Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Thu, 06 February 2020 16:04 UTC

Return-Path: <warren@kumari.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7087C12010E for <opsawg@ietfa.amsl.com>; Thu, 6 Feb 2020 08:04:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jf0lsp1KlO1M for <opsawg@ietfa.amsl.com>; Thu, 6 Feb 2020 08:04:28 -0800 (PST)
Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C896412006B for <opsawg@ietf.org>; Thu, 6 Feb 2020 08:04:27 -0800 (PST)
Received: by mail-qt1-x841.google.com with SMTP id j5so4856198qtq.9 for <opsawg@ietf.org>; Thu, 06 Feb 2020 08:04:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=IzW2MtNPfGcykHyX1DutwGDknVAYsE4OUitxFU80MDo=; b=m3bAPc+uVkqFSwzsGCrHVcYqHovdTy1nGICzPnj0O9GfFfdjrFHJQINAbnJkWCokzf qhXCyZmf4w4f6wx/6EiqatwGYX0eJrlMXsVJAph4LRuyso8p0OqI3XVuqQWOMBCMm2+P FX24/LnhH8qYot5rEUhV2PvgYBi0ULAkN1izxTvZ+Eq0V0t2+g+yCunHJCNkci2JNR4C T3Fi1c2soqKhjfRMt34j32rKe55Wkq6g7GstL9OV0Iv5l1mKZVMtDL5KSa5kIqsi0W8G G+wnLtW+NjxE8iBSD8mBgExy3GB0pwtqUSQGynLJatrd7gvB7h9afpqf+/+3qU3lx1OA GuZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=IzW2MtNPfGcykHyX1DutwGDknVAYsE4OUitxFU80MDo=; b=CnNCikH9faNY3cEXTL3GV5LHk6SezgwlZ/G+DkoGJd6/4UCdJCztogUL1Td+j4ZaS1 4B3kpEpoMLiXot5trLpV94IAHtDNjI4zN+1tNd60PvCxMemDtBOad2XEmRT2B7Vm/fKD BjXLzkwGsuyK7/Tp2iR3PysStR5aDDlccxXeoqXk6MhcO96+t+/3BTEqX3SvjwlFa0Pr Qnv4BqO09MZKDG3Lz2Rl6bpDtxvwTfwJBBZrvTuNUr1063M0ZDc0BW7mCh04tDPKQYg6 LHa1uVXj3jMO1+Nye7xazsyCyLTC3Xyb6KMhG675uu1OAIDwB73pyZOy6p2kd50yIEmv EiLQ==
X-Gm-Message-State: APjAAAUPmPVw/WyzkXLg5qV8+ef0RJCJ8pF6PgXDFBfPHX8xB1X2Ox63 4KBMazXo+k4csUId4v8M/d1UkvPO5cmATkHzKcp6mM0/ET0=
X-Google-Smtp-Source: APXvYqzxm2VOLeA450DcyB5XxAh9d4U8N7T7wCa1KgVp9njfNXcAqoPEoy5BFIxSmkbIG0zf9wN5VLtv3RCtXw+BZ/Y=
X-Received: by 2002:aed:2ac5:: with SMTP id t63mr3094845qtd.315.1581005066322; Thu, 06 Feb 2020 08:04:26 -0800 (PST)
MIME-Version: 1.0
References: <155794757064.30599.16805992272677304176.idtracker@ietfa.amsl.com> <00CA2AF7-C9EC-49CC-8C3F-7DDED4FC838A@cisco.com>
In-Reply-To: <00CA2AF7-C9EC-49CC-8C3F-7DDED4FC838A@cisco.com>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 6 Feb 2020 11:03:49 -0500
Message-ID: <CAHw9_iKCA13MSvoqWA_GrvnNgM-UCoK_G5pYmafj__HYNi2KyQ@mail.gmail.com>
To: "Douglas Gash (dcmgash)" <dcmgash=40cisco.com@dmarc.ietf.org>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/dCz-r_ZLtj0Hbdxbr6y27ZB2F3A>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 16:04:32 -0000

Hi there Roman,

I recently took over this document from Igans - it has been stuck in
'IESG Evaluation::AD Followup'  for 266 days (at version -13).
This is an informational document, describing an existing, and widely
deployed protocol -- the intent was that, once this is published,
there would be a new document largely saying "... great, now take
RFCxxxx, and throw it over TLS. Done!" (as you can guess, there is
much history here as to why it had to happen in two documents instead
of one :-))

The authors have made significant updates
(https://www.ietf.org/rfcdiff?url1=draft-ietf-opsawg-tacacs-13&url2=draft-ietf-opsawg-tacacs-16)-16),
and believe that they have now addressed all open comments.

I'd really like to get this document out the door soon - would you
mind prioritizing checking if these changes address your concerns?
W



On Mon, Jan 27, 2020 at 3:23 PM Douglas Gash (dcmgash)
<dcmgash=40cisco.com@dmarc.ietf.org> wrote:
>
> Hi,
>
> I hope that in the last few versions we have updated the document to sufficiently answer the concerns raised, please let me know if any concerns remain, many thanks.
>
> The majority of the issues were answered last summer, but the balance should be by the latest version recently uploaded.
>
> Please see the point-by point descriptions of changes or responses.
>
> Many thanks,
>
>
>
> On 15/05/2019, 20:12, "Roman Danyliw via Datatracker" <noreply@ietf.org> wrote:--------------------------------------------------------------------------------------------------
>
>     (1) I appreciate the deliberate and thoughtful attempt in this section to
>     enumerate the possible risks/attacks and mitigations of the protocol as is.  In
>     addition to the top-level risks in Section 10.1, I can see the value of
>     maintaining symmetry between Sections 5+10.2; 6+10.3 and 7+10.4.  In the spirit
>     of the middle ground this draft is trying to realize (document the as-is, but
>     highlight the issues), I have the following feedback:
>
>     (a) Section 10.1.  I recommend replacing the first three paragraphs of Section
>     10.1 (“TACACS+ protocol does not …”, “While the protocol …”, and “Even though
>     …”) with the following text synthesized from Joe Salowey’s LC review
>     (https://mailarchive.ietf.org/arch/msg/secdir/rsqrNbVEKph1RdWh836Ard73pHs) and
>     the current introduction:
>
>     TACACS+ protocol does not include a security mechanism that would meet
>     modern-day requirements.  These security mechanisms would be best referred to
>     as “obfuscation” and not “encryption” since they provide no meaningful
>     integrity, privacy or replay protection.  An attacker with access to the data
>     stream should be assumed to be able to read and modify all TACACS+ packets.
>     Without mitigation, a range of risks such as the following are possible:
>
>     Accounting information may be modified by the man-in-the-middle attacker,
>     making such logs unsuitable and untrustable for auditing purposes.
>
>     Invalid or misleading values may be inserted by the man-in-the-middle attacker
>     in various fields at known offsets to try and circumvent the authentication or
>     authorization checks even inside the obfuscated body.
>
> TA>  Many thanks, looks like a  sensible proposal [AI=TA]
> After consultation, the foll;owing chnages were made:
>
> Section 10.1., paragraph 1:
> OLD:
>
>     TACACS+ protocol does not include a security mechanism that would
>     meet modern-day requirements.  Support for MD5-based crypto pad
>     encryption fails to provide any kind of transport integrity, which
>     presents at least the following risks:
>
> NEW:
>
>     TACACS+ protocol does not include a security mechanism that would
>     meet modern-day requirements.  These security mechanisms would be
>     best referred to as "obfuscation" and not "encryption" since they
>     provide no meaningful integrity, privacy or replay protection.  An
>     attacker with access to the data stream should be assumed to be able
>     to read and modify all TACACS+ packets.  Without mitigation, a range
>     of risks such as the following are possible:
>
>
> Section 10.1., paragraph 2:
> OLD:
>
>        Accounting information may be modified by the man-in-the-middle
>        attacker, making such logs unsuitable and untrustable for auditing
>        purposes.
>
>        Only the body of the request is obfuscated which leaves all header
>        fields open to trivial modification by the man-in-the-middle
>        attacker.  For this reason, deployments SHOULD NOT use connections
>        with TAC_PLUS_UNENCRYPTED_FLAG, as mentioned in the Best Practices
>        section (Section 10.5) .
>
> NEW:
>
>        Accounting information may be modified by the man-in-the-middle
>        attacker, making such logs unsuitable and not trustable for
>        auditing purposes.
>
>     (b) I recommend finding an alternative home and strengthening the text “For
>     this reason, deployments SHOULD NOT use connections with
>     TAC_PLUS_UNENCRYPTED_FLAG, as mentioned in the Best Practices section (Section
>     10.5)”.  It seemed odd to mix deployment guidance in a list of risks as
>     currently written.  I take Andrej Ota’s point from
>     https://mailarchive.ietf.org/arch/msg/secdir/UgtsSfh1RaauNoMRi87FRqtI0YI that
>     there is no harm in requiring the obfuscation, such as it is.  Furthermore, why
>     couldn’t this be MUST NOT use?
>
> TA> Yes, I think we can move to MUST NOT, and we can remove this reference at this point  [AI=TA]
> Specifcially: Reference removed here, and reinforced in section 10.5.
>
>     (c) Section 10.5.3.  I concur with the SECDIR recommendation and the follow-up
>     discussion with Andrej Ota per
>     https://mailarchive.ietf.org/arch/msg/secdir/UgtsSfh1RaauNoMRi87FRqtI0YI which
>     would: s/stronger authentication/less weak/
>
> TA> Agreed, We will update [AI=TA]
>
> Section 10.5.3., paragraph 1:
> OLD:
>
>     To help TACACS+ administraots select the stronger authentication
>     options, TACACS+ servers MUST allow the administrator to configure
>     the server to only accept challenge/response options for
>     authentication (TAC_PLUS_AUTHEN_TYPE_CHAP or
>     TAC_PLUS_AUTHEN_TYPE_MSCHAP or TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 for
>     authen_type).
>
> NEW:
>
>     To help TACACS+ administrators select less weak authentication
>     options, TACACS+ servers MUST allow the administrator to configure
>     the server to only accept challenge/response options for
>     authentication (TAC_PLUS_AUTHEN_TYPE_CHAP or
>     TAC_PLUS_AUTHEN_TYPE_MSCHAP or TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 for
>     authen_type).
>
>     (2) Section 10.2.  I’m confused by the deprecation of
>     TAC_PLUS_AUTHEN_STATUS_FOLLOW but a seemingly weaker “SHOULD NOT be used in
>     modern deployments”.  I was expecting a MUST NOT.
>
> TA> Agreed, We will update [AI=TA]
> Section 10.2., paragraph 2:
> OLD:
>
>     This document deprecates the redirection mechanism using the
>     TAC_PLUS_AUTHEN_STATUS_FOLLOW option which was included in the
>     original draft.  As part of this process, the secret key for a new
>     server was sent to the client.  This public exchange of secret keys
>     means that once one session is broken, it may be possible to leverage
>     that key to attacking connections to other servers.  This mechanism
>     SHOULD NOT be used in modern deployments.  It MUST NOT be used
>     outside a secured deployment.
>
> NEW:
>
>     This document deprecates the redirection mechanism using the
>     TAC_PLUS_AUTHEN_STATUS_FOLLOW option which was included in the
>     original draft.  As part of this process, the secret key for a new
>     server was sent to the client.  This public exchange of secret keys
>     means that once one session is broken, it may be possible to leverage
>     that key to attacking connections to other servers.  This mechanism
>     MUST NOT be used in modern deployments.  It MUST NOT be used outside
>     a secured deployment.
>
>     (3) Section 10.4.  Why shouldn’t accounting sessions also use secure transport
>     per 10.5 (like 10.3 and 10.4) given the risks outlined in the text?  I was
>     expecting to see this section open with “Accounting Session SHOULD be used via
>     a secure transport (see Best Practices section (Section 10.5))".
>
> TA> We’ll bring this in line [AI=TA]
> Specifically:
>
> Section 10.4., paragraph 1:
> OLD:
>
>     Accounting sessions are not directly involved in authentication or
>     authorizing operations on the device.  However, man-in-the-middle
>     attacker may do any of the following:
>
> NEW:
>
>     Accounting sessions SHOULD be used via a secure transport (see Best
>     Practices section (Section 10.5).  Although Accounting sessions are
>     not directly involved in authentication or authorizing operations on
>     the device, man-in-the-middle attacker may do any of the following:
>
>
> Section 10.4., paragraph 2:
> OLD:
>
>        Replace accounting data with new valid or garbage which prevents
>        to provide distraction or hide information related to their
>        authentication and/or authorization attack attempts.
>
> NEW:
>
>        Replace accounting data with new valid or garbage which can
>        confuse auditors or hide information related to their
>        authentication and/or authorization attack attempts.
>
>     ----------------------------------------------------------------------
>     COMMENT:
>     ----------------------------------------------------------------------
>
>     (1) Editorial Nits:
>
>     ** Section 10.5.3.  Typo.  s/administraots/administrators/
>     ** Global.  Various places in the document have an extra space between the end
>     of a reference and the closing period.  Recommend: s/] ./]./g
>
> TA> Thanks, will fix [AI=TA]
>
>     (2) I endorse Mirja and Deborah’s point that strong text is needed in Section 1
>     to state that this document is describing the current deployment of the
>     protocol which has serious security issues.
>
> TA> Agreed, added to the introduction: [AI=TA]
>
> Specifically added to introduction: "This did not address all of the
>     key security concerns which are considered when designing modern
>     standards.  Deployment must therefore be executed with care.  These
>     concerns are addressed in the security section (Section 10)."
>
>
>


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf