Re: [OPSAWG] APPEAL: re AAA protocols and IETF consensus
Alan DeKok <aland@deployingradius.com> Thu, 11 February 2016 20:01 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C1C31B39BE for <opsawg@ietfa.amsl.com>; Thu, 11 Feb 2016 12:01:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHM-W9t8HOM3 for <opsawg@ietfa.amsl.com>; Thu, 11 Feb 2016 12:01:28 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id D10EA1B39CD for <opsawg@ietf.org>; Thu, 11 Feb 2016 12:01:01 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.networkradius.com (Postfix) with ESMTP id 171B1D14; Thu, 11 Feb 2016 20:01:01 +0000 (UTC)
Received: from mail.networkradius.com ([127.0.0.1]) by localhost (mail-server.vmhost2.networkradius.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uiM7z0sdu6Tj; Thu, 11 Feb 2016 20:01:01 +0000 (UTC)
Received: from [192.168.120.60] (OTWAON1140W-LP140-03-1176332297.dsl.bell.ca [70.29.104.9]) by mail.networkradius.com (Postfix) with ESMTPSA id 895758E5; Thu, 11 Feb 2016 20:01:00 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAL9jLabKooSmF4KCZeRf80Oh2xob=JmjCC8VwG1Qg=kkceVVww@mail.gmail.com>
Date: Thu, 11 Feb 2016 15:00:59 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <1E95FB31-2386-4407-B36E-C8BDDCFB31E9@deployingradius.com>
References: <93B875C8-FF5A-4CD3-BBAB-E028749C67FF@deployingradius.com> <CAL9jLabKooSmF4KCZeRf80Oh2xob=JmjCC8VwG1Qg=kkceVVww@mail.gmail.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/UmRrNZCP3OxK12aLhShnZuwevCE>
Cc: opsawg@ietf.org
Subject: Re: [OPSAWG] APPEAL: re AAA protocols and IETF consensus
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2016 20:01:33 -0000
On Feb 11, 2016, at 12:46 PM, Christopher Morrow <christopher.morrow@gmail.com> wrote: > 2989 is titled: "Criteria for Evaluating AAA Protocols for Network Access" > > 2989 is explicitly not about 'device management' or 'device > administration' access management (AAA). > tacacs+ is explicitly about 'device management' or 'device > administration' access management (AAA). The TACACS draft is silent on device management. The only discussion in the draft of functionality is AAA. For you, the AAA RFCs I mentioned don't apply to a self-described AAA document. Because the document really (wink wink) applies to device management. Which it doesn't talk about. i.e. A isn't the same as B because A is really the same as C, even though A claims to be the same as B. This is logic so twisted as to become farcical. > again, not applicable to 'device management' / 'device administration' > ... so not applicable to this discussion, at all. Then you should be in favour of not standardizing the TACACS+ document, because it doesn't talk about device management either. >> Standardizing a new AAA protocol without IETF-wide discussion means we're ignoring the requirements of RFC 2989, and discarding the results shown in RFC 3127. >> > > it doesn't seem like 'IETF-wide discussion' is being missed at all, actually. Forgive me if I'm missing a wider CC list. Are the people who wrote RFC 2989 and RFC 3127 involved in this discussion? No? Then a wider IETF discussion is being missed. > perhaps, but you seem to have content questions, did you make these > comments to the authors? I think dealing with larger issues is a higher priority than editorial comments. >> The TACACS+ functionality therefore *explicitly* overlaps 100% with RADIUS. It is explicitly *not* "device authorization". It is uniformly inferior to RADIUS in functionality and capability. It meets none of the requirements set out in RFC 2989, and wasn't even considered in RFC 3127 > > because 2989 and 3127 are not about the problem tac+ solves. And neither is the TACACS+ document. > For network operations the meaning of AAA is different than that used > for 'dialup users' (or equivalent as the technology advances). > > o Authorizing users of your network access to the network is different > than authorizing administration/management of the devices which make > the network. > > o Accounting for the device administration activities is not the same > acocunting for bits/time spent on a customer > > o Authenticating a device administrator is likely very different from > authenticating a user of the network Remind me again where the TACACS+ document discusses that? > I think you mean to rephrase and aim this comment to the editors... so > they can add a note about it in the draft. I do see discussion of > authorization and why it's important/used in the original > grant-tacacs-02 draft, and in the draft-dahm version 02 there's this: > > https://tools.ietf.org/html/draft-dahm-opsawg-tacacs-01#section-5 > > this seems to have some level of detail and useful information about > the authorization process/work/packets. Which is a vague discussion of "authorization". It misses "device management" entirely. > i don't know that 'two decades' is particularly important, much has > changed over the last 20 yrs in the IETF and the Internet and in stuff > provided by vendors/etc. Making device administration better and more > secure over time is a win for operations, networks and users. While I agree with that, there were many opportunities over the last 20 years to standardize device management in the IETF. The vendors refused. Because (as I've said repeatedly), they saw benefits in avoiding the standards process. Now that they're getting bitten by inter-operability problems, *oops*, it's time get a rubber stamp on the protocol. I welcome publishing the document as an information draft. I see no reason why it should be an IETF standard. And so far, I haven't seen a convincing argument from anyone else. The arguments in favour amount to: - just 'cause - it's widely used - it's not an AAA protocol, even though it's explicitly an AAA protocol Alan DeKok.
- [OPSAWG] APPEAL: re AAA protocols and IETF consen… Alan DeKok
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… joel jaeggli
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Christopher Morrow
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Brian E Carpenter
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Alan DeKok
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Alan DeKok
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Brian E Carpenter
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Alan DeKok
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Brian E Carpenter
- Re: [OPSAWG] APPEAL: re AAA protocols and IETF co… Alan DeKok