Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-01.txt

Marc Huber <Marc.Huber@web.de> Thu, 01 December 2022 18:14 UTC

Content-Type: multipart/alternative; boundary="------------osu10fWYuakKR6qyxQeRczgn"
Message-ID: <43ee82a3-c554-a4c3-cbb0-4525dee143b0@web.de>
Date: Thu, 01 Dec 2022 19:14:15 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
To: opsawg@ietf.org
References: <166987104468.50685.985158519755735069@ietfa.amsl.com> <Y4g8SzupPkBSLotd@shrubbery.net>
From: Marc Huber <Marc.Huber@web.de>
In-Reply-To: <Y4g8SzupPkBSLotd@shrubbery.net>
UI-OutboundReport: notjunk:1;M01:P0:ibUPGpIZDlg=;blbN4Sq9CHx9FioD+bU2wwZnZXh DaqRIexhG+yChfKuL3kpG1JAnMcBk3VA3a5IL7QUv+bFaN9TzZHzIulDpm/D+kmD7uI3pXYG2 Vej/1bLaXT4eOFIeqKy+XHYz2NFUvQdmZQNQSH9l7FHTiL5dMLJKohdOM6zDpxu0COKnGVhKt 2tRiha8w8MnyC6HCX5mMCugCiFzTSvg5q12ob/FHZ3Vhtp3Dendc7W2AqCggQ36MgP1/xWrPM lspCnoZia/VsVkZ0oIRug/9ypPszAxgiaPemL/W66v1XwQOTjxxQHqiz6DKF+upzClvg7zRK7 EmCNHeAIRA//XZEeQqOeeYjG2oN8jQKMChu1xV2o7qizLu/2IS/auwFuu1/Pey/ipqBpz+RJT +8GvGT+ra1Q7pbJmWM0Mcqj68O0omM0OAE0spTGrpBmzUJ1S8MNMyOrYsKquvIJwgoBpTl1XP 4Boo1tDF6UZjBNdmP/rIfNgRdJHGtmpgodhEtlaowh3VUxrQfiWRQLHflSCyWSlmsSavZ+V1N BMd9f4+sH/LMhdqumUB6wY/evcSu6rR/S9axflCT+5t0e6M96Os4bwm3fiRwkkSJhT+JmtLoI xn3G6cngK2CI1mI+6UoVVsUep3GPE/wf41qFhXOJWvuxGmQ+CLglDCAHcQVwaUBhzsJVYXB1o uKJYyyNSfkoguRSnEUgX5MTKRBXjZ79bsKDSmk30lXEk53jOidCR0FBos4VVR3kjdOcWVb5vF Wbo3wLyEDYTBcdWUlHpqa2E83irAdfGsLPOLHyMgfXa6Ax20taKrCTNtPRmR9YoxxvRQiru64 rMKKgSV+N94fMJ2PwGEnw5qPkvnlDeF6D+WJoC67RQhLxfxX/gBeugWxx1pWGuKQr0JeJmjny Y6vUD5+vYMP70MraRWNK/EWEbGMT2VzvySO3o42Lw02qV7i8JVNoUA3w2yke7rRKy4JMcg635 gHTzbITZSitPot5h/Yang93zSr8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/a8S6hwmU2ubfRjFpTGM33dEJtuE>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-01.txt
Precedence: list

Hi,

I've the gut feeling that

    Peers MUST NOT use Obfuscation with TLS.

    A TACACS+ client initiating a TACACS+ TLS connection MUST set the
    TAC_PLUS_UNENCRYPTED_FLAG bit, thereby asserting that Obfuscation is
    not used for the Session.  All subsequent packets MUST have the
    TAC_PLUS_UNENCRYPTED_FLAG set.

    A TACACS+ server that receives a packet with the
    TAC_PLUS_UNENCRYPTED_FLAG not set (cleared) over a TLS connection,
    MUST return an error of TAC_PLUS_AUTHEN_STATUS_ERROR,
    TAC_PLUS_AUTHOR_STATUS_ERROR, or TAC_PLUS_ACCT_STATUS_ERROR as
    appropriate for the TACACS+ message type, with the
    TAC_PLUS_UNENCRYPTED_FLAG set, and terminate the Session.

isn't the best approach. This would break the transition process
compatibility for devices that don't encrypt on their own which move TLS
to an intermediate system (a reverse proxy, essentially).

This might be a corner case, but I'd prefer a standard for
TACACS+-over-TLS that just leaves the TACACS+ protocol as-is and simply
encrypts/decrypts. TACACS+ over TLS shouldn't behave differently to
plain TACACS+.

Thanks,

Marc

[OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls… internet-drafts
Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… heasley
Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Joe Clarke (jclarke)
Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Marc Huber
Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… Alan DeKok
Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… heasley
Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs… heasley