Re: [OPSAWG] Mirja Kühlewind's No Objection on draft-ietf-opsawg-tacacs-13: (with COMMENT)

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Sat, 22 June 2019 06:03 UTC

From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Sat, 22 Jun 2019 06:03:13 +0000
Message-ID: <CFA73F88-DB69-4958-81D7-50B9EE5B9FFA@cisco.com>
References: <155794338418.30711.17566495330645891210.idtracker@ietfa.amsl.com>
In-Reply-To: <155794338418.30711.17566495330645891210.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/OaGgkntzqHzvZ4RXMnkSrQevBOs>
Subject: Re: [OPSAWG] Mirja Kühlewind's No Objection on draft-ietf-opsawg-tacacs-13: (with COMMENT)
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>

Many thanks for the comments.

Please see responses from authors inline, marked “TA”. Action items from this mail to update the document are marked: [AI-TA] to mean: “action item for the authors”.

On 15/05/2019, 19:03, "Mirja Kühlewind via Datatracker" <noreply@ietf.org> wrote:

    Mirja Kühlewind has entered the following ballot position for
    draft-ietf-opsawg-tacacs-13: No Objection
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/
    
    
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    A couple of comments/question:
    
    1) I would like to see it more explicitly mentioned in the title, abstract, and
    introduction that this is only documenting the protocol as deployed today.
    Usually we use titles like “Company X’s TACACS+ protocol”; this is probably not
    applicable here but maybe something like “Documentation of the TACACS+
    Protocol” would work as well…?

TA> Agreed, will update as advised [AI-TA]
    
    2) If Single Connection Mode is used and the connection is idle for a while, it
    can be possible that some middlebox or the server lost state and the connection
    is actually not available anymore. I guess it could be good to explicitly mention
    this case and say something like if a RST or timeout is encountered for a
    connection in Single Connection Mode, the client should try to open a new
    connection and resend the request immediately.

TA> Yes, that is certainly a possible scenario. I believe it will likely be caught by regular timeout mechanisms in the implementation, but we can call it out explicitly [AI-TA]
    
    3) I would recommend to define the term “session” in section 3 (as it seems to
    be a central term that is important to understand correctly).

TA> Agreed, will add a definition of session as advised [AI-TA]
    
    4) Sec 10.5.1: “TACACS+ servers MUST NOT leak sensitive data.”
    Not sure if that is an actionable requirement, as I would assume leaking is
    often done by accident. Maybe “TACACS+ servers MUST store sensitive data
    securely.”… or something…? Not sure how much better that is… Actually the next
    sentence could probably be normative: S/TACACS+ servers should not expose
    shared secrets in logs./TACACS+ servers MUST NOT expose shared secrets in logs./

TA> Agreed that section can be tidied and the clause you highlight made normative. [AI-TA]
    
    5) One question regarding the unencrypted/non-obfuscated mode: Why was this
    mode (and TAC_PLUS_UNENCRYPTED_FLAG=1) not deprecated completely? You mention
    briefly somewhere that this is/was used for debugging but then later say that
    modern tools should also support debugging of obfuscated traffic.

TA> It is certainly a valid point. If there is consensus, then I agree it would make sense to be clear and say that unencrypted mode MUST NOT be used.
    
    6) Sec 10.5.5: “TACACS+ servers SHOULD deprecate the redirection mechanism.”
    I believe you want to use a MUST here because you anyway only specify this for
    servers that follow or update to this spec; it will of course not change
    existing implementations…
    
TA> Agreed [AI-TA]
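Points 4 and 5 above both come down to what a TACACS+ server does with the packet header flags and the shared secret. The following is an added example, not code from the draft authors or from any TACACS+ implementation: it parses the 12-byte TACACS+ header, refuses packets that carry TAC_PLUS_UNENCRYPTED_FLAG (the "MUST NOT be used" position discussed under point 5), de-obfuscates the body with the MD5 pseudo-pad the specification defines, and writes log lines that carry the session id and sequence number but never the shared secret (point 4). The header layout and pad construction are taken from the TACACS+ specification; the shared secret, session id and body bytes are constructed for this example.

```python
"""TACACS+ header handling: reject cleartext packets, de-obfuscate the body
with the MD5 pseudo-pad, and log without the shared secret.

Header layout and pad construction follow the TACACS+ specification
(draft-ietf-opsawg-tacacs). The key and packets used below are constructed
for this example and are not taken from any deployment."""
import hashlib
import struct
from typing import List, Optional

HEADER_LEN = 12
TAC_PLUS_MAJOR_VER = 0xC            # high nibble of the version byte
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body sent in the clear
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04 # peer supports single connection mode


def parse_header(pkt: bytes) -> dict:
    """Split the fixed header: version, type, seq_no, flags, session_id, length."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", pkt[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {version >> 4:#x}")
    if len(pkt) != HEADER_LEN + length:
        raise ValueError("length field does not match packet size")
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int,
               length: int) -> bytes:
    """MD5_1 = MD5(session_id||key||version||seq_no);
    MD5_n = MD5(session_id||key||version||seq_no||MD5_{n-1});
    the pad is the concatenation, truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int,
              seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it twice restores the input."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, flags: int = 0, minor: int = 0) -> bytes:
    """Client side: header plus (normally obfuscated) body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        payload = body                       # cleartext mode, for comparison only
    else:
        payload = obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags,
                         session_id, len(body))
    return header + payload


def receive_packet(pkt: bytes, key: bytes, log: List[str]) -> Optional[bytes]:
    """Server side: reject cleartext packets, otherwise return the body.
    Log lines identify the session but never include the shared secret."""
    hdr = parse_header(pkt)
    tag = f"session={hdr['session_id']:#010x} seq={hdr['seq_no']}"
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        log.append(f"reject {tag}: TAC_PLUS_UNENCRYPTED_FLAG set")
        return None
    body = obfuscate(pkt[HEADER_LEN:], hdr["session_id"], key,
                     hdr["version"], hdr["seq_no"])
    log.append(f"accept {tag}: type={hdr['type']} len={hdr['length']}")
    return body


if __name__ == "__main__":
    key = b"constructed-example-secret"   # constructed, not a real secret
    audit: List[str] = []
    pkt = build_packet(1, 1, 0x1234ABCD, b"constructed body", key,
                       flags=TAC_PLUS_SINGLE_CONNECT_FLAG)
    print(receive_packet(pkt, key, audit))
    clear = build_packet(1, 1, 0x1234ABCD, b"constructed body", key,
                         flags=TAC_PLUS_UNENCRYPTED_FLAG)
    print(receive_packet(clear, key, audit))
    print("\n".join(audit))
```

The pad is keyed only by the shared secret, session id, version and sequence number, so a wrong key yields garbage rather than an error; a real server would go on to validate the de-obfuscated body before acting on it. Note that this is obfuscation, not encryption, which is the reason the draft's security considerations recommend a confidential transport regardless of the flag.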