Re: [OPSAWG] Start of WGLC for TACACS+ document.
t.petch <ietfc@btconnect.com> Thu, 06 October 2016 16:21 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 280A1129667 for <opsawg@ietfa.amsl.com>; Thu, 6 Oct 2016 09:21:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I6UIWZSl4NsK for <opsawg@ietfa.amsl.com>; Thu, 6 Oct 2016 09:21:40 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0110.outbound.protection.outlook.com [104.47.2.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D5A9129555 for <OpsAWG@ietf.org>; Thu, 6 Oct 2016 09:21:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector1-btconnect-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=0KK22BG5Id1FFtcnudqWWMGrW+ajDoTbSYwZGC0V74E=; b=OFB5Org6itY3m+/yYk/PtAS9AbmBdq5Y3pTaULBE4a6W1+HlAbhrHdgv90mlfD5d4NgHhpsCbaa1N1cpFOw7WfPj2+9oUjisNdfVhe8ZLZTd3ziEtExQ3AiO6ARIIGKbU9Q0efuSNG22/CPP9oi9hrecOxv21Y03bUO99L1I+Aw=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
Received: from pc6 (81.159.102.255) by DB6PR0701MB2999.eurprd07.prod.outlook.com (10.168.84.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.649.16; Thu, 6 Oct 2016 16:21:37 +0000
Message-ID: <003101d21fed$6978cb80$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Alan DeKok <aland@deployingradius.com>
References: <CAHw9_iK-1=Epr5CLAtFayd0Bss6oZrsDTfyox6y2SfPJAav78Q@mail.gmail.com> <5019ABA9-BB74-4C69-A455-12C17A2958CE@deployingradius.com> <E6C64895-F0C6-40B8-A687-4DC56590B22E@deployingradius.com> <025401d21fb8$71906e20$4001a8c0@gateway.2wire.net> <2769B0A9-00DE-41F8-9971-9C0AABDC8109@deployingradius.com>
Date: Thu, 06 Oct 2016 17:19:19 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [81.159.102.255]
X-ClientProxiedBy: AM4PR0902CA0023.eurprd09.prod.outlook.com (10.171.89.33) To DB6PR0701MB2999.eurprd07.prod.outlook.com (10.168.84.137)
X-MS-Office365-Filtering-Correlation-Id: c5110605-2b56-4f83-afc3-08d3ee04d916
X-Microsoft-Exchange-Diagnostics: 1; DB6PR0701MB2999; 2:lKMezH0f+79XfpqbbwJMiWPkbN4lbQhEdfygojmEU9fLRzOWyyhDobm3RsFi0PpEJKmoG/GZX9CWQFocKj6zPL3TcmnDa/k2+4vUgCLYA/6pz0i6f61WVwnv6tBxbF3fZqH6peVxwTV1yJXiIIapnQ+YtQWkJUN1uubZVXPoghSuOa/q8WhYxnnkMPhenOlejokm8VmIQ+Qa9UhRc5CqwQ==; 3:6FxoDV+mugSiY2Q6K8B9K81OO0xw41mYI3lMAXtr6WOLIIDHwkTwLDRD2nJXkVRu0e7R2SQKLjvdJiYuPYo6f25SJ6PRpB756MWYvjOt1xPNgkIpRziTUEfazOKeH5WV5wj+cK5eqCUREXYywxYYew==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB6PR0701MB2999;
X-Microsoft-Exchange-Diagnostics: 1; DB6PR0701MB2999; 25:ItEGcZriak33KuDuOg/tNLp1T/ZeS0wc6DkjD8C+52paK9rx8kOtxO5JkayOFpSV1sakIpzfCZ5sEFVjeHQveNvZMLCUhZ8oWVqqswx5pB4sN3kcKIMZhDiBe3ersbpncqPrzmmocrGw76ZRiRPweuXpdParUcZTYXYzu+ztYJQiNCKan+7SGcUQrvlAs6XFiIgiLekPz4oNdjDuIaa0L+69MfvSHMo6/O4arzWOeprcCilctN0ULugIMfWeAB71VYhGrO0vTtDtziqquEj+5kIabdn8lgFJb+0KjoWz3T1ZFN11NXcnYJD+wyFpI9mPawRAahssOq2s6NwawGBTOUljAXbsUKd6VJ3/aQdfYfVHug5PW3zmw1DX4TPihnboDr87gthssstmFOZeGind3zTlVzGree2REtD5ILV9E5ZQGerJCuOOb4R1Wx2OY7FDqTyfsRkIc9VA/D4T2mwi4dZZNWnYIezlbP3s96cXdz2D6WZRhJ3L9XpR/I0N8CAXdN+2X2yqMaBSg1+wJfQEVpFwjRT6YCE45tV5GmEwg3dXxNUcYDLByVxc0J5glsQP8XeOcs1AYgwBrHopFtCAJkFXlmbjsWgh7p/LHFVlOffehwne+wSCaKicLX3H1/E7LW/OiK3iUuW8aHxBh9AnxAPO00r9veGlM0Fi9TI4P2/7FrSxX97vEetndWk+aPOY+vy8Ng2uAaZMZSp6/K9I6iZkeGXvlZjY/1QuDREoaOmaZx51+ozPPqU9Dh0gb5ny
X-Microsoft-Exchange-Diagnostics: 1; DB6PR0701MB2999; 31:R3BKeK4eL1w4Ev1YMGesNmJe8kWHAPL6gPpDWfBmdxX0fUTHeH8e7gyu3TEwF5LOSaxh51N+fXyPrsU+7usTi0idzA5dGXLZ/pfT2NUbljrUfP3I4kTNZK4RMGnH9NNBiKw+y6x5dZBPumzlpoJcGFm0zjEHdiq7hcrqhdff0LE3BRxNcNleqgZJOoi8hskQ8czgN8Vup7d1DH2ecEoIOStiplygBjkpko+q4nXj7pwwsSaUe3J+OzDM2SLuz5jS; 4:a4IxnLlzmLrdroDUPkpkR4RPORt//fkCfI18XzZ0JGKWfHB+45IMT05xkAdfFyIZFUTvLSnRoktASpZeHf8rqq/G7CsWZ4CxDR8hmR3eDGVR3CCPYs3cUCiJW+Zj/y5/fm5+ZOGrw9MdNJVoUzx3r00zrAb0RZoxpAkdR05Drq9izBR0GV5dKhNH3S929IA6A8fPB4Hks/JGl3T4Z0iPN0C7Pfw/IZRSImLtD9FmslxdYXrzFImljNyTuq33GPI+v5mqlav8+p1f/oQkTcQ3udLvqIeRwbBgqAKrwp4xzuR53/CILnQ03OEcIqe08G+OQo+toWB6C7wK0krYgX7UvC+lzPiVyHhpHK2NzlzqxsO4RlL3Z40EWFjRXYwLclPCiYtZrc1g1e6SJ3EsJeEmCJiw+stPfieSwnC2Ai/rKFJUad95XM4nJ58l8EegPm+6E6ODgdW7atNf70jOfGsZ7l4cpOPhDjuZ288X74+0DfE=
X-Microsoft-Antispam-PRVS: <DB6PR0701MB29993BB669E64C8CC9290610A0C70@DB6PR0701MB2999.eurprd07.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(178726229863574)(192374486261705);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046); SRVR:DB6PR0701MB2999; BCL:0; PCL:0; RULEID:; SRVR:DB6PR0701MB2999;
X-Forefront-PRVS: 00872B689F
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(4630300001)(6009001)(7916002)(189002)(199003)(24454002)(377454003)(13464003)(50226002)(6666003)(105586002)(8676002)(81156014)(81166006)(14496001)(66066001)(68736007)(42186005)(9686002)(61296003)(101416001)(33646002)(47776003)(110136003)(5660300001)(97736004)(62236002)(44716002)(23756003)(44736004)(81686999)(6116002)(230700001)(6916009)(50986999)(76176999)(7846002)(7736002)(19580395003)(19580405001)(3846002)(586003)(305945005)(81816999)(1456003)(86362001)(4720700003)(77096005)(92566002)(106356001)(2906002)(93886004)(116806002)(4326007)(50466002)(84392002)(1556002)(189998001)(74416001)(7726001)(7756004); DIR:OUT; SFP:1102; SCL:1; SRVR:DB6PR0701MB2999; H:pc6; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
Received-SPF: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1; DB6PR0701MB2999; 23:KHa1nW3MqLczFIdzMHTtayzuwUZsJDPNE0RHVRTlBbsuuUFTHb6OAI6qA6xUmYeOSpfMcRHp3xRvh7SiNuUPa1PsPQpDI654ShbwUfp6CvjAie2UzBth0kevnhZec95hCExOh/xgx9MK4Ky4PG/e7BgWxptjqVAwEPGjse1wmV2z8Sb12qpfMFbhUQgyrm3PimzpgmIuk5E4bw7amkOoUa1t2g5R8LAFogwNr0n5p8g7jXSxmTA7Uu00Z5B1rFbsDC2A0KmiKDqX7at+bg6DyLRo2ZXJXr75nXe4Mau0vQ4d6eZx+7UZNCcaN/XOeSvXUIApnid3ZghKH83w0zcKKWH6VCCyw9MVEXmFMB6w6t62oz+evKJulRJ6PIrgOK4S+XmCx5oEsbYFjsiZJ8KM5bKRfaesgM12PypBW7RSTtClerStEhHsTMYQ6j1gsuOKr1Dd6B3FWBYWNr7ZzLmUQnYOG9uA9eKOUbfALbmH7YR0ea35+7NiMM07cObV4tlQngB93m8UGraiK2W0Uw4aq9orBYLzAupBUVzbyYhArSt53shkTi5amQlqI3MavFw93UvbcUGaA+WbBDo0pApzBaqPCTTqJNmR1rRCYh7IyucFWI8MA+HqRPrklgnaujbHC+noGHK3C6DEj+LOIjmMZcIT6jjmcdrIhshqvVc7aZ7i3So+7OA5PtAXBnZWW2rrvS4qGYrUEFTJKljKQHig9KMrTt1xl+5zyFP4NP3uHEEOS4A2V8N3o6tbwuqdwvABMHu2Lisfyd6wcdhmK5RQfbzgQDHJ8stR9h6eXJqg797x7jbwFooskGhZBhnNhwFrpC1EWFPqfR+u4eOOZhwDwJvQKQUDIb9AUmcjJx4rFjWZD6N2pnF8MalI6YRD3JaJYDMupt/+DqMVCOGd06hwEeA507y5ylwHDaHp8QPLj+GPyeAmKnRJH/iv/MUtuvHKJw5t0z1btD0OfXAZfNjKKF0wmY0XG0RzvYVZRYV8MQS02AD/IAW+eJIknvaUXwGBQ7UjWU3iN/R+v6X4+aXBO247FtNGd/ewN9ZZCqfvae7w8ze+4x0Wt2WtltgZrjIsPdBj0Qjuazclc5XhrXYct/vp87KEwKISXsLIdFnEKCr0BX4lEaQaD3F0cyN3B5ekTJKFtg0f58myQmkQ7nwjIMoqIFKT3xoGXMTfvAkxRAKMew0kEUdVbL+9QCKYcksbMAyuhMd8Dn9Rrz7UOHXeMUY14/G1X8vSDh5B+ky1U2MuKxJm+VJSd3s7LkF+s4UT09nGOFzoC11pccZmgKIU+tWkZG1gzjd+9du1qfduDXmUOdWS3O8a8Ei1SWVCcZ5wvUdziaLsasl4L9HvTyAfQO2kdXHs2zJPIIlOOCGJ9qtImJFWQ41WpQYNL6JOpW4jcOeX3o/cja2ORWgIFHBncaArWrsldNkG11N2yNEd+tg8ZCbSKAUgxHb3QTlEnKvn
X-Microsoft-Exchange-Diagnostics: 1; DB6PR0701MB2999; 6:HjplPtnaYGo8Mdl7HKcK3T6CacLEGKNiDRa1LE3yOrvmpt/7NEmcdX9D1UZY+QUijimD4p1YxVQnsdZkIedv/c3Ru7psMmQl/bfG/DFyh/QA3MthZcwQNh17n011kpnn+8lw6K8N9w23H8ing59hht4kvJjbKCr0NkXdqr4HJFSCizaK5w7JDfZlN0Hg26rBu5q4M1lSG2upIoX9o8JYUTGAVPvuXKCjeUUCQoi4ibhiTUFehTXjekX2qF77/hzFhtIQWoQ/8WnCr0qD5rwGPcGZFCxSCPf22Q0joZp06/5al/VesL2NS65Ah63y/yoW; 5:pJ7bFdfT3Lle+/pGEE9kedMgZcxi+DRgpmAoBIO7vfj4t47Eb3PKJrwUryh55fg/wRVzWc0oPQfs4LKcj0DhJoebZ4Y+ScjS/6Q2tDN8Y6b8TiVALfvl/OinLKbSw+3mjQLEMSzoLoo3L1wOsDVU9RuVTBgkGX+Dw2osYDr1q1Q=; 24:+7a47wQqT1rtY3iqoJeJyoRBjxI9GzlzwMyphTQ8tVI/Q4Cyse+pn0mzdTv2QZNpCzIZyedTxVHUwlHPJ4u0TEjtYeB3l944HVLW0Ea4+G4=; 7:TzNreb5kn1c8UE55TL4eEodllOwwQ0cguOrjsM+Rm095E68MaL4lCC2YsiTerIxPH61D5poncxEAO84lRzGD+pKUlRsp9fpZnKKJlrNKu49vHhPnBwWOs6KXpu92Fh4CQgoR17BcxTnMoZuGxJTJ4xnymoVLjL3A+TXEFa9Uwa1kprZwwgrJV7DXU4qlmj+MsTmCISSAr3ZoPWaOWR97LUB4Yowp7twxcvgvkjTed7IhGCEN3g6/dLN6Mdxa4mayzBVQPXf9NhAvfx8yZLWzL44Fv0UyxbUixeQJEYYJnHPRTh3QFGD9H46W2XhcEeiPAvEsZpN2bzIsu8qKG4jFEA==
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Oct 2016 16:21:37.3810 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0701MB2999
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/GcCWkv3t4-83OlHsyaTnvxdAPnM>
Cc: "opsawg@ietf.org" <OpsAWG@ietf.org>, draft-ietf-opsawg-tacacs-05@tools.ietf.org, "opsawg-chairs@tools.ietf.org" <OpsAWG-chairs@tools.ietf.org>
Subject: Re: [OPSAWG] Start of WGLC for TACACS+ document.
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 16:21:45 -0000
----- Original Message ----- From: "Alan DeKok" <aland@deployingradius.com> Sent: Thursday, October 06, 2016 2:56 PM On Oct 6, 2016, at 6:00 AM, t.petch <ietfc@btconnect.com> wrote: > Alan is right to pick up on the style - philosophical - and the > security - lack of. > > But do we want to change it all at this time? Please show where I'm trying to change the protocol. <tp> Alan You are not, and I did not mean to imply that you were. I mean that your changes seem to me reflect a different approach, a different style which I do not see as that of the authors. I see the existing style as unusual, but not wrong, and am content to leave it as is for an Informational RFC which documents what is, or perhaps what has been. You used the word 'philosophical' and I agreed. So I would keep changes to the minimum, omissions or contradictions and those required by the publication process (such as splitting References into Informative and Normative). It is, after all, WGLC. On Security, I would invite the chairs to ask for an early review by the Security Directorate, explaining the context of this document, asking them how much more is needed and how it should be expressed. It might not be very much although my experience is that I never know in advance what they are going to come up with. Tom Petch > This is an Informational document describing the state of play as of > some time past, perhaps not as far back as 1997 but not for 2016. It > would require many changes to make it a 2016 Standards Track document > but that is not what I see us doing except that is how I take Alan's > comments. Then you're not reading my comments. I would like to implement historical TACACS+. I have *NO IDEA* what to do for huge swaths of the protocol. I would like to deploy historical TACACS+. I have *NO IDEA* what the security implications are of using it. > The analogy I have in mind is when SSL v3 was published, long after it > had been superseded by anyone who took security seriously, but was > needed as an RFC to refer to, although it would not pass muster because > the security thereof was too weak. It would not have met the standards > of the day but was published despite that. I'm not asking that the protocol be *fixed* in this document. I'm asking that it be *documented*. That shouldn't be hard to understand. I've been saying it for about a year now, for anyone who bothers to read my messages. I'll note that RFC 6101 is "Category: Historic", and has substantial text about the security (or lack thereof) of the protocol. It has substantial text about how the historical protocol works. I'm suggesting we do the same here. I'm suggesting the the TACACS+ protocol be documented as designed, in sufficient detail that someone can read the document and create an inter-operable implementation. I'm suggesting that the TACACS+ protocols security (or lack thereof) be documented. Which is (so far as I'm aware) still IETF practice for informational specifications. If the goal for the document is something else, fine. Update the document to say that. Something like: "This document attempts to specify the historical TACACS+ protocol. However, there are many portions of the protocol which are under-specified or unspecified. We cannot second-guess twenty years of practice here. As a result, this specification is incomplete, under-specified, insecure, and should not be used by anyone to implement anything. Please wait for the Standards track document to get the actual TACACS+ specification that people can implement". If the document can be updated with such text, I'll withdraw all of my review comments. But I predict that the document won't pass security area review. And they'll make all of the same comments as I've made here, with a recommendation that the document not be published until it's fixed. Alan DeKok.
- [OPSAWG] Start of WGLC for TACACS+ document. Warren Kumari
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. t.petch
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. t.petch
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Dan Romascanu
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Randy Bush
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)