Re: [OPSAWG] Adam Roach's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Wed, 26 June 2019 04:30 UTC
Return-Path: <dcmgash@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2730E1205CF; Tue, 25 Jun 2019 21:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=P5GgU16N; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=JqPqwi6a
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jWbhiBrsm4N2; Tue, 25 Jun 2019 21:30:51 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AB63120608; Tue, 25 Jun 2019 21:30:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13200; q=dns/txt; s=iport; t=1561523451; x=1562733051; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=8pGpxXjptdmgw5t/ze8vgQygz8szVpzW3Ek2El89nwI=; b=P5GgU16NX3K02NY3+CjfiLobjuUXVJAAPX9wLh3uJMPRJAqGBimCCdhY kXoYLMOYcusCazxU2Pc6X17wskUFIHmXaxa/cJOIatBtnwEHIFOfJ91pi uv3uSy6M56XANNrewV2MfaFzxLMO1mpWGKNGeIbyCGrWbj5GLVqx/Dg8d o=;
IronPort-PHdr: 9a23:Kzq3Dx/wKk8FzP9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+8ZB7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfk0jgZdYBUERoMiMEYhQslVcKODELyN/7CZC0hF8MEX1hgrDm2
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BxBQA19BJd/5RdJa1lHAEBAQQBAQcEAQGBZ4FEUANqVSAECyiEFYNHA45jgjYllzmBQoEQA1QJAQEBDAEBIwoCAQGEQAIXgl4jOBMBAwEBBAEBAgEFbYo3DIVLAQEDARIREQwBATcBDwIBCBoCEgIFDQICAjAVEAIEAQ0FGweDAAGBagMODwEOmmkCgTiIX3GBMYJ5AQEFgUZBgwAYghEDBoEMKIteF4F/gRABJwwTgkw+gmECAQIBgSoBDAUCAQgtMQcHgjQygiaLdQ4EL4ISDYUciDONdAkCghWGUIRihE6DaxuCKYcOjhiMXkqBMIYHj1sCBAIEBQIOAQEFgWchZ1gRCHAVGksBgkGCQQcFFxSDOYUUhT9yAYEoi0AOFQKCLAEB
X-IronPort-AV: E=Sophos;i="5.63,418,1557187200"; d="scan'208";a="585664561"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Jun 2019 04:30:20 +0000
Received: from XCH-ALN-012.cisco.com (xch-aln-012.cisco.com [173.36.7.22]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id x5Q4UHMc016752 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 26 Jun 2019 04:30:18 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-ALN-012.cisco.com (173.36.7.22) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 25 Jun 2019 23:30:17 -0500
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 26 Jun 2019 00:30:16 -0400
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 25 Jun 2019 23:30:16 -0500
ARC-Seal: i=1; a=rsa-sha256; s=testarcselector01; d=microsoft.com; cv=none; b=k904XC3uWOGEs6yb6T+Lp5gJyD9r3rdmu8oWfDBqrC0nbDuFQF0BMkF1LpFpaDhZcNLyLYzp1W6nHZJ3M+KxOY4Z1DIZrOt0s2TJM877cnglToNHLRyD8+V9WMlzUegkfplq7hB7lS/nKefJctUgNB51kbRFPlA5fZwxu39UsL4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=testarcselector01; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8pGpxXjptdmgw5t/ze8vgQygz8szVpzW3Ek2El89nwI=; b=oaMyT04xEMMH2jHMY2/Mc1MrcW/KAWn6W5ZUwFpR0TapvU6ttKB6niTUULlX8S9dbI2KygLkTEC7zO/NpLmKs6QuH//Iw9EuA4Amxi98RsW/nCK98xnU7ZSP3pJ1B4Qk4gWxQyH4d7Ym23pycsquZKanChmaKbKi1oCalDwT2rA=
ARC-Authentication-Results: i=1; test.office365.com 1;spf=none;dmarc=none;dkim=none;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8pGpxXjptdmgw5t/ze8vgQygz8szVpzW3Ek2El89nwI=; b=JqPqwi6asVtfXo9WCNnU3oUHLvebpBrl5vS2wZABWmq9RbZqxLuqcILgoKmapF+U/NG+0k6F9MMGtzlT8bLhNu8e8XEK84m1DrU3+avLsCIACYq4dr9cDaxHzorULQNSNVhxTl5DMRCU5Dko0Ykwn2yFb9DksG73jaYpBsJggZ0=
Received: from DM5PR11MB1322.namprd11.prod.outlook.com (10.168.104.140) by DM5PR11MB1609.namprd11.prod.outlook.com (10.172.36.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Wed, 26 Jun 2019 04:30:15 +0000
Received: from DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::3167:9c96:1d74:4fcd]) by DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::3167:9c96:1d74:4fcd%2]) with mapi id 15.20.2008.018; Wed, 26 Jun 2019 04:30:15 +0000
From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: Adam Roach's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
Thread-Index: AQHVK9fZsmHKUlLZy0O9hlI5zblpvA==
Date: Wed, 26 Jun 2019 04:30:14 +0000
Message-ID: <22C9970D-7AA4-4509-BF0A-455DD157776B@cisco.com>
References: <155798668553.30465.3681431548982215622.idtracker@ietfa.amsl.com>
In-Reply-To: <155798668553.30465.3681431548982215622.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.26.0.170902
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dcmgash@cisco.com;
x-originating-ip: [2001:420:c0c0:1008::12e]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0862b55a-c161-46bf-177e-08d6f9eefc53
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR11MB1609;
x-ms-traffictypediagnostic: DM5PR11MB1609:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM5PR11MB1609557817103B96F8601E09B7E20@DM5PR11MB1609.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00808B16F3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39860400002)(366004)(346002)(396003)(376002)(51914003)(199004)(189003)(54164003)(6512007)(14444005)(25786009)(73956011)(8936002)(46003)(8676002)(14454004)(316002)(256004)(66946007)(53546011)(110136005)(54906003)(11346002)(76176011)(2906002)(6506007)(2616005)(58126008)(6306002)(66476007)(66556008)(478600001)(64756008)(66446008)(81166006)(76116006)(81156014)(53936002)(7736002)(966005)(476003)(4326008)(71190400001)(6116002)(486006)(91956017)(68736007)(446003)(5660300002)(305945005)(86362001)(6486002)(99286004)(36756003)(33656002)(71200400001)(229853002)(6246003)(102836004)(6436002)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1609; H:DM5PR11MB1322.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: G7dUByGVgyzA+eFD2fbFOGrFduFViHlh5+nDRtqOKVuP8FQYQ1DaqiC7sm2k+1AUW+7VyBc6N7mbmSBdHHvbXsYFor2RF80WfVzj2rHewahX2SpH64H8kW5g0AEsQ3+Jel4w2x+XoIvccQRzfmFlAmQZDy57bqNgXT6YMg/hf2uFpeUB0bZTGG9ogrfDKgiaM5XTFt4zmI/s8tS//+UHRuj0MY/6iSi7J6MKv9T/aERQQcmXGkMQtrvmxYFHnd7lKTDGaom3L9Mh9mHo7f2d3LcKmY93A80nCOTH0bsZTJFazmw/Yjh8v1TT1sQk1BzWbqsyD/gp7s/sidqSog4zW1VnwgXjamzhe+T9eVTxbJeaiur1BICUkMqIIc2k4jY/u8Wac55HFT+df48/UkSXjwRGK/zI6/LDbTuSxxLBUEo=
Content-Type: text/plain; charset="utf-8"
Content-ID: <8B8A5EAA01A14646970F1617C1C58413@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0862b55a-c161-46bf-177e-08d6f9eefc53
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jun 2019 04:30:14.8378 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dcmgash@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1609
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.22, xch-aln-012.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/g9a8mEBqTCDftQWGqZEvM8xwG18>
Subject: Re: [OPSAWG] Adam Roach's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 04:30:54 -0000
Many thanks for the comments. Please see responses from authors inline, marked “TA”. Action items from this mail to update the document are marked: [AI-TA] to mean: “action item for the authors”. On 16/05/2019, 7:04, "Adam Roach via Datatracker" <noreply@ietf.org> wrote: Adam Roach has entered the following ballot position for draft-ietf-opsawg-tacacs-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks to everyone who has worked on documenting the TACACS+ protocol as it is used today. I understand the desire to publish this document as a status other than Historic, as the protocol remains in use today. However, the shortcomings cited in the "Security Considerations" section are quite profound, and really bear highlighting in the document way before we get into what is fundamentally end material. I have serious misgivings about publishing this document as anything other than Historic without some prominent text early in the document (e.g., in the Introduction section) that warns implementors of the several caveats detailed in section 10 and its subsections. They don't need to be explained here, but some language along the lines of the following really needs to be present in order to scope the document: Note that the original TACACS+ implementations did not address all of the baseline security concerns which are considered when designing modern protocols. This document does not change this situation, and implementors should use caution when evaluating the suitability of TACACS+ for any given use. Please see section 10 for additional details. TA> Yes, there have been some comments in this round about bring such warnings to the front of the document, will action that. [AI-TA] --------------------------------------------------------------------------- §4.6: > To ensure interoperability of current deployments, the TACACS+ client > and server MUST handle user fields and those data fields used for > passwords as 8-bit octet strings. The deployment operator MUST > ensure that consistent character encoding is applied from the end > client to the server. The encoding SHOULD be UTF-8, and other > encodings outside printable US-ASCII SHOULD be deprecated. Without specification of preparation profiles for usernames and passwords, this is an incomplete specification of how to transmit non-ASCII usernames and passwords. While there are other solutions, the easy way to address this is to normatively reference RFC 7613, and select one of its username preparation profiles, and indicate its password preparation profile. The most basic problem here is that I might create a username and/or password on a machine that uses one mapping for a non-ASCII character, and later try to log in on a machine that uses a different, but semantically equivalent, mapping for that same character. This is a clear interop issue. TA> Thanks, the suggestion to reference RFC 7613 looks very sensible, we will look to take advantage of that work [AI-TA] ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ID Nits reports: ** Obsolete normative reference: RFC 1334 (Obsoleted by RFC 1994) TA> Agreed, will update [AI-TA] --------------------------------------------------------------------------- §2: > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this > document are to be interpreted as described in RFC 2119 RFC2119 > [RFC2119]. Please use the boilerplate from RFC 8174. TA> Agreed, will update [AI-TA] --------------------------------------------------------------------------- §4.3: > The packet header contains the TAC_PLUS_SINGLE_CONNECT_FLAG used by > the client and server to negotiate the use of Single Connect Mode. This is a bit jarring, as the document hasn't yet established the existence of a packet header, or of flag in that header. It might be better to pull section 4.8 earlier in the document -- at least before this sentence -- so that readers have some context for understanding what's going on. TA> Agreed, will revise this section [AI-TA] --------------------------------------------------------------------------- §4.7: > Server implementations MUST allow a unique secret key to be > associated with every client. Nit: "...with each client." TA> Agreed, will update [AI-TA] --------------------------------------------------------------------------- §5.1: > network address if the user is connected via a network, a caller ID > is the user is connected via ISDN or a POTS Nit: "...if the user..." TA> Agreed, will update [AI-TA] --------------------------------------------------------------------------- §5.4.2.1: Is the intention here to limit the characters in the user name and the password to be only those in the ASCII range? Section 4.6 would seem to indicate that this isn't the case, but the title of this section throws that into doubt. If the text in 4.6 is the guiding text here, perhaps section 5.4.2.1 should indicate that the term "ASCII" is used only for historical reasons, and that both usernames and passwords can contain UTF-8-encoded character strings. TA> Agreed, this is ambiguous, will clarify.[AI-TA] --------------------------------------------------------------------------- §5.4.2.2: > the data > field MUST contain the PAP ASCII password. Same comment as for section 5.4.2.1, above. TA> As above [AI-TA] --------------------------------------------------------------------------- §5.4.2.3: > defined in the PPP Authentication RFC RFC 1334 [RFC1334] and then > compare that value with the response. Nit: "...and then compares..." TA> Agreed, will update [AI-TA] --------------------------------------------------------------------------- §5.4.2.7. ASCII change password request Same comment as for section 5.4.2.1. TA>Agreed, As above [AI-TA] --------------------------------------------------------------------------- §5.4.3: > If this > flag is set, the data portion of the message may contain an ASCII > message explaining the reason for the abort. Does this mean "ASCII" or does it mean "UTF-8"? If it actually means "ASCII," then localization -- especially to localities that use non-latin-based alphabets -- will be incredibly challenging. TA> It is a good point, the original spec will cause problems for localization. We have a decision to either continue the backward compatibility with original draft, or to call out that localization is not possible, will work with WG to find a consensus path. [AI-TA] --------------------------------------------------------------------------- §6.2 and §7.2: > server_msg, server_msg_len > > This is a printable US-ASCII string that may be presented to the > user. > > data, data_len > > This is a printable US-ASCII string that may be presented on an > administrative display, console or log Same comment as for section 5.4.3. TA>Agreed, As above [AI-TA] --------------------------------------------------------------------------- §8.1: > All attribute values are encoded as printable US-ASCII strings. The > following type representations SHOULD be followed ... > String > > Many values have no specific type representation and so are > interpreted as plain strings. Same comment as for section 5.4.3. TA>Agreed, As above [AI-TA] --------------------------------------------------------------------------- §8.3: > err_msg (String) > > A printable US-ASCII string describing the status of the action. Same comment as for section 5.4.3. TA>Agreed, As above [AI-TA] --------------------------------------------------------------------------- §10.5.3: > To help TACACS+ administraots select the stronger authentication Nit: "...administrators..." TA> Agreed, will update [AI-TA] ---------------------------------------------------------------------------
- [OPSAWG] Adam Roach's Discuss on draft-ietf-opsaw… Adam Roach via Datatracker
- Re: [OPSAWG] Adam Roach's Discuss on draft-ietf-o… Adam Roach
- Re: [OPSAWG] Adam Roach's Discuss on draft-ietf-o… Douglas Gash (dcmgash)
- Re: [OPSAWG] Adam Roach's Discuss on draft-ietf-o… Douglas Gash (dcmgash)