[OPSAWG] Alexey Melnikov's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
Alexey Melnikov via Datatracker <noreply@ietf.org> Wed, 15 May 2019 18:48 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: opsawg@ietf.org
Delivered-To: opsawg@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 53302120175; Wed, 15 May 2019 11:48:37 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Alexey Melnikov via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsawg-tacacs@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, opsawg-chairs@ietf.org, jclarke@cisco.com, opsawg@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.96.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Alexey Melnikov <aamelnikov@fastmail.fm>
Message-ID: <155794611732.30470.1197104619504417977.idtracker@ietfa.amsl.com>
Date: Wed, 15 May 2019 11:48:37 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/Fy9WfT9vcAQhNRJJbGj-hFoxPak>
Subject: [OPSAWG] Alexey Melnikov's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 18:48:38 -0000
Alexey Melnikov has entered the following ballot position for draft-ietf-opsawg-tacacs-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- I appreciate that this is documenting an existing protocol and I am very glad that it is being documented. However there are several things which are still not documented well enough/not in enough details to implement. So I would like to discuss these issues before recommending approval of this document: 1) 4.6. Text Encoding All text fields in TACACS+ MUST be printable US-ASCII, excepting Please add a reference to RFC 20 (for US-ASCII) here. Without out it "printable" has no meaning. special consideration given to user field and data fields used for passwords. To ensure interoperability of current deployments, the TACACS+ client and server MUST handle user fields and those data fields used for passwords as 8-bit octet strings. The deployment operator MUST ensure that consistent character encoding is applied from the end client to the server. The encoding SHOULD be UTF-8, and other Please add Normative RFC 3629 reference here for UTF-8. encodings outside printable US-ASCII SHOULD be deprecated. I am not sure what this mean. You didn't define allowed encoding (really you mean charsets). 2) In 5.1: The printable US-ASCII name of the client port on which the authentication is taking place, This doesn't mean anything. Is there a registry? It doesn't look like you are using transport service name registry for this. Is it a fixed list? and its length in bytes. The value of this field is client specific. (For example, Cisco uses "tty10" to denote the tenth tty line and "Async10" to denote the tenth async interface). The port_len indicates the length of the port field, in bytes. 3) Later in 5.1: A printable US-ASCII string indicating the remote location from which the user has connected to the client. It is intended to hold a network address What are the allowed formats for IPv4 and IPv6? Or is this just human readable? if the user is connected via a network, a caller ID is the user is connected via ISDN or a POTS, or any other remote location information that is available. 4) In 5.4: If the information being requested by the server form the client is sensitive, then the server should set the TAC_PLUS_REPLY_FLAG_NOECHO flag. When the client queries the user for the information, the response MUST NOT be echoed as it is entered. What does the last sentence mean? (When is it ever echoed?) Are you missing a forward reference or some explanation of echoing? 5) KRB5 and KRB4 need normative references. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- In 4.8: 4.8. The TACACS+ Packet Header The total length of the packet body (not including the header). In network byte order? There is some text about that in 4.9, but readers don't know that yet. In 6.1: The arguments are the primary elements of the authorization interaction. In the request packet they describe the specifics of the authorization that is being requested. Each argument is encoded in the packet as a single arg filed (arg_1... arg_N) with a Typo: filed --> field. corresponding length fields (which indicates the length of each argument in bytes). Later in the same section: Optional arguments are ones that may be disregarded by either client or server. Mandatory arguments require that the receiving side can handle the attribute, that is: its implementation and configuration includes the details of how to act on it. If the client receives a mandatory argument that it cannot handle, it MUST consider the authorization to have failed. It is legal to send an attribute-value pair with a zero length value. Last sentence: do you just mean that the value can be empty? In 8.1: Date Time Absolute date/times are specified in seconds since the epoch, 12:00am Jan 1 1970. The timezone MUST be UTC unless a timezone attribute is specified. Stardate is canonically inconsistent and so SHOULD NOT be used. I am not sure what the last sentence means. In 8.2: 8.2. Authorization Attributes For example: "shell", "tty-server", "connection", "system" and "firewall". This attribute MUST always be included. Is this a full list or is there a registry? Later in the same section: remote_host (String) What is the syntax of this field? 10.4. Security of Accounting Sessions Replace accounting data with new valid or garbage which prevents to provide distraction "prevents to provide distraction" doesn't read well. or hide information related to their authentication and/or authorization attack attempts. In 10.5.1: TACACS+ server administrators SHOULD change secret keys at regular intervals. Humans are very bad at this. So I think it would be better if this is changed to add a requirement on management UIs. 10.5.3. Authentication To help TACACS+ administraots select the stronger authentication Typo: administrators.
- [OPSAWG] Alexey Melnikov's Discuss on draft-ietf-… Alexey Melnikov via Datatracker