China Requires Disclosure of Detailed Information About Internet Usage by IETF Participants

I have long been concerned that the current state of geopolitics and internecine competition within standards bodies has begun to negatively impact the development and implementation of important global standards.  The focus of my concerns, and much of my writing, has been on issues related to cellular, Wi-Fi and occasionally AV codecs.  I have focused on those standards because SEPs and alleged SEPs for those standards underlie the bulk of SEP litigation and aggressive SEP licensing campaigns.  But perhaps I should have paid more attention to an equally important set of communications standards – those that are set by the Internet Engineering Task Force (“IETF”) and govern the way the Internet works.

The IETF standards (which often are termed Request for Comments ("RFCs") in IETF parlance) include some of the world’s most important networking and communications standards, including the Transmission Control Protocol (“TCP”), the Internet Protocol (“IP” which sometimes is used with its version number such as IPv6 and sometimes smushed together with the Transmission Control Protocol and called TCP/IP) and the User Datagram Protocol (“UDP”).  These standards make the Internet, the World Wide Web and a great deal of other communications possible.

The IETF recently held one of its thrice yearly in-person weeklong meetings in Shenzhen, China.[1]  At first, it seemed as if the meeting would operate like a normal IETF meeting.  For example, in early 2025, Cisco, the networking and communications company that I used to work for, donated more than US$1 million of networking equipment to the IETF.[2] The IETF planned to use that Cisco equipment at the Shenzhen meeting to provide Internet and network access as it had done at previous meetings.  The IETF planned to provide such access by issuing Remote Authentication Dial-In User Service (RADIUS) accounts to onsite participants.[3]  

For those who don’t know, RADIUS is a long-standing IETF standard (it was first standardized by the IETF in 1997).  As one would expect given its full name, RADIUS originated in the early dial-up days of Internet access, although it has been updated significantly since then. By using a RADIUS server, a network administrator can set up what is essentially one connection point to the Internet that can be used by hundreds, or even thousands, of users.  This in turn can obscure data that goes out over the public Internet that otherwise could be used to identify particular users and particular user devices. But, because the RADIUS server stands as an intermediary, the RADIUS system can monitor and log users and can track users and user devices Internet access.

With that in mind, let’s go back to the meeting.  Shortly before the meeting was supposed to begin in March of this year, China notified the IETF of new rules governing Internet access during the meeting.  According to the IETF announcement, the IETF was not allowed to use the donated Cisco equipment.  Instead, the IETF was forced to use Huawei equipment to provide connectivity. 

I previously have written extensively about the many concerns about Huawei (see SEARCH RESULTS: 'huawei' - SEP Essentials), including that its products have been banned from use in the United States and other countries because of national security concerns.  I will note that the Shenzhen meeting took place many months after the Huawei IEEE vote stuffing scandal became public.[4]

China also informed the IETF that the IETF was required to have individuals from China Mobile be part of their network operations ("NOC") team. China also required the IETF to provide detailed information to certain Chinese telecommunications companies mapping each RADIUS account to the full name of the person who received such RADIUS access and the login credentials used by them.  China also required the IETF to provide all of the RADIUS accounting logs, including account name, IP address, the last 24 bits of the device MAC address, RADIUS accounting message types (start session, stop session, and interim-update), and timestamps.  

This is a big deal as it allows China to determine who accessed what, when and for how long.  China long has been accused of sponsoring malicious cyber actors, engaging in cyber espionage and other cyber intelligence gathering.[5] According to the Australian government, Chinese state-sponsored actors “leverage compromised devices and trusted connections to pivot into networks. These actors often modify routers to maintain persistent, long-term access to networks.”[6]  

The Chinese requirements at the Shenzhen IETF meeting raise a lot of questions and concerns. What was the purpose of the requirements? Was it simply an attempt by China to enforce China’s new cybersecurity laws and its strict limitations on its citizens access to the Internet[6] and was not directed specifically at the IETF? Or was there some other reason for it and what was that reason?

Will the collected data be properly safeguarded and destroyed? What is the risk of it being used as part of an industrial espionage campaign or by one of Advanced Persistent Threat actors identified by the Australians in their Cybersecurity Advisory? 

Will China insist that all such future meetings use Huawei equipment? Will China require all such meetings to include individuals who work for Chinese telecommunications companies as part of their network access teams? Will China insist on gathering this level of information from every such meeting that takes place on its soil? 

Whatever the reasons motivating China’s requirements at the IETF meeting, it is important for standards bodies, companies and individuals to be aware that this is going on. China's requirements raise a significant possibility of misuse. They make it easier to track the future Internet usage of each person who used the RADIUS system at the IETF meeting.  They also make it easier to target and potentially access the internal corporate and other networks used by these individuals.  If China insists on these requirements going forward, standards bodies, companies and individuals should carefully consider whether it is wise to hold, or to attend, future meetings in China.

[1]          IETF | IETF 125 Shenzhen

[2]          IETF | Cisco extends its commitment to the IETF with USD 1.3 Million of support

[3]          IETF 125 - Shenzhen, ChinaIETF Meeting Network Information

[4] Huawei also participates in standards development in the IETF.

[4]          China Threat Overview and Advisories | CISA

[5]          Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System | Cyber.gov.au

[6]          China does not allow most of its citizens access to the Internet as we know it.  Instead, China lives behind what is sometimes called the “Great Firewall.”  China’s version of the internet is so separated from the global Internet and so tightly controlled that the Internet Society has said “that it is more accurately described as a national intranet.”  See, https://www.internetsociety.org/resources/internet-fragmentation/the-chinese-firewall/