The IESG has approved the following document:
- 'Dynamic Authorization Proxying in Remote Authorization Dial-In User Service Protocol (RADIUS)'
  (draft-ietf-radext-coa-proxy-10.txt) as Proposed Standard

This document is the product of the RADIUS EXTensions Working Group.

The IESG contact persons are Warren Kumari, Ignas Bagdonas and Benjamin Kaduk.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-radext-coa-proxy/

Technical Summary:

RFC 5176 defines Change of Authorization (CoA) and Disconnect Message (DM) behavior for RADIUS. Section 3.1 of that document suggests that proxying these messages is possible, but gives no guidance as to how that is done. This omission means that proxying of CoA packets is, in practice, impossible.

This specification corrects that omission for scenarios where networks use Realm-based proxying as defined in [RFC7542]. It leverages an existing RADIUS attribute, Operator-Name (Section 4.1 of [RFC5580]), to record the visited network for a particular session. The document explains how that attribute can be used by CoA proxies to route packets "backwards" through a RADIUS proxy chain. It introduces a new attribute, Operator-NAS-Identifier, and shows how this attribute can increase privacy about the internal implementation of the visited network.

Working Group Summary:

The radext working group is rather light in attendance and discussion, and will shut down soon. With that said, this particular document got a (comparatively) good amount of review and interest.

Document Quality:

At least one RADIUS implementation has support for parts of this specification. In particular, the part about replacing NAS-IP-Address/IPv6-Address/NAS-Identifier with Operator-NAS-Identifier when leaving one's own administrative domain is not implemented. The complexity of that functionality can be expected to be modest, though.

Personnel:

The Document Shepherd is Stefan Winter <stefan.winter@restena.lu>.
The responsible area director is Benjamin Kaduk <kaduk@mit.edu>.
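
The attribute handling outlined in the Technical Summary, as an added example that is not part of the announcement or of the draft: packets are modelled as Python dicts, and the class, the function names, the HMAC-derived token and the route table are assumptions of this example. The "1" prefix is the realm namespace of Operator-Name in RFC 5580.

```python
import hashlib
import hmac

REALM_NAMESPACE = "1"  # RFC 5580: Operator-Name namespace ID for a realm
NAS_ATTRS = ("NAS-IP-Address", "NAS-IPv6-Address", "NAS-Identifier")


class VisitedProxy:
    """Edge proxy of the visited network (hypothetical model for this example)."""

    def __init__(self, realm, secret):
        self.realm = realm
        self.secret = secret
        self.nas_by_token = {}  # opaque token -> internal NAS attributes

    def outbound_access_request(self, packet):
        """Rewrite an Access-Request before it leaves the visited domain."""
        internal = {k: packet[k] for k in NAS_ATTRS if k in packet}
        blob = repr(sorted(internal.items())).encode()
        # Assumption: the opaque value is a keyed hash used as a lookup key.
        token = hmac.new(self.secret, blob, hashlib.sha256).hexdigest()[:16]
        self.nas_by_token[token] = internal
        out = {k: v for k, v in packet.items() if k not in NAS_ATTRS}
        out["Operator-Name"] = REALM_NAMESPACE + self.realm
        out["Operator-NAS-Identifier"] = token
        return out

    def inbound_coa(self, packet):
        """Restore NAS attributes on a CoA-Request; None means reject."""
        if packet.get("Operator-Name") != REALM_NAMESPACE + self.realm:
            return None  # not addressed to this visited network
        internal = self.nas_by_token.get(packet.get("Operator-NAS-Identifier"))
        if internal is None:
            return None  # token was never issued by this proxy
        out = {k: v for k, v in packet.items()
               if k != "Operator-NAS-Identifier"}
        out.update(internal)
        return out


def coa_next_hop(packet, realm_routes):
    """Intermediate CoA proxy: choose the next hop from the Operator-Name realm."""
    name = packet.get("Operator-Name", "")
    if not name.startswith(REALM_NAMESPACE):
        return None  # only realm-based routing is modelled here
    return realm_routes.get(name[1:])
```
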