Re: [OPSAWG] re opsawg-tacacs-yang & ietf-system user-authen-order

"Joe Clarke (jclarke)" <jclarke@cisco.com> Wed, 20 November 2019 05:30 UTC

From: "Joe Clarke (jclarke)" <jclarke@cisco.com>
To: john heasley <heas@shrubbery.net>, "Wubo (lana)" <lana.wubo@huawei.com>
CC: opsawg <opsawg@ietf.org>
Date: Wed, 20 Nov 2019 05:30:29 +0000
Subject: Re: [OPSAWG] re opsawg-tacacs-yang & ietf-system user-authen-order
Message-ID: <96C3F282-036F-4F04-BB1A-B18407AEE502@cisco.com>
In-Reply-To: <20191120031745.GC49549@shrubbery.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/4EfLz5zHi2s7FKjCrsdNZXS1J4g>


On Nov 19, 2019, at 22:17, john heasley <heas@shrubbery.net> wrote:

> Regarding the question, on the second to last page of the opsawg-tacacs-yang
> presentation slides, about the must in model ietf-system, which I believe was
> whether to add a must for tacacs, remove the must for radius, or do nothing;
> that must seems wrong to me.
>
> I would expect the system to react no differently to missing server
> configuration than to a list of servers that all fail to respond.  Some
> vendors have done this historically in cli.
>
> Whether ietf-system should be changed, I do not know if it is worth the effort.
> If the WG agrees that its existence is wrong, that might be another question
> for yang doctors.

Lada replied on YANG docs with a suggestion for the T+ module authors.  While we can’t affect the authentication-order node, the tacacsplus container could be defined like:

augment "/sys:system" {
  container tacacs {
    /* Holds unless 'tacacs' (or an identity derived from it) is selected
       in user-authentication-order while no server is configured.
       Note the closing paren for not(...) and the leading space before
       "or", which the YANG '+' string concatenation does not add. */
    must "not(derived-from-or-self("
       + "../sys:authentication/sys:user-authentication-order, 'tacacs'))"
       + " or server";
    list server {
       ...
    }
  }
}

In this manner, T+ can provide enforcement.  Lada also mentioned that this would have been a better way of handling RADIUS in ietf-system.  Certainly this could be an item for a .bis, but not sure if this alone is worth taking on that work.

Joe
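To see what the proposed must actually enforces, here is an added example (not code from the thread, the draft, or ietf-system) that evaluates the same XPath logic in Python over a JSON-encoded configuration instance. It goes slightly beyond the snippet above: the check is written generically so the RADIUS case can be run through the same function, and it walks a constructed identity hierarchy so that derived-from-or-self() catches a vendor identity derived from 'tacacs', which a plain string comparison (the style used by the RFC 7317 radius must) would miss. The identity table, the module prefixes (tacacs-plus:, acme:), the JSON layout and the function names are all assumptions made for the example.

```python
"""Evaluate the proposed TACACS+ 'must' constraint against a JSON-encoded
ietf-system configuration instance.

The XPath being modelled is
  not(derived-from-or-self(../sys:authentication/sys:user-authentication-order,
                           'tacacs')) or server
i.e. the constraint holds unless 'tacacs' (or an identity derived from it)
is selected as an authentication method while the server list is empty.

Added example; identity table, module prefixes and layout are assumptions.
"""

# Constructed identity hierarchy (child -> base). 'tacacs', 'radius' and
# 'local-users' derive from ietf-system's 'authentication-method';
# 'tacacs-acme' is a hypothetical vendor identity derived from 'tacacs'.
IDENTITY_BASE = {
    "authentication-method": None,
    "tacacs": "authentication-method",
    "radius": "authentication-method",
    "local-users": "authentication-method",
    "tacacs-acme": "tacacs",
}


def _unprefixed(identityref: str) -> str:
    """JSON encodes identityrefs as 'module:identity'; drop the module prefix."""
    return identityref.rsplit(":", 1)[-1]


def derived_from_or_self(identityref: str, base: str) -> bool:
    """YANG 1.1 derived-from-or-self() for one identity value: true if the
    value is `base` or is (transitively) derived from it."""
    cur = _unprefixed(identityref)
    seen = set()
    while cur is not None and cur not in seen:
        if cur == base:
            return True
        seen.add(cur)
        cur = IDENTITY_BASE.get(cur)
    return False


def server_backed_must_holds(system: dict, method: str, client: str) -> bool:
    """Generic form of the constraint for a server-backed method: holds
    unless `method` is selected in user-authentication-order and the
    /system/<client>/server list is empty. Applied to a node-set (the
    leaf-list), derived-from-or-self() is true if ANY member matches."""
    order = system.get("authentication", {}).get("user-authentication-order", [])
    selected = any(derived_from_or_self(m, method) for m in order)
    servers = system.get(client, {}).get("server", [])
    return (not selected) or len(servers) > 0


def violations(system: dict) -> list:
    """Error messages a server validating this instance would raise."""
    checks = [
        ("tacacs", "tacacs",
         "'tacacs' is selected in user-authentication-order but no TACACS+ server is configured"),
        ("radius", "radius",
         "'radius' is selected in user-authentication-order but no RADIUS server is configured"),
    ]
    return [msg for method, client, msg in checks
            if not server_backed_must_holds(system, method, client)]


# Constructed sample instances (hypothetical prefixes, not from any device).
OK_LOCAL_ONLY = {
    "authentication": {"user-authentication-order": ["ietf-system:local-users"]},
}
OK_TACACS = {
    "authentication": {"user-authentication-order":
                       ["tacacs-plus:tacacs", "ietf-system:local-users"]},
    "tacacs": {"server": [{"name": "t1", "address": "192.0.2.10"}]},
}
BAD_TACACS_NO_SERVER = {
    "authentication": {"user-authentication-order": ["tacacs-plus:tacacs"]},
    "tacacs": {"server": []},
}
BAD_VENDOR_DERIVED = {
    # Derived vendor identity: still rejected, unlike a string comparison.
    "authentication": {"user-authentication-order": ["acme:tacacs-acme"]},
}
BAD_RADIUS_NO_SERVER = {
    "authentication": {"user-authentication-order": ["ietf-system:radius"]},
    "radius": {},
}

if __name__ == "__main__":
    for name, inst in [("OK_LOCAL_ONLY", OK_LOCAL_ONLY), ("OK_TACACS", OK_TACACS),
                       ("BAD_TACACS_NO_SERVER", BAD_TACACS_NO_SERVER),
                       ("BAD_VENDOR_DERIVED", BAD_VENDOR_DERIVED),
                       ("BAD_RADIUS_NO_SERVER", BAD_RADIUS_NO_SERVER)]:
        print(name, violations(inst) or "ok")
```

The point worth noticing is the BAD_VENDOR_DERIVED case: because the constraint is expressed with derived-from-or-self() rather than an equality test on the identity string, a vendor module that defines its own identity based on 'tacacs' still gets the server-present check for free.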