Re: [OPSAWG] Alexey Melnikov's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Mon, 24 June 2019 05:47 UTC
Return-Path: <dcmgash@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E363B12028C; Sun, 23 Jun 2019 22:47:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=KkCfp52i; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=egyzYbaG
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EaXC8DqhgkkB; Sun, 23 Jun 2019 22:47:13 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C57E12003F; Sun, 23 Jun 2019 22:47:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11960; q=dns/txt; s=iport; t=1561355233; x=1562564833; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=Trb1gxN/q9wT3hqpM9izmi3fa63we8QxXPn/LK6KyHo=; b=KkCfp52ivfcf4IoLNuKE3GmabWuweP4geG/f1imkRoV9JJ6y71f04Ch2 m/KD+IuiFr8u6larWXMEYYhduuX7mCErZxIrFWvuEzHy+dTdFBhq9b2zM RvkVjtBZc4Gm69TvrciogwRyWOzre+eAaqLClZ5oR8YW+Wbe3x+jR3+f+ A=;
IronPort-PHdr: 9a23:rFU1PBB3PtctrYa9WK2VUyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qs13kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHwQAld1QmgUhBMCfDkiuIPXvYCUhHOxJVURu+DewNk0GUMs=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BIAAAXYxBd/4ENJK1kHAEBAQQBAQcEAQGBUwcBAQsBgUNQA2pVIAQLKIQWg0cDhFKKD5oTgS4UgRADVAkBAQEMAQEjCgIBAYRAAheCTCM0CQ4BAwEBBAEBAgEFbYo3DIVLAgQSEQQNDAEBNwEPAgEIDgwCJgICAjAVEAIEAQ0FIoMAAYFqAx0BDpdSAoE4iF9xfjOCeQEBBYFGQYJzGIIRAwaBDCgBiRSCSReBf4EQAScfgkw+gmECAQIBgSoBEQIBBgIWF4JzMoImi24IBgSCToUcggSGLo0GawkCghSGTYRihEmDahuCKIcNBYQFigiNJoEvhgCPVAIEAgQFAg4BAQWBUDhnWBEIcBU7KgGCQYJBBwIaFIM5hRSFPgFyAYEojwkBAQ
X-IronPort-AV: E=Sophos;i="5.63,411,1557187200"; d="scan'208";a="296189781"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Jun 2019 05:47:11 +0000
Received: from XCH-ALN-020.cisco.com (xch-aln-020.cisco.com [173.36.7.30]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x5O5lB7W006385 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 24 Jun 2019 05:47:11 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-ALN-020.cisco.com (173.36.7.30) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 24 Jun 2019 00:47:10 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 24 Jun 2019 01:47:09 -0400
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 24 Jun 2019 00:47:09 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Trb1gxN/q9wT3hqpM9izmi3fa63we8QxXPn/LK6KyHo=; b=egyzYbaGK2S80NdUBYjWaYL9Sq/UhSm4e/3hE/PM/EYGmvez+8PlV3SR8NGqWEbPO9njFJaDtzVF934UuSnlZ8i3uGR4CaOFqLEwoGFi+sn5BoK4n5rkfF5IsK8pExaaAbMLxkolOImSLFlfruKQbX853p+DsX51BSX9Y6CJIlo=
Received: from DM5PR11MB1322.namprd11.prod.outlook.com (10.168.104.140) by DM5PR11MB1292.namprd11.prod.outlook.com (10.168.101.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Mon, 24 Jun 2019 05:47:07 +0000
Received: from DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::3167:9c96:1d74:4fcd]) by DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::3167:9c96:1d74:4fcd%2]) with mapi id 15.20.2008.014; Mon, 24 Jun 2019 05:47:07 +0000
From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: Alexey Melnikov's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
Thread-Index: AQHVKlBAMs0jEhQykkWaGlNOLqM3Rw==
Date: Mon, 24 Jun 2019 05:47:07 +0000
Message-ID: <3DB6015A-6E93-4A5E-AADD-077A38E8A273@cisco.com>
References: <155798766808.30465.13613903853679159439.idtracker@ietfa.amsl.com>
In-Reply-To: <155798766808.30465.13613903853679159439.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.26.0.170902
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dcmgash@cisco.com;
x-originating-ip: [2001:420:c0e0:1006::4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d92202b3-90dd-4579-7bbd-08d6f8676501
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR11MB1292;
x-ms-traffictypediagnostic: DM5PR11MB1292:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM5PR11MB12927672A1CF7DD36105CADCB7E00@DM5PR11MB1292.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 007814487B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(346002)(366004)(376002)(39860400002)(136003)(189003)(199004)(51914003)(81156014)(446003)(66476007)(71200400001)(966005)(76176011)(8676002)(478600001)(76116006)(66946007)(81166006)(25786009)(64756008)(91956017)(4326008)(6486002)(66556008)(66446008)(2616005)(73956011)(5660300002)(486006)(6306002)(86362001)(6436002)(476003)(8936002)(11346002)(186003)(53546011)(58126008)(53936002)(110136005)(6246003)(6116002)(256004)(2906002)(305945005)(6512007)(71190400001)(14444005)(33656002)(229853002)(68736007)(102836004)(6506007)(7736002)(46003)(316002)(99286004)(54906003)(36756003)(14454004); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1292; H:DM5PR11MB1322.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: I6cLRG1byN1YlTS6axebfD37apuQL9KCXCS8yoN5aC//QtiHnkScuysTTMcIk+AtRpHm2Y0EeNvU1Tmlm70J3hKomvc8WyQQKc+K5pJjDH3sa5Ep23JhsrZYYLZ+a1Pu9cWMOS/s91gt6WyL2mVdaXslGVA4m7r7k1mUl+Ddv9V0tuFwOi70iFk/bBJySd9ho4GSRCA7JbNT/BsIGxdlJ0E3B0AeIikuQrY2EH7/zvyWxhbw9YN4Fkm+Cuvz7iit94q7px6wVcIHxG2LjXDPO38DKGXmjSjHxVKtdrKuV5EREe2QKtjSpykvLBq01/vAJstTr94zpveIPK9RlFoT9SEpJKaBDRupzJHyMbiO1ZKoiP/rPLjv7edS4uJCCrUIDW9DWx7Ce7dCo4ZopHB2+AsHZSzogo2jNb4P2xTosSM=
Content-Type: text/plain; charset="utf-8"
Content-ID: <2ADA791B5FDFBC4886B76A6ABF3C5214@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d92202b3-90dd-4579-7bbd-08d6f8676501
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jun 2019 05:47:07.7017 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dcmgash@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1292
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.30, xch-aln-020.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/_Wet7UysnwbT9WIxtDDbMnlzPbM>
Subject: Re: [OPSAWG] Alexey Melnikov's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2019 05:47:16 -0000
Many thanks for the comments. Please see responses from authors inline, marked “TA”. Action items from this mail to update the document are marked: [AI-TA] to mean: “action item for the authors”. On 16/05/2019, 7:21, "Alexey Melnikov via Datatracker" <noreply@ietf.org> wrote: Alexey Melnikov has entered the following ballot position for draft-ietf-opsawg-tacacs-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- (One small addition to my earlier comments, see new DISCUSS point 6) I appreciate that this is documenting an existing protocol and I am very glad that it is being documented. However there are several things which are still not documented well enough/not in enough details to implement. So I would like to discuss these issues before recommending approval of this document: 1) 4.6. Text Encoding All text fields in TACACS+ MUST be printable US-ASCII, excepting Please add a reference to RFC 20 (for US-ASCII) here. Without out it "printable" has no meaning. TA> Agreed, will update as advised [AI-TA] special consideration given to user field and data fields used for passwords. To ensure interoperability of current deployments, the TACACS+ client and server MUST handle user fields and those data fields used for passwords as 8-bit octet strings. The deployment operator MUST ensure that consistent character encoding is applied from the end client to the server. The encoding SHOULD be UTF-8, and other Please add Normative RFC 3629 reference here for UTF-8. TA> Agreed, will update as advised [AI-TA] encodings outside printable US-ASCII SHOULD be deprecated. I am not sure what this mean. You didn't define allowed encoding (really you mean charsets). TA> Agreed, will update as advised [AI-TA] 2) In 5.1: The printable US-ASCII name of the client port on which the authentication is taking place, This doesn't mean anything. Is there a registry? It doesn't look like you are using transport service name registry for this. Is it a fixed list? TA> We’d be grateful if you could clarify, is your concern here relating to the charset or the content? If it regards the content then this is not constrained, as below it is client specific. The servicer must accommodate the free-format content. and its length in bytes. The value of this field is client specific. (For example, Cisco uses "tty10" to denote the tenth tty line and "Async10" to denote the tenth async interface). The port_len indicates the length of the port field, in bytes. 3) Later in 5.1: A printable US-ASCII string indicating the remote location from which the user has connected to the client. It is intended to hold a network address What are the allowed formats for IPv4 and IPv6? Or is this just human readable? TA> Current practice the field is normally MAC address or IP. Will recommend that if IP is used, it SHOULD conform to RFC5952 [AI-TA] if the user is connected via a network, a caller ID is the user is connected via ISDN or a POTS, or any other remote location information that is available. 4) In 5.4: If the information being requested by the server form the client is sensitive, then the server should set the TAC_PLUS_REPLY_FLAG_NOECHO flag. When the client queries the user for the information, the response MUST NOT be echoed as it is entered. What does the last sentence mean? (When is it ever echoed?) Are you missing a forward reference or some explanation of echoing? TA> Agreed, this requires clarification in document to indicate that the data entered should not be reflected in the user interface. [AI-TA] 5) KRB5 and KRB4 need normative references. TA> Agreed, will add [AI-TA] 6) Does this document need to obsolete RFC 1492? TA> That could well be sensible, would follow WG consensus here. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- In 4.8: 4.8. The TACACS+ Packet Header The total length of the packet body (not including the header). In network byte order? There is some text about that in 4.9, but readers don't know that yet. TA> Agreed, will clarify [AI-TA] In 6.1: The arguments are the primary elements of the authorization interaction. In the request packet they describe the specifics of the authorization that is being requested. Each argument is encoded in the packet as a single arg filed (arg_1... arg_N) with a Typo: filed --> field. TA> Thanks, will correct. [AI-TA] corresponding length fields (which indicates the length of each argument in bytes). Later in the same section: Optional arguments are ones that may be disregarded by either client or server. Mandatory arguments require that the receiving side can handle the attribute, that is: its implementation and configuration includes the details of how to act on it. If the client receives a mandatory argument that it cannot handle, it MUST consider the authorization to have failed. It is legal to send an attribute-value pair with a zero length value. Last sentence: do you just mean that the value can be empty? TA> Yes, this definition evolved, also had query about the use of the word “legal” in this round of review. Will change to “The value part of an attribute-value pair may be empty, that is, the length of the value may be zero.” [AI-TA] In 8.1: Date Time Absolute date/times are specified in seconds since the epoch, 12:00am Jan 1 1970. The timezone MUST be UTC unless a timezone attribute is specified. Stardate is canonically inconsistent and so SHOULD NOT be used. I am not sure what the last sentence means. TA> Agree, will be removed [AI-TA] In 8.2: 8.2. Authorization Attributes For example: "shell", "tty-server", "connection", "system" and "firewall". This attribute MUST always be included. Is this a full list or is there a registry? TA> This is not a full list, it is just for example. In order to prevent interpretation that it is a full list, will change to [AI-TA]: “The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. For example: "shell". This attribute MUST always be included.” Later in the same section: remote_host (String) What is the syntax of this field? TA> Will elaborate. [AI-TA] 10.4. Security of Accounting Sessions Replace accounting data with new valid or garbage which prevents to provide distraction "prevents to provide distraction" doesn't read well. TA> Agreed, will attempt to translate into readable language! [AI-TA] or hide information related to their authentication and/or authorization attack attempts. In 10.5.1: TACACS+ server administrators SHOULD change secret keys at regular intervals. Humans are very bad at this. So I think it would be better if this is changed to add a requirement on management UIs. TA> That is sensible. Will discuss options with WG. [AI-TA] 10.5.3. Authentication To help TACACS+ administraots select the stronger authentication Typo: administrators. TA> Thanks, will correct. [AI-TA]
- [OPSAWG] Alexey Melnikov's Discuss on draft-ietf-… Alexey Melnikov via Datatracker
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Douglas Gash (dcmgash)
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Douglas Gash (dcmgash)
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Warren Kumari
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Alexey Melnikov
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Joe Clarke (jclarke)
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Warren Kumari
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Warren Kumari
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Alexey Melnikov
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Warren Kumari
- Re: [OPSAWG] Alexey Melnikov's Discuss on draft-i… Douglas Gash (dcmgash)