Re: [OPSAWG] Genart telechat review of draft-ietf-opsawg-tacacs-13

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Sat, 22 June 2019 05:46 UTC

Return-Path: <dcmgash@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FC7212014E; Fri, 21 Jun 2019 22:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Ym+Q5fxz; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=TU/swH86
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxzPJg21dJBB; Fri, 21 Jun 2019 22:46:08 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1325012011F; Fri, 21 Jun 2019 22:46:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8614; q=dns/txt; s=iport; t=1561182368; x=1562391968; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=FuMc/sgdCjfq6CbzbHr96U7UpvQCrj2PU5MqKjlz+T4=; b=Ym+Q5fxz+bnMeBG41cglgws87IRI6Rn7HHOTkRdsXV61jO3YAgSnwMWe Pgk2F9YYKnahF9vKHpAe3YycUYBsek77i2uX8IoyyAJYg8qcPwb0VPIcI Rp8JYSpuCZpVa5JE7V2xBVEYtWFIKEwW1wt3oucd8ESw0j26BzUgeIGcy Y=;
IronPort-PHdr: =?us-ascii?q?9a23=3ARdbcqRZ7B6sWXVAdFJuYSoT/LSx94ef9IxIV55?= =?us-ascii?q?w7irlHbqWk+dH4MVfC4el20gebRp3VvvRDjeee87vtX2AN+96giDgDa9QNMn?= =?us-ascii?q?1NksAKh0olCc+BB1f8KavmZCk1Fd9CfFRk5Hq8d0NSHZW2ag=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BIAAD6vw1d/40NJK1kHAEBAQQBAQc?= =?us-ascii?q?EAQGBUwcBAQsBgUNQA2pVIAQLKIQWg0cDhFKKD4JblziBLhSBEANUCQEBAQw?= =?us-ascii?q?BASMKAgEBhEACF4JFIzQJDgEDAQEEAQECAQVtijcMhUsCAQMSEREMAQElEgE?= =?us-ascii?q?PAgEIFAYCFAUNAgICMBUQAgQBDQUigwABgWoDHQEOmmcCgTiIX3GBMYJ5AQE?= =?us-ascii?q?FhHsYghEDBoEMKAGLXReBf4EQAScfgkw+gmECgUEBAQYCLTiCOzKCJottPwW?= =?us-ascii?q?CG4UciDGNBWsJAoISgnSDWYkrg2obgiiHDI4SjSWBL4V+j1MCBAIEBQIOAQE?= =?us-ascii?q?FgVA4gVhwFWUBgkGCQQsBARaDTYUUhT4BcoEpjEkVgi4BAQ?=
X-IronPort-AV: E=Sophos;i="5.63,403,1557187200"; d="scan'208";a="295437819"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 22 Jun 2019 05:46:06 +0000
Received: from XCH-RCD-017.cisco.com (xch-rcd-017.cisco.com [173.37.102.27]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id x5M5k6eq021734 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 22 Jun 2019 05:46:06 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-RCD-017.cisco.com (173.37.102.27) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Sat, 22 Jun 2019 00:46:05 -0500
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Sat, 22 Jun 2019 01:46:05 -0400
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Sat, 22 Jun 2019 00:46:05 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FuMc/sgdCjfq6CbzbHr96U7UpvQCrj2PU5MqKjlz+T4=; b=TU/swH8626BZ2VC8cRMk9xICqvqs2eH8tE5Vdg4tRAGWNQqAkyGJ7sHkW1+9ZfzHD5ueLyIgAEqTlJgoqxOmGonmxDlQedAclgQsbbCAJ881t2qsUdk6pqYT86ftI0VgSoAAfEyGJQkloYH3CqEx0RPCPHu5c++yONw7rqgsksA=
Received: from DM5PR11MB1322.namprd11.prod.outlook.com (10.168.104.140) by DM5PR11MB1258.namprd11.prod.outlook.com (10.168.108.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Sat, 22 Jun 2019 05:46:04 +0000
Received: from DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::8d6c:2d4e:6b5d:fc95]) by DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::8d6c:2d4e:6b5d:fc95%5]) with mapi id 15.20.1987.014; Sat, 22 Jun 2019 05:46:04 +0000
From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Stewart Bryant <stewart.bryant@gmail.com>, "gen-art@ietf.org" <gen-art@ietf.org>
CC: "opsawg@ietf.org" <opsawg@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-opsawg-tacacs.all@ietf.org" <draft-ietf-opsawg-tacacs.all@ietf.org>
Thread-Topic: Genart telechat review of draft-ietf-opsawg-tacacs-13
Thread-Index: AQHVKL3HpZK/9UGpJ0y2XKW1YfW57w==
Date: Sat, 22 Jun 2019 05:46:03 +0000
Message-ID: <97B82D7D-D342-4DFC-AFD5-42B9A22433D5@cisco.com>
References: <155775206584.23645.18248080061887454144@ietfa.amsl.com>
In-Reply-To: <155775206584.23645.18248080061887454144@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.26.0.170902
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dcmgash@cisco.com;
x-originating-ip: [2001:420:c0e0:1006::4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7024de8e-dbc5-42f2-6536-08d6f6d4ea1b
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR11MB1258;
x-ms-traffictypediagnostic: DM5PR11MB1258:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <DM5PR11MB1258D17F1BEACFE7DE0B3BA3B7E60@DM5PR11MB1258.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0076F48C8A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39860400002)(396003)(366004)(346002)(376002)(51914003)(199004)(189003)(76176011)(99286004)(81156014)(256004)(81166006)(36756003)(14444005)(229853002)(5660300002)(4326008)(25786009)(14454004)(110136005)(54906003)(8676002)(33656002)(316002)(102836004)(446003)(6512007)(2616005)(476003)(6246003)(7736002)(11346002)(68736007)(58126008)(86362001)(71200400001)(71190400001)(53936002)(2906002)(6486002)(6306002)(6436002)(46003)(6506007)(53546011)(73956011)(8936002)(64756008)(305945005)(66476007)(66446008)(66946007)(2501003)(66556008)(6116002)(486006)(478600001)(91956017)(76116006)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1258; H:DM5PR11MB1322.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: OFNW8XZU9FUiXcOkrSI0tr/CvvRQgvGxT9nCmvUT2u8/FCXsb2zOaiYF2sWFu4tGfdgPSLU8DuJwujEv5chBAejcER7Vma9ehVslqnFphPXYfVAOjqjTwT7iPkIkMAXpTGfjp+vxes8T5k3mFomAcNPiurIVR8JSY35rqslHd4+BHDZRXRRNy7stMMdfxiP/KunM2goj5CQ59Dey+OoeSQQ975KV/Kcf4EZr5BM6S9qi6E8ObeENxxi7vryMdSMBT36mOEekVMAyGf/5qhTlkT2K7Ut3y6SKf8TLpaOCNTzds2FjkYGTI2Gk366eEUXEId4Kyd45SNwAUb+2MvnLcStdWpUrgETlcWyzd1XWBkVwE/iFoLc4KrswWZ4FmAxTM0NmTYMdPSBaLyQ8cQpuGPrwvfv/XqzVQT0gVZ3/+2g=
Content-Type: text/plain; charset="utf-8"
Content-ID: <E12F9BBBAE518D459E22B4B0B8360A42@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7024de8e-dbc5-42f2-6536-08d6f6d4ea1b
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jun 2019 05:46:03.9066 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dcmgash@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1258
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.27, xch-rcd-017.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/HGj9KEDW1vS4T7Zz9soEpmeSzOk>
Subject: Re: [OPSAWG] Genart telechat review of draft-ietf-opsawg-tacacs-13
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jun 2019 05:46:11 -0000

Many thanks for the comments.

Please see responses from authors inline, marked “TA”. Action items from this mail to update the document are marked: [AI-TA] to mean: “action item for the authors”.

On 13/05/2019, 13:54, "Stewart Bryant via Datatracker" <noreply@ietf.org> wrote:

    Reviewer: Stewart Bryant
    Review result: Almost Ready
    
    I am the assigned Gen-ART reviewer for this draft. The General Area
    Review Team (Gen-ART) reviews all IETF documents being processed
    by the IESG for the IETF Chair. Please wait for direction from your
    document shepherd or AD before posting a new version of the draft.
    
    For more information, please see the FAQ at
    
    <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
    
    Document: draft-ietf-opsawg-tacacs-13
    Reviewer: Stewart Bryant
    Review Date: 2019-05-13
    IETF LC End Date: None
    IESG Telechat date: 2019-05-16
    
    Summary:
    
    There are a number of issues called out below that need addressing before publication.
    
    Someone needs to micro-check the text to make sure that all terms are defined and referenced.
    I picked up a few, but there were a lot I did not have time to check.
    
    Major issues:
    
    SB> The IANA section should ask IANA to point to this RFC as a reference
    SB> for port 49
    
    ============
    
    
       The first MD5 hash is generated by concatenating the session_id, the
       secret key, the version number and the sequence number and then
       running MD5 over that stream.  All of those input values are
       available in the packet header, except for the secret key which is a
       shared secret between the TACACS+ client and server.
    
    SB> MD5 make a good checksum, but I am surprised to see it used in this
    SB> application in a new protocol.

TA>  Agreed, however TACACS+ is not a new protocol  (This is an informational document)
    
    =============
    
       All TACACS+ packets begin with the following 12-byte header.  The
       header describes the remainder of the packet:
    
    SB> If ever there was an error in a long term session, how
    SB> how would you find in in the following packet structure?
    SB> Presumably from an incorrect major version and sequence number?

TA> Yes, sequence number tracking is essential. But TACACS+ sessions related to single AAA operations, they  do not extend to link multiple AAA sessions to track connectivity, for example.
    
    SB> Some details on the error cases and the unconditional "safety"
    SB> of the protocol would be useful.
    
TA> There is some general discussion of ERROR conditions within  the context of connectivity and aborting a transaction  in sections  “4.4  Session Completion”  and  “4.5.  Treatment of Enumerated Protocol Values”,  and section 10  contains some coverage  of security issues, please advise if there are other areas of error cases and safety  they  would be useful to be  covered.

    ==========
    
          TAC_PLUS_AUTHEN_TYPE_ASCII := 0x01
    
          TAC_PLUS_AUTHEN_TYPE_PAP := 0x02
    
          TAC_PLUS_AUTHEN_TYPE_CHAP := 0x03
    
          TAC_PLUS_AUTHEN_TYPE_ARAP := 0x04 (deprecated)
    
          TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05
    
          TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 := 0x06
    
    SB> There are lots of lists similar to the above.
    SB> I have not checked them all, but a number of the types 
    SB> in this and subsequent parts of the design don't seem
    SB> to be defined or have a definitive reference
    
TA> Correct, the enumerations are listed without further details where it is assumed that the values provide understood meanings. In fact for the enumerations above, the imlications have  some coverage in  section: “5.4.2.  Common Authentication Flows”

    ===========
    
     The START packet MUST contain a username and the data
       field MUST contain the PAP ASCII password.  A PAP authentication only
       consists of a username and password RFC 1334 [RFC1334] . The REPLY
       from the server MUST be either a PASS, FAIL or ERROR.
    
    SB> Should there note be a note that RFC1334 is obsolete?

TA> Agreed [AI-TA]
    
    ===========
    
    Minor issues:
    
    The use of the term "packet" as a unit of data is confusing, since the protocol
    is carried over TCP which is a streaming protocol.
    
    They are really TACAS+ PDUs
    
TA> Agreed. There is  a  definition of packet:

“   Packet

   All uses of the word packet in this document refer to TACACS+
   protocol packets unless explicitly noted otherwise.”

However, of course the doc should be updated for the  correct terminology [AI-TA]

    =========
    
    (For example, Cisco uses "tty10"
       to denote the tenth tty line and "Async10" to denote the tenth async
       interface).  
    SB> Is it correct to quote a particular vendor in an RFC of this type?
    
TA> Likely not! Agreed [AI-TA]

    ========
    
          TAC_PLUS_PRIV_LVL_MAX := 0x0f
    
          TAC_PLUS_PRIV_LVL_ROOT := 0x0f
    
          TAC_PLUS_PRIV_LVL_USER := 0x01
    
          TAC_PLUS_PRIV_LVL_MIN := 0x00
    
    SB> Where are these defined?

TA>  They are not defined as yet. [AI-TA] 
    
    ========
    Nits/editorial comments:
    
          The normative description of Legacy features such as ARAP and
    SB> ARAP not expanded anywhere in document.
    
TA> Agreed. Though we have:

“The normative description of Legacy features such as ARAP and
      outbound authentication has been removed, however, the required
      enumerations are kept.”

Probably it is best to remove  the  enumerations as well.  [AI-TA]

    =====
    
    SB> telnet and rlogin need references
    
    =====
       is the user is connected via ISDN or a POTS, 
    SB> Are ISDN and POTS well known IETF terms?
    
TA> Agreed [AI-TA]

    =====
    
       It is not legal for an attribute name to contain either of the
       separators.  It is legal for attribute values to contain the
       separators.  
    SB> Is "legal" the correct term here?

TA> Agreed [AI-TA]