Re: [OPSAWG] RFC 8907 on The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol

"Joe Clarke (jclarke)" <jclarke@cisco.com> Fri, 02 October 2020 21:21 UTC

From: "Joe Clarke (jclarke)" <jclarke@cisco.com>
CC: opsawg <opsawg@ietf.org>
Date: Fri, 02 Oct 2020 21:21:23 +0000
Message-ID: <C871C723-1E9C-4CE1-9A91-11679A791659@cisco.com>
References: <20200930235612.01938F406CB@rfc-editor.org>
In-Reply-To: <20200930235612.01938F406CB@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/90av0wXjkAAuS6Yj1Oona3JWimk>

Thanks to the authors and the working group members for all your efforts in getting this one across the finish line.

I hope the authors are still planning to take up new work to secure TACACS+ with TLS as was the original intent of this work.

Have a good weekend, all.

Joe  

> On Sep 30, 2020, at 19:56, rfc-editor@rfc-editor.org wrote:
> 
> A new Request for Comments is now available in online RFC libraries.
> 
> 
>        RFC 8907
> 
>        Title:      The Terminal Access Controller Access-Control 
>                    System Plus (TACACS+) Protocol 
>        Author:     T. Dahm,
>                    A. Ota,
>                    D.C. Medway Gash,
>                    D. Carrel,
>                    L. Grant
>        Status:     Informational
>        Stream:     IETF
>        Date:       September 2020
>        Mailbox:    thorstendlux@google.com, 
>                    andrej@ota.si, 
>                    dcmgash@cisco.com,
>                    carrel@ipsec.org, 
>                    lol.grant@gmail.com
>        Pages:      41
>        Updates/Obsoletes/SeeAlso:   None
> 
>        I-D Tag:    draft-ietf-opsawg-tacacs-18.txt
> 
>        URL:        https://www.rfc-editor.org/info/rfc8907
> 
>        DOI:        10.17487/RFC8907
> 
> This document describes the Terminal Access Controller Access-Control
> System Plus (TACACS+) protocol, which is widely deployed today to
> provide Device Administration for routers, network access servers,
> and other networked computing devices via one or more centralized
> servers.
> 
> This document is a product of the Operations and Management Area Working Group of the IETF.
> 
> 
> INFORMATIONAL: This memo provides information for the Internet community.
> It does not specify an Internet standard of any kind. Distribution of
> this memo is unlimited.
> 
> This announcement is sent to the IETF-Announce and rfc-dist lists.
> To subscribe or unsubscribe, see
>  https://www.ietf.org/mailman/listinfo/ietf-announce
>  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
> 
> For searching the RFC series, see https://www.rfc-editor.org/search
> For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk
> 
> Requests for special distribution should be addressed to either the
> author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
> specifically noted otherwise on the RFC itself, all RFCs are for
> unlimited distribution.
> 
> 
> The RFC Editor Team
> Association Management Solutions, LLC