IETF Logo Mail Archive

[OPSAWG]Re: draft-ietf-opsawg-tacacs-tls13: Debugging TACACS+ over TLS

Heikki Vatiainen <hvn@radiatorsoftware.com> Tue, 26 November 2024 10:52 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06642C14CF0D for <opsawg@ietfa.amsl.com>; Tue, 26 Nov 2024 02:52:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7lXxpkye5Ep1 for <opsawg@ietfa.amsl.com>; Tue, 26 Nov 2024 02:52:09 -0800 (PST)
Received: from mail-oo1-xc29.google.com (mail-oo1-xc29.google.com [IPv6:2607:f8b0:4864:20::c29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BAC6C14F69E for <opsawg@ietf.org>; Tue, 26 Nov 2024 02:52:08 -0800 (PST)
Received: by mail-oo1-xc29.google.com with SMTP id 006d021491bc7-5f1dfb0b44dso971483eaf.2 for <opsawg@ietf.org>; Tue, 26 Nov 2024 02:52:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20230601.gappssmtp.com; s=20230601; t=1732618327; x=1733223127; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=QpY6zrj0C7ljzqmI2qUe9XPH//qgSAyFPWW0A5CF+bI=; b=QkPI1wukfwl42zNzQTXerjRZZ1PJuxQYFa3J20EKqUwzwAfUkwKvxB6RhwtWgPHMJp LOd3B17nHeEMxuoCxLS98gEtu93CN+g99bjvj+KQyq+u7entcQaWKQkHr9BTqbp2NEKv 7DdPXcFirvhzJnF+DdjfyjdXNjeGcHGz1zfkxFIlD0xPgKYEBlpsRMNMWfzmOaZi7bwN dxZEVLdsyTQPI/Bq6+How6/IPqlEauzKghsDMrxzmgluzzvpatZtuNnQ4xArVpJEc1Qw aOtfM1aZnUZ3CZCvF/qXvg7r8q/2fR4RMR0CS1XuwrM/nwXRqoH7F+qwUC02YWPz4OVd 7Xmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1732618327; x=1733223127; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QpY6zrj0C7ljzqmI2qUe9XPH//qgSAyFPWW0A5CF+bI=; b=dFc9gM44DXocFZ6P9VII5Rs3o8KC6qGecmDIsTNaDTGxkh+JCSV53DEdb2Vya5eUpW QRcXnuJg2spqJ1wF59nzBKW/M7xwckKVBQgBL+QoH4ze/aN0sH5eDjvDAtpw5f0nshsP bJTBfFTmIo2Q9UjLT12ntEfEj/lTeS83X+Fr494gTMi0uts+hA1OvMXTYEyvswPnTVMp UDln2BNOFYTGXyXJXh//r44Coud387NLpRUGmhwavlZuXFjuUW8IpnYSPGV4rH58Zr71 tJB5mW6J1AIlxBhvOw4EKPj+ppvDvSSmJ5lT1nXNkNSUQ387HdJiUlJx9nKdj3Ta9fbv BpCA==
X-Gm-Message-State: AOJu0YwXoJiu6js1S09PT9hIk+Y2fu/H3OpQQxB29U2/rDeLYoMgaT1X SaoxteMwvOhLoJBqUOv3qwhnApyydiYtzOuUpNjfy9ZNjro0Jet/jpewUI0O9VKK1ItwxGvA/wk G8TvcT+MQw4FCRB3iPEIPhI4SHhpiy4Q3oAYr
X-Gm-Gg: ASbGncsde+DjgutRi5wB3OAbn7O3F3govqo7kqutywDKiKT2s2K7MBRSR4YRt+e495v Hi4nUQprzvLc/y9LE9SbSzjoPQyiqcXcjcOXjxjkiFpw2OhqprgrLbui78foHAw==
X-Google-Smtp-Source: AGHT+IEHVnyQaQOC4ycyEhRvK0h53KpKJKjne7nwWsZoEotTVr1KM5FXMMuNbpakpzNmdRB3UdQEVFlf6ZgAPkbjmqo=
X-Received: by 2002:a05:6870:ab07:b0:296:8309:6a50 with SMTP id 586e51a60fabf-29720f83c36mr13718156fac.41.1732618327605; Tue, 26 Nov 2024 02:52:07 -0800 (PST)
MIME-Version: 1.0
References: <CAA7Lko9cmE2t0i9h0vTV0JwUAdSagLg9U=TOkPkVXpxNhPTMGA@mail.gmail.com> <DU2PR02MB101601D475162B87BCC2F0D00882F2@DU2PR02MB10160.eurprd02.prod.outlook.com>
In-Reply-To: <DU2PR02MB101601D475162B87BCC2F0D00882F2@DU2PR02MB10160.eurprd02.prod.outlook.com>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Tue, 26 Nov 2024 12:51:51 +0200
Message-ID: <CAA7Lko9Pm0nvjoYt66702TB4pKY=nR_A7_r72tG8vR05vqLseQ@mail.gmail.com>
To: mohamed.boucadair@orange.com
Content-Type: multipart/alternative; boundary="000000000000f2e2b80627cea356"
Message-ID-Hash: Y54LAB3GLNDX5OEOKMK6J2IRKBJMUXSO
X-Message-ID-Hash: Y54LAB3GLNDX5OEOKMK6J2IRKBJMUXSO
X-MailFrom: hvn@radiatorsoftware.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-opsawg.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: opsawg <opsawg@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OPSAWG]Re: draft-ietf-opsawg-tacacs-tls13: Debugging TACACS+ over TLS
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/IoXZNjxrMTpFbjmd68q4KfKQjRM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Owner: <mailto:opsawg-owner@ietf.org>
List-Post: <mailto:opsawg@ietf.org>
List-Subscribe: <mailto:opsawg-join@ietf.org>
List-Unsubscribe: <mailto:opsawg-leave@ietf.org>

Hello Med,

yes, TLS keylog is a very powerful and dangerous tool and needs to be used
with care. Where I thought it would be primarily be used is a test or
staging environment where configurations are built, updated and tested
before brought to production. If a tool, such as Wireshark, is used to help
with this now, I'd say it would be useful to hint TACACS+ users and client
and servers developers about the options they have when building
configurations that use TLS.

What I'm thinking is that what can be done to help switching to TLS when it
becomes available. At the moment everything is directly visible on the
wire. This has made troubleshooting very easy: just watch what's going to
if server or client debug logging does now help. With TLS 1.3 only the
beginning of the handshake can be snooped directly before encryption is
switched on. This is a very, very good thing and if users know how to do
debugging with TLS, my hope is that it will make TLS adaptation faster.

I understand why recommending TLS keylog in production can not be done.
Could it be mentioned as a tool when developing and testing TLS enabled
configurations?

Thanks,
Heikki

On Tue, 26 Nov 2024 at 08:28, <mohamed.boucadair@orange.com> wrote:

> Hi Heikki,
>
>
>
> I have one comment about the suggestion to indicate that
> draft-ietf-tls-keylogfile is a better option.
>
>
>
> That spec says actually the following:
>
>
>
>    This format is intended for use in
>
>    systems where TLS only protects test data.  While the access that
>
>    this information provides to TLS connections can be useful for
>
>    diagnosing problems while developing systems, this mechanism MUST NOT
>
>    be used in a production system.
>
>
>
> I’m not quite sure we can recommend this mechanism here.
>
>
>
> Cheers,
>
> Med
>
>
>
> *De :* Heikki Vatiainen <hvn@radiatorsoftware.com>
> *Envoyé :* lundi 25 novembre 2024 19:18
> *À :* opsawg <opsawg@ietf.org>
> *Objet :* [OPSAWG]draft-ietf-opsawg-tacacs-tls13: Debugging TACACS+ over
> TLS
>
>
>
>
>
> Would it be possible to add some text about troubleshooting TACACS+ when
> TLS is enabled? More exactly, add a reminder that TLS keylog
> https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/ is a better
> option than:
>
>
>
> - trying to enable NULL encryption, authentication and integrity only,
> ciphers for TLSv1.3 (see RFC 9150, supported by WolfSSL and OpenSSL 3.4); or
>
> - switching to non-TLS TACACS+ connections just because of troubleshooting
>
>
>
> Any of the above alternatives would likely require configuration changes
> on the TACACS+ server and client side which may affect more connections
> than necessary. After the troubleshooting is done, any changes to TLS
> settings would also need to be reverted. This may be easy to forget leaving
> the system in insecure state.
>
>
>
> The reason why debugging is done may also relate to the TLS handshake
> itself in which case any changes to TLS settings may make the debugging
> effort useless. I.e., the attempt to observe the system changes the system
> behaviour.
>
>
>
> To provide some background, I work on AAA software named Radiator that has
> supported TACACS+ for 20+ years. From what we see, Wireshark, as an
> example, is often used to debug TACACS+. It's well-known, supports TACACS+
> well and very importantly, provides a neutral third party view of what's
> going on between the client and server. Because Wireshark also supports TLS
> keylog, it will likely continue to be a very important tool when TACACS+
> runs over TLS.
>
>
>
> Thanks to authors working on this! Please excuse me for being a bit late
> for the party.
>
>
>
> --
>
> Heikki Vatiainen
> hvn@radiatorsoftware.com
>
> ____________________________________________________________________________________________________________
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
>
>

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com

v2.46.0 | Report a Bug | By Email | System Status