qfqofNHPNVqz3CSuS413QJCuBL3iC1iekk uT46WsjW+wwERCAFymEGNBAQJ4EhzO21hE8k38zLlUlFKkgAjpkAfgBOcV3H CZBUGlG8ZBmoiuIVh8LcA5CWcsBMIWG1hiILfk1+DnAv7liUctlo+nqTeYgc ktGVuFsWfk4DoJoeIJay2erl4NXQVCloJGRYIic8AtHdYuG3MRUbQvTijfPE 2MyhoDTy6oFXXPjIzOY1CR8BR5dj08WDy/Pv3xyT5tx4ML+WoAx/S3bCyzMy DUYPTXSIVL+wMCWfqW9at/bRnOrAuDS4DaSxnsgfJdQGlm3TwjiSJyWr26Ou 7PMAh2prxMVEbX366ORMEkqZMg1CATZrS2y8akwIsInqAQh2RKg85BuOPAAt j4oHaPMfg1lSlYtdSJiAnUNCycQPURzPPYhmNFPh5Gb5NRZ0MWYJBojHyIZD HqplIWQFI1ZPMs6aZyYmEZVeNdEl1lzQVA/gu0sFGqjxvxM1ZXPFfPyFMi0o 0FtX92SD2UQFRlk4MFxL8KZqmhuUCcTVzZpt5ZjHJ9Nzy5FD3EqJlOAxAH0g cZIvISCjQZ/JxBxKibRsQWJ0PatZCmxu3Z/oRN34muKaYO92eGYZslHv8VjE cAi3qZ4J3wKVB1QPAoBDhsvsxAM3ou+2xef4gCi2iKlJOcNwAi3KCqOVpEcd RhrYOoFthp1BG4EiHJbUxIwUeBLHKpjgBOq4HmB+lG1zSz3r8PlON5GNsJHz mtmBJOaCvwmko8CgMVyYbdAKcOMflRhsV1z7n4JCHtGu8mFCnR4YCUXE9585 nmdSXdGVzGQ0mZ5Bvid2bswAmrVkop0WVf98so1ybceHaUkiK36QKMlfAhbc Vm7HOoJOw7y59TPKGjaE3zM0I83JjnDKCHjogFycXgVeKlc7Tb+ZwJ3YB9Eo ZyVqBeA0H9nsyZ4ncRZtXnFPQh7iP6DeLfVQ2tXeL2Wokcf1iyiaOeTWeS8O 68vHz8UXo/8KBES9qROj0QnEGBUrib90/TI4PojqigxVoTOn0IPeMLYsfsrv A83SoSnqT5FqtYox9U2hCTKPhamVsrp8xsSR0AeBmtCTSR7CmmKTy5h46nEV mGNFfUV/1TQNgVPYMgwvKFkHkFUCZQhINkVtIT4rYDxQKy1KPLyo02n1YWnE BmIVGq+Egz8INzMhVD35LF5FSKbIUY0w4zOSInLBReqi2x6ELrmEUbPxL2HX /jf8Z9JsQUN0FVG4mKHTAj7A6bPJZAmncvWbh0t/+3AQ8s+735wi4qnufwOW /v8q+Olf/Ojjs1/06AM49cthsy1mwB5///C0OPrvj85+Ovr74u/+rvCL6+aY Jz75WBOSImweCY+9LUSNPdSa22SwHZ4u3D7MQWKCmAdA1+INhudkCJK+XXF6 9oL9gQfBuznGN2T2JDiFJRNWnIqZDdKLFZrDKCFmYlGgP4yy/fzz63fvdJeD oCfvE+YWTFaW5biNWXSNuUk0VjcW61CxCx95z84ecYpkHaP4wowB2rkaMz06 fXakIodcb3EVb101eDkUTHUTjGZIWhe5UgglMrH1/dDWfOqArNbLouAfQQ/l D/wmRlkjdoffpzP5mUaE5TkwkGjKKPS7ABDCA5ZblWxUvTOJKQUChmCmZLUE xvyZs1oY1tylmS7WrxEzTvjR+BP6CNbLDU+HVCHZ27AkMz9ewz3YDYY4INPS eCOpt5gfJUvUKkTcDRYPSK7EUcARrxtM3rRYejH5FZ6TdLllF9cQYz+4j8l8 +VVRt7/8hfFvEb6YgF4fGivp0qeBVY5aOKt+cURKpQ7xWyk1SMD/i7YBhgrR YaGyhK5gfOJunIHI1xiPszUQiU5APjJqIWAa4aNdH+Jr3ZgZe3fdsMWFQGI/ I62WA5Apc00YCDVeZ2wmx5IDpGpKlHydKVPx9GVMgUZXI6MLHFTiYT87ZnFB yetOZXJIcmqIvak5Vr808dNkx9K48pOT069fw/qTLOUYFWSWlH9JQT+Cg54R DvpwcOuP6KcmQQqcOfrCKtDaEGCE9U0okcEMI0JWEqHm40jqRhMOGWKy8G1L 5lAedjWmF0Uv9+x9nGQwTPe+2dGKxc4ge4AsjQMPZ4a/njFcW19ufOAV4u6G I6kUtybKuFDms++hMWeH0eRo1TybFeXKNCPDYZrbsqkE9sKBIKEHMwkpG5T8 yrDTsPF5PQQNzqyg2PpD09MCjrmLsXA53rihHKvhyQbTgeKmYKqyjGKvQlGn fWOEMBnPzf6JFgiEhc4Q/2P5XeT/p8j/Kqm7EHU1r/HGoZFBXtSXq7ezF2ri Gfd6JJv15OTs5PSUqqU030pKP6vhQZRwjamjIwlfIKqHHwVC3fheIgoScuBU 6aviSH7W1OGvT09Ozv7n6bPZ6bf/cKTWjhaDsB92MO/25OQZ0QE3MUHfMgiV plQynwgUWvHWdEzAfQ1JE/2ZwctcYrI8IHzgo/hZZVDNDnb76JoQaCdEI4Mu ugCUsiAk4F1xO/76HBtPx4btMOQUIB4ZX6wSU+RQaNJMIEXix1lg6acQH/T3 ssq+tZMtFz9Q4s/T1AMUcRajADY7aGdN+Ut6KpwGKRWE/STmpu2ofP4iZRI7 DhugpQ2eP5mQPjEH02iVeSdYTBKotZNAZiQtlNogCQ0IRIb53lpKeDziGwTZ HofFzwnmhzUi+/4caqPCsAWNBUcScbjT/Q8t1KvxJXlz8eRRsM9Y83uhB9IJ W99eu21ISqm/4bSmuDhfEJCBP7jCdNSDD+fvjiXQ/fzpkzM+ElqodYRJiKOC gBlcaZVNSaA/AV0Nf4YB40KOnr149PLs9PTsd/LICfAhioh3K5Odx6VW6DPt SP8b/0Jx7hif65pFSYunwPORHXCqYia4CuBbICq2pmqhep/UhI0kh9GArU1c OK/pGaEGqgtVr6TzGDiiqQ6DMJSqQIpyiU7LdjZ4sC6pS6QIMritvyAXbs8L 7Dl6tiFvu58Dx4IK1o6pAPuRQkdyEPgsCpqGU/lqCKUfG7a4aNYAIzn4CENb +TvVwq5i3JkIDAEIUKHHHraTXSn+Sqbo6RRmpHEMr2DRt4vwCgrEHxJO5ObD hAj/2CaVKPYxk/InYIu+weoyQu8OyHhMzXTDeg2uA6vZiK6xBX/ESJTHj3yK QSgsLwKR7LdMt2uNBdklUp2CFJCA9DvBYErkpHg0FYGSQ8NEzmbrluSoHnAN fMcyJzLfVH7/PB11PIblz6tmzgkKOhRTVLoo4QJCO8naIWwLz2dvQIm1pG+0 VokQ3uvrHsh051qy21I+IBvnjqDtzMSlPQdIMqCrKKVQgidZ6PjAUCdTyx5N /gYbobh6Orsg0Mp1rSVJ7Pv/PN1wCyZo9LLdAl4DJpBKMdo0nUSrteXhiCUr U2afmI2PlV3Z9yTLSt/yNYa06EObgKMG64xzzmD+ExZuQg7B6DqosgCOxtcH 38Q/HEtQOAQSUhhyQFMTki4xEM/R7yAEMX+aPBUdSoHyCcsJ54OaRDkvaZA0 cEKHi9CKpyejZogCQ1x9sJCJU2qKDGMFQSlqNuCb+gAE/WTyLXz3jDGuWiiM weUuFzOaMV3GInitne5UsdCZ4iEfn3C+1TwndM3HTa3wqX2D0ZFRN8dMPdGf F8ffe8KYWmRTCqSzkOL4Cfq1HUhqr5UkyiCSqReq1U09Y3Ld+N0fSI3DtrFY xQYkxoFAk0XlEeYofd9r1IR0EX710U+PHvHcnjIpmIChfs2sU0jbKdj/Ow+8 ofIqBCK0wMlj4KNcWVlORl5Ok2/R3TtBs2fnGaHVgRUJ72sR9hY8M3MMZfs1 O93Tk4ww1yJgGBT+jwfmofNJrPDQTBMx1FnbBPmYKhq/NUMB//lKsJx2sLKm NQVjWulFdTIybMjey+RgwLOxiSHXqGxtdwnHhWCwFlXOPbsmEiMnzVuV89a1 lgTg7uqHzAMcIVXpmDL71DLfNSZx0b+07oJFIyDWs8PwPqXULcXOEorp8VrX TXvgs2QRsgjqBKFLc8ZVdteIFpOjYIrVTqSnTS7qECpIVYZsU1Do/COpH/Ok JOvpvGrQToLloRPLnjdLiJT6XqfISSAmK7lVqiE2jfiMgjoKYYkW/VATxoQK OfqyYqGYcIoW+kT0suwn7BE9TZFI1G0SwVEgVS8zcuYrKQLwDk71TLRAvq6k DCyLuyRoplE4zkiQJ8FC3GfH2+Idq3mcQZ0fRBCxlUw9LLAsRmStK1p3ly4R /kLoFTCoMbfZIoan4UoW1tIaHUMzcoHp1IjF0S2zeTB+jO05kRIEqXXYVABb 0ggKNPEUk43GESQUSvNZ9AnR/wGHk7po/RBD8NgIopOEFSf1H7XYi/xKEq2f //n9tHh/cX45LT69AVpT4Bt2H4+Fw5wY+iNglY19BEF1S9T4H768V8fGQjIo QNOT109nlgp0xVoiSA29yJggYkgNp0iCwa6foBRo/JOb8+zp08dP9ZPoFaHB E9q/jPGQGmApZblSAMFdvQUtE0MhE8DXuOtFMBCsnEYIgVZ8RM8JVqlAWNwF TP/KWMcH5ibxDHAW3JarBiPd1T0P37UEZmZi9DmcXfgyBTpI3EpEP3kX/wer 8BMgf4iDwHdpCgTh9CDsl5S0wBFoZLJ1qQSVoKYBAADMEpIdKkyp7YI5146c W4RWLqzsbYdKiquCiKZsVDP0FaNY0folvNkuJwFlRP/IwCyWrZ3fH5sIvHBD qoAIj9fI76go3ehmKpYM89kfkkBImc8LE8a6u7G4W2hlRLlFI7ZUHJOZxHyE YBY2l2xRShbgc/uOA+j2rpEwj1Wqkv2j55G03TD/o+ARcbsJqlgecCCSuUpE hNKYqNh+QpSboNEleDL3YT+EvxjBvlf7IcxFcEXEIsfeI5RbCDj107MXSXRG Hoj51NNHZ09shqZuQussxe4jL2fxkzJz38Jz5LkRxAS8xL6yX0JJVnF3nuwE 54QyRiraY6OoqjG9adY5DzE5G3ikwELIbpgwysHURsxWJPoNOOieDMWR1kdI scZ49ogxOgrZmQVAR5m64qF5hwEinkx+PW+Lh9/y/2e7TQ4bx2ZuGDMiBQGZ rz7iuJL21YCTORlJxOJdb8B4OUPyknCz8aMVZrwqzI5hm5+hDuhPhAy65R7/ 8KFTgQKazOBaU9ESzZA93EM+IdQmPDaKchI7bPbWOxuSNbIp6oWVltVZtGdi XeyFBDnKYpu2SDgAzcgARRsJtlicoeBcqYTDcVO/gHuOPQ0iYB73IwEt1rvo uRvlb7y7wP9pWJ0ABDLlQ7ON9MHDzM0LViOKlmEIlQOGAxYXSWbG79k/JjFa 5sOrZWSGJfbkmJcOisWQlPhX+9w8jhNMvOORjoCBJUxDwPsCvziuZW85vYoC TDo3aoySdgeH3JR/5joaHO0n9TuwQFO8GFpgrMgOyR0M2q24wg+XoLqTkkuO 8GCLUjCCRxjVwjgkni95rQDnYXFT7Y7U6cVlKhC/ReSVFFag38lxPeM6EuIz pJqzlgg7Qjjh3GPTL4TE0rpTOqLpyRmpFHWtRyb3RDKUSOB6isAMHZJ9FPD/ NwKP3JsWyUKiQXPB7kiuZpR2XKiKhaQ6yYX0fdAIUcVfuy63NvdscCUshDNS E5kpyKhet/hocTJd/DgR9Oc/VUqPntwVISJr8R8av/vQpDuKDSOkaZagTfbk ClofLDWCPcV1XYex7neurfNvSpgsFAi/M36+slqCK0thXGPkN2iL9+XKI6Kl w+Z28Ho/oMuFmdHAPmA0xHyKLULF9yt939Yy9g3HQIzxQXKaIsRvJbcQtlPS LrB7pb/VnhshZDi7+I46eZKa1b8wZpgbU1JiTmdxWJNqZR4IKPIppayLnJ4f tetLmti0a8WkEffG6W1xu6RSmgWsBTudKFb0krsvolGOMdk/+xZ5rZMETJIA H03QoXkTqmLw2wSbQ92Nba01KIQN0lhZRYQqnc01VuT1yUPOyGJ8BjkfJHTZ +dgwkuUAcvWGILoaH5ZtgB148/riuzd/wEfZBn365MVLAmBwBTm3fVrFHQa9 TX0XQYgNbYiudNxJFj/BGCdqhkvbFKdlatcNUsLVMftNRKKMFzmb4tzEEtcl Hwrdfo4FBFQ41ceC/42RtC11RwilUHu2MaeeJNTAhW9L7QTLj8YOr5qukiPN KSrpUmRCo3dA18pRex9NSnBEOy3QiPVZtlYlwWyIv4+2DdB7yXscGiOJnYW8 SO0EeQb6uVosSk8asmzI+AkIN8PoQcuC/CrXIWCiHUXthzlgUnl3o0RysE/U iwht+r6pPBZHFKLcKceXNfARFCXnEkA0vR5v3CfbonCd0PAAswICL7sJPZf3 0D8mX5Q5oqFoDWz8hqKBVFYaU1Wryq1juOEIzfkdMPNDIPFRbspKkFXszO4m dAXIhTlL8r7z1Ura74XGJPfq66Ntd/OH5bX/w40/yttNv9EyzR9QhJoMvPv5 3g7oMirU6AAc7HCBZ6yKTIBUmKMpt6gosGMwOws88OOzp8mnBV8l/TumySzS eb4MSDht30AoFNPlsAfZMwNOjmZyCuyKtTc5Hjx5jAM1h6vUCO3yKS71KFtr VXZ9rOx6d/7hnFnnNT/1mZ46Qs2EimA3nRTFr+y6QreEbMuBbZKSXJSs+cvc AUUaiUxpkHRyzJ9azO7hTxvqIgYjS3neKkoTAhdyrsDKNAs51qpj7iCV957J TqhXRCVFGTg2F+JwNp+0stG6ZclgUjpmcGw0rpkNzjYs+CQDjxcyRuOY0yvb /kwMn9hKjTzfPbTjWPqf6CF2tOnwFU582urLYvOpNXeFdJYwq4bn9tJNJvGH gXySxgxC8oWmBCTkGuRrbMey1PFj87l0FawtFeAr7qFxbnN0mZii3G/b9nxB Gn04/2y76kX4dgAFjr+nLdVYrQIl9RfipuZtVaMhowIymXFMiOcpp8eYEsep cPCdcBvBbbCDp7GO0TXd+6EnCuAvgNXA3AOnVuPj2Jwb+7/C12SZW8cYAwr7 IrfvfM/h33mLIDiOlQZkwdxXbEVLTXJo8SHYOLLPUUC0sf2MWKJTVdZjTeyC i4HuLiJwxit8Xl/qhKVFUzrIXvVPcstBwDcm/VW1VwP3wGC9GlJVaJkrDbX0 IoI8DTa0b8vbUnpxAh9RobaxH3Vr1YbEUtikbYIpYdIiJFoMe3Qqp4yHSYZI wrumtJ7uzEHDHCEasIOeMxHacV6e5+xQJ/0Knr54KnU72riBUXWrUAlFQj1t 4nuoXt7qR63D4PoJWwA2UkulreWnh/genqF8nkoNqgngzlbSCAwMJvjxCGlw JMOB0QRkC/6j27tq46CJKNZ2uqLQ0Vh7hCZbeaBz5S81JmWcPYMSLH/tcsqm 3qIP5fEjtzVkFSXxaHAwiRBFEl9Iaxt4ayiLqvj6Zui5/62NKRfFBf0OdKP0 +9gi2HfL35WpBtT1dNwiHA8f/Zdt+l+26Z5t+v/LLr1KkYhM+AfdcUDZpvcR pSJ5JONh0x0cGzJdZFH6wnvUkBfdXunHG+oZjfMnqRqJ0rUwqKO4DZq1af1j vOUHpPVrGfJSHwkGT6n1B10QbAjcy9u2SGdXvL9MDojalmDgHEsYTe/qMNeL PMhvojJq55iapTEcITCqgqMpitPepJW8RWJGx3qqPYpp+90lwexC+xvbZGe/ pzDCWI0BEtCZpuW2SbgKMEyQQLaNzdbHm1jEkiY3xZuicRKXe0Qeq2nM0aIB E+nsZNk+IkcHFXwXRPJ+/50VdSINXles6sprc/q8AFgvUKNvhYKyFBCON+GA QXlsC0DSQfBwCfaLpEJcPo4Y0WIRodaZKFpAPB6yIzldY18OE9SQiLxL+CnN uUkbUXlFYEzYTYjKIwK25kixwGjHY7ZI4/t2F3nuiOUhZDTvmwSk9zgoRoZN YXLESmTOEIczFcqXJSZlbvKljWslDBkqJ13xY/m21NKjS9Dk0rSi+B+XH6iq wdccLJ4Wvsdk2kXoh6mkkdGTZnIdyqTYOvOGOIzQKX8asLxC65ioHwhVQuML MA3sRgETm33iB6OZTwYISQb7XQLUkfwLr+or4naPiUCCT0qX9FEZyQ0fHN51 EzfUHC4tgeZpzSWyEMIOZgvv2Tcft00xfcFrFzneHRILCVI4SOzWDJWOkBao U7wVCzriBV8/cyICkmrUHTZeSy7d7b2L9qJANt/6kvspjE8ysc5Yo6W3IQoy S+IB5K9o66WANcbrCqXDC8Wmsc8+BTlqs6kWsBh6FYV7ClN4av6WeYwxCXRF xgAWciUSkc3vGkMbPbWW3yd7SBdiVZBCvw8qUYUohurX5L5Jnhb1v2W8HRbC 0KIjaZDmQTDbhsJjH8u8HvLwzYUuwZ3M2VTOVOjzcOfzG0tQFYj2ZbRWsDhc x3Ejp1fUYU+SAIhwFaEdqZD/ztRMCZKnsM089AOa2BmzZTh2hz4Nq5N2lwAS bGWWixnFtuxuVB9nH6OrKkc+xNAeaqolt3vFxqMGuiACNIJ0FZUg2OZwtdm5 huPE+LDwem7qQhz5+vIhTKKjWAavxAQUbKILM3rALnd4/y43rSPNkBdcUgRn bFnKwlOzmtgY09w2QR/iwQvpbE2BI91taeWbNtdPiAxs+QaXx4rkvvv0BHgd Ijv5fR0Cmxhq7SPQtGuHsDE21tMmACyH0iciMEP7K2r3jhxPxsm3eM8giFEg UVNTF0JZmHa208sDR4m/d40dr45SnnFQdjZaby6zO9nLDGdwEM2eZtSxK3YV N093LZeA0gkwVzVqHWZ2AQrv1KFIRetD7XiQmfajEpTLFkdCn6Ub7499hfuc 4pmQALu99MotsZkk4qHI1zLqXc/mXnI/3XUkktF8NvrDwA12xYzZQLuPKWRR otrKEV8Vl3hv2bGxGvGVvJk2nEUTkdWPooD1qlO939PW+YZGLkGQSb0ZrSC9 SDcNPtnAj/IFZUL4hlW98zvL4ghQisAxmnXHmxv7TmBdfR7U5H75jdjvVkZh pzD8C9uuI+6lue0jkW0Y0EwviEwMsOSA+fgFKrS4Z8hw69qhsbPb1/YfC8IM 9RqVxc9hX1fchysooT5Gz8twmUmX3F8rKXQFtNtLV51pmRWqWCy/M+huLTV0 lHLHemZSwp2pQuJQvqmX6TnXzv3ScNoLvRbFtK4VUNwhPZjEqbhrYmg+Xra8 G4LqEDyaNhO7LN7qOMavErsk3OOW2IwhnH5wRkVjwp5ppPMqqZXn21S0RDBC +ymF4vQe+oy1TWegLjlOUsUzYp2QzxgzB/SZAN7XwQO0LAQgjhxfLnSUWlDy JbFqzJVcif8mMxMDO2/8a8oN6ETILUY0PobEQuPwUCAh2lyMdVvPJeUHAbG0 J3SVkdTcHN0zL5ZAooZU6cvhOkiQYNtFyKpUOqyrZo5w3LJjt1iuUyU066FB +lKKcszVvUnvr5F2lmybWnZgAcELZLP9QOPk+LbspfRIkl7ebFsNc2EKnXSw 0NNLNbizNrdglMbFIc3ECGhr6AmkLL91BG8pxMDBth+4+UkfwymJc0DfIepN C3OLaGRE24ePhYEFAOUhmTQSE+4FCXEy6mgRS+MJY5/3L8h2yo6oILxYTBcD fIpg05OQ8sZ0H4NjogEk37N1wTMc66ArQFMnkTeJ2BHxQaFDY73kFcRWfSIO edrh+soRrUltKBbRArUhxciUfGEeF1UfCEsYQCCeGcpsgWpQsiS7j9FqPjqh dU8kNidpazxvhMCf5hCNXMTkHvrIo1onKfdh/jkUSqayVihhBrimcBnG2mOR cVKVHpJqCmOjOgnTvpk98toKTRMl4ApbQ4LwwbRHBZopdG9C8vFwjZDZtAxC sIudCJKQk+os6QLWsb4MtQ+mFNVGmw7tVm8KoWjTYpHxPrXGcDcjs2L0tCnk LzUrYcLUqk4ZMhuBjfu7G1P/e7wr+kJY9RdOWK+DsGghbRKsffODKZ1uAZ0m 4hdsVCTVNXzoRw98kDHj4aDPwyIDDKV3HGJRJvlfU77wGD4FO7fL+3XGhAyF 6UYvlcK4qxpQ2KQFJI9W1FmCCqwAg9Lo8U/JrMCdVHiVOWEqIBxtgNxp5+GB 5X1vSRMXOcuMd0w5IHD7R1bc7HsyO8WentK7wLyXKTTmS1xr57mYPJFkC0nX VW47He15lPV34pC920bU1gURUIxPMr+TEaaJ4WHj3xx5cFbajiggNOMkYuZV IY8/yVS8C/dF2LWJo4NUCk3N6MjQptE3qpi2i9dj2WJTIUEMRI4mSPNroXOE S7C1TO6EzR7u2DxiWOuJ1+ViF66XZyePTuC/D7GlfFucPXp0+uri9y9evXr4 +CyVRYvsekUtGKKr9hK/WDMcIWy48fkULD7HGtJAR5kdO6TCJl24HzjtoY3U 0css0u5p7EqV2icjF5e5HsHIIM8sWnd6iwitGwbe5WfPWPRMgM1mqFViISae S4e1mY8UyFNveMO+5CppwM6eqWl+Vyc7WXgM8m4J0ngS28qFfNNYKJqCPII5 f1eHHI3iD2OXX7qCOQSi/XVJKEtffDi/KhCSfud20+yN8ba8pkOwRkisKspC xmmvCR0xrhbzO5Qvpo7DI4aLaaChpoE2wdsbdrmXxZMYFA6eiITpXsNmpYlD iigI1dgu1LgnfuDgJgRxIXcpSlNhqZHcNDW3cdWrSA5hMNIuqt3+RcPmbl8D kD1PlKyYfeOmQTDHtMGJChsRoYc1T2JG7Hf6yUSHNryiAKLDzoOZzZAd4uT+ rdh8pc9tKJKJeROgqRZSGgPERPossJRtA47qmS9Sdyn71QSVcJ+V9+N478IV EHSOKQog7z2WUHefKZTKSg7R7EXdU83RlcjhrvbN0FW77ArL8RlQSEbGC8VM jV6LMG6/SXpZbi8afQTjnqX6fRz4G10ihtdQlDKRgn1oVCsjBYNE0FHyKKvt yUcq+JW0pbFWtAAhjIeKUtc6zX2TvyLpKd7oxGDJJVFIz+ElpHBEZyQiGoSl uuWM69AoTih1W9kKYhAcRr1u1hQK1Saf143UV4oyTpcwdNpo6VMs2/+L6X73 Vav89jIkNi4lCG5T+s/hz6RKLL2pPI0jxp6bEvm1IpsxeLEDl8CYdrEimlMw MUFvb1ihiyzUYFDSkxGcXNQWYg0zzrv+3LFLmNEUbJs57zcZHKlJvC37/Wgx Clbp1Ju2SYxKwibvOGSU9mfLminGZ9MEf4iJx0nqZfVyuUbS7TDH5HemL0eS WNd8ejq0gZ6iDFA5qcDD4Lsn9g2qBIoURMAZ978BI7PNUA5JBxfrx5cao5ZG LGFzHgSCiJ21+2XBp2MSQdR2ju9xdNQ1EAycLaNMQ7+Y0A/PlEcz+DvSrjuA kpTmqKGJvAmx99giChevZsbCB8hyL65awByVyZ4hRcOtnMKWWTedbN+ki014 SXtMSh8abaGip8MCfYEppIA174rILHA/0Uxgutb2FtQpCZuxkN2aFuFzpxZB BWSlhpkDY52HkOxIMXWxMDhYIbH3W4V6ju6yviHzeJUzyl2AmCU+QJ1CN0a2 Nj/z92wlFQuVHI2lbrHUAlW8fY7Z3iUhW6F30kKF7SKNIScB36x/7km8+7mX oh0N+V/r99I5YgkYd2fKO+gn3uVd7OwRWr/tZUrYNKevSJBhRRaYtJGM8oBn iM2FmRFC2yqdLTdoIaiSDJde4Vf2yvJ5+PFjm7WG04vM+2RcsWEODU7dBSkD vdeu8r5I23lo1JPB9bGeSiX81gdXioocemT2tF8VRZ61peqDLBi/QKDxkuK1 XHlhO089e/TkxaNHEpiCd5/Dc7vuGNHqrl1S+ZO5Ezd8JbQNwNoNarU4qhQ4 Ahs3XRIkN34XvOERpIbgeMyIWNsVjY99YIbwniiq5EUpQgzgRdN1ha1ibMiC TVbkETVYQhzULixmQ7K6GHsNA9Gbw+NLrn5jiVRSA4HVgJcjhc6b3YAYKDXi Bc8lAUBt7bUoO5M/27il14Ht6RNHxuy26lVKKfQtF7cp1C3pRmqLy5Z8zNKw PMMdkjyzy5YiVoZBHdp+9TKtBGc+lm2i096W6zLrmL5L0mlpp7Ux9HBsWjt5 Zz4TxH74BnJqvJGXmwwenMQxThE7ebJSrAShEseXAUZiNcfc55G/Y/X6AcZw afM4MTX4de5/2tGtuXAGZ81qxvFk/Ukvz3199fHLcUQ73A4VehYSogVlHcF4 cvmHIFmic8UXF2634gaK43SIuVOFKc3gbAxr/3XrCIQ2G4h/SnrIofc87y2+ LjSFzi43EqAOJquSY4QttDgAGA/UHce7lgIzsBtJ42OQRFtW/NVbFjSalvA4 LKB0kr6ONNHpiLUVZxfTgR6vOhJ9ldz4ItBT/Xu2ZAqG5GseIXsApvLaIhGC KYZ/wALjJOIRmsuf/yveGj1wj0AVD7bRdsgnpScek4koqvIZ2Uspe8l33/dm clxTFuSQkuMGtUoEDfRoIHaaxivVAQiV79ooPBd3+eV/9NzPuBmdIAuDeRiu WrQu7CHYcqzxNx6l5AfSCpW9bEGIiYbrp3HD1KzZbfNeJNNwuQvhUGLbdwTz jRf1jF71JdGaEBJpQzBzGYALaeDFpBO5mSRe1dsouuG++i02Azqv6TAanOLx vaRvIzJrJH6mV2NSxeyl3J/zuqEUN0dnuEk1AmDpggxuXMMB4PszjqbxdT4g Ks1tCzYI3Uy9GMTgKs0lrfF6qaSZ1yIZyeAa4YOXrb8lwZ5WF6j7f+8gwbiq JxJiplo+uhmetgebU7JnM1K3+ebkOVqvpgfWdBIIAr94Qe7cFUXIdYVyh7C/ U7M0o+bEUJO4Inp9rcOGR4r25MvfvNwToGvzy8mIssLuaGuyLW2MOK3vAEp+ ScCjBiF6h0MHgKitkERXg9NARvON05tWi6+y3MAmgM2iqbq9/pImOuRsDcLD kM6z2SoSRd9dXV1+lii2pDA4FDP3AYuKCWRqhiC63mklCVnTScvBBE+qK2Uv tEvikNI0EAHNZOZJqofbmVpj6fLdu2MFcO74ewxv5rBORRIgglOlvEvEHoWF Avwk4kMssC9uyZ0AhnBUuh5+mIPnLP0VN1hmRecOZpQ0YZrGKFLswhLuuVaY OPfj4rg/9W9Mu3gFLDubh4c6gfEh+S0fqLOvX481/iINC6nrVoTAcf1z8Iuk Hkg6OjjT04ugswRnZdsfZg3yiOqUR2RRBFTTExm7lnUqmrCnyNvXxRvwnZr2 VVq5KonE1m+a24iXXJGW5tyhJsa/Kc4X6DxXfrmWpi6gOOqbTqPeG25kirXD pq8obO2bf7miClqk+rpthi33Sm26koIxK/BAMPtC36AOc75q1ljvDT7vLEgC 1EyUMIPfn8Lvh+2Sb26iwwezmc1mBY4z+X+Qwnd50aoAAA==best practice. --></rfc>