IETF Logo Mail Archive

Re: [OPSAWG] Start of WGLC for TACACS+ document.

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Thu, 06 October 2016 17:34 UTC

Return-Path: <dcmgash@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4141E129650 for <opsawg@ietfa.amsl.com>; Thu, 6 Oct 2016 10:34:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.517
X-Spam-Level:
X-Spam-Status: No, score=-17.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGkTiTg2hSS7 for <opsawg@ietfa.amsl.com>; Thu, 6 Oct 2016 10:34:48 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4FCE12967B for <OpsAWG@ietf.org>; Thu, 6 Oct 2016 10:34:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4047; q=dns/txt; s=iport; t=1475775288; x=1476984888; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=Zp6KFOUsXm30lYJSYku7of2VY8x/l/f7xCvqrnQRI3A=; b=EG7It/9ozpFJH8zM99TCEmFnBgyojA65kbEynq4btvkJd2H/I6nA3yr5 X4iU2+m1T7UEuSUWCDqroM+8lug7ugIUfZWPG2K7wzpuMtKKk19lxdCGn O7aZHz5rmhRm+oAMt2ebuSV8wwrpEsR1yVrUp5akeF2BO0ettZq42WmXz 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BvAQDhivZX/5NdJa1WBhoBAQEBAgEBAQEIAQEBAYM9AQEBAQEegVMHjSuXAJIdgg+CC4YgAoF0OBQBAgEBAQEBAQFeJ4RiAQEEeRACAQgYLjIlAgQBDQWITr8CAQEBAQEBAQEBAQEBAQEBAQEBAR+LEYQ5hVAdAQSUJYVaAY96gW6IHoVojHeDfgEeNkuCaxyBU3KHQIEAAQEB
X-IronPort-AV: E=Sophos;i="5.31,454,1473120000"; d="scan'208";a="331957032"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Oct 2016 17:34:47 +0000
Received: from XCH-RCD-014.cisco.com (xch-rcd-014.cisco.com [173.37.102.24]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u96HYlVO028916 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 6 Oct 2016 17:34:47 GMT
Received: from xch-aln-014.cisco.com (173.36.7.24) by XCH-RCD-014.cisco.com (173.37.102.24) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 6 Oct 2016 12:34:47 -0500
Received: from xch-aln-014.cisco.com ([173.36.7.24]) by XCH-ALN-014.cisco.com ([173.36.7.24]) with mapi id 15.00.1210.000; Thu, 6 Oct 2016 12:34:47 -0500
From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Alan DeKok <aland@deployingradius.com>, "t.petch" <ietfc@btconnect.com>
Thread-Topic: [OPSAWG] Start of WGLC for TACACS+ document.
Thread-Index: AQHSHbl9KZdR5oDUSkK9CBlvcR3x3qCaX9MAgABN84CAAMn/zYAALDV5gAB0/IA=
Date: Thu, 06 Oct 2016 17:34:47 +0000
Message-ID: <D41C42F2.195352%dcmgash@cisco.com>
References: <CAHw9_iK-1=Epr5CLAtFayd0Bss6oZrsDTfyox6y2SfPJAav78Q@mail.gmail.com> <5019ABA9-BB74-4C69-A455-12C17A2958CE@deployingradius.com> <E6C64895-F0C6-40B8-A687-4DC56590B22E@deployingradius.com> <025401d21fb8$71906e20$4001a8c0@gateway.2wire.net> <2769B0A9-00DE-41F8-9971-9C0AABDC8109@deployingradius.com> <003101d21fed$6978cb80$4001a8c0@gateway.2wire.net> <0124D7D3-98BA-4175-AE57-39C03349009C@deployingradius.com>
In-Reply-To: <0124D7D3-98BA-4175-AE57-39C03349009C@deployingradius.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.8.160830
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.197.93]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <F3D0F698CD0C8648956A4D5B2F67DE4A@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/b9IzM_LK9Vx7UBz-rVa6FWRQ7JY>
Cc: "opsawg-chairs@tools.ietf.org" <OpsAWG-chairs@tools.ietf.org>, Andrej Ota <aota@google.com>, "draft-ietf-opsawg-tacacs-05@tools.ietf.org" <draft-ietf-opsawg-tacacs-05@tools.ietf.org>, Thorsten Dahm <thorstendlux@google.com>, "opsawg@ietf.org" <OpsAWG@ietf.org>
Subject: Re: [OPSAWG] Start of WGLC for TACACS+ document.
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 17:34:54 -0000

Hi Alan,

Regarding the security concern, the approach we have with the current
document is:

1) A statement that the protocol does not provide security in a modern
environment. 
2) The two common approaches to support T+ so that it may be used.
3) An indication that a version with built-in security is to follow, which
will not require the mitigations in 2) (actually I suspect it may precede
the info document ;-))

We need to make sure there is no ambiguity for 1) for any security review.
No soft-peddalling. T+ provides the function, not the security.



SoŠ An approach we could employ is to enumerate all the ways in which 1)
is true, including an analysis of each of the other components of the rest
of the protocol, and their contribution to 1).

My question would be: would this dissection of vulnerabilities and
exploration of the attack vectors would help anyone from a security
perspective, when we have established that the approaches 2) are required?

I suspect that we¹d probably miss some, and that may give implementors
more comfort than is afforded by the clear and simple statement.

Therefore, for security review, I¹d suggest we keep the statement simple,
as defined above. However, if this statement is not clear enough/correct
in the document, then certainly, it should be clarified.

Best Regards,

Doug.

On 06/10/2016 17:35, "Alan DeKok" <aland@deployingradius.com> wrote:

>On Oct 6, 2016, at 12:19 PM, t.petch <ietfc@btconnect.com> wrote:
>> You are not, and I did not mean to imply that you were.  I mean that
>> your changes seem to me reflect a different approach, a different style
>> which I do not see as that of the authors.  I see the existing style as
>> unusual, but not wrong, and am content to leave it as is for an
>> Informational RFC which documents what is, or perhaps what has been. You
>> used the word 'philosophical' and I agreed.
>
>  I see the existing draft as not documenting the protocol.  That's my
>main concern.
>
>> So I would keep changes to the minimum, omissions or contradictions and
>> those required  by the publication process (such as splitting References
>> into Informative and Normative).  It is, after all, WGLC.
>
>  This doesn't address my concerns.
>
>  Again, as an implementor, I have *no idea* what to do for huge swathes
>of the protocol.
>
>  On top of that, the current draft is silent on serious security topics.
>
>  e.g. Length of CHAP challenges is implied from the context.  OK, that's
>fine, but what are the *limits* on CHAP challenge lengths?
>
> A: none.  CHAP challenges can be omitted entirely!
>
>> On Security, I would invite the chairs to ask for an early review by the
>> Security Directorate, explaining the context of this document, asking
>> them how much more is needed and how it should be expressed.  It might
>> not be very much although my experience is that I never know in advance
>> what they are going to come up with.
>
>  I've been a member of SAAG for a while now, and have done reviews, and
>read many more.  My prediction is that the current document will give
>SAAG a heart attack, and they will refuse publication.
>
>  There is a huge push to get the draft published.  That's fine.  What's
>*not* fine is that it seems to me at least... that many people simply
>don't care what's in the document.  They don't care if the protocol is
>badly specified.  Or if it's insecure.  In fact, these "features" could
>be beneficial.  Because it means that everyone can claim compliance.  And
>no one has to re-examine their implementation.
>
>  That may sound harsh, but I just don't see any other explanation.  If
>we are going to document the protocol, then let's document the protocol.
>If we're going to agree that we don't need to document the protocol then
>put a huge disclaimer at the top of the draft saying so.
>
>  Giving lip service to "document the protocol", while opposing attempts
>to do so is unproductive.
>
>  Alan DeKok.
>

v2.23.0 | Report a Bug | By Email