Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt
Alan DeKok <aland@deployingradius.com> Tue, 11 July 2023 19:12 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20FE1C137384 for <opsawg@ietfa.amsl.com>; Tue, 11 Jul 2023 12:12:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OuzcHUTdiSfN for <opsawg@ietfa.amsl.com>; Tue, 11 Jul 2023 12:12:52 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A9CEC17CEA2 for <opsawg@ietf.org>; Tue, 11 Jul 2023 12:12:30 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id F2450303; Tue, 11 Jul 2023 19:12:27 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <PSBP153MB0373B53CC86D57CDD517025E9331A@PSBP153MB0373.APCP153.PROD.OUTLOOK.COM>
Date: Tue, 11 Jul 2023 15:12:26 -0400
Cc: "opsawg@ietf.org" <opsawg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6D6C74D7-2866-4438-B531-34772255E26E@deployingradius.com>
References: <168805050611.46147.7135705558590726585@ietfa.amsl.com> <BN9PR11MB537112089669BC32EF2C0772B82FA@BN9PR11MB5371.namprd11.prod.outlook.com> <DU2PR02MB10160503322FB68A7CBFA3988882FA@DU2PR02MB10160.eurprd02.prod.outlook.com> <BN9PR11MB5371BABF4EBC116C901D16F2B82FA@BN9PR11MB5371.namprd11.prod.outlook.com> <DU2PR02MB101606103DE6014B5A2AE7348882CA@DU2PR02MB10160.eurprd02.prod.outlook.com> <PSBP153MB0373B53CC86D57CDD517025E9331A@PSBP153MB0373.APCP153.PROD.OUTLOOK.COM>
To: Peter Marrinon <peter.marrinon=40microsoft.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/DIIJaqaRvT5K2OCd3pmxKTpiyrI>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2023 19:12:58 -0000
On Jul 10, 2023, at 10:09 PM, Peter Marrinon <peter.marrinon=40microsoft.com@dmarc.ietf.org> wrote: > This feedback is based on my own review and some comments from people in my team who will be implementing this in our internal TACACS+ system. Our issues are relatively minor; we generally believe we could take most of this standard and implement it as intended. I have some related comments. Rather than start a new thread, I'll reply here. > > ISSUES THAT CAUSED CONFUSION > > 3.2 Based on some questions from a developer in my team, it may be beneficial to explicitly state that earlier versions of TLS MUST NOT be supported. I think the text implies it but explicitly stating it may stop someone also adding support for earlier versions. Agreed. > 3.2.1 Cipher Requirements: "The cipher suites offered or accepted SHOULD be configurable so that operators can adapt." It is slightly unclear what the operators are adapting. Is this meant to be "The cipher suites offered or accepted SHOULD be configurable by operators" or is there a subtlety I'm missing? The implementation should expose enough TLS configuration that the administrator can change the cipher list if necessary. For example: https://github.com/FreeRADIUS/freeradius-server/blob/release_3_2_3/raddb/mods-available/eap#L407 That just takes configuration: cipher_list = "..." and hands the string over to OpenSSL, which does it's magic. This lets the admin use "DEFAULT" in most cases. But if the admin needs to change that, it's simple to do so. > 3.3 TLS identification: There does not appear to be any network location based validation methods in section 5.2 of RFC5425. Is it meant to be a reference to the using a wildcard with a domain? I would agree that implementations should support IP-layer filtering by network. The TACACS+ server may be accessible on a management network, but perhaps only part of that network contains edge devices which will connect via TACACS+. As a result, it is useful to have a configuration which can say "allow network FOO, forbid network BAR". This would be in addition to any TLS layer filtering. Alan DeKok.
- [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls… internet-drafts
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Joe Clarke (jclarke)
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… mohamed.boucadair
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Joe Clarke (jclarke)
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Marc Huber
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… mohamed.boucadair
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Peter Marrinon
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Alan DeKok
- Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Alan DeKok