Re: [OPSAWG] Start of WGLC for TACACS+ document.

Alan DeKok <aland@deployingradius.com> Thu, 06 October 2016 16:35 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <003101d21fed$6978cb80$4001a8c0@gateway.2wire.net>
Date: Thu, 06 Oct 2016 12:35:30 -0400
Message-Id: <0124D7D3-98BA-4175-AE57-39C03349009C@deployingradius.com>
References: <CAHw9_iK-1=Epr5CLAtFayd0Bss6oZrsDTfyox6y2SfPJAav78Q@mail.gmail.com> <5019ABA9-BB74-4C69-A455-12C17A2958CE@deployingradius.com> <E6C64895-F0C6-40B8-A687-4DC56590B22E@deployingradius.com> <025401d21fb8$71906e20$4001a8c0@gateway.2wire.net> <2769B0A9-00DE-41F8-9971-9C0AABDC8109@deployingradius.com> <003101d21fed$6978cb80$4001a8c0@gateway.2wire.net>
To: "t.petch" <ietfc@btconnect.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/IjLmm1rs6Vjnu9IxAYSJ-AIMdvo>
Cc: "opsawg@ietf.org" <OpsAWG@ietf.org>, draft-ietf-opsawg-tacacs-05@tools.ietf.org, "opsawg-chairs@tools.ietf.org" <OpsAWG-chairs@tools.ietf.org>
Subject: Re: [OPSAWG] Start of WGLC for TACACS+ document.

On Oct 6, 2016, at 12:19 PM, t.petch <ietfc@btconnect.com> wrote:
> You are not, and I did not mean to imply that you were.  I mean that
> your changes seem to me to reflect a different approach, a different style
> which I do not see as that of the authors.  I see the existing style as
> unusual, but not wrong, and am content to leave it as is for an
> Informational RFC which documents what is, or perhaps what has been. You
> used the word 'philosophical' and I agreed.

  I see the existing draft as not documenting the protocol.  That's my main concern.

> So I would keep changes to the minimum, omissions or contradictions and
> those required by the publication process (such as splitting References
> into Informative and Normative).  It is, after all, WGLC.

  This doesn't address my concerns.

  Again, as an implementor, I have *no idea* what to do for huge swathes of the protocol.

  On top of that, the current draft is silent on serious security topics.

  e.g. Length of CHAP challenges is implied from the context.  OK, that's fine, but what are the *limits* on CHAP challenge lengths?

 A: none.  CHAP challenges can be omitted entirely!

> On Security, I would invite the chairs to ask for an early review by the
> Security Directorate, explaining the context of this document, asking
> them how much more is needed and how it should be expressed.  It might
> not be very much although my experience is that I never know in advance
> what they are going to come up with.

  I've been a member of SAAG for a while now, and have done reviews, and read many more.  My prediction is that the current document will give SAAG a heart attack, and they will refuse publication.

  There is a huge push to get the draft published.  That's fine.  What's *not* fine is that it seems to me at least... that many people simply don't care what's in the document.  They don't care if the protocol is badly specified.  Or if it's insecure.  In fact, these "features" could be beneficial.  Because it means that everyone can claim compliance.  And no one has to re-examine their implementation.

  That may sound harsh, but I just don't see any other explanation.  If we are going to document the protocol, then let's document the protocol.  If we're going to agree that we don't need to document the protocol then put a huge disclaimer at the top of the draft saying so.

  Giving lip service to "document the protocol", while opposing attempts to do so is unproductive.

  Alan DeKok.
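The CHAP point above, as an added example that is not part of the thread or of the draft: in TACACS+ CHAP the data field is the 1-byte PPP id, the challenge, and the 16-byte MD5 response, so the challenge length is whatever is left over, and nothing in the wire format stops it from being zero. The check below derives the length the way an implementor must, then enforces a minimum challenge length as a local server policy; the helper names, the password, and the minimum of 16 bytes are assumptions made for the sample.

```python
import hashlib
import hmac

PPP_ID_LEN = 1
MD5_RESPONSE_LEN = 16      # CHAP/MD5 responses are always 16 bytes
MIN_CHALLENGE_LEN = 16     # assumed local policy; the draft sets no limit


def split_chap_data(data: bytes):
    """Split a TACACS+ CHAP data field: ppp_id || challenge || response.

    The challenge length is not carried explicitly; it is implied by the
    total length minus the fixed-size id and response.
    """
    if len(data) < PPP_ID_LEN + MD5_RESPONSE_LEN:
        raise ValueError("data too short to hold a PPP id and an MD5 response")
    ppp_id = data[:PPP_ID_LEN]
    challenge = data[PPP_ID_LEN:-MD5_RESPONSE_LEN]
    response = data[-MD5_RESPONSE_LEN:]
    return ppp_id, challenge, response


def verify_chap(data: bytes, secret: bytes,
                min_challenge_len: int = MIN_CHALLENGE_LEN) -> bool:
    """Server-side verification with an explicit challenge-length policy."""
    ppp_id, challenge, response = split_chap_data(data)
    # The wire format accepts an empty challenge; refuse it before any crypto.
    if len(challenge) < min_challenge_len:
        return False
    # RFC 1994 CHAP/MD5: response = MD5(id || secret || challenge)
    expected = hashlib.md5(ppp_id + secret + challenge).digest()
    return hmac.compare_digest(expected, response)


def build_chap_data(ppp_id: bytes, challenge: bytes, secret: bytes) -> bytes:
    """Constructed helper: what a conforming client puts in the data field."""
    response = hashlib.md5(ppp_id + secret + challenge).digest()
    return ppp_id + challenge + response


if __name__ == "__main__":
    secret = b"constructed-secret"                  # sample value, not real
    good = build_chap_data(b"\x01", bytes(range(16)), secret)
    empty = build_chap_data(b"\x01", b"", secret)   # valid on the wire, no challenge
    print(verify_chap(good, secret))                # True
    print(verify_chap(empty, secret))               # False: rejected by policy
    print(verify_chap(empty, secret, 0))            # True: the hash alone passes
```

The last line is the gap the message complains about: with no minimum, a zero-length challenge verifies correctly, so the limit has to come from the implementation rather than the specification.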