Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-00.txt

"Joe Clarke (jclarke)" <jclarke@cisco.com> Fri, 08 July 2022 14:07 UTC

IronPort-PHdr: A9a23:f99bEx3nkn6pqpTxsmDPr1BlVkEcU/3cMg0U788hjLRDOuSm8o/5N UPSrfNqkBfSXIrd5v4F7oies63pVWEap5rUtncEfc9AUhYfgpAQmAotSMeOFUz8KqvsaCo3V MRPXVNo5Te1K09QTc3/fFbV5Ha16G16Jw==
IronPort-Data: A9a23:lfQAYqy1ljCakdTsakp6t+cMxirEfRIJ4+MujC+fZmUNrF6WrkUHy GMfXDqGOPbcNjHwedB+Ot7i8UwCv5+GytRjTQJqqVhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJloCCea/H9BC5C5xZVG/fngqoHUVaiVYEideSc+EH170U07y7Zj6mJVqYHR7z2l6 IuaT/L3YDdJ6xYsWo7Dw/vewP/HlK2aVAIw5jTSV9gS1LPtvyV94KYkGE2EByCQrr+4sQKNb 72rILmRpgs19vq2Yz+vuu6TnkYiGtY+MeUS45Zbc/DKv/RMmsA9+oNhKdYtT2dMsW+QnPl1k N5Vt8SoaAh8a8UgmMxFO/VZOyh6OasD87jdLD3i98eS1EbBNXDrxp2CDmlvYtZeobgxWDoIr KdIQNwORkjra+aewrm/Q/Nvi+woLdLgO8UUvXQIITTxXaZ6Ec+eGfubjTNe9BMrh/93IuSAX fscchdQUD2YOTgIBn5CXfrSm8/x1iWgLFW0smm9uaow+XPPwQo33LHtNfLaf9WLQYNemUPwj mvA8370ADkdKNXZ0jvt2nW0nebQkgv6VZ4cUrqi+ZZCgFCa3UQICAcLX1G2u+j/jEOiM++zM GQd/i4o6KM17kHuE5/2XgazpziPuRt0t8ds//MSzVuQ5pvywx2jXHEHZzoZY8Qk7NcXSml/v rOWpO/BCTtqubyTbHuS8LaIsD+/URT5y0dfOEfoqiNYvrHeTJEPYgHnFY06SfHr5jHhMXShn W7V/XFWa6A715Zj6kmtwbzQb9tATLDgSgo44G07tUr6s1sgP+ZJi2FUgGU3AN5JKIKfC1KGp nVBxo6V7fsFCteGkynlrAQx8FOBuqnt3N702AMH83wdG9KFoCXLkWd4u2oWGauRGpxYEQIFm WeK0e+r2LddPWGxcYh8aJ+rBsIhwMDITIq4CaqNPoQVM8AgLWdrGR2Cg2bNjwgBd2Bxz8kC1 WuzKq5A8F5DU/08lWrqLwvj+eZxn3tWKZzvqWDTlkT7juX2iI+9QrYeO1zGdfEi8K6Bu23oH yV3aaO3J+FkeLSmOEH/qNdLRXhTdCRTLc2m+qR/K7/YSiI7ST5JI6GKm9sJJdc695m5Y8+Vp BlRrGcClgqm7ZAGQC3XAk1ehETHBskk9S1rZXB9ZD5FGRELOO6S0UvWTLNvFZFPyQCp5acco yUtEylYPslydw==
IronPort-HdrOrdr: A9a23:jbZXMKMK4rpQH8BcT3/155DYdb4zR+YMi2TDiHoedfUFSKOlfp 6V8MjzjSWE9Ar4WBkb6LS90dq7MAzhHP9OkMQs1NKZPTUO11HYVL2KgbGSoQEIXheOi9K1tp 0QP5SWaueAdmSS5PySiGLTfrZQo+VvsprY/9s2pE0dKj2CHpsQljuRfTzrdHGeKjM2YKYRJd 653I5qtjCgcXMYYoCQHX8eRdXOoNXNidbPfQMGLwRP0njAsRqYrJrBVzSI1BYXVD1ChZ0493 LergD/7qK/99mm1x7n0XPJ5Zg+oqqu9jIDPr3MtiEmEESutu+aXvUiZ1REhkFxnAib0idrrD ALmWZlAy080QKXQoj/m2qS5+Cp6kde15al8y7fvZMmyvaJHA7TzKF69Ntkm1LimjodlcA536 RR022DsZ1LSRvGgSTm/tDNEwpnj0yuvBMZ4KYuZlFkIP0jgYVq3MUi1VIQFI1FEDPx6YghHu UrBMbA5OxOeVffa3zCpGFgzNGlQ3x2R369MwI/k93Q1yITkGFyzkMeysBalnAc9IglQ50B4+ jfKKxnmLxHU8dTZ6NgA+UKR9exFwX2MFnxGXPXJU6iGLAMOnrLpZKy6LIp5PuycJhN15c2kI SpaiIuiYfzQTObNSSj5uw4zvmWehTPYd3E8LAq26RE
From: "Joe Clarke (jclarke)" <jclarke@cisco.com>
To: heasley <heas@shrubbery.net>
CC: heasley <heas@shrubbery.net>, "opsawg@ietf.org" <opsawg@ietf.org>, "Douglas Gash (dcmgash)" <dcmgash@cisco.com>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Thread-Topic: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-00.txt
Thread-Index: AQHYdwNx3FrCoxVyLUSI7/Hm332XB61m2dgAgAFcNXOAAEWyAIALHtiAgAEeA50=
Date: Fri, 08 Jul 2022 14:06:54 +0000
Message-ID: <BN9PR11MB5371BA7E85E49364FCD821DAB8829@BN9PR11MB5371.namprd11.prod.outlook.com>
References: <165423057408.3428.4172200321096081956@ietfa.amsl.com> <YpmPnrFIGF67oDXJ@shrubbery.net> <BN9PR11MB537175FDD5A21A975272685FB8BB9@BN9PR11MB5371.namprd11.prod.outlook.com> <YryWSpLvE7X4E11H@shrubbery.net> <BN9PR11MB5371D497D5FFE940E37DC1A9B8BA9@BN9PR11MB5371.namprd11.prod.outlook.com> <Yr302mhZNxs/Mf3n@shrubbery.net> <YsdI9bKCHJsWy2/B@shrubbery.net>
In-Reply-To: <YsdI9bKCHJsWy2/B@shrubbery.net>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: o42hQOGSOaWqwSd0Ug20jZRCM3YQ8ibqumEjzRDv4jTsORi6eXByNbuedYWPvce/fBCVenejCjmA2QRj2ccektzadXTZegZM0QWTMGahXaRcxmvh2qcM+ahf8iV57BmNPr2QXiZfioeOXt4ekYumQg+pmL7vO5eP5PdAA/Jh6LOyvcs1uUrgKc2s9keQjgofIAjk4m95tqy0xj5IX2mPawhOpjfBo+Vlq+o+kjCqpNDN+2NlXwMJ9CMMb8gNzgWLo6ihOWWfSMXk2gnK9Nk83AQEXlPGm6dcPs1F4X2qnYZBISUqk/n8wqq6HY/SISampTx+xcFLkpH85zhNO4O2wDNtLFFNTxabokiH8X8iHLHLBkZ5VbvmFU5sXIDz+LkfjPwMW5viKOb5T6y8fG0zKDTgK91lFQU2b/d40J1kSBE7jnPn7IJOcEJuGcx4VI6BIcyq3Wk3/dPEQ+7M/RguC4d8OL9YpoupyjGloULIMBudhSyKkXuZEVtXSOCsc2DR6g16R9NSKk5U+DvhHoKj7uPQMgZ7GKryBEuyx+L25WBkJ9PpX4hH2PwkKQ506NuIOE7xUAEWJSMEQMg89SJ+CJT4XJrG3fBWVJeBAB3PMgMB6ZESVTy94UbGWgJVbE52zKkNEvhQrIN6uSWoNuERwjj7ViCnHW/YpVA650fB8bQzz0Jl1FR0OM84zwxEq5H79RCfJH2H/yDkmzoPAIIGxF2XxXi+V1o9E3BYVTX6mgXztsYD8jtBv1fvJtJ8HrWVB45lxI/nVHRdTTXgdBcxzBdE+aiUZiLsmLZ4UGuwFv+wOtjcH83lSpCz09NR2OlgCaaH4WDlrK4iz4mVW9Hgcqi/99BcJaAimCN4S2P/sotH+1xt+VI732Dh1QOfYqi06drjUYDEFExtHWg7KBD5CE18/C4he8UOBc/WUcojkESEgdus0E0j9jumjgHwzJxzAlONJLaPJJfzTQWnHXpN8VnXcfjYJ5cb4v5JKxG8YI2U4t5VQXVTlvhfiW3h/VoupeYB5TOFS+t2QFVFnrdsODb6R67alL3aITrxzWJ5HgfQ0MNsOepz2exR2xzwlE8ZabRTbno/0p7404jKrqjrq4YeNss00lix4Tf6li6JFQrp9ZYonm0h/VEeTXFRR5nUYe8LIoI/S3MtMMgZnwwi6wA51m0ZiFd68CLwdwlChvxODMaSOVH5PPhASEp/Q33KwVTKzkxJ72xgeD7yUaoVABoxESCZ9VYT+G1gkVl/Ct1tuAF3KtBtskAw2KsRdDq/CfHqPYTiIsr0mbqrkJl70CrIOOncMU3R9Ib/QElMIMwWUdCzygErYfqE3wr6/lADTsFIG8DhNgxh+Aca3Eu/Vi89QSNp+kmjGFWciuPMGKnVbLhWiThmnbbY8svYSErQ8Fp6TM1H6+S4k9qedjNQ/bX3IfLkX7eYZYE/QfGFfNQ4R9nEEeAG9n7aWcLrZZY6tFoQRJQqOhTL6Ilvh6XzqvArAw8uz2Gjexsw76wwwUlgi7DOj6GQ3MVPVmjhpBL5roLOCMnW3SjSlDf0kqMvDfxI/jSjFsdhST0V1KXzwnNQY0Nl4UF8b9SRelgo0NI+PQo8MGpi4wVVW6hChakT+A==
Content-Type: multipart/alternative; boundary="_000_BN9PR11MB5371BA7E85E49364FCD821DAB8829BN9PR11MB5371namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN9PR11MB5371.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e1529793-5d1a-4ff8-1453-08da60eb1cab
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jul 2022 14:06:54.0589 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rYAlDtLPA/Ctk/37xpYb/HM36BjfvOQwrvVcYY9xxsdih1WoUljv8LEHOxtArK7P/pSozkXLn+O+zva8o7SioA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3701
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 64.101.210.234, xfe-rtp-004.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/5hXsa2cgeFgzZaOXHoR-S_Fl7xY>
Subject: Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-00.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2022 14:07:01 -0000

I was saying that when I read Alan’s comments it seemed like he wanted for T+ protocol changes and extensibility added to the tacacs-tls13 draft whereas my understanding of the original intent of this work (from when the informational T+ draft was brought to this WG) was in line with your proposal (i.e., T+ as it is over TLS).

No additional action was asked of the authors in my email.  _MY_ action is to now call for adoption.

Joe

From: heasley <heas@shrubbery.net>
Date: Thursday, July 7, 2022 at 16:58
To: Joe Clarke (jclarke) <jclarke@cisco.com>
Cc: heasley <heas@shrubbery.net>, opsawg@ietf.org <opsawg@ietf.org>, Douglas Gash (dcmgash) <dcmgash@cisco.com>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Subject: Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-00.txt
Thu, Jun 30, 2022 at 07:09:14PM +0000, heasley:
> Thu, Jun 30, 2022 at 03:05:33PM +0000, Joe Clarke (jclarke):
> > [JC] As chair, I will call for adoption of this work by the WG.  I read Alan’s recent reply and understand how he feels concerning this approach to more of a straight TLS encap around T+.  I would like to hear what others in the WG think.</chair>
>
> Speaking for myself only; I might have misunderstood this point of Alan's
> and will have to review that email.  I think that the approach is
> straight-forward; start tls, once established, start tacacs, tacacs, end
> tacacs, end tls.  How much easier could it be.
>
> We did specify a few TLS constraints, that Alan questioned.  We're open to
> discussing those details, but I think we need input from more tls experts
> and believe this can occur after adoption.  IIRC, that was our response at
> the beginning of May when the composite draft was submitted.

Hey Joe.
We reviewed the emails and draft and have concluded that we do not
understand what you mean by "more of a straight TLS encap around T+."
The proposal is as I suggested above.

https://www.ietf.org/id/draft-dahm-tacacs-tls13-00.html

There is text or lack of regarding SNI, resumption ticket lifetime, and
0RTT data that Alan has commented about, but otherwise nothing unusual.
We believe the text is correct but are not TLS experts and think that
these can wait for adoption.

Please explain which part is not straight.  Are you perhaps refering to
a part of the other draft?

https://datatracker.ietf.org/doc/draft-dahm-opsawg-tacacs-security/

Thanks

Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… heasley
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… Joe Clarke (jclarke)
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… heasley
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… Joe Clarke (jclarke)
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… heasley
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… Alan DeKok
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… heasley
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… Joe Clarke (jclarke)
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… Alan DeKok
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… heasley
Re: [OPSAWG] I-D Action: draft-dahm-tacacs-tls13-… Alan DeKok