IETF Logo Mail Archive

Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

Marc Huber <Marc.Huber@web.de> Wed, 05 July 2023 19:25 UTC

Return-Path: <Marc.Huber@web.de>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1FA3C151062 for <opsawg@ietfa.amsl.com>; Wed, 5 Jul 2023 12:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=web.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ufdCeZYhra8v for <opsawg@ietfa.amsl.com>; Wed, 5 Jul 2023 12:25:17 -0700 (PDT)
Received: from mout.web.de (mout.web.de [212.227.15.3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 449E4C14CE27 for <opsawg@ietf.org>; Wed, 5 Jul 2023 12:25:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=web.de; s=s29768273; t=1688585115; x=1689189915; i=marc.huber@web.de; bh=6OxItndpxPR9oPep4RP2GCi47BpuMYSpv8cde2jIm50=; h=X-UI-Sender-Class:Date:Subject:To:References:From:In-Reply-To; b=oOKFDxG6cfe5zazKxU4WCYu5crooV3N8cRx5tVhNyVBlxsJzGdyNkwiYsocDDmLQ3IjnQ0/ dK8dcAuhy6Sj5a+OROA3Szzrh98oJ3B5QgaxzxKxMPVOa4cQe9AjDqMYd6bIgAB9CA+626IiV XbqEmqmGb3cKD91VGcTTD7Q2uSJxUVC7/2QMOMxNO61A2G+kRlICBf435U+98NbWkiIZr87Xs mXmtUakRcf/56D2/rWx7H1Xdw6X9oInbgeum0sEHJZGhjEvBwD7VZBCr7lRBM3jgmSJZkkbeI i/myg2gWe0yNTLHLb1BCG6tEy+g/QfneQqLCT4sUwoUW36GfeoLA==
X-UI-Sender-Class: 814a7b36-bfc1-4dae-8640-3722d8ec6cd6
Received: from [172.16.0.4] ([217.231.41.149]) by smtp.web.de (mrweb005 [213.165.67.108]) with ESMTPSA (Nemesis) id 1MXGKA-1qVyNx171i-00Ywe1 for <opsawg@ietf.org>; Wed, 05 Jul 2023 21:25:15 +0200
Content-Type: multipart/alternative; boundary="------------DIRqBg2kfFmcKkJXNAHgN6jK"
Message-ID: <ae412ed1-e92c-2fd2-9906-43bbd3e53b69@web.de>
Date: Wed, 05 Jul 2023 21:25:12 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0
To: opsawg@ietf.org
References: <168805050611.46147.7135705558590726585@ietfa.amsl.com> <BN9PR11MB537112089669BC32EF2C0772B82FA@BN9PR11MB5371.namprd11.prod.outlook.com>
From: Marc Huber <Marc.Huber@web.de>
In-Reply-To: <BN9PR11MB537112089669BC32EF2C0772B82FA@BN9PR11MB5371.namprd11.prod.outlook.com>
X-Provags-ID: V03:K1:hU3s7u1FljO16iksddd6v6jnyM7CXql5uzdmM8cWWZXoyYLoSUa 7q8u/ETyb1QjIxSFlc+fEcNXmJUuc0TXRW6UydNlII2JHfcX6q3bsb8cRVJihXE3/GqAkA8 Txyb98EI7zhZC+JEEd99AEYRNeYWOpjegeXkwlCY4tqOcLp/bRpOI+Ac1pv66kYCGyfsd12 R3+6bqXMZYAIEo0RwrbYQ==
UI-OutboundReport: notjunk:1;M01:P0:a/E9xskrFlA=;R+xbqWsMQGbU8Y49AnuSdtZzVmu t1+iK7jQ0bmLupDdW0pjsUfylXAw8YiBtew8bG8/LClrBxNkYeD1CNu1u/xga9c+aYTWxw8L7 SYacWaOS6bTsvvnGS1K3B6BELO35IqTHCIkz6km8qQ+BRKXJGXmFwvA1RdmuYIPMDGWQit62n iBEMrTCB5vHPd96A/b7XnHVGoxqE+RHOspvW3gNKbbPjXsZqbPZwy1RLQiSVlQ6y9zyLLcSCX EOYcolGyaypCmUpWN9zLo7V/ZOsaREcCGnOnhLVWM1095iXLAb4W5nR1UIsCCOPwVPqUVjyKR 8heayd0AF9+bQxKJBbH2aDCZG/e7QinrBiMIG+lpUV4gTDxVRplzQ+zrJuruX9DvRPVlQeEfo Ui1I0C7AnJjaFnuWXmJeAeTx08kJyGDuUBRnofEDhcfcBo/aqMWrC98RIZEDpWjdManSVAVjX BCVRsq7wkFiIbG2fDl1Vmr8+bE2peLmSR4FOa88COMT2o7Iju8e7LETKUDkoYxYHAxhvapKZ+ SldlX4MAIhOfmUJ8IujZHLC6q83nQ3K5L9Uhkc0qEb3WZG0crQy0ju1JWNCJ8nZMalq/fFvw8 wYb1/psI3j5trGGRez4YOZy5N54O5hcYE9JNLh+BtxOmkbfMfW6zX8epBQvXRVhKwZcs6ZaBk GpQdg6Ksqy7YImqbwzxGkOqls6uq4fWPK35WPGwL2vkv3FwOAYiVW9c8BHbvqsozez8vLwrB3 FDVDC/uzRubzLF+aWLOmgSsLrWOfUGhKuh0zabtfvuDmDAUuwVXyc3capCppokTUwPxzJNpJK JcV7K8N06B0MlScWxU+gWYgdrGKN8663AwgTWLCWLB6BXkEdX4Mh32Iy1hhJT+NHcNXGXv+rp eyuXuDZVTg/t8nkO6hZD5eddn9sjaxudao9mC5th1HymxG/+t/WvNxWZMnypxt10hQxKnxX9U ErqOuBZmRYZTzYlF0bSfIQcb3f8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/-RYJZIDkg85a0Urw0HiwLxz8R-4>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jul 2023 19:25:20 -0000

Hi authors,

I still unsure whether the

   Obsolescence of TACACS+ Obfuscation

section could hinder implementations and migrations using TLS wrappers
(load balancers, e.g.). I'd still suggest to change the "MUST" clauses
regarding obufuscation to "SHALL". There's no gain to change the
protocol at this point, it's sufficient to wrap it in TLS. If a client
insists in using obfuscation-over-TLS, that should be fine, even if it's
of no use.

Regarding a dedicated TCP port: Is there really a need for that, or
would this rather be an convenience option? A specific port number
limits the attack surface to a single port, and I don't see any need for
that.

Nevertheless .. those are not show-stoppers, and I welcome anything that
move this forward, so just continue the RfC process if you feel fine
with the current draft.

@Joe Cleake: I 've implemented TLS support, experimentally, to ease
starting client implementation. This doesn't qualify as a reference
implementation as I plainy don't know about any 3rd party clients to
test with. Your preferred search engine should easily find that
implementation.

Thanks,

Marc

On 05.07.2023 16:42, Joe Clarke (jclarke) wrote:
>
> Thanks for the update on this document. I’ve reviewed this new version
> in its entirety.  To summarize:
>
>   * TACACS+ TLS will use a dedicated “tacacss” TCP port number
>   * Obfuscation is prohibited by TACACS+ TLS compliant clients/servers
>     (within the tunnel)
>
> These were two issues I believe were discussion points in the WG.  As
> a contributor, I am convinced that both make sense for the reasons put
> forth in the draft. Hopefully during the migration process,
> implementors won’t forget the obfuscation on non-TLS sessions.
>
> I like the migration section, but I am curious why, after migration,
> one would need any legacy servers at all (regardless of server
> lists).  I can see having my “DEVICE_ADMIN” T+ list having both TLS
> servers first followed by legacy servers while I sus out the stability
> of the new implementation.  But when I’m satisfied, I likely would
> remove the legacy servers altogether.  Moreover, at least with Cisco
> config, I assume I’d have each server defined with various TLS
> attributes and it wouldn’t matter what list they are in.
>
> I guess what I’m suggesting is dropping the second paragraph in
> Section 6.2 and saying something to the effect of, when migration from
> legacy, obfuscated T+ to T+ TLS, insecure and secure servers MAY be
> mixed in redundant service lists.  However, secure servers SHOULD be
> tried first before falling back to insecure servers.
>
> As a nit, Indication is misspelled in Section 3.3.
>
> As co-chair:
>
>   * WG, please review this draft!
>   * Authors, any thoughts to what port number to use for tacacss or
>     whatever IANA can assign?  I’d like to see a few more reviews
>     before pinging the ADs on early allocation.
>   * Are there any implementations of this thus far?  If so having an
>     Appendix for them would help.
>
> Joe
>
> *From: *OPSAWG <opsawg-bounces@ietf.org> on behalf of
> internet-drafts@ietf.org <internet-drafts@ietf.org>
> *Date: *Thursday, June 29, 2023 at 10:55
> *To: *i-d-announce@ietf.org <i-d-announce@ietf.org>
> *Cc: *opsawg@ietf.org <opsawg@ietf.org>
> *Subject: *[OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This Internet-Draft is a work item of the Operations and
> Management Area Working Group (OPSAWG) WG of the IETF.
>
>    Title           : TACACS+ TLS 1.3
>    Authors         : Thorsten Dahm
>                      Douglas Gash
>                      Andrej Ota
>                      John Heasley
>    Filename        : draft-ietf-opsawg-tacacs-tls13-03.txt
>    Pages           : 12
>    Date            : 2023-06-29
>
> Abstract:
>    The TACACS+ Protocol [RFC8907] provides device administration for
>    routers, network access servers and other networked computing devices
>    via one or more centralized servers.  This document, a companion to
>    the TACACS+ protocol [RFC8907], adds Transport Layer Security
>    (currently defined by TLS 1.3 [RFC8446]) support and obsoletes former
>    inferior security mechanisms.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-03.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-tacacs-tls13-03
>
> Internet-Drafts are also available by rsync at
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg

v2.23.0 | Report a Bug | By Email