Re: [OPSAWG] Alexey Melnikov's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)

"Alexey Melnikov" <aamelnikov@fastmail.fm> Thu, 13 February 2020 15:49 UTC

Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1E8D120131; Thu, 13 Feb 2020 07:49:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=DSCeaeDj; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=DXQznkJa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bw9NSscUhloX; Thu, 13 Feb 2020 07:49:16 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 830F812012E; Thu, 13 Feb 2020 07:49:16 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 7CEF12217D; Thu, 13 Feb 2020 10:49:15 -0500 (EST)
Received: from imap21 ([10.202.2.71]) by compute7.internal (MEProxy); Thu, 13 Feb 2020 10:49:15 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= mime-version:message-id:in-reply-to:references:date:from:to:cc :subject:content-type:content-transfer-encoding; s=fm2; bh=buK6C 4v5nNPtbvRDfROo81XLS3ZqosaY+swz2vGUmxs=; b=DSCeaeDjnZ4v8dMz2BzBd CYp8ltUuQnsXpuOf44PgkAEY3lwVrcahlsCYqF9MB0KTFlRMap+POw5DhYKytqQl L2Gd29/yYrd0qFVt2uwrpSmeP72y8BbHaHipR4fU3MSzXIPeEn/VfUBWABGqaRee nrs/xn2Zi/w83SKsdBbdcfT44khARagrtSE5AxtQCE9+Zwt+QNjvfpxyHqKKD1Kc L+GLP/CnNQzK0NFVzpLovLGr9WyA0YJB7Sm9Falami+8ylYwXQ1Pw9R97KgiV5xP eJ66Qf5zyC5muKr/rcRUAPWRBuWzwdLGV2NXFtk2/oB6im5rUyFjuhs7v+TPe7hs A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=buK6C4v5nNPtbvRDfROo81XLS3ZqosaY+swz2vGUm xs=; b=DXQznkJatn7uF9RGX09Puesb2rhO27Nch9Xua/nDaynt/RUHVApi0ls5N m3gM0SjKyyfJIHjKzMfWgmxCGzXBk2YcXDqXg3lmlyXywl50iI7/Ky30T5PnvhWN lPQ3AJEBgdUkW0LGbbemIrQp8VUhBlOtD0a7U5xR6MpQZICODKf8TwIeRA9J2EhN 9JPaRAd5axG/LqRNPvfkeg1dw5e3w8ZjA23tG9QyF/VSRLrePNYFS7RTSDHUH++o n7+3c4p+xJBf1TMNWN9cMcCLRXl7GJq+RJdy55jZlQoYUZC3fycx8ei+yyq2w1z2 ZdUmoHN3dyBWoP/7i+K6j+SgAQVdA==
X-ME-Sender: <xms:-m9FXlFMVjCiF2tKLQm0kmAMIwVc7uUph2hOda3oFzOF_teD1VzDVg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrieekgdekudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdetlhgv gigvhicuofgvlhhnihhkohhvfdcuoegrrghmvghlnhhikhhovhesfhgrshhtmhgrihhlrd hfmheqnecuffhomhgrihhnpehivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedt necurfgrrhgrmhepmhgrihhlfhhrohhmpegrrghmvghlnhhikhhovhesfhgrshhtmhgrih hlrdhfmh
X-ME-Proxy: <xmx:-29FXuQDslE4L7GBTHVD6lnsT9rN2ZhLApmiSTvgXfYPtDYSLV4d2g> <xmx:-29FXrs2cQq_b-p4dBSdJINl5wxsh0RuS-YoYtW8CB-I5M9EO_IqCg> <xmx:-29FXjBZat0g0PVM_Nbs54lVnriYjjRlMIpCXwKTWJ24dfgvBSwXNg> <xmx:-29FXkUoieJM4bCsyYBGkr6cy79HFUB8AV43o1TaU4r_elH1769gZw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id CE933660065; Thu, 13 Feb 2020 10:49:14 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-802-g7a41c81-fmstable-20200203v1
Mime-Version: 1.0
Message-Id: <c663ae52-99be-4499-9fca-ece1b44d917e@www.fastmail.com>
In-Reply-To: <CAHw9_iJi3jaapHusG4-Yb8PyHUEwbrKz1SBfiu+5P+==UreBYw@mail.gmail.com>
References: <155798766808.30465.13613903853679159439.idtracker@ietfa.amsl.com> <93780B8A-40AB-43DF-899E-34DA47E0807C@cisco.com> <CAHw9_iJi3jaapHusG4-Yb8PyHUEwbrKz1SBfiu+5P+==UreBYw@mail.gmail.com>
Date: Thu, 13 Feb 2020 15:48:54 +0000
From: "Alexey Melnikov" <aamelnikov@fastmail.fm>
To: "Warren Kumari" <warren@kumari.net>, "Douglas Gash (dcmgash)" <dcmgash=40cisco.com@dmarc.ietf.org>
Cc: "The IESG" <iesg@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/CaU6TJf2i8tvPeF43uQEqnkX0X4>
Subject: Re: [OPSAWG] =?utf-8?q?Alexey_Melnikov=27s_Discuss_on_draft-ietf-ops?= =?utf-8?q?awg-tacacs-13=3A_=28with_DISCUSS_and_COMMENT=29?=
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2020 15:49:19 -0000

Hi Warren,
I am getting to the bottom of my ToDo list, so I should be getting to this soon.

Best Regards,
Alexey

On Thu, Feb 6, 2020, at 4:04 PM, Warren Kumari wrote:
> Hey Alexey,
> 
> I recently took over this document from Igans - it has been stuck in
> 'IESG Evaluation::AD Followup'  for 266 days (at version -13).
> This is an informational document, describing an existing, and widely
> deployed protocol -- the intent was that, once this is published,
> there would be a new document largely saying "... great, now take
> RFCxxxx, and throw it over TLS. Done!" (as you can guess, there is
> much history here as to why it had to happen in two documents instead
> of one :-))
> 
> The authors have made significant updates
> (https://www.ietf.org/rfcdiff?url1=draft-ietf-opsawg-tacacs-13&url2=draft-ietf-opsawg-tacacs-16)-16),
> and believe that they have now addressed all open comments.
> 
> I'd really like to get this document out the door soon - would you
> mind prioritizing checking if these changes address your concerns?
> W
> 
> On Mon, Jan 27, 2020 at 3:28 PM Douglas Gash (dcmgash)
> <dcmgash=40cisco.com@dmarc.ietf.org> wrote:
> >
> >  Hi,
> >
> > I hope that in the last few versions we have updated the document to sufficiently answer the concerns raised, please let me know if any concerns remain, many thanks.
> >
> > The majority of the issues were responded to initially last summer, but the balance should be by the latest version recently uploaded.
> >
> > Please see the point-by point descriptions of changes or responses.
> >
> > Many thanks,
> >
> >
> > 1) 4.6.  Text Encoding
> >
> >        All text fields in TACACS+ MUST be printable US-ASCII, excepting
> >
> >     Please add a reference to RFC 20 (for US-ASCII) here. Without out it
> >     "printable" has no meaning.
> >
> > TA> Agreed,  will update as advised  [AI=TA]
> >
> > Specifically:
> >
> > "3.7.  Treatment of Text Strings
> >
> >     The TACACS+ protocol makes extensive use of text strings.  The
> >     original draft intended that these strings would be treated as byte
> >     arrays where each byte would represent a US-ASCII character.
> >
> >     More recently, server implementations have been extended to interwork
> >     with external identity services, and so a more nuanced approach is
> >     needed.  Usernames MUST be encoded and handled using the
> >     UsernameCasePreserved Profile specified in RFC 8265 [RFC8265].  The
> >     security considerations in Section 8 of that RFC apply.
> >
> >     Where specifically mentioned, data fields contain arrays of arbitrary
> >     bytes as required for protocol processing.  These are not intended to
> >     be made visible through user interface to users.
> >
> >     All other text fields in TACACS+ MUST be treated as printable byte
> >     arrays of US-ASCII as defined by RFC 20 [RFC0020].  The term
> >     "printable" used here means the fields MUST exclude the "Control
> >     Characters" defined in section 5.2 of RFC 20 [RFC0020]."
> >
> >
> >
> >        special consideration given to user field and data fields used for
> >        passwords.
> >
> >        To ensure interoperability of current deployments, the TACACS+ client
> >        and server MUST handle user fields and those data fields used for
> >        passwords as 8-bit octet strings.  The deployment operator MUST
> >        ensure that consistent character encoding is applied from the end
> >        client to the server.  The encoding SHOULD be UTF-8, and other
> >
> >     Please add Normative RFC 3629 reference here for UTF-8.
> >
> > TA> Agreed,  will update as advised  [AI=TA]
> > Specifically: Have removed all references to UTF-8.
> >
> >
> >        encodings outside printable US-ASCII SHOULD be deprecated.
> >
> >     I am not sure what this mean. You didn't define allowed encoding (really you
> >     mean charsets).
> >
> > TA> Agreed,  will update as advised  [AI=TA]
> > Specifically: removed UTF-8, pleasee see ref to sectipn 3.7 above.
> >
> >     2) In 5.1:
> >
> >        The printable US-ASCII name of the client port on which the
> >        authentication is taking place,
> >
> >     This doesn't mean anything. Is there a registry? It doesn't look like you are
> >     using transport service name registry for this. Is it a fixed list?
> >
> > TA> Please see new sectin 3.7 above.
> >
> >        and its length in bytes.  The value
> >        of this field is client specific.  (For example, Cisco uses "tty10"
> >        to denote the tenth tty line and "Async10" to denote the tenth async
> >        interface).  The port_len indicates the length of the port field, in
> >        bytes.
> >
> >     3) Later in 5.1:
> >
> >        A printable US-ASCII string indicating the remote location from which
> >        the user has connected to the client.  It is intended to hold a
> >        network address
> >
> >     What are the allowed formats for IPv4 and IPv6? Or is this just human readable?
> > TA> Current practice the field is normally MAC  address or IP. Will recommend that  if IP is  used, it SHOULD conform to RFC5952 [AI=TA]
> > Specifcially, added text: " For IPv6 address text
> >     representation defined please see RFC 5952 [RFC5952]."
> >
> >
> >        if the user is connected via a network, a caller ID
> >        is the user is connected via ISDN or a POTS, or any other remote
> >        location information that is available.
> >
> >     4) In 5.4:
> >
> >        If the information being requested by the server form the client is
> >        sensitive, then the server should set the TAC_PLUS_REPLY_FLAG_NOECHO
> >        flag.  When the client queries the user for the information, the
> >        response MUST NOT be echoed as it is entered.
> >
> >     What does the last sentence mean? (When is it ever echoed?) Are you missing a
> >     forward reference or some explanation of echoing?
> >
> > TA> Agreed, this requires clarification in document to indicate that the data entered should not be reflected in the user interface. [AI=TA]
> > Specifically:
> > Section 5.4., paragraph 5:
> > OLD:
> >
> >     If the information being requested by the server form the client is
> >     sensitive, then the server should set the TAC_PLUS_REPLY_FLAG_NOECHO
> >     flag.  When the client queries the user for the information, the
> >     response MUST NOT be echoed as it is entered.
> >
> > NEW:
> >
> >     If the information being requested by the server form the client is
> >     sensitive, then the server should set the TAC_PLUS_REPLY_FLAG_NOECHO
> >     flag.  When the client queries the user for the information, the
> >     response MUST NOT be reflected in the user interface as it is
> >     entered.
> >
> >
> >     5) KRB5 and KRB4 need normative references.
> > TA> The KRB5 and KRB4 are not specifically used in this document, rather, there is one field with an option that the client uses to indicate how it authenticated, and these are option. This is not verifiable, so it is recomended in the documen tnot to use this field for policy.For this reason, it is not really useful to provide a normative reference, but it is required for the document to explai this. So have added:[AI+TA]
> >
> >
> >     6) Does this document need to obsolete RFC 1492?
> > TA> That could well be sensible, would follow WG consensus here.
> > After review, the differences between TACACS and TACACS+indicated that the protocols were sufficiently different that TACACS+ does not directly obsoltere plain TACACS,
> >
> >     ----------------------------------------------------------------------
> >     COMMENT:
> >     ----------------------------------------------------------------------
> >
> >     In 4.8:
> >
> >     4.8.  The TACACS+ Packet Header
> >
> >        The total length of the packet body (not including the header).
> >
> >     In network byte order? There is some text about that in 4.9, but readers don't
> >     know that yet.
> > TA> Agreed, will clarify [AI=TA]
> > Specifcially in 4.1:
> > "    The following general rules apply to all TACACS+ packet types:
> >
> >        - To signal that any variable length data fields are unused, their
> >        length value is set to zero.  Such fields MUST be ignored, and
> >        treated as if not present.
> >
> >        - the lengths of data and message fields in a packet are specified
> >        by their corresponding length fields, (and are not null
> >        terminated.)
> >
> >        - All length values are unsigned and in network byte order."
> >
> >     In 6.1:
> >
> >        The arguments are the primary elements of the authorization
> >        interaction.  In the request packet they describe the specifics of
> >        the authorization that is being requested.  Each argument is encoded
> >        in the packet as a single arg filed (arg_1...  arg_N) with a
> >
> >     Typo: filed --> field.
> > TA> Thanks, will correct. [AI=TA]
> > "Section 6.1., paragraph 29:
> > OLD:
> >
> >     The arguments are the primary elements of the authorization
> >     interaction.  In the request packet they describe the specifics of
> >     the authorization that is being requested.  Each argument is encoded
> >     in the packet as a single arg filed (arg_1...  arg_N) with a
> >     corresponding length fields (which indicates the length of each
> >     argument in bytes).
> >
> > NEW:
> >
> >     The arguments are the primary elements of the authorization
> >     interaction.  In the request packet, they describe the specifics of
> >     the authorization that is being requested.  Each argument is encoded
> >     in the packet as a single arg field (arg_1...  arg_N) with a
> >     corresponding length fields (which indicates the length of each
> >     argument in bytes)."
> >
> >
> >        corresponding length fields (which indicates the length of each
> >        argument in bytes).
> >
> >     Later in the same section:
> >
> >        Optional arguments are ones that may be disregarded by either client
> >        or server.  Mandatory arguments require that the receiving side can
> >        handle the attribute, that is: its implementation and configuration
> >        includes the details of how to act on it.  If the client receives a
> >        mandatory argument that it cannot handle, it MUST consider the
> >        authorization to have failed.  It is legal to send an attribute-value
> >        pair with a zero length value.
> >
> >     Last sentence: do you just mean that the value can be empty?
> > TA> Yes, this definition evolved, also had query about the use of the word “legal” in this round of review.
> > Will change to “The value part of an attribute-value pair may be empty, that is, the length of the value may be zero.” [AI=TA]
> > Specifically:
> > Section 6.1., paragraph 32:
> > OLD:
> >
> >     Optional arguments are ones that may be disregarded by either client
> >     or server.  Mandatory arguments require that the receiving side can
> >     handle the attribute, that is: its implementation and configuration
> >     includes the details of how to act on it.  If the client receives a
> >     mandatory argument that it cannot handle, it MUST consider the
> >     authorization to have failed.  It is legal to send an attribute-value
> >     pair with a zero length value.
> >
> > NEW:
> >
> >     Optional arguments are ones that may be disregarded by either client
> >     or server.  Mandatory arguments require that the receiving side can
> >     handle the argument, that is: its implementation and configuration
> >     includes the details of how to act on it.  If the client receives a
> >     mandatory argument that it cannot handle, it MUST consider the
> >     authorization to have failed.  The value part of an argument-value
> >     pair may be empty, that is: the length of the value may be zero.
> >
> >
> >
> >     In 8.1:
> >
> >        Date Time
> >
> >        Absolute date/times are specified in seconds since the epoch, 12:00am
> >        Jan 1 1970.  The timezone MUST be UTC unless a timezone attribute is
> >        specified.  Stardate is canonically inconsistent and so SHOULD NOT be
> >        used.
> >
> >     I am not sure what the last sentence means.
> > TA> Agree, will be removed  [AI=TA]
> >
> >     In 8.2:
> >
> >     8.2.  Authorization Attributes
> >
> >        For example: "shell", "tty-server", "connection", "system" and
> >        "firewall".  This attribute MUST always be included.
> >
> >     Is this a full list or is there a registry?
> > TA> This is not a full list, it is just for example. In order to prevent interpretation that it is a full list, will change to [AI=TA]:
> > “The primary service.  Specifying a service attribute indicates that
> >    this is a request for authorization or accounting of that service.
> >    For example: "shell". This attribute MUST always be included.”
> >
> > Specifically:
> >
> > Section 8.1., paragraph 15:
> > OLD:
> >
> >     The primary service.  Specifying a service attribute indicates that
> >     this is a request for authorization or accounting of that service.
> >
> >     For example: "shell", "tty-server", "connection", "system" and
> >     "firewall".  This attribute MUST always be included.
> >
> > NEW:
> >
> >     The primary service.  Specifying a service argument indicates that
> >     this is a request for authorization or accounting of that service.
> >     For example: "shell", "tty-server", "connection", "system" and
> >     "firewall", others may be chosen for the required application.  This
> >     argument MUST always be included.
> >
> >
> >
> >     Later in the same section:
> >
> >        remote_host (String)
> >
> >     What is the syntax of this field?
> > TA>  Will remove this definition.  [AI=TA]
> >
> >     10.4.  Security of Accounting Sessions
> >
> >           Replace accounting data with new valid or garbage which prevents
> >           to provide distraction
> >
> >     "prevents to provide distraction" doesn't read well.
> > TA> Agreed, will attempt to translate into readable language! [AI=TA]
> > Specifcially:
> > "Section 10.4., paragraph 2:
> > OLD:
> >
> >        Replace accounting data with new valid or garbage which prevents
> >        to provide distraction or hide information related to their
> >        authentication and/or authorization attack attempts.
> >
> > NEW:
> >
> >        Replace accounting data with new valid or garbage which can
> >        confuse auditors or hide information related to their
> >        authentication and/or authorization attack attempts.
> > "
> >
> >           or hide information related to their
> >           authentication and/or authorization attack attempts.
> >
> >     In 10.5.1:
> >
> >        TACACS+ server administrators SHOULD change secret keys at regular
> >        intervals.
> >
> >     Humans are very bad at this. So I think it would be better if this is changed
> >     to add a requirement on management UIs.
> > TA> That is sensible. Will  discuss options with WG. [AI=TA]
> > Generlised the advise for the section, i.e. added: "Vendors SHOULD provide
> >     mechanisms to assist the administrator to achieve these best
> >     practices."
> >
> >     10.5.3.  Authentication
> >
> >        To help TACACS+ administraots select the stronger authentication
> >
> >     Typo: administrators.
> > TA> Thanks, will correct. [AI=TA]
> > Specifically:
> >
> > "Section 10.5.3., paragraph 1:
> > OLD:
> >
> >     To help TACACS+ administraots select the stronger authentication
> >     options, TACACS+ servers MUST allow the administrator to configure
> >     the server to only accept challenge/response options for
> >     authentication (TAC_PLUS_AUTHEN_TYPE_CHAP or
> >     TAC_PLUS_AUTHEN_TYPE_MSCHAP or TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 for
> >     authen_type).
> >
> > NEW:
> >
> >     To help TACACS+ administrators select less weak authentication
> >     options, TACACS+ servers MUST allow the administrator to configure
> >     the server to only accept challenge/response options for
> >     authentication (TAC_PLUS_AUTHEN_TYPE_CHAP or
> >     TAC_PLUS_AUTHEN_TYPE_MSCHAP or TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 for
> >     authen_type)."
> >
> >
> > _______________________________________________
> > OPSAWG mailing list
> > OPSAWG@ietf.org
> > https://www.ietf.org/mailman/listinfo/opsawg
> 
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>