IETF Logo Mail Archive

Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII

Alan DeKok <aland@deployingradius.com> Fri, 19 May 2017 17:11 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10898128DF3; Fri, 19 May 2017 10:11:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hMX1NN9oMKev; Fri, 19 May 2017 10:11:49 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id DF68E126CC4; Fri, 19 May 2017 10:11:48 -0700 (PDT)
Received: from [192.168.20.121] (CPEf4cc552207f0-CM00fc8dce0fa0.cpe.net.cable.rogers.com [99.230.129.191]) by mail.networkradius.com (Postfix) with ESMTPSA id 61A6DBB5; Fri, 19 May 2017 17:11:47 +0000 (UTC)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset="iso-8859-1"
From: Alan DeKok <aland@deployingradius.com>
X-Priority: 3
In-Reply-To: <017f01d2d08c$7096de20$4001a8c0@gateway.2wire.net>
Date: Fri, 19 May 2017 13:11:45 -0400
Cc: IETF OOPSAWG <opsawg@ietf.org>, draft-ietf-opsawg-tacacs@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <61BFF2A7-680E-433F-8D7E-E0F0B95A2DC6@deployingradius.com>
References: <D53BBCC7.22ECC8%dcmgash@cisco.com> <61D9FC7A-6F10-44E6-8400-578C4FEE1988@deployingradius.com> <D53C62F4.22F82E%dcmgash@cisco.com> <E7D62944-46B9-4091-BF16-0AF8CA47626D@deployingradius.com> <fc8a1ff5-db6f-d463-8ff7-77ec03f1f25f@gmail.com> <006101d2cd9c$e8c0afe0$4001a8c0@gateway.2wire.net> <D53FAB1A.23396E%dcmgash@cisco.com> <010d01d2ce79$477ceda0$4001a8c0@gateway.2wire.net> <D5411107.2340EF%dcmgash@cisco.com> <632EB4D0-15C0-4BF7-9187-9AFCD7EDE306@ll.mit.edu> <D54116DA.23412A%dcmgash@cisco.com> <6B9DFA23-41BD-4896-B80C-EC0EAB51D5FD@deployingradius.com> <017f01d2d08c$7096de20$4001a8c0@gateway.2wire.net>
To: "t.petch" <ietfc@btconnect.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/GfC4k74Hnm8elQhgOTMwY5DtToU>
Subject: Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 ASCII
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2017 17:11:51 -0000

On May 19, 2017, at 6:38 AM, t.petch <ietfc@btconnect.com> wrote:
> 
> Another fresh topic, so a slight change in the Subject:
> 
> I think that the use of the term ASCII needs more thought.

  Speaking only as an opinionated WG member... yes.

> d) in some places, I think that the term ASCII is being used too
> loosely.  ASCII is a character set and an encoding.  If you simply say
> US-ASCII, then you are including DC3 and FF, for example, which are
> unlikely to be valid.  Some use US-ASCII to mean printable ASCII, some
> to mean alphameric plus a few others such as hyphen-minus and period.
> This needs defining.  I don't know how many different character sets you
> have - I was surprised that '&£#' (or some such) is a valid identifier
> in places where an equal sign is not - so this needs more work.

  I agree.

> e) this leads into data types, which Alan raised.  Boolean is used as a
> data type. (I have seen it as a character string of 'true'/'false' of
> '0'/'1' with zero meaning either true or false or vice versa or as a
> binary integer of some number of bits or ....)  As Alan implied, section
> 7 and others are full of data types but on the one hand, what type it is
> is usually omitted and on the other hand, the data types are not
> defined.

  The main issue with data types is that TACACS+ is a protocol based on printable strings.  So "data types" really means "printed versions of data types", which is a lot more problematic than "32-bit integer".

> You need to define datatypes; from the current I-D, I do not know how
> many there would be; probably not many.  Look for example at TLS
> (RFC5246) or YANG (RFC6020) which nail down the datatypes, semantic and
> encoding, before they define data structures.  This is what I think that
> you should do, on a smaller scale.  Since YANG is being so widely
> deployed, you would get brownie points IMO for being in line with YANG
> wherever possible

  That's good, tho there are inconsistencies.  e.g. Yang "string" doesn't exactly map to TACACS+ "US-ASCII thing".  Yang "boolean" is "true/false", while TACACS+ has used "yes/no".

  We added data types to RADIUS, because it had (roughly) data types from day one, 32-bit integers, and all of the implementors had already agreed on meanings / encodings for them.  So RFC8044 was just a codification of existing practices, and not any change to implementations.

  Then there's the additional issue of trying to define data types for a protocol that's entirely string based, and has 18 years of implementation practice.

  i.e. before defining data types, it would be good to know what implementors have done, and then define types that match that.

  However, implementors are largely silent about all possible TACACS+ issues.  Which makes me think that the draft should name the data types, but be a bit vague about what they contain.

> I see a need for boolean, character string/text, IPv4 address, IPv6
> address, time interval, integer (positive ?negative).  I would like a
> section on datatypes at the front, section 1 or 2.

  I'd agree, subject to the caveats raised above.  i.e. "boolean is boolean, typically yes/no, but maybe also true/false, we really don't know..."

> f) in a similar vein, you use what I take to be hexadecimal
> representation but are inconsistent with it. I see
> OX0D 0x0D 0x1 0x01
> This should be consistent and is also worth defining, as a
> representation.

  I agree, subject to the same caveats.  It would also be nice to know what implementations do...

> g) and then there is i18n, which gets an implicit mention with UTF8 but
> harks back to d).  How much of UTF8 is allowed and where; it encompasses
> over 65k characters these day:-(

  IMHO, the draft should just mention 18n, and run away screaming. :(

  As in, "we know about it, we don't know how to fix it, we don't know what implementations do, the fields are defined to be US-ASCII, if they contain anything else, that's bad."

> This amounts to a lot of potential detailed change, but I would like to
> see consensus on the approach first before edits are proposed or made.

  I think this is the right approach.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email