Re: [OPSAWG] Start of WGLC for TACACS+ document.

t.petch <ietfc@btconnect.com> Thu, 06 October 2016 16:21 UTC

Message-ID: <003101d21fed$6978cb80$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Alan DeKok <aland@deployingradius.com>
References: <CAHw9_iK-1=Epr5CLAtFayd0Bss6oZrsDTfyox6y2SfPJAav78Q@mail.gmail.com> <5019ABA9-BB74-4C69-A455-12C17A2958CE@deployingradius.com> <E6C64895-F0C6-40B8-A687-4DC56590B22E@deployingradius.com> <025401d21fb8$71906e20$4001a8c0@gateway.2wire.net> <2769B0A9-00DE-41F8-9971-9C0AABDC8109@deployingradius.com>
Date: Thu, 06 Oct 2016 17:19:19 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/GcCWkv3t4-83OlHsyaTnvxdAPnM>
Cc: "opsawg@ietf.org" <OpsAWG@ietf.org>, draft-ietf-opsawg-tacacs-05@tools.ietf.org, "opsawg-chairs@tools.ietf.org" <OpsAWG-chairs@tools.ietf.org>

----- Original Message -----
From: "Alan DeKok" <aland@deployingradius.com>
Sent: Thursday, October 06, 2016 2:56 PM


On Oct 6, 2016, at 6:00 AM, t.petch <ietfc@btconnect.com> wrote:
> Alan is right to pick up on the style - philosophical - and the
> security - lack of.
>
> But do we want to change it all at this time?

  Please show where I'm trying to change the protocol.

<tp>

Alan

You are not, and I did not mean to imply that you were.  I mean that
your changes seem to me to reflect a different approach, a different style
which I do not see as that of the authors.  I see the existing style as
unusual, but not wrong, and am content to leave it as is for an
Informational RFC which documents what is, or perhaps what has been.  You
used the word 'philosophical' and I agreed.

So I would keep changes to the minimum, omissions or contradictions and
those required by the publication process (such as splitting References
into Informative and Normative).  It is, after all, WGLC.

On Security, I would invite the chairs to ask for an early review by the
Security Directorate, explaining the context of this document, asking
them how much more is needed and how it should be expressed.  It might
not be very much although my experience is that I never know in advance
what they are going to come up with.

Tom Petch

> This is an Informational document describing the state of play as of
> some time past, perhaps not as far back as 1997 but not for 2016.  It
> would require many changes to make it a 2016 Standards Track document
> but that is not what I see us doing except that is how I take Alan's
> comments.

  Then you're not reading my comments.

  I would like to implement historical TACACS+.  I have *NO IDEA* what
to do for huge swaths of the protocol.

  I would like to deploy historical TACACS+. I have *NO IDEA* what the
security implications are of using it.

> The analogy I have in mind is when SSL v3 was published, long after it
> had been superseded by anyone who took security seriously, but was
> needed as an RFC to refer to, although it would not pass muster because
> the security thereof was too weak.  It would not have met the standards
> of the day but was published despite that.

  I'm not asking that the protocol be *fixed* in this document.  I'm
asking that it be *documented*.  That shouldn't be hard to understand.
I've been saying it for about a year now, for anyone who bothers to read
my messages.

  I'll note that RFC 6101 is "Category: Historic", and has substantial
text about the security (or lack thereof) of the protocol.  It has
substantial text about how the historical protocol works. I'm suggesting
we do the same here.

  I'm suggesting that the TACACS+ protocol be documented as designed, in
sufficient detail that someone can read the document and create an
inter-operable implementation.  I'm suggesting that the TACACS+
protocol's security (or lack thereof) be documented.

  Which is (so far as I'm aware) still IETF practice for informational
specifications.

  If the goal for the document is something else, fine.  Update the
document to say that.   Something like:

  "This document attempts to specify the historical TACACS+ protocol.
However, there are many portions of the protocol which are
under-specified or unspecified.  We cannot second-guess twenty years of
practice here.  As a result, this specification is incomplete,
under-specified, insecure, and should not be used by anyone to implement
anything.  Please wait for the Standards track document to get the
actual TACACS+ specification that people can implement".

  If the document can be updated with such text, I'll withdraw all of my
review comments.  But I predict that the document won't pass security
area review.  And they'll make all of the same comments as I've made
here, with a recommendation that the document not be published until
it's fixed.

  Alan DeKok.