Re: [OPSAWG] Alexey Melnikov's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Fri, 20 March 2020 11:23 UTC

From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Fri, 20 Mar 2020 11:23:34 +0000
Message-ID: <BDA0F0F3-ADC5-49E0-9FA7-8870D306C7F6@cisco.com>
References: <155798766808.30465.13613903853679159439.idtracker@ietfa.amsl.com> <93780B8A-40AB-43DF-899E-34DA47E0807C@cisco.com> <6be79839-70a7-4639-a1de-87e47c59cf0f@www.fastmail.com>
In-Reply-To: <6be79839-70a7-4639-a1de-87e47c59cf0f@www.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/MJasvQsY1HSPBaI7fS0yXpZntbI>
Subject: Re: [OPSAWG] Alexey Melnikov's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)

Hi Alexey,

Many thanks for the review and going through the issues that you found, the corrections for which I believe made the document considerably less bad.

Regarding the issue you mentioned below, it is another very valid point. I don’t think that the first change I made was sufficiently clear. I am proposing to add a new para to this section as follows:

“  As mentioned above, this field is used by the client to indicate how
   it performed the authentication.  One of the options
   (TAC_PLUS_AUTHEN_METH_TACACSPLUS := 0x06) is TACACS+ itself, and so
   the detail of how the client performed this option is given in
   Authentication Section (Section 5).  For all other options, such as
   KRB and RADIUS, the TACACS+ protocol did not play any part in the
   authentication phase; as those interactions were not conducted using
   the TACACS+ protocol they will not be documented here.  For
   implementers of clients who need details of the other protocols,
   please refer to the respective Kerberos [RFC4120] and RADIUS
   [RFC3579] RFCs.”

Originally I had intended to try to avoid adding references to the other protocols to minimize references which may go stale, but I’m sure the readers can redirect if needed.

Many thanks,

Doug.

On 18/03/2020, 13:28, "Alexey Melnikov" <aamelnikov@fastmail.fm> wrote:

    Hi Douglas,
    
    On Mon, Jan 27, 2020, at 8:28 PM, Douglas Gash (dcmgash) wrote:
    >     5) KRB5 and KRB4 need normative references.
    > TA> The KRB5 and KRB4 are not specifically used in this document,
    > rather, there is one field with an option that the client uses to
    > indicate how it authenticated, and these are options. This is not
    > verifiable, so it is recommended in the document not to use this field
    > for policy. For this reason, it is not really useful to provide a
    > normative reference, but it is required for the document to explain
    > this. So have added:[AI+TA]
    
    Please add Informative references for them then. If I decide to implement TACACS+ and don't know anything about Kerberos, I wouldn't know where to look.
    
    
    All your other changes are either good or I can at least live with them.
    
    Best Regards,
    Alexey
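The thread above turns on one point about the authen_method field: it is a client-asserted value that the server cannot verify, so the draft recommends recording it but not basing policy on it. The following example, added here and not part of this thread or of the draft's own text, shows what that looks like in a server: it decodes the authorization REQUEST body (the fixed eight bytes, the arg_len array, then user, port, rem_addr and the arguments), names the authen_method value using the enumeration as later published in RFC 8907 section 6.1, and makes the authorization decision from the server's own configuration while only logging what the client claimed. The `permitted` mapping, the sample request and the audit-line format are constructed for the example.

```python
"""Decode a TACACS+ authorization REQUEST body and treat authen_method as audit-only."""
import struct
from enum import IntEnum
from typing import List, NamedTuple, Tuple


class AuthenMethod(IntEnum):
    """authen_method values as enumerated in RFC 8907, section 6.1."""
    NOT_SET = 0x00
    NONE = 0x01
    KRB5 = 0x02
    LINE = 0x03
    ENABLE = 0x04
    LOCAL = 0x05
    TACACSPLUS = 0x06
    GUEST = 0x08
    RADIUS = 0x10
    KRB4 = 0x11
    RCMD = 0x20


class AuthorRequest(NamedTuple):
    authen_method: int
    priv_lvl: int
    authen_type: int
    authen_service: int
    user: str
    port: str
    rem_addr: str
    args: List[str]


def build_author_request(req: AuthorRequest) -> bytes:
    """Serialise an authorization REQUEST body (used here only to construct sample input)."""
    user, port, rem_addr = (s.encode("utf-8") for s in (req.user, req.port, req.rem_addr))
    args = [a.encode("utf-8") for a in req.args]
    head = struct.pack("!8B", req.authen_method, req.priv_lvl, req.authen_type,
                       req.authen_service, len(user), len(port), len(rem_addr), len(args))
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request(body: bytes) -> AuthorRequest:
    """Decode an (already de-obfuscated) authorization REQUEST body, length-checking every field."""
    if len(body) < 8:
        raise ValueError("body shorter than the 8-byte fixed part")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_addr_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8

    def take(n: int) -> bytes:
        # Consume exactly n bytes; a short read means a truncated or malformed packet.
        nonlocal off
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated field at offset %d" % off)
        off += n
        return chunk

    arg_lens = list(take(arg_cnt))          # one length byte per argument
    user = take(user_len).decode("utf-8")
    port = take(port_len).decode("utf-8")
    rem_addr = take(rem_addr_len).decode("utf-8")
    args = [take(n).decode("utf-8") for n in arg_lens]
    if off != len(body):
        raise ValueError("%d trailing bytes after last argument" % (len(body) - off))
    return AuthorRequest(authen_method, priv_lvl, authen_type, authen_service,
                         user, port, rem_addr, args)


def describe_authen_method(value: int) -> str:
    """Name a value for logging; unknown values are kept visible rather than dropped."""
    try:
        return AuthenMethod(value).name
    except ValueError:
        return "UNKNOWN(0x%02x)" % value


def authorize(req: AuthorRequest, permitted: dict) -> Tuple[bool, str]:
    """Return (decision, audit line).

    `permitted` (assumed, constructed for the example) maps user -> set of cmd
    values the server itself allows. The client's authen_method is written to
    the audit line but never consulted for the decision.
    """
    cmd = next((a.split("=", 1)[1] for a in req.args if a.startswith("cmd=")), None)
    allowed = cmd is not None and cmd in permitted.get(req.user, set())
    audit = "user=%s cmd=%s decision=%s client_claimed_authen_method=%s" % (
        req.user, cmd, "PASS" if allowed else "FAIL",
        describe_authen_method(req.authen_method))
    return allowed, audit


# Constructed sample: a client asserting it authenticated the user via TACACS+ (0x06).
SAMPLE = build_author_request(AuthorRequest(
    AuthenMethod.TACACSPLUS, 1, 1, 1, "alice", "tty0", "198.51.100.7",
    ["service=shell", "cmd=show", "cmd-arg=version"]))

if __name__ == "__main__":
    request = parse_author_request(SAMPLE)
    print(request)
    print(authorize(request, {"alice": {"show"}})[1])
```

Replaying the same request with authen_method changed to KRB5 yields the same decision, which is the behaviour the draft text asks for: the server's view of who may run what comes from its own configuration, and the client's claim about how it authenticated is kept only as audit context.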