Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contributions, Status and Plans
"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Sun, 14 May 2017 12:12 UTC
Return-Path: <dcmgash@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 012641286B1; Sun, 14 May 2017 05:12:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Level:
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GdCS6j6MPMY5; Sun, 14 May 2017 05:12:49 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3AD012949F; Sun, 14 May 2017 05:11:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=45138; q=dns/txt; s=iport; t=1494763866; x=1495973466; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=0PHsKR3qzmzqhFVKMXbOQjVGpBlM1q+S6OrlolaqUzc=; b=DK/KoR0KIQrttBZwDbujUH1eJaH87hJQB648mko0IZgi7/qK75xDV8GU fuo6NwUfaYbSIKzTASrJEco0guZ+1onWG5nYewnpkxABkBCG5PtAQ8S3e b5ZXhoDuKD7Ojde8ONB1j0fbJBx0ovW0Vylf4uFpHDzMq7du0Ade7V40T o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DWAABhSBhZ/5xdJa1WBhkBAQEBAQEBAQEBAQcBAQEBAYNVgRRhjXynUoIPgm6DNgJEhFU/GAECAQEBAQEBAWsohRkGGgEfHxMKAxACAQgtAQEBBhAyJQIECgSKKLARikEBAQEBAQEBAwEBAQEBAQEBIIg9gg+BDIRNAgYVMQcJAQWFJAWJOgOGZYFZhHSHGwGKUIMbhS+CBIU7g2aGRoh/i0MBHziBCnAVRoRyAgMBG2MBfgGHNAEBBAkXgQqBDQEBAQ
X-IronPort-AV: E=Sophos;i="5.38,340,1491264000"; d="scan'208";a="248779896"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 May 2017 12:11:04 +0000
Received: from XCH-ALN-015.cisco.com (xch-aln-015.cisco.com [173.36.7.25]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v4ECB55N010954 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 14 May 2017 12:11:05 GMT
Received: from xch-aln-014.cisco.com (173.36.7.24) by XCH-ALN-015.cisco.com (173.36.7.25) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sun, 14 May 2017 07:11:04 -0500
Received: from xch-aln-014.cisco.com ([173.36.7.24]) by XCH-ALN-014.cisco.com ([173.36.7.24]) with mapi id 15.00.1210.000; Sun, 14 May 2017 07:11:04 -0500
From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Alan DeKok <aland@deployingradius.com>
CC: "opsawg@ietf.org" <opsawg@ietf.org>, "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "ops-ads@ietf.org" <ops-ads@ietf.org>
Thread-Topic: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contributions, Status and Plans
Thread-Index: AQHSy08ttZSP0sW41keg1j/jrc0SIqHxblMAgADBTACAAE4+gIAAh0UAgAEfG4A=
Date: Sun, 14 May 2017 12:11:03 +0000
Message-ID: <D53E063F.231B6C%dcmgash@cisco.com>
References: <D53BBCC7.22ECC8%dcmgash@cisco.com> <61D9FC7A-6F10-44E6-8400-578C4FEE1988@deployingradius.com> <D53C62F4.22F82E%dcmgash@cisco.com> <E7D62944-46B9-4091-BF16-0AF8CA47626D@deployingradius.com> <D53D15C9.230A48%dcmgash@cisco.com>
In-Reply-To: <D53D15C9.230A48%dcmgash@cisco.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.0.161029
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.1.6]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <AA04ABC243336A49B11E5289357D6976@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/66qtuXxmLF9fJxGe1oc0vE8HUsc>
Subject: Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contributions, Status and Plans
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 May 2017 12:12:53 -0000
Dear Alan, Below is a simple textual concatenation and minor (hopefully lossless) edit of comments you kindly sent for the October revision (version 5), We will work through this list, and reply with an item-by item response, (In place of previous mode of updating the doc to make v6) and then hopefully move towards a consensus for the content for version 7. Thanks, Regards, Doug. ... Some comments. Mostly little nits and clarifications. The major points for me are related to security. The "Security Considerations" section is almost empty, and will certainly not pass a review from the security area. They will in all likelihood block publication until substantive comments have been added. ------ 3.3. Single Connect Mode The packet header (see below) contains a flag to allow sessions to be multiplexed on a connection. * it would be good to name the flag here. If the server sets this flag in the first reply packet in response to the first packet from a client, this indicates its willingness to support single-connection over the current connection. The server may set this flag even if the client does not set it, but the client is under no obligation to honor it. * what happens if the client does not honour the flag? The flag is only relevant for the first two packets on a connection, to allow the client and server to establish single connection mode. The flag MUST be ignored after these two packets since the single- connect status of a connection, once established, must not be changed. The connection must instead be closed and a new connection opened, if required. Why would it be required to change the mode? It would be good to explain the use-cases, and why (or not) they make sense. TAC_PLUS_UNENCRYPTED_FLAG := 0x01 If this flag is set, then body encryption is not used. If this flag is cleared, the packet is encrypted. Unencrypted packets are intended for testing, and are not recommended for normal use. * it would be good to have a pointer to the security considerations, with a discussion of the implications. * Also, it's odd that a completely insecure mode is just "not recommended for normal use". I would suggest more panic-inducing phrasing. e.g. ."Unencrypted packets offer a complete compromise of all security related to the protocol and MUST NOT be used outside of a testing environment" TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04 This flag is ussequernt, ed to allow a client and server to agree whether multiple sessions may be multiplexed onto a single connection. * I find the "agree" phrasing odd. I've mentioned before that the tone of the document is often philosophical. Perhaps saying instead "this flag signals whether the client and server are capable of performing session multiplexing" * i.e. the flag is a signal, not a capability for the systems to agree. session_id The Id for this TACACS+ session. The session id is to be selected randomly. This field does not change for the duration of the TACACS+ session. (If this value is not a cryptographically strong random number, it will compromise the protocol's security, see RFC 1750 * it would be good to update the paragraph to be more prescriptive. i.e. The Id for this TACACS+ session. The session id MUST be taken fro a cryptographically strong random number generation. If not, the protocol's security will be compromised. See RFC 1750 for further information ... length The total length of the packet body (not including the header). This value is in network byte order. Packets are never padded beyond this length. * Why is the text on "padding" there? The TACACS+ packets are sent over TCP, not UDP. So any "padding" would be outside of the scope of the current packet, and be seen by the other end as a subsequent, but invalid, TACACS+ packet. 3.5 ... - Unused fixed length fields SHOULD have values of zero. * what happens when they don't? I suggest adding text saying that the fields are ignored. - There will be no padding in any of the fields or at the end of a packet. * I wonder again what "padding" means here. 3.6. Encryption The body of packets may be encrypted. ... * Which is not a standard encryption method. Security people will complain here. I suggest (as before) using the term "obfuscated". With a note that for historical reasons, the flags / fields / etc. refer to TACACS+ "encryption". ... This document does not discuss the management and storage of those keys. ... * there should be some discussion in the Security Considerations section about this. Otherwise, this subject will be brought up in the security review. ... It is an implementation detail of the server and client, as to whether they will maintain only one key, or a different key for each client or server with which they communicate. For security reasons, the latter options MUST be available, but it is a site dependent decision as to whether the use of separate keys is appropriate. * those sentences seem to disagree with each other. It's an "implementation detail", but it MUST be supported. I suggest requiring the capability of per-server and per-client keys. ... The session id is used in network byte order. * nit: if the session ID is a 32-bit opaque token, it's not in any byte order. Maybe just "as taken from the packet header" ? When a server detects that the secret(s) it has configured for the device mismatch, it MUST return ERROR. The handling of the TCP connection by the server is implementation independent. * I repeat my objection here. There is just no reason for the TCP connection to remain open after the connection has been determined to be fraudulent. This subject also came up in the RADIUS over TCP drafts. The consensus there was the same: if it's not a real / known / good client, there is every reason to close the connection, and zero reasons to keep it open. After a packet body is decrypted, the lengths of the component values in the packet are summed. If the sum is not identical to the cleartext datalength value from the header, the packet MUST be discarded, and an error signalled. The underlying TCP connection MAY also be closed, if it is not being used for other sessions in single- connect mode. * This last sentence is confusing. Are there different secrets for different packets in one TCP stream? If so, nothing in the document says so. If not, then there is every reason to believe that the secret is mismatched. And, the *next* packet will decrypt incorrectly. Which means (again) you might as well just close the TCP connection. If an error must be declared but the type of the incoming packet cannot be determined, a packet with the identical cleartext header but with a sequence number incremented by one and the length set to zero MUST be returned to indicate an error. * this mix of clear-text and encrypted signalling opens up the protocol to an attacker. Since this "NAK'" is not protected, an attacker can forge the NAK at any time, and force the connection to be closed. * this attack (along with all others) should be noted in the Security Considerations section. ... Packet fields are as follows: action This describes the authentication action to be performed. Legal values are: * what happens if a client/server receives values outside of the legal range? I suggest sending ERROR, and closing the TCP connection. * similar comments apply for other fields with "legal values". While it's good to define what happens when things go as planned, it's also good to define what happens when things *don't* go according to plan. * review of 4.2 and subsequent sections will follow in a later message. Summary: the spec is still fairly descriptive / philosophical instead of prescriptive. Many optional parts of the protocol are described, "A and B are allowed", but there is often no description of what to *do* when either A or B is present. I've suggested descriptive text, or places where descriptive text can be added. The larger worry here is what happens if the descriptive text conflicts with existing implementations? This is a topic which should be discussed in the "Security Considerations" section. i.e. the spec documents the existing protocol, with recommendations for security and inter-operability. As the protocol has historically been poorly specified, implementations are likely to follow the broad requirements of this specification. They are also likely to not follow many of the newly-clarified behaviours / requirements. The hope is that this specification can guide implementors towards a common understanding of the protocol. Also, vague requirements and open options in a protocol spec are ripe for implementation bugs and security issues. That worry drives many of my comments. ----- 4.2 ... server_msg, server_msg_len c A message to be displayed to the user. This field is optional. If it exists, it is intended to be presented to the user. US-ASCII charset MUST be used. The server_msg_len MUST indicate the length of the server_msg field, in bytes. * The last sentence is atypical of RFC 2119 language. Then language is typically about system behaviour or inter-field comparisons. I'm not sure what it means that a field MUST indicate a length. * i.e. the "server_msg_len" field is *defined* to encode the length of the "server_msg" field. No "MUST" is necessary. * similar comments apply to many of the other "foo_len" fields, elsewhere in the document rem_addr, rem_addr_len An US-ASCII string this is a "best effort" description of the remote location from which the user has connected to the client. * perhaps instead of "best effort", just re-use language from the "port" description. The contents of this field are the clients description of the remote location... 4.4 ... When the REPLY status equals TAC_PLUS_AUTHEN_STATUS_GETDATA, TAC_PLUS_AUTHEN_STATUS_GETUSER or TAC_PLUS_AUTHEN_STATUS_GETPASS, then authentication continues and the SHOULD provide server_msg * editorial: the WHAT should provide... ... quest for more information to flexibly support future requirements. If the TAC_PLUS_REPLY_FLAG_NOECHO flag is set in the REPLY, then the user response must not be echoed as it is entered. * the implicit assumption here is that there is a person who is entering text on a terminal. It would be good to have a bit more explanation of this expected use-case. NOTE: Only those requests which have changed from their minor_version 0 implementation (i.e. CHAP, MS-CHAP and PAP authentications) will use the new minor_version number of 1. All other requests (i.e. all authorisation and accounting and ASCII authentication) MUST continue to use the same minor_version number of 0. * that's an odd phrasing of the requirement. Perhaps something more prescriptive would be useful. e.g.: NOTE: Authentication requests which use ASCII login or chpass MUST use minor version 0. Authentication requests using PAP, CHAP, or MS-CHAP MUST use minor version 1. All authorization and accounting packets MUST use minor version 0. 4.4.2... This section describes common authentication flows. If the options are implemented, they MUST follow the description. If the server does not implement an option, it will respond with TAC_PLUS_AUTHEN_STATUS_ERROR. * It's not typically required to say that implementations MUST follow the spec. * also, perspective terminology is better than descriptive. Not "will do", but "MUST do". * I suggest re-phrasing: This section describes common authentication flows. If the server does not implement an option, it MUST respond with TAC_PLUS_AUTHEN_STATUS_ERROR. This is a standard ASCII authentication. The START packet may contain the username, but need not do so. * what happens when the username is / is-not included? i.e. what do implementations *do*? * if this is a valid protocol flow, then it should be described. e.g. "Any username in the START packet is ignored", or "any username in the START packet MUST match the username in subsequent packets" ... The data fields in both the START and CONTINUE packets are not used for ASCII logins. * what happens if there is data in the fields? Is it ignored? * RFC 2119 language is recommended here. "any data (if present) MUST be ignored", or "the data field MUST NOT be present" * I have no idea how to make these requirements compatible with existing implementations. Sorry... CHAP: The length of the challenge value can be determined from the length of the data field minus the length of the id (always 1 octet) and the length of the response field (always 16 octets). * it would be good to recommend a minimum length for challenge. 1 octet is clearly insufficient, but is (silently) allowed by the spec. I suggest at least 8 octets/ * also, the challenge MUST be derived from a cryptographically strong pseudo-random number generator, and MUST change on every CHAP request. Otherwise, the spec allows (also silently) a fixes challenge. To perform the authentication, the server will run MD5 over the id, the user's secret and the challenge, as defined in the PPP Authentication RFC 1334 and then compare that value with the response. * again "server WILL run". As opposed to "calculates..." MSCHAPv1 / MSCHAPv2: The length of the challenge value can be determined from the length of the data field minus the length of the id (always 1 octet) and the length of the response field (always 49 octets). * RFC 2433 says that the challenge is 8 octets. RFC 2759 says that the challenge is 16 octets. It would be good to re-iterate that here. * i.e. smaller challenges are insecure, and should be forbidden ... To perform the authentication, the server will use a the algorithm specified RFC2759 * editorial: "specified IN RFC ..." ... ASCII change password request * I suspect that the security area review will recommend that this be removed. Even RADIUS had "change password" removed at the behest of the security people. 4.4.3. Aborting an Authentication Session The client may prematurely terminate a session by setting the TAC_PLUS_CONTINUE_FLAG_ABORT flag in the CONTINUE message. If this flag is set, the data portion of the message may contain an ASCII message explaining the reason for the abort. * again, what happens if the field is / is-not present? * what does the server do with this message? Should it be logged somewhere? ... The session is terminated and no REPLY message is sent. * what happens to the TCP connection? Does it remain open? It may be good to say "The session is terminated, and the session Id is no longer valid. However, other sessions on the same TCP connection may continue..." The host is specified as either a fully qualified domain name, or an ASCII numeric IPV4 address specified as octets separated by dots ('.'), or IPV6 address test representation defined in RFC 4291. * editorial ".. text .. "representation, not "test" If a key is supplied, the client MAY use the key in order to authenticate to that host. The client may use a preconfigured key for the host if it has one. * so the server is pushing keys to clients? The security implications of this should be discussed * what happens if the client gets pushed a key, and then also has a pre-configured key? Which one takes precedence? Why? Continuing with 4.4.3 While the order of hosts in this packet indicates a preference, but the client is not obliged to use that ordering. * the use of "obliged" is unusual here. Perhaps "the order used by the client is implementation specific, and does not have to follow the order sent by the server" If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the authentication sequence is restarted with a new START packet from the client. ... * nit: it may be good to say that the next session does not have to use the current TCP connection * "restart" may also be ambiguous. Does the session ID change for the next session? It may be good to say instead "If the status equals TAC_PLUS_AUTHEN_STATUS_RESTART, then the client re-authenticates with a new session, beginning with a new START packet" ... This REPLY packet indicates that the current authen_type value (as specified in the START packet) is not acceptable for this session, but that others may be. * Which others "may" be acceptable? And why "acceptable for this session"? is the client free to re-try the same authentication type in a different session? i.e. what does the client *do*? * perhaps say "the REPLY indicates a negative acknowledgement that the current authen_type is not accepted by the server. The client SHOULD start a new session with a different authen_type" If a client chooses not to accept the TAC_PLUS_AUTHEN_STATUS_RESTART packet, then it is TREATED as if the status was TAC_PLUS_AUTHEN_STATUS_FAIL. * why uppercase "TREATED" ? * why "chooses not to accept" ? again, prescriptive is better than philosophical * Perhaps "If the client does not start a new session after receiving a TAC_PLUS_AUTHEN_STATUS_RESTART, it MUST behave as if it received a TAC_PLUS_AUTHEN_STATUS_FAIL." 5. Authorization ... The authorization REQUEST message contains a fixed set of fields that indicate how the user was authenticated or processed * nit: remove "or processed" * from a security point of view, it's unusual for a client to indicate to a server how a user was authenticated. This allows the client to claim authentication when none existed. ... This field matches the port field in the authentication section (Section 4) above * what is meant by "matches"? Perhaps "The definition of this field is the same as in Section 4". Or does the field in the authorization session have to contain the same data as the similar field from the authentication session? * similar comments apply for other uses of "matches" It is not legal for an attribute name to contain either of the separators. It is legal for attribute values to contain the separators. * what are the legal characters for an attribute name? The previous paragraph says US-ASCII. So is "($#@!" a legal attribute name? * a reference to Section 7 would be useful here. Optional arguments are ones that may be disregarded by either client or server. Mandatory arguments require that the receiving side understands the attribute and will act on it. If the client receives a mandatory argument that it cannot oblige or does not understand, it MUST consider the authorization to have failed. * "oblige" is an unusual word to use here. Perhaps "If the client receives a mandatory argument it cannot implement, it MUST consider the authorization to have failed" 5.2 The Authorization RESPONSE Packet Body ... server_msg, server_msg_len This is an US-ASCII string that may be presented to the user. The decision to present this message is client specific. * nit: perhaps "This field is a message from the server to the client. The client MAY display it to the user" * saying "decision is client specific" is a long way of saying "the client MAY do it", but doesn't always have to ... The attribute-value pair that describes the authorization to be performed. (see below), * That's not clear to me. Perhaps "if present, the list of additional authorizations permitted the user" If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the appropriate action is to deny the user action. * again, a bit more philosophical than prescriptive. Perhaps "If the status equals TAC_PLUS_AUTHOR_STATUS_FAIL, then the requested action MUST be denied" If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the arguments specified in the request are authorized and the arguments in the response are to be used IN ADDITION to those arguments. * uppercase "IN ADDITION" is unusual. Perhaps: If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_ADD, then the arguments specified in the request are authorized and the client MUST also enforce the authorization attribute-value pairs (if any) in the response. * similar comments apply here: If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the arguments in the request are to be completely replaced by the arguments in the response. * perhaps If the status equals TAC_PLUS_AUTHOR_STATUS_PASS_REPL then the client MUST use the authorization attribute-value pairs (if any) in the response, instead of any authorization attribute-value pairs from the request. ... If the intended action is to approve the authorization with no modifications, then the status is set to TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt is set to 0. * should be prescriptive. Perhaps: Servers can signal to client that the authorization is approved with no modifications by setting the status to TAC_PLUS_AUTHOR_STATUS_PASS_ADD and the arg_cnt is set to 0. ... A status of TAC_PLUS_AUTHOR_STATUS_ERROR indicates an error occurred on the server. * what does the client do then? Perhaps "the client MAY show an error to the user (how???), and MUST treat the response as TAC_PLUS_AUTHOR_STATUS_FAIL" * Also, the last sentence of the subsequent paragraph also talks about ERROR, and seems misplaced. 6.1. The Account REQUEST Packet Body TACACS+ accounting is very similar to authorization. The packet format is also similar. * nit: that seems redundant. All of the packets use a common format. ... There is a fixed portion and an extensible portion. The extensible portion uses all the same attribute-value pairs that authorization uses, and adds several more. * except that the authorization section didn't list any attribute-value pairs. So it's hard to say that those (non-existent) pairs are re-used here All other fields are defined in the authorization and authentication sections above and have the same semantics. * Can an accounting packet indicate an authen_type and authen_service? If so, what does that mean? 6.2. The Accounting REPLY Packet Body The response to an accounting message is used to indicate that the accounting function on the server has completed. * what does that mean? Do servers always implement "functions"? As background, RFC 2866 (RADIUS accounting) says: ... Upon receipt of an Accounting-Request, the server MUST transmit an Accounting-Response reply if it successfully records the accounting packet, and MUST NOT transmit any reply if it fails to record the accounting packet. ... * perhaps similar text could be used here. ... The server will reply with success only when the record has been committed to the required level of security, * what is a "required level of security"? Is that indicated in the packet? Elsewhere? * my recommendation is just to delete that... ... relieving the burden on the client from ensuring any better form of accounting is required. * I find that statement awkward. Perhaps re-using / re-phrasing text from RFC 2866 would be good here. 6.2. The Accounting REPLY Packet Body * there's more duplication definition of fields here. It may be useful to just say "server_msg has the same meaning and behaviour as defined in Section 4.2" ... The server MUST terminate the session after sending a REPLY. * this is the only reference to a session being terminated in the document. What does it mean? Perhaps that the next REQUEST packet has to have a different session ID? If so, it would be good to say that in the REQUEST section. The TAC_PLUS_ACCT_FLAG_START flag indicates that this is a start accounting message. Start messages will only be sent once when a task is started. The TAC_PLUS_ACCT_FLAG_STOP indicates that this is a stop record and that the task has terminated. The TAC_PLUS_ACCT_FLAG_WATCHDOG flag means that this is an update record. Update records are sent at the client's discretion when the task is still running. * what's a "task" ? This is the first reference in the document to a "task". Perhaps more explanation here as to the expected use-case The START and STOP flags are mutually exclusive. When the WATCHDOG flag is set along with the START flag, it indicates that the update record is a duplicate of the original START record. * why would an update duplicate the original START record? This seems redundant. ... If the START flag is not set, then this indicates a minimal record indicating only that task is still running. * nit: perhaps delete "a minimal record indicating only". * Some more questions... * does the client retry an accounting packet if it doesn't get a response from the server? * how often do the updates get sent? Saying "implementation defined" is OK, but some recommendations would be good. i.e. not more than 100x per second, and not less than 1 day apart (as extreme examples) * I have similar questions about the TCP connection. What happens if a client can't connect to a server? How often should it retry? Should it treat "unable to connect" as "authentication / authorization fail"? Should the user be forbidden *all* access if the client cannot connect to the server? Should the user be given minimal access in order to be able to diagnose server connection problems? 7. Attribute-Value Pairs It is recommended that hosts be specified as a numeric address so as to avoid any ambiguities. * Is this IPv6 safe? I suspect not... but it should be stated Absolute times are specified in seconds since the epoch, 12:00am Jan 1 1970. The timezone MUST be UTC unless a timezone attribute is specified. * nit: perhaps "a decimal number representing seconds since..." except what about time zones? * how is a time zone specified? what format is the time? Examples would help here. * nit: the section defines numbers, booleans, hosts, and time. But no "text" type. RADIUS is just in the process of fixing this (20+ years later...), which is why I noticed * adding a data type to each attribute definition would be useful * also, it would be good to say which attributes are mandatory, and which are optional Attributes may be submitted with no value, in which case they consist of the name and the mandatory or optional separator. * this sounds like the separator is optional. Perhaps "... consist of the name and separator only" 7.1. Authorization Attributes ... a protocol that is a subset of a service. An example would be any PPP NCP. * nit: expand acronyms on first use. What's a "PPP NCP" ? cmd a shell (exec) command. This indicates the command name for a shell command that is to be run. This attribute MUST be specified if service equals "shell". If no value is present then the shell itself is being referred to. * perhaps a bit more explanation of the use-case here. What is a "shell" in reference to an administrative management protocol? routing A boolean. ... * note that "routing" is defined to be a boolean, but the other attributes don't have data types defined. I *think* "cmd" is a textual attribute, but it's not defined that way timeout an absolute timer for the connection (in minutes). A value of zero indicates no timeout. * probably "numeric" data type? autocmd an auto-command to run. Used only when service=shell and cmd=NULL * it's confusing to have an explicit NULL in "cmd". Perhaps quotes would clarify it here. e.g. n auto-command to run. Used only when the packet contains attribute-values of "service=shell" and "cmd=" noescape Boolean. ... * nit: consistent terminology. "Boolean" ? or "A boolean ..." ?? callback-dialstring Indicates that callback is to be done. Value is NULL, or a dialstring. A NULL value indicates that the service MAY choose to get the dialstring through other means. * nit: explicit NULL is confusing. Perhaps "value is a dial string, or when omitted, indicates that the server may choose to get the value via other means" * nit: what's a "dialstring" ? * what's a callback? How does that work? 7.2. Accounting Attributes ... The following new attributes are defined for TACACS+ accounting only. When these attribute-value pairs are included in the argument list, they will precede any attribute-value pairs that are defined in the authorization section (Section 5) above. * "will" precede? Perhaps "MUST precede" task_id Start and stop records for the same event MUST have matching task_id attribute values. The client must not reuse a specific task_id in a start record until it has sent a stop record for that task_id. * how big is the task_id? Since values can be omitted, is it OK to have a zero-length task_id? or 1 octet? * are there recommendations for the content of task_id? e.g. incrementing numbers, strings, etc. * is task_id mandatory to occur in accounting packets? start_time The time the action started (). * nit: what are the brackets for? stop_time The time the action stopped (in seconds since the epoch.) * which attributes are allowed in which packets? I presume it's not recommended to have a START which contains "stop_time" elapsed_time The elapsed time in seconds for the action. Useful when the device does not keep real time. * I'd recommend removing that last sentence. it also indicates that the device may not have accurate time, notwithstanding the definition of "absolute times" at the start of Section 7. bytes_in The number of input bytes transferred by this action * input to where? This was poorly specified in RADIUS, and some implementations got it wrong... * this number might be large. Should implementations allow 16 bit numbers? 32-bit? 64-bit? What are the expected / recommended limits? * i.e. implementations MUST be able to parse numbers up to 2^32, and SHOULD be able to parse numbers up to 2^64 status The numeric status value associated with the action. This is a signed four (4) byte word in network byte order. 0 is defined as success. Negative numbers indicate errors. Positive numbers indicate non-error failures. The exact status values may be defined by the client. * This is the first (and only) time that a field is defined as non-ASCII. That's very off. * nit: values "may" be defined by the client? Perhaps just saying "values are implementation specific" would be better ... Privilege Levels are ordered values from 0 to 15 with each level representing a privilege level that is a superset of the next lower value. * nit: perhaps this could be "each level is defined to be a superset of the next lower value", instead of "representing". If a client uses a different privilege level scheme, then it must map the privilege level to scheme above. * editorial :"... to A scheme..." * and how is mapping done? It might be better to just omit that sentence. Privilege Levels are applied in two ways in the TACACS+ protocol: * nit: perhaps "used" instead of "applied" - As an argument in authorization EXEC phase (when service=shell and cmd=NULL), where it is primarily used to set the initial privilege level for the EXEC session. * how does that work? And what does it mean to set an initial privilege level? - In the packet headers for Authentication, Authorization and Accounting. The privilege level in the header is primarily significant in the Authentication phase for enable authentication where a different privilege level is required. * again, how does that work? Additional text would be useful. e.g. In typical use-cases, an administrator can perform a series of commands at a low privilege level. When additional privileges are required, the administrator can authenticate at the desired level, perform a series of commands, and the drop privilege level to the lower one. This methodology minimizes possible errors by using high privilege levels only when necessary, and using low privilege levels for most commands. * expanding on the use-case and work flow would be of great benefit. The use of Privilege levels to determine session-based access to commands and resources is not mandatory for clients, but it is in common use so SHOULD be supported by servers. * and clients, presumably? Perhaps instead, say: It is RECOMMENDED that clients and servers use Privilege levels to signal and control session-based access. It is RECOMMENDED that clients permit users to change their Privilege levels, so as to ensure that commands are executed with the minimum Privilege level required. 9. TACACS+ Security Considerations * there is a lot which can be said here. My proposal here is a substantial amount of text. I'll include it in another message My $0.02 on the contents of the Security Considerations section. I'm sure I've missed things. Please also comment if the suggestions here are wrong or unworkable. ---- 9. Security Considerations The protocol described in this document has been in widespread use since specified in "The Draft" (1998). However it does not meet modern security standards, and faces vulnerabilities with privacy and authenticity. This section describes issues with the TACACS+ specification, then the protocol, deployments, followed by recommendations for implementations. Because of the security issues with TACACS+, the authors intend to follow up this document with an enhanced specification of the protocol employing modern security mechanisms. 9.1 Security of The Draft Specification TACACS+ was originally specified in "The Draft" (1998). However, this draft is incomplete, and leaves key points unspecified. As a result, software authors have had to make implementation choices about what should, or should not, be done in certain situations. These implementation choices are somewhat constrained by ad hoc interoperability tests. That is, all TACACS+ clients and servers interoperate, so there is a rough consensus on how the protocol works. While the authors have made every effort to maintain compatibility, there is no guarantee, however, that this specification matches the behavior of current or historical implementations. We believe that any incompatibilites are due to modern security requirements. We therefore suggest that implementors should read this document, and verify that their implementations follow the security practices recommended here. 9.2 Security of The Protocol The major security issue with the TACACS+ protocol is the ad hoc "encryption" defined in Section 3.6. This "encryption" is more properly called "obfuscation", and has had no security analysis. That is, the security or insecurity of the protocol is entirely unknown. Attacks on cryptographic hashes are well known and are getting better with time, as discussed in [RFC4270]. The security of the TACACS+ protocol is dependent on MD5 [RFC1321], which has security issues as discussed in [RFC6151]. It is not known if the issues described in [RFC6151] apply to TACACS+. <<AD: lifted from RFC 6929 Section 11 >> The choice of encrypting the body but not the packet header is unusual. The lack of security on the packet header means that an attacker can modify the header without detection. For example, a "session_id" can be replaced by an alternate one, which could allow an unprivileged administrator to "steal" the authorization from a session for a privileged administrator. An attacker could also update the "flags" field to indicate that one or the other end of a connection requires TAC_PLUS_UNENCRYPTED_FLAG, which could remove what little security is available. What little security that exists is dependent on implementations limiting access to known clients, and on the strenght of the secret key. Attacks who can guess the key or break the obfuscastion method can gain unrestricted and undetected access to all TACACS+ traffic. This access permits the attacker to execute any command on any system, leaving the attacker in complete control of the network. The negative side effects of such a successful attack cannot be overstated. 9.2.1 Security of Authentication Sessions There are a number of security issues with authentication sessions. As the sessions enable the exchange of clear-text passwords, an attacker capable of observing the unencrypted traffic or breakign the encrypted traffic, can gain complete network access. Similarly, MSCHAPv1 and MS-CHAPv2 offer little additional security, while ARAP is insecure and MUST NOT be used. As of the publication of this document, there has been no similar attacks on the CHAP protocol. Section 4.4.3 permits the redirection of a session to another server via the TAC_PLUS_AUTHEN_STATUS_FOLLOW mechanism. As part of this process, the secret key for a new server can be sent to the client. This public exchange of secret keys means that once one session is broken, it may be possible to leverage that attack to attacking connections to other servers. Section 9.4, below, has recommendations for securing this portion of the protocol. 9.2.2 Security of Authorization Sessions The primary issue with authorization sessions is that unauthenticated authorization is allowed. Almost as bad, authorization is permitted where authentication was done by a third party, such as with TAC_PLUS_AUTHEN_METH_KRB5. This third party authentication is based entirely on the client claiming that the user has been authenticated, and the server trusting that request. This practice is entirely insecure. There is also no way to cryptographically tie an authorization session to a particular authentication session. That is, when the client indicates "authen_method" in the packet header, the authentication and authorization sessions are tied together implicitly by the contents of the other fields, such as "use", "port", "rem_addr", etc. <<AD: it would be good for Section 5.1 to contain recommendations on how the server can use these fields to tie together authentication / authorization sessions. Perhaps recommend that all AAA include a "task_id"? >> The specification allows for the exchange of attribute-value pairs. While a few such attributes are defined here, the protocol is extensible, and vendors can define their own attributes. There is no registry for such attributes, and in the absence of a published specification, no way for a client or server to know the meaning of a new attribute. As a result, vendors SHOULD NOT define new attribute-value pairs, unless such pairs are used only to communicate between client and server implementations both written by the same vendor. The "cmd" and "cmd-arg" attributes define shell commands and arguments, but does not specify what these are. The specific commands, therefore, are undefined. 9.2.3 Security of Accounting Sessions The security considerations for accounting sessions are largely the same as for authorization sessions. This section describes additional issues specific to accounting sessions. There is no way in TACACS+ to signal that accounting is required. There is no way for a server to signal a client how often accounting is required. The accounting packets are received solely at the clients discretion. Adding such functionality would assist with auditing of user actions. The "task_id" field is defined only for accounting packets, and not for authentication or authorization packets. As such, it is difficult to correlate accounting data with a previous authentication or authorization request. <<AD: re-use the recommendations suggested for Section 5.1, above? >> 9.4 Security of Deployments Due to the above concerns with the protocol, it is critical that it be deployed in a secure manner. Systems using TACACS+ MUST be configured so that TACACS+ traffic is secured. Any user or service who is not interacting with the TACACS+ protocol MUST NOT be able to observe TACACS+ traffic, even when TACACS+ "encryption" is used. When used inside of enterprises, TACACS+ traffic MUST be sent over management networks. When used on the wider internet, TACACS+ traffic MUST be secured via a modern security protocol such as TLS or IPSec. As this specification describes the historic protocol, recommendations on TLS and IPSec parameters are outside of the scope of this document. 9.4 Recommendations for Implementations The following recommendations are for clients and servers which implement the TACACS+ protocol. These recommendations describe end user interaction or user interface design. While not part of the protocol itself, good designs can prevent insecure configurations. Clients and servers MUST default to rejecting all connections which have the TAC_PLUS_UNENCRYPTED_FLAG set. Clients and servers MAY permit such connections when a debugging or test flag is set. Clients and servers MUST NOT run with this flag set in normal environments. Similarly, the default for both clients and servers MUST be to require a secret key when configuring a new server or client. The secret key MUST NOT be empty, and SHOULD be at least eight (8) characters in length. Clients and servers SHOULD permit the user of keys unique to each server or client which they are connecting to. They SHOULD warn the administrator if a secret key is re-used. Documentation for implementations SHOULD recommend the use of strong secret keys. Servers should maintain list of known clients, and reject connections which originate from other systems. Servers SHOULD NOT permit the configuration of wildcard clients. e.g. clients which map to a network range. Where a client or server detects that the secret key is incorrect, it SHOULD terminate the underlying TCP connection, and log a message to the system administrator. There is no good reason to keep a connection open when the systems are unable to communicate in a meaningful fashion. Implementions MUST default to using TAC_PLUS_AUTHEN_TYPE_CHAP for authentication. We recognize, however, that this authentication method is incompatible with many password storage systems. As a result, other authentication methods are still in the protocol, and can be used so long as administrators recognize the security issues with their use. Clients MUST default to treating TAC_PLUS_AUTHEN_STATUS_FOLLOW as if TAC_PLUS_AUTHEN_STATUS_FAIL had been received instead. Clients SHOULD allow administrators to explicitly enable the TAC_PLUS_AUTHEN_STATUS_FOLLOW functionality. When the functionality is enabled, clients SHOULD permit administrators to specify ranges of addresses, and/or sets of hosts, along with corresponding secret keys, for which redirection will be permitted. Clients SHOULD ignore redirects to hosts which are outside of the pre-configured range or list. Clients SHOULD ignore any key provided via TAC_PLUS_AUTHEN_STATUS_FOLLOW, and SHOULD instead use a preconfigured key for that host. For authorization, servers SHOULD default to requiring TAC_PLUS_AUTHEN_METH_TACACSPLUS. Servers SHOULD track authentication sessions via methods "to be described" in Section 5.1. Where a server receives an unknown attribute-value pair, it SHOULD reply with TAC_PLUS_AUTHOR_STATUS_FAIL. Where a server receives an unrecognized values in authorization attributes such as "cmd", "cmd-arg", "acl", etc., the server SHOULD reply with TAC_PLUS_AUTHOR_STATUS_FAIL. When a client receives an unknown authorization attribute, it SHOULD behave as if it had received TAC_PLUS_AUTHOR_STATUS_FAIL. >
- [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribution… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Robert Drake
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Ignas Bagdonas
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… t.petch
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Tianran Zhou
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Ignas Bagdonas
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… t.petch
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Randy Presuhn
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Tianran Zhou
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… t.petch
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Tianran Zhou
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Tianran Zhou
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… t.petch
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII t.petch
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII Eliot Lear
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII t.petch
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… t.petch
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contribu… Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII Douglas Gash (dcmgash)
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII Alan DeKok
- Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII Douglas Gash (dcmgash)