Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Thu, 30 June 2022 15:38 UTC

From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: "Joe Clarke (jclarke)" <jclarke@cisco.com>, Alan DeKok <aland@deployingradius.com>, heasley <heas@shrubbery.net>
CC: "opsawg@ietf.org" <opsawg@ietf.org>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Thread-Topic: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt
Thread-Index: AQHYi+XXjAL+w6fxTkmR8U3XNXjCv61m6AIAgAEmYACAAAZQOw==
Date: Thu, 30 Jun 2022 15:38:51 +0000
Message-ID: <PH0PR11MB5783AE73910604189BA238B6B7BA9@PH0PR11MB5783.namprd11.prod.outlook.com>
References: <YryZcYAjzaUr/Er1@shrubbery.net> <D14D7902-487E-4C8C-8D1A-99CE0CF03FAF@deployingradius.com> <BN9PR11MB5371D3375FEB7727BCA96921B8BA9@BN9PR11MB5371.namprd11.prod.outlook.com>
In-Reply-To: <BN9PR11MB5371D3375FEB7727BCA96921B8BA9@BN9PR11MB5371.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/9HyVHY6yss73hNrNg7cxsJynHD0>

Hi,

First, it would be good to make sure the intent is clear: though the TLS 1.3 draft is simply to do the TLS encapsulation, the security draft is primarily to support the SSH key distribution during T+ authentication.

To do this we added the variable arguments to the authentication phase so that the authentication phase matches the pattern already established in the protocol for the authorization and accounting phases.

The feedback, though, is pretty clearly not to do this. Let us take a look at the options.

From: Joe Clarke (jclarke) <jclarke@cisco.com>
Date: Thursday, 30 June 2022 at 16:07
To: Alan DeKok <aland@deployingradius.com>, heasley <heas@shrubbery.net>
Cc: opsawg@ietf.org <opsawg@ietf.org>, Douglas Gash (dcmgash) <dcmgash@cisco.com>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Subject: Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt
Thanks for your continued attention to this work, Alan.  Your insight is very much appreciated.

As a contributor, I rather like the simpler TLS encap over T+ approach described in the tls13 draft.  I’d personally not over-engineer something that isn’t immediately required.  T+ has been around for a while and is heavily used.  I don’t know that we need to spend time adding extensibility.

Joe

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of Alan DeKok <aland@deployingradius.com>
Date: Wednesday, June 29, 2022 at 17:34
To: heasley <heas@shrubbery.net>
Cc: opsawg@ietf.org <opsawg@ietf.org>, Douglas Gash (dcmgash) <dcmgash@cisco.com>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Subject: Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt
On Jun 29, 2022, at 2:26 PM, heasley <heas@shrubbery.net> wrote:
> We have received no comments about this draft, which I presume means no
> technical objections exist.  So, I would like to ask the Chairs for an
> adoption call.

  I would suggest that ~3 weeks is a little too short a time frame to claim that there are no objections.   I'll point to the previous TACACS+ document, where there were multiple reviews which got addressed by the authors many months later.

  I'll also point to my earlier review of draft-dahm-tacacs-tls13-00.txt, where I had concerns with extending the 1990s style TACACS+ packet format.  The same concerns apply here.

  If we're going to extend TACACS+ by adding major new features, I would suggest that it's a priority to design these features correctly, the first time.  Experience shows that it is extremely difficult to extend fixed-field packet formats.  It's almost always better to use an extensible format, as with DHCPv4, DHCPv4, DNS options, YANG, RADIUS, Diameter, etc.

  Using a format with fixed fields now makes it more difficult to extend TACACS+ in the future.  There will just be one complex format added after another.  The alternative is instead to define an extensible format, in which case new extensions become trivial.

  Alan DeKok.
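The two design options the thread argues over can be put side by side in code. The following is an added example written for this archive page; it is not code from draft-dahm-opsawg-tacacs-security, draft-dahm-tacacs-tls13, or any of the participants. Layout 1 is the "variable arguments" pattern Douglas describes, taken from the authorization REQUEST body of RFC 8907 (arg_cnt, one length octet per argument, then the "attr=value" / "attr*value" bodies). Layout 2 is a hypothetical TLV layout, constructed here only to illustrate the extensibility property Alan argues for: a receiver skips types it does not know rather than failing. The function names, the type numbers TLV_USER and TLV_KEY, and all sample values are constructed; the attribute names service, cmd and cmd-arg are the ones RFC 8907 defines.

```python
"""Two encodings of 'variable arguments', side by side.

Added example for the thread above; it is not code from either draft or from
any of the authors.  Layout 1 is the arg_cnt / arg_N_len / argument-body layout
of the RFC 8907 authorization REQUEST body; layout 2 is a constructed,
hypothetical TLV layout.  All sample values are constructed.
"""
import struct

# Constructed sample, using attribute names that RFC 8907 defines.
SAMPLE_ARGS = ["service=shell", "cmd=show", "cmd-arg*version"]


# --- Layout 1: arg_cnt, one length octet per argument, then the bodies -----

def encode_args_rfc8907(args):
    """Encode 'attr=value' / 'attr*value' strings as arg_cnt, lengths, bodies."""
    bodies = [a.encode("ascii") for a in args]
    # arg_cnt and every arg_N_len are single octets, so both are capped at 255.
    if len(bodies) > 255 or any(len(b) > 255 for b in bodies):
        raise ValueError("arg_cnt and arg_N_len are single octets")
    header = bytes([len(bodies)]) + bytes(len(b) for b in bodies)
    return header + b"".join(bodies)


def decode_args_rfc8907(buf):
    """Parse the layout back; every length is validated before it is used."""
    if not buf:
        raise ValueError("truncated: no arg_cnt")
    cnt = buf[0]
    if len(buf) < 1 + cnt:
        raise ValueError("truncated: fewer arg_N_len octets than arg_cnt")
    lens = list(buf[1:1 + cnt])
    pos = 1 + cnt
    if len(buf) != pos + sum(lens):
        raise ValueError("arg_N_len fields do not match the body length")
    args = []
    for n in lens:
        args.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return args


def split_arg(arg):
    """RFC 8907: '=' marks a mandatory argument, '*' an optional one."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError("argument lacks an '=' or '*' separator: %r" % arg)


def args_well_formed(buf):
    """True if the buffer parses; used to show truncated input being rejected."""
    try:
        decode_args_rfc8907(buf)
        return True
    except ValueError:
        return False


# --- Layout 2: hypothetical TLV (type, length, value) ----------------------

TLV_HDR = "!BH"  # 1-octet type, 2-octet length, then value (constructed choice)
TLV_USER, TLV_KEY = 1, 2  # hypothetical type numbers, not from any draft
SAMPLE_TLVS = [(TLV_USER, b"alice"), (TLV_KEY, b"ssh-ed25519 EXAMPLEKEY")]


def encode_tlvs(items):
    out = bytearray()
    for t, v in items:
        if len(v) > 0xFFFF:
            raise ValueError("TLV value longer than the 2-octet length allows")
        out += struct.pack(TLV_HDR, t, len(v)) + v
    return bytes(out)


def decode_tlvs(buf, known_types):
    """Return (known items, skipped types).  Unknown types are skipped rather
    than fatal, so an old receiver can still read a message from a newer
    sender; that is the property an extensible format buys."""
    hdr = struct.calcsize(TLV_HDR)
    pos, found, skipped = 0, [], []
    while pos < len(buf):
        if len(buf) - pos < hdr:
            raise ValueError("truncated TLV header")
        t, n = struct.unpack_from(TLV_HDR, buf, pos)
        pos += hdr
        if len(buf) - pos < n:
            raise ValueError("truncated TLV value")
        value = buf[pos:pos + n]
        pos += n
        if t in known_types:
            found.append((t, value))
        else:
            skipped.append(t)
    return found, skipped


if __name__ == "__main__":
    wire = encode_args_rfc8907(SAMPLE_ARGS)
    print(wire.hex(), decode_args_rfc8907(wire))
    # A newer sender adds a type (3) this receiver has never seen.
    newer = encode_tlvs(SAMPLE_TLVS + [(3, b"\x01")])
    print(decode_tlvs(newer, {TLV_USER, TLV_KEY}))
```

Both decoders check every length against the bytes actually present before slicing, which is the check a practitioner wants in any parser for either layout. The difference the thread is about shows up in decode_tlvs: a receiver built against only TLV_USER still parses a message carrying TLV_KEY and a later type 3, reporting them as skipped, whereas a fixed-field layout has no tag a receiver could use to step over a field it does not understand.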


