Re: [OPSAWG] Barry Leiba's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS)

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Wed, 26 June 2019 04:33 UTC

From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Barry Leiba <barryleiba@computer.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Wed, 26 Jun 2019 04:33:49 +0000
Message-ID: <199F01D2-2C4F-477F-908A-00582F64A22E@cisco.com>
References: <155798342993.30658.12691604092353398933.idtracker@ietfa.amsl.com>
In-Reply-To: <155798342993.30658.12691604092353398933.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/iJsJzyV3v38FUq0qtkBIA9zxtdc>

Many thanks for the comments.

Please see responses from authors inline, marked “TA”. Action items from this mail to update the document are marked: [AI-TA] to mean: “action item for the authors”.

On 16/05/2019, 6:10, "Barry Leiba via Datatracker" <noreply@ietf.org> wrote:

    Barry Leiba has entered the following ballot position for
    draft-ietf-opsawg-tacacs-13: Discuss
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/
    
    
    
    ----------------------------------------------------------------------
    DISCUSS:
    ----------------------------------------------------------------------
    
    I support the DISCUSS ballots by Alexey and Roman, as well as the comments by
    Deborah and Alissa that more text be in the introduction about the status and
    limitations here.
    
    I also need to add to Alexey’s DISCUSS on 4.6, Text Encoding:
    
       To ensure interoperability of current deployments, the TACACS+ client
       and server MUST handle user fields and those data fields used for
       passwords as 8-bit octet strings.  The deployment operator MUST
       ensure that consistent character encoding is applied from the end
       client to the server.
    
    This is a mine field.  Treating passwords as raw octets without concern for
    encoding and normalization can cause authentication failures and can be used to
    attack systems where non-ASCII passwords are in use.
    
    Suppose I enter “crème brûlée” as my password. How that’s represented in UTF-8
    depends upon my input device, as there are at least two valid representations
    of each accented vowel.  Without normalization/canonicalization, passwords
    entered on different input devices might not match, blocking my access.  And we
    haven’t touched on bidirectional issues (mixing, say, Hebrew and English
    characters).
    
    The precis framework has detailed explanations of how to deal with usernames
    and passwords — see RFC 8265 (and, for the overall precis framework, RFC 8264).
    
TA> Thanks, we will take advantage of this work to help clarify the charset issues.  [AI-TA]

       The encoding SHOULD be UTF-8, and other
       encodings outside printable US-ASCII SHOULD be deprecated.
    
    This doesn’t make sense with respect to how we use “deprecated”.  You need to
    say “are deprecated”, meaning that we recommend against using them.  There’s no
    BCP 14 “SHOULD” involved here.

TA> Agreed, will resolve. [AI-TA]
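The "crème brûlée" case raised in the Discuss above, as an added example that is not part of the thread or the draft: the same password arrives as precomposed (NFC) or decomposed (NFD) UTF-8 depending on the input device, so a raw 8-bit octet comparison fails while a comparison after RFC 8265 OpaqueString-style preparation succeeds. The `opaque_string_prepare` helper is an assumption for illustration: it applies only the preparation steps relevant here (non-ASCII spaces mapped to ASCII space, NFC normalization, empty-string rejection) and is not a full PRECIS implementation.

```python
import hmac
import unicodedata

# Constructed sample: one password, "crème brûlée", as typed on two devices.
# Device A emits precomposed letters (NFC); device B emits base letter plus
# combining accent (NFD). Both are valid UTF-8 for the same visible string.
PW_PRECOMPOSED = "cr\u00e8me br\u00fbl\u00e9e"
PW_DECOMPOSED = "cre\u0300me bru\u0302le\u0301e"


def utf8_octets(s: str) -> bytes:
    """The 8-bit octet string the draft text tells implementations to handle."""
    return s.encode("utf-8")


def raw_octet_match(stored: str, presented: str) -> bool:
    """Compare passwords as raw octet strings, with no normalization.

    compare_digest keeps the comparison constant-time in the byte length.
    """
    return hmac.compare_digest(utf8_octets(stored), utf8_octets(presented))


def opaque_string_prepare(s: str) -> str:
    """Assumed, reduced OpaqueString preparation (RFC 8265 section 4.2):
    map non-ASCII space characters to U+0020, normalize to NFC, and reject
    an empty result. Width mapping and the other rules are not implemented.
    """
    mapped = "".join(" " if unicodedata.category(ch) == "Zs" else ch for ch in s)
    normalized = unicodedata.normalize("NFC", mapped)
    if not normalized:
        raise ValueError("password is empty after preparation")
    return normalized


def normalized_match(stored: str, presented: str) -> bool:
    """Prepare both sides the same way, then compare the resulting octets."""
    return hmac.compare_digest(
        utf8_octets(opaque_string_prepare(stored)),
        utf8_octets(opaque_string_prepare(presented)),
    )


if __name__ == "__main__":
    print("NFC octets:", utf8_octets(PW_PRECOMPOSED).hex())
    print("NFD octets:", utf8_octets(PW_DECOMPOSED).hex())
    print("raw match:", raw_octet_match(PW_PRECOMPOSED, PW_DECOMPOSED))
    print("normalized match:", normalized_match(PW_PRECOMPOSED, PW_DECOMPOSED))
```

The two encodings differ in length (15 versus 18 octets), so the raw comparison rejects a correctly typed password; the normalized comparison accepts it.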