Re: [OPSAWG] Adam Roach's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Wed, 26 June 2019 04:30 UTC

Return-Path: <dcmgash@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2730E1205CF; Tue, 25 Jun 2019 21:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=P5GgU16N; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=JqPqwi6a
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jWbhiBrsm4N2; Tue, 25 Jun 2019 21:30:51 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AB63120608; Tue, 25 Jun 2019 21:30:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13200; q=dns/txt; s=iport; t=1561523451; x=1562733051; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=8pGpxXjptdmgw5t/ze8vgQygz8szVpzW3Ek2El89nwI=; b=P5GgU16NX3K02NY3+CjfiLobjuUXVJAAPX9wLh3uJMPRJAqGBimCCdhY kXoYLMOYcusCazxU2Pc6X17wskUFIHmXaxa/cJOIatBtnwEHIFOfJ91pi uv3uSy6M56XANNrewV2MfaFzxLMO1mpWGKNGeIbyCGrWbj5GLVqx/Dg8d o=;
IronPort-PHdr: =?us-ascii?q?9a23=3AKzq3Dx/wKk8FzP9uRHGN82YQeigqvan1NQcJ65?= =?us-ascii?q?0hzqhDabmn44+8ZB7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfk0jgZdYBUER?= =?us-ascii?q?oMiMEYhQslVcKODELyN/7CZC0hF8MEX1hgrDm2?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BxBQA19BJd/5RdJa1lHAEBAQQBAQc?= =?us-ascii?q?EAQGBZ4FEUANqVSAECyiEFYNHA45jgjYllzmBQoEQA1QJAQEBDAEBIwoCAQG?= =?us-ascii?q?EQAIXgl4jOBMBAwEBBAEBAgEFbYo3DIVLAQEDARIREQwBATcBDwIBCBoCEgI?= =?us-ascii?q?FDQICAjAVEAIEAQ0FGweDAAGBagMODwEOmmkCgTiIX3GBMYJ5AQEFgUZBgwA?= =?us-ascii?q?YghEDBoEMKIteF4F/gRABJwwTgkw+gmECAQIBgSoBDAUCAQgtMQcHgjQygia?= =?us-ascii?q?LdQ4EL4ISDYUciDONdAkCghWGUIRihE6DaxuCKYcOjhiMXkqBMIYHj1sCBAI?= =?us-ascii?q?EBQIOAQEFgWchZ1gRCHAVGksBgkGCQQcFFxSDOYUUhT9yAYEoi0AOFQKCLAE?= =?us-ascii?q?B?=
X-IronPort-AV: E=Sophos;i="5.63,418,1557187200"; d="scan'208";a="585664561"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Jun 2019 04:30:20 +0000
Received: from XCH-ALN-012.cisco.com (xch-aln-012.cisco.com [173.36.7.22]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id x5Q4UHMc016752 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 26 Jun 2019 04:30:18 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-ALN-012.cisco.com (173.36.7.22) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 25 Jun 2019 23:30:17 -0500
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 26 Jun 2019 00:30:16 -0400
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 25 Jun 2019 23:30:16 -0500
ARC-Seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=k904XC3uWOGEs6yb6T+Lp5gJyD9r3rdmu8oWfDBqrC0nbDuFQF0BMkF1LpFpaDhZcNLyLYzp1W6nHZJ3M+KxOY4Z1DIZrOt0s2TJM877cnglToNHLRyD8+V9WMlzUegkfplq7hB7lS/nKefJctUgNB51kbRFPlA5fZwxu39UsL4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8pGpxXjptdmgw5t/ze8vgQygz8szVpzW3Ek2El89nwI=; b=oaMyT04xEMMH2jHMY2/Mc1MrcW/KAWn6W5ZUwFpR0TapvU6ttKB6niTUULlX8S9dbI2KygLkTEC7zO/NpLmKs6QuH//Iw9EuA4Amxi98RsW/nCK98xnU7ZSP3pJ1B4Qk4gWxQyH4d7Ym23pycsquZKanChmaKbKi1oCalDwT2rA=
ARC-Authentication-Results: i=1; test.office365.com 1;spf=none;dmarc=none;dkim=none;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8pGpxXjptdmgw5t/ze8vgQygz8szVpzW3Ek2El89nwI=; b=JqPqwi6asVtfXo9WCNnU3oUHLvebpBrl5vS2wZABWmq9RbZqxLuqcILgoKmapF+U/NG+0k6F9MMGtzlT8bLhNu8e8XEK84m1DrU3+avLsCIACYq4dr9cDaxHzorULQNSNVhxTl5DMRCU5Dko0Ykwn2yFb9DksG73jaYpBsJggZ0=
Received: from DM5PR11MB1322.namprd11.prod.outlook.com (10.168.104.140) by DM5PR11MB1609.namprd11.prod.outlook.com (10.172.36.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Wed, 26 Jun 2019 04:30:15 +0000
Received: from DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::3167:9c96:1d74:4fcd]) by DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::3167:9c96:1d74:4fcd%2]) with mapi id 15.20.2008.018; Wed, 26 Jun 2019 04:30:15 +0000
From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: Adam Roach's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
Thread-Index: AQHVK9fZsmHKUlLZy0O9hlI5zblpvA==
Date: Wed, 26 Jun 2019 04:30:14 +0000
Message-ID: <22C9970D-7AA4-4509-BF0A-455DD157776B@cisco.com>
References: <155798668553.30465.3681431548982215622.idtracker@ietfa.amsl.com>
In-Reply-To: <155798668553.30465.3681431548982215622.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.26.0.170902
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dcmgash@cisco.com;
x-originating-ip: [2001:420:c0c0:1008::12e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0862b55a-c161-46bf-177e-08d6f9eefc53
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR11MB1609;
x-ms-traffictypediagnostic: DM5PR11MB1609:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM5PR11MB1609557817103B96F8601E09B7E20@DM5PR11MB1609.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00808B16F3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39860400002)(366004)(346002)(396003)(376002)(51914003)(199004)(189003)(54164003)(6512007)(14444005)(25786009)(73956011)(8936002)(46003)(8676002)(14454004)(316002)(256004)(66946007)(53546011)(110136005)(54906003)(11346002)(76176011)(2906002)(6506007)(2616005)(58126008)(6306002)(66476007)(66556008)(478600001)(64756008)(66446008)(81166006)(76116006)(81156014)(53936002)(7736002)(966005)(476003)(4326008)(71190400001)(6116002)(486006)(91956017)(68736007)(446003)(5660300002)(305945005)(86362001)(6486002)(99286004)(36756003)(33656002)(71200400001)(229853002)(6246003)(102836004)(6436002)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1609; H:DM5PR11MB1322.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: G7dUByGVgyzA+eFD2fbFOGrFduFViHlh5+nDRtqOKVuP8FQYQ1DaqiC7sm2k+1AUW+7VyBc6N7mbmSBdHHvbXsYFor2RF80WfVzj2rHewahX2SpH64H8kW5g0AEsQ3+Jel4w2x+XoIvccQRzfmFlAmQZDy57bqNgXT6YMg/hf2uFpeUB0bZTGG9ogrfDKgiaM5XTFt4zmI/s8tS//+UHRuj0MY/6iSi7J6MKv9T/aERQQcmXGkMQtrvmxYFHnd7lKTDGaom3L9Mh9mHo7f2d3LcKmY93A80nCOTH0bsZTJFazmw/Yjh8v1TT1sQk1BzWbqsyD/gp7s/sidqSog4zW1VnwgXjamzhe+T9eVTxbJeaiur1BICUkMqIIc2k4jY/u8Wac55HFT+df48/UkSXjwRGK/zI6/LDbTuSxxLBUEo=
Content-Type: text/plain; charset="utf-8"
Content-ID: <8B8A5EAA01A14646970F1617C1C58413@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0862b55a-c161-46bf-177e-08d6f9eefc53
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jun 2019 04:30:14.8378 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dcmgash@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1609
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.22, xch-aln-012.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/g9a8mEBqTCDftQWGqZEvM8xwG18>
Subject: Re: [OPSAWG] Adam Roach's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 04:30:54 -0000

Many thanks for the comments.

Please see responses from authors inline, marked “TA”. Action items from this mail to update the document are marked: [AI-TA] to mean: “action item for the authors”.

On 16/05/2019, 7:04, "Adam Roach via Datatracker" <noreply@ietf.org> wrote:

    Adam Roach has entered the following ballot position for
    draft-ietf-opsawg-tacacs-13: Discuss
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/
    
    
    
    ----------------------------------------------------------------------
    DISCUSS:
    ----------------------------------------------------------------------
    
    Thanks to everyone who has worked on documenting the TACACS+ protocol
    as it is used today.
    
    I understand the desire to publish this document as a status other than
    Historic, as the protocol remains in use today. However, the shortcomings
    cited in the "Security Considerations" section are quite profound, and
    really bear highlighting in the document way before we get into what is
    fundamentally end material.
    
    I have serious misgivings about publishing this document as anything
    other than Historic without some prominent text early in the document
    (e.g., in the Introduction section) that warns implementors of the
    several caveats detailed in section 10 and its subsections. They don't
    need to be explained here, but some language along the lines of the
    following really needs to be present in order to scope the document:
    
       Note that the original TACACS+ implementations did not address all of the
       baseline security concerns which are considered when designing modern
       protocols.  This document does not change this situation, and implementors
       should use caution when evaluating the suitability of TACACS+ for any given
       use.  Please see section 10 for additional details.

TA> Yes, there have been some comments  in this round about bring such warnings to the front of  the document, will action that.  [AI-TA]
    
    ---------------------------------------------------------------------------
    
    §4.6:
    
    >  To ensure interoperability of current deployments, the TACACS+ client
    >  and server MUST handle user fields and those data fields used for
    >  passwords as 8-bit octet strings.  The deployment operator MUST
    >  ensure that consistent character encoding is applied from the end
    >  client to the server.  The encoding SHOULD be UTF-8, and other
    >  encodings outside printable US-ASCII SHOULD be deprecated.
    
    Without specification of preparation profiles for usernames and passwords,
    this is an incomplete specification of how to transmit non-ASCII
    usernames and passwords. While there are other solutions, the easy
    way to address this is to normatively reference RFC 7613, and select
    one of its username preparation profiles, and indicate its password
    preparation profile.
    
    The most basic problem here is that I might create a username and/or password
    on a machine that uses one mapping for a non-ASCII character, and later try to
    log in on a machine that uses a different, but semantically equivalent,
    mapping for that same character. This is a clear interop issue.

TA> Thanks, the suggestion to reference RFC 7613 looks very sensible, we will look to take advantage of that work  [AI-TA]
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    
    ID Nits reports:
    
      ** Obsolete normative reference: RFC 1334 (Obsoleted by RFC 1994)
 TA> Agreed, will update [AI-TA]
    ---------------------------------------------------------------------------
    
    §2:
    
    >  The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
    >  "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
    >  document are to be interpreted as described in RFC 2119 RFC2119
    >  [RFC2119].
    
    Please use the boilerplate from RFC 8174.
TA> Agreed, will update [AI-TA]
    ---------------------------------------------------------------------------
    
    §4.3:
    
    >  The packet header contains the TAC_PLUS_SINGLE_CONNECT_FLAG used by
    >  the client and server to negotiate the use of Single Connect Mode.
    
    This is a bit jarring, as the document hasn't yet established the existence
    of a packet header, or of flag in that header. It might be better to pull
    section 4.8 earlier in the document -- at least before this sentence --
    so that readers have some context for understanding what's going on.
TA> Agreed, will revise this section [AI-TA]
    ---------------------------------------------------------------------------
    
    §4.7:
    
    >  Server implementations MUST allow a unique secret key to be
    >  associated with every client.
    
    Nit: "...with each client."
TA> Agreed, will update [AI-TA]
    ---------------------------------------------------------------------------
    
    §5.1:
    
    >  network address if the user is connected via a network, a caller ID
    >  is the user is connected via ISDN or a POTS
    
    Nit: "...if the user..."
TA> Agreed, will update [AI-TA]
    ---------------------------------------------------------------------------
    
    §5.4.2.1:
    
    Is the intention here to limit the characters in the user name and the
    password to be only those in the ASCII range? Section 4.6 would seem to
    indicate that this isn't the case, but the title of this section throws
    that into doubt. If the text in 4.6 is the guiding text here, perhaps
    section 5.4.2.1 should indicate that the term "ASCII" is used only for
    historical reasons, and that both usernames and passwords can contain
    UTF-8-encoded character strings.
TA> Agreed, this is ambiguous, will clarify.[AI-TA]
    ---------------------------------------------------------------------------
    
    §5.4.2.2:
    
    >  the data
    >  field MUST contain the PAP ASCII password.
    
    Same comment as for section 5.4.2.1, above.
TA> As above  [AI-TA]
    ---------------------------------------------------------------------------
    
    §5.4.2.3:
    
    >  defined in the PPP Authentication RFC RFC 1334 [RFC1334] and then
    >  compare that value with the response.
    
    Nit: "...and then compares..."
TA> Agreed, will update [AI-TA]    
    ---------------------------------------------------------------------------
    
    §5.4.2.7.  ASCII change password request
    
    Same comment as for section 5.4.2.1.
TA>Agreed, As above  [AI-TA]    
    ---------------------------------------------------------------------------
    
    §5.4.3:
    
    >  If this
    >  flag is set, the data portion of the message may contain an ASCII
    >  message explaining the reason for the abort.
    
    Does this mean "ASCII" or does it mean "UTF-8"? If it actually means
    "ASCII," then localization -- especially to localities that use
    non-latin-based alphabets -- will be incredibly challenging.
TA> It is a good point, the original spec will cause  problems for localization. We have a decision to either continue the backward compatibility with original draft, or to call out that localization is not possible, will work with WG to find a consensus path. [AI-TA]  
    ---------------------------------------------------------------------------
    
    §6.2 and §7.2:
    
    >  server_msg, server_msg_len
    >
    >  This is a printable US-ASCII string that may be presented to the
    >  user.
    >
    >  data, data_len
    >
    >  This is a printable US-ASCII string that may be presented on an
    >  administrative display, console or log
    
    Same comment as for section 5.4.3.
TA>Agreed, As above  [AI-TA]       
    ---------------------------------------------------------------------------
    
    §8.1:
    
    >  All attribute values are encoded as printable US-ASCII strings.  The
    >  following type representations SHOULD be followed
    ...
    >  String
    >
    >  Many values have no specific type representation and so are
    >  interpreted as plain strings.
    
    Same comment as for section 5.4.3.
 TA>Agreed, As above  [AI-TA]       
    ---------------------------------------------------------------------------
    
    §8.3:
    
    >  err_msg (String)
    >
    >  A printable US-ASCII string describing the status of the action.
    
    Same comment as for section 5.4.3.
TA>Agreed, As above  [AI-TA]           
    ---------------------------------------------------------------------------
    
    §10.5.3:
    
    >  To help TACACS+ administraots select the stronger authentication
    
    Nit: "...administrators..."
 TA> Agreed, will update [AI-TA]       
    ---------------------------------------------------------------------------