Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

mohamed.boucadair@orange.com Thu, 06 July 2023 07:25 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/gXlDVPUU3AN2VB_Z8eiZ-jIHQ9c>

Hi Joe, all,

Thanks.

I went and reviewed the spec in more detail. I'm afraid that simply pointing to that section in 7605 is not sufficient, especially since the spec:

  *   requests a service name, which can be used to discover the address/port used by a server;
  *   asks implementations to support a configuration knob to provide an alternate port number;
  *   assumes that the IP address of the server has to be configured anyway. One would argue that the port number can be configured as well;
  *   recommends separating insecure and secure servers, which means that the recommended deployment is to expose distinct IP addresses, and hence there are no demultiplexing issues.

I think that many parts can be simplified by leveraging existing specs, mainly RFC9325 and draft-ietf-uta-rfc6125bis. Also, some considerations about provisioning are worth covering (even if this would be tagged as out of scope).

FWIW, some more comments can be found at:

  *   pdf: https://github.com/boucadair/IETF-Drafts-Reviews/blob/master/draft-ietf-opsawg-tacacs-tls13-03-rev%20Med.pdf
  *   doc: https://github.com/boucadair/IETF-Drafts-Reviews/raw/master/draft-ietf-opsawg-tacacs-tls13-03-rev%20Med.doc

Hope this helps.

Many thanks to the authors for their effort to progress this spec.

Cheers,
Med

From: Joe Clarke (jclarke) <jclarke@cisco.com>
Sent: Wednesday, July 5, 2023 17:18
To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; opsawg@ietf.org
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

Fair point.  I was agreeing to the dedicated port for tacacss.  That said, I do believe tacacss meets the secure requirement set forth in 7605 with respect to creating a new, secure service that replicates an insecure service in a non-backwards compatible way.

That part of Section 7.1 should be cited as a justification for the assignment.

Joe

From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
Date: Wednesday, July 5, 2023 at 11:04
To: Joe Clarke (jclarke) <jclarke@cisco.com>, opsawg@ietf.org <opsawg@ietf.org>
Subject: RE: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

Hi Joe, all,

On the port number point, I'm afraid that the arguments in Section 8 are more for justifying why distinct port numbers might be useful, not why a well-known port number has to be assigned. I would suggest strengthening that part before making the request (see more in rfc6335#section-7.2 and also rfc7605#section-7).
Cheers,
Med

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of Joe Clarke (jclarke)
Sent: Wednesday, July 5, 2023 16:42
To: opsawg@ietf.org
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

Thanks for the update on this document.  I've reviewed this new version in its entirety.  To summarize:

  *   TACACS+ TLS will use a dedicated "tacacss" TCP port number
  *   Obfuscation is prohibited by TACACS+ TLS compliant clients/servers (within the tunnel)

These were two issues I believe were discussion points in the WG.  As a contributor, I am convinced that both make sense for the reasons put forth in the draft.  Hopefully during the migration process, implementors won't forget the obfuscation on non-TLS sessions.

I like the migration section, but I am curious why, after migration, one would need any legacy servers at all (regardless of server lists).  I can see having my "DEVICE_ADMIN" T+ list having both TLS servers first followed by legacy servers while I suss out the stability of the new implementation.  But when I'm satisfied, I likely would remove the legacy servers altogether.  Moreover, at least with Cisco config, I assume I'd have each server defined with various TLS attributes and it wouldn't matter what list they are in.

I guess what I'm suggesting is dropping the second paragraph in Section 6.2 and saying something to the effect of, when migrating from legacy, obfuscated T+ to T+ TLS, insecure and secure servers MAY be mixed in redundant service lists.  However, secure servers SHOULD be tried first before falling back to insecure servers.

As a nit, Indication is misspelled in Section 3.3.

As co-chair:

  *   WG, please review this draft!
  *   Authors, any thoughts to what port number to use for tacacss or whatever IANA can assign?  I'd like to see a few more reviews before pinging the ADs on early allocation.
  *   Are there any implementations of this thus far?  If so, having an Appendix for them would help.

Joe
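A small checker for the two obfuscation points raised above, added here as an example and not code from the draft or from anyone in this thread: it builds TACACS+ packets with the RFC 8907 header layout and MD5 pseudo-pad obfuscation (RFC 8907 Section 4.5), then flags a packet that is obfuscated inside a TLS session or sent in cleartext on a legacy session. The function names, the shared secret and the session values are this example's own constructed inputs.

```python
"""Added example, not code from the draft or from anyone in this thread.

Builds TACACS+ packets with the RFC 8907 header layout and MD5 pseudo-pad
obfuscation (RFC 8907 Section 4.5), and checks the rule discussed above:
obfuscation is prohibited inside the TLS tunnel and must stay on for
legacy (non-TLS) sessions.  The function names, the shared secret and the
session values below are this example's own constructed inputs.
"""
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # RFC 8907 header flag: body is cleartext
# Header: version, type, seq_no, flags (1 byte each), session_id, length (4 bytes each)
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_VERSION = 0xC0  # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01   # packet type used by the sample below


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); the blocks are
    concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; calling it again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, seq_no, key):
    """key=None models a TLS session: cleartext body, UNENCRYPTED flag set.
    A bytes key models a legacy session: obfuscated body, flag cleared."""
    if key is None:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    else:
        flags, payload = 0, obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(payload))
    return header + payload


def check_packet(packet, over_tls):
    """Return 'ok', or a reason string, for the obfuscation policy above."""
    if len(packet) < HEADER.size:
        return "malformed: short header"
    _, _, _, flags, _, length = HEADER.unpack_from(packet)
    if len(packet) != HEADER.size + length:
        return "malformed: length field does not match body"
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if over_tls and not cleartext:
        return "violation: obfuscated body inside the TLS tunnel"
    if not over_tls and cleartext:
        return "violation: cleartext body on a legacy session"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: an authentication START body for user "alice" on port "pc1".
    body = b"\x01\x01\x01\x01\x05\x03\x00\x00alicepc1"
    legacy = build_packet(body, 0x12345678, 1, b"constructed-secret")
    tls = build_packet(body, 0x12345678, 1, None)
    print(check_packet(legacy, over_tls=False), "|", check_packet(legacy, over_tls=True))
    print(check_packet(tls, over_tls=True), "|", check_packet(tls, over_tls=False))
```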

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Thursday, June 29, 2023 at 10:55
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: opsawg@ietf.org <opsawg@ietf.org>
Subject: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Operations and
Management Area Working Group (OPSAWG) WG of the IETF.

   Title           : TACACS+ TLS 1.3
   Authors         : Thorsten Dahm
                     Douglas Gash
                     Andrej Ota
                     John Heasley
   Filename        : draft-ietf-opsawg-tacacs-tls13-03.txt
   Pages           : 12
   Date            : 2023-06-29

Abstract:
   The TACACS+ Protocol [RFC8907] provides device administration for
   routers, network access servers and other networked computing devices
   via one or more centralized servers.  This document, a companion to
   the TACACS+ protocol [RFC8907], adds Transport Layer Security
   (currently defined by TLS 1.3 [RFC8446]) support and obsoletes former
   inferior security mechanisms.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-tacacs-tls13-03

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

____________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.