Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt

"Joe Clarke (jclarke)" <jclarke@cisco.com> Thu, 30 June 2022 16:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/WTiaPxZXIYUAVaQr6RDk81M2_1U>

Thanks, Douglas.  While I commented on _this_ email, I have not reviewed this draft.  I was merely commenting to Alan’s statement about the TLS 1.3 draft.

I still have this draft on my TODO list to review.

Joe

From: Douglas Gash (dcmgash) <dcmgash@cisco.com>
Date: Thursday, June 30, 2022 at 11:38
To: Joe Clarke (jclarke) <jclarke@cisco.com>, Alan DeKok <aland@deployingradius.com>, heasley <heas@shrubbery.net>
Cc: opsawg@ietf.org <opsawg@ietf.org>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Subject: Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt
Hi,

First, it would be good to make sure the intent is clear: Though the TLS 13 draft is simply to do the TLS encapsulation, the security draft is primarily to support the SSH key distribution during T+ authentication.

To do this we added the variable arguments to authentication phase so that authentication phase matches the pattern already established in the protocol for authorization and accounting phases.

The feedback, though, is pretty clearly not to do this. Let us take a look at the options.
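As an added illustration (not code from the draft or from any of the posters), here is a small Python encoder/parser for the argument-list pattern Douglas refers to: the arg_cnt / arg_len / arg layout that RFC 8907 already uses in the authorization and accounting bodies, including the rule that "attr=value" is mandatory and "attr*value" is optional, so a receiver may skip optional arguments it does not understand. The attribute name sshkey and its value are constructed placeholders, not names taken from the draft.

```python
# Constructed example of the TACACS+ (RFC 8907) argument-list encoding used in
# the authorization and accounting bodies: one arg_cnt byte, then one length
# byte per argument, then the argument bytes back to back. An argument is
# "attr=value" (mandatory) or "attr*value" (optional).

def encode_args(args):
    """Encode a list of 'attr=value' / 'attr*value' strings as arg_cnt + lens + data."""
    raw = [a.encode() for a in args]
    if len(raw) > 255 or any(len(r) > 255 for r in raw):
        raise ValueError("arg_cnt and each arg_len are single bytes")
    return bytes([len(raw)]) + bytes(len(r) for r in raw) + b"".join(raw)

def decode_args(buf):
    """Parse the encoding back; returns (args, bytes_consumed). Raises on truncation."""
    if not buf:
        raise ValueError("missing arg_cnt")
    cnt = buf[0]
    lens = buf[1:1 + cnt]
    if len(lens) != cnt:
        raise ValueError("truncated arg length table")
    pos = 1 + cnt
    args = []
    for n in lens:
        chunk = buf[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated argument data")
        args.append(chunk.decode())
        pos += n
    return args, pos

def split_arg(arg):
    """Return (attr, value, mandatory): the first '=' marks mandatory, '*' optional."""
    for i, c in enumerate(arg):
        if c in "=*":
            return arg[:i], arg[i + 1:], c == "="
    raise ValueError("argument has no separator: %r" % arg)

def understood_args(args, known):
    """Keep known attrs; silently drop unknown optional args; reject unknown mandatory ones."""
    kept = []
    for a in args:
        attr, value, mandatory = split_arg(a)
        if attr in known:
            kept.append((attr, value, mandatory))
        elif mandatory:
            raise ValueError("unknown mandatory argument: %s" % attr)
    return kept

# Constructed sample: two standard shell-authorization args plus a made-up
# optional "sshkey" argument (placeholder name, not the draft's attribute).
SAMPLE = ["service=shell", "cmd=", "sshkey*AAAAB3NzaC1yc2E"]
```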

From: Joe Clarke (jclarke) <jclarke@cisco.com>
Date: Thursday, 30 June 2022 at 16:07
To: Alan DeKok <aland@deployingradius.com>, heasley <heas@shrubbery.net>
Cc: opsawg@ietf.org <opsawg@ietf.org>, Douglas Gash (dcmgash) <dcmgash@cisco.com>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Subject: Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt
Thanks for your continued attention to this work, Alan.  Your insight is very much appreciated.</chair>

As a contributor, I rather like the simpler TLS encap over T+ approach described in the tls13 draft.  I’d personally not over-engineer something that isn’t immediately required.  T+ has been around for a while and is heavily used.  I don’t know that we need to spend time adding extensibility.

Joe

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of Alan DeKok <aland@deployingradius.com>
Date: Wednesday, June 29, 2022 at 17:34
To: heasley <heas@shrubbery.net>
Cc: opsawg@ietf.org <opsawg@ietf.org>, Douglas Gash (dcmgash) <dcmgash@cisco.com>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Subject: Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt
On Jun 29, 2022, at 2:26 PM, heasley <heas@shrubbery.net> wrote:
> We have received no comments about this draft, which I presume means no
> technical objections exist.  So, I would like to ask the Chairs for an
> adoption call.

  I would suggest that ~3 weeks is a little too short a time frame to claim that there are no objections.   I'll point to the previous TACACS+ document, where there were multiple reviews which got addressed by the authors many months later.

  I'll also point to my earlier review of draft-dahm-tacacs-tls13-00.txt, where I had concerns with extending the 1990s style TACACS+ packet format.  The same concerns apply here.

  If we're going to extend TACACS+ by adding major new features, I would suggest that it's a priority to design these features correctly, the first time.  Experience shows that it is extremely difficult to extend fixed-field packet formats.  It's almost always better to use an extensible format, as with DHCPv4, DHCPv6, DNS options, YANG, RADIUS, Diameter, etc.

  Using a format with fixed fields now makes it more difficult to extend TACACS+ in the future.  There will just be one complex format added after another.  The alternative is instead to define an extensible format, in which case new extensions become trivial.

  Alan DeKok.



_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg