Re: [OPSAWG] APPEAL: re AAA protocols and IETF consensus
Christopher Morrow <christopher.morrow@gmail.com> Thu, 11 February 2016 17:46 UTC
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 116E01B3825 for <opsawg@ietfa.amsl.com>; Thu, 11 Feb 2016 09:46:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s9CXkIwtEhHl for <opsawg@ietfa.amsl.com>; Thu, 11 Feb 2016 09:46:54 -0800 (PST)
Received: from mail-yk0-x22e.google.com (mail-yk0-x22e.google.com [IPv6:2607:f8b0:4002:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FFC81B2CE7 for <opsawg@ietf.org>; Thu, 11 Feb 2016 09:46:54 -0800 (PST)
Received: by mail-yk0-x22e.google.com with SMTP id z7so23902450yka.3 for <opsawg@ietf.org>; Thu, 11 Feb 2016 09:46:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=o4lKzzavtLYKFnNQR0PDhIK8GYFEkcfzNo0Fm1p73pM=; b=IzcVFuareVY3v05SFUCrVVYKA8qm2lcraCVzpsMO2xjD+oV/QU31fSyPOZhj/g6Mxa V5nZ+i4kf6edMPlECcDs+3FcSU4nvYi6k03ebYwkvodpQKTU4MDEhr+i8SLmUxoPMxy1 KpKJGIYALMb3rSHCkcltYSvAaBZTgPGFct2i4ZS2j+ScwctLJ/CKZ3TzF4eW0iKdOEbL ojXCm+gz/riVuOikPQ1tBthdE5JMZLbyblvvh3OaomWT1zX9ZLTwBWhqGHZEn365UQzO 7mrttfYGEL6QREbOR9yzgYW6CTc1cXUvJM0zkIFhwIBo0OnN6h0SoYd/KENAifuK8Gzk dPfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=o4lKzzavtLYKFnNQR0PDhIK8GYFEkcfzNo0Fm1p73pM=; b=g3d8iwj1YDLcsPSbyEVp1zaTfz3arhBg/fEOAbHa8VvNfMOtcO7EcOW9fWEuyf98TV l+xST+rdddB+xHippr6FYZsoRNkFgk4vbHpPhejQNB4NjersK9UsQNrr3vSHRvs0JJYd Z/CrMXLxJ5dUEyy7TEA0eLPPGyB2bwlMzphsHtP939VaCn87aPFfI08I7BvAL+p77WqR uMZ2MQSFMEYIwIDRwSH3YmLmaCQN48fpdb4TDnAxcmJTUPQvMR8JSgGb/7LT6do6vp8E uDz4bz6QsEC8/sOSmSLZWeIRBJHxPje+CoKWTk61McsF/td+xWb2BtEPt45lx7Pp1o8f 83Kw==
X-Gm-Message-State: AG10YOTyZRLp8AnM8xbQOmV+gWxIypc309r/hf3FJrcMNhQ4S0sm7S1+cYaLIRNwvvLbEIqb4A80f/HuRH1gqg==
MIME-Version: 1.0
X-Received: by 10.37.230.210 with SMTP id d201mr15269204ybh.134.1455212813399; Thu, 11 Feb 2016 09:46:53 -0800 (PST)
Received: by 10.13.209.198 with HTTP; Thu, 11 Feb 2016 09:46:53 -0800 (PST)
In-Reply-To: <93B875C8-FF5A-4CD3-BBAB-E028749C67FF@deployingradius.com>
References: <93B875C8-FF5A-4CD3-BBAB-E028749C67FF@deployingradius.com>
Date: Thu, 11 Feb 2016 12:46:53 -0500
Message-ID: <CAL9jLabKooSmF4KCZeRf80Oh2xob=JmjCC8VwG1Qg=kkceVVww@mail.gmail.com>
From: Christopher Morrow <christopher.morrow@gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/14X4qXHELaWz50j9BOjaTzw5SjE>
Cc: opsawg@ietf.org
Subject: Re: [OPSAWG] APPEAL: re AAA protocols and IETF consensus
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2016 17:46:56 -0000
On Thu, Feb 11, 2016 at 12:00 AM, Alan DeKok <aland@deployingradius.com> wrote: > The IETF created a process to specify requirements for AAA protocols. This process is documented in RFC 2989 [1] (2000), which had about 20 authors from all major networking companies at the time. It solicited submissions, and established a panel to evaluate the submissions. The results are documented inRFC 3127 [2] (2003). TACACS+ was not even considered, as it did not meet the requirements set out in RFC 2989. > 2989 is titled: "Criteria for Evaluating AAA Protocols for Network Access" 2989 is explicitly not about 'device management' or 'device administration' access management (AAA). tacacs+ is explicitly about 'device management' or 'device administration' access management (AAA). I don't think 2989 applies at all to this discussion. 3127 says: "This memo represents the process and findings of the Authentication, Authorization, and Accounting Working Group (AAA WG) panel evaluating protocols proposed against the AAA Network Access Requirements," again, not applicable to 'device management' / 'device administration' ... so not applicable to this discussion, at all. > Standardizing a new AAA protocol without IETF-wide discussion means we're ignoring the requirements of RFC 2989, and discarding the results shown in RFC 3127. > it doesn't seem like 'IETF-wide discussion' is being missed at all, actually. > The document draft-ietf-opsawg-tacacs-00.txt *explicitly* describes itself as an AAA protocol in it's abstract. Despite the authors stating it is for "device administration", that phrase *does not appear in the document*. Despite claims that it is not an AAA protocol, the document itself claims TACACS+ is an AAA protocol. The document discusses user authentication, authorization, and accounting, in a manner which overlaps 100% with RADIUS. > perhaps, but you seem to have content questions, did you make these comments to the authors? > In fact, RADIUS has more capability than TACACS+. RADIUS is standardized to transport many more attributes which describe hundreds of possible pieces of information. The TACACS+ document documents little more than the base protocol, and a less than 30 kinds of information it can transport. > I'm not sure that the three points here are relevant to the discussion, we don't always want more things in the knife drawer, we want the right knife for the job. > The TACACS+ functionality therefore *explicitly* overlaps 100% with RADIUS. It is explicitly *not* "device authorization". It is uniformly inferior to RADIUS in functionality and capability. It meets none of the requirements set out in RFC 2989, and wasn't even considered in RFC 3127. > because 2989 and 3127 are not about the problem tac+ solves. For network operations the meaning of AAA is different than that used for 'dialup users' (or equivalent as the technology advances). o Authorizing users of your network access to the network is different than authorizing administration/management of the devices which make the network. o Accounting for the device administration activities is not the same acocunting for bits/time spent on a customer o Authenticating a device administrator is likely very different from authenticating a user of the network > The only *technical* capability that TACACS+ has which RADIUS doesn't is "device administration". Perhaps what is meant here is "command authorization", in which individual administrator commands are authorized via the AAA protocol. However, this capability is *not* documented in the draft, which means that any "device administration" remains a proprietary vendor extension, and entirely outside of the control of the IETF. > I think you mean to rephrase and aim this comment to the editors... so they can add a note about it in the draft. I do see discussion of authorization and why it's important/used in the original grant-tacacs-02 draft, and in the draft-dahm version 02 there's this: https://tools.ietf.org/html/draft-dahm-opsawg-tacacs-01#section-5 this seems to have some level of detail and useful information about the authorization process/work/packets. > > The document overturns nearly two decades of IETF consensus. It competes directly with an established IETF protocol. It's functionality is explicitly inferior to RADIUS. It's suggested use-case is entirely undocumented in the draft. > i don't know that 'two decades' is particularly important, much has changed over the last 20 yrs in the IETF and the Internet and in stuff provided by vendors/etc. Making device administration better and more secure over time is a win for operations, networks and users. -chris
- [OPSAWG] APPEAL: re AAA protocols and IETF consen… Alan DeKok
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… joel jaeggli
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Christopher Morrow
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Brian E Carpenter
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Alan DeKok
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Alan DeKok
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Brian E Carpenter
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Alan DeKok
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Brian E Carpenter
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Alan DeKok