Re: [OPSAWG] TACACS+ RFC: Regarding submission
"Black, David" <david.black@emc.com> Mon, 15 June 2015 21:15 UTC
Return-Path: <david.black@emc.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E4601B2A68 for <opsawg@ietfa.amsl.com>; Mon, 15 Jun 2015 14:15:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1g_uQd6OBs-e for <opsawg@ietfa.amsl.com>; Mon, 15 Jun 2015 14:15:08 -0700 (PDT)
Received: from mailuogwdur.emc.com (mailuogwdur.emc.com [128.221.224.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E70951B2A6A for <opsawg@ietf.org>; Mon, 15 Jun 2015 14:15:06 -0700 (PDT)
Received: from maildlpprd54.lss.emc.com (maildlpprd54.lss.emc.com [10.106.48.158]) by mailuogwprd53.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id t5FLF2Zn018382 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 15 Jun 2015 17:15:03 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd53.lss.emc.com t5FLF2Zn018382
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1434402903; bh=w1ukBhX3tefxshswJfRbw5C9MMU=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:MIME-Version; b=rd0UrGPc6uOIRvSpTpZhQ1fBDzVTnckPsmm56dOswHsyfqgd71Tw5wf72IRGVHlab iWnzjQwlWqQuxkSwgD7GdjEE43gVm9MqrwDvJJUqDUolfnUpTUfbD8kSUsL2K4S9mm SkP4LtgPItogA1WXYon+ouBWM3ArZ+h2nhcmJGVY=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd53.lss.emc.com t5FLF2Zn018382
Received: from mailusrhubprd51.lss.emc.com (mailusrhubprd51.lss.emc.com [10.106.48.24]) by maildlpprd54.lss.emc.com (RSA Interceptor); Mon, 15 Jun 2015 17:14:31 -0400
Received: from mxhub26.corp.emc.com (mxhub26.corp.emc.com [10.254.110.182]) by mailusrhubprd51.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id t5FLEimX024935 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 15 Jun 2015 17:14:45 -0400
Received: from MXHUB101.corp.emc.com (10.253.50.15) by mxhub26.corp.emc.com (10.254.110.182) with Microsoft SMTP Server (TLS) id 8.3.327.1; Mon, 15 Jun 2015 17:14:44 -0400
Received: from MX104CL02.corp.emc.com ([169.254.8.123]) by MXHUB101.corp.emc.com ([::1]) with mapi id 14.03.0224.002; Mon, 15 Jun 2015 17:14:43 -0400
From: "Black, David" <david.black@emc.com>
To: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] TACACS+ RFC: Regarding submission
Thread-Index: AQHQpQGbxfgfcV4DnUaXepkPf0DRU52pFiyAgAAlgmCABNJUAP//4kjw
Date: Mon, 15 Jun 2015 21:14:43 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949360B377E16@MX104CL02.corp.emc.com>
References: <D1A07A34.69BB3%dcmgash@cisco.com> <557AD5ED.3050003@cisco.com> <CE03DB3D7B45C245BCA0D243277949360B373C10@MX104CL02.corp.emc.com> <D1A4BE70.708EA%dcmgash@cisco.com>
In-Reply-To: <D1A4BE70.708EA%dcmgash@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.45.57]
Content-Type: multipart/alternative; boundary="_000_CE03DB3D7B45C245BCA0D243277949360B377E16MX104CL02corpem_"
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd51.lss.emc.com
X-RSA-Classifications: DLM_1, public
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsawg/jkST89BHhXg_1EwglS_RLHw2mF4>
Cc: Andrej Ota <aota@google.com>, Thorsten Dahm <thorstendlux@google.com>
Subject: Re: [OPSAWG] TACACS+ RFC: Regarding submission
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2015 21:15:15 -0000
Hi Doug,
> 2: Originally we were going to use a separate port, however, when the start-TLS mechanism was proposed this seemed more elegant, it seemed to be
> the precedent for other recent protocols that had TLS added (SMTP etc) and of course, meant that a new port did not need to be allocated. So the use of
> a separate port was deprecated because we believe that reusing the current was the "right thing to do".
In other words, use of a separate port for TACACS+ over TLS has already been considered, and the result is that
a single port with start-TLS seems like the "right thing to do" for TACACS+, which sounds like a fine conclusion to me.
> 3a: Registering the AV-Pairs with IANA: Certainly, makes sense. Just a sanity check though: it would be good to know the implications of doing this.
> In current deployments, many vendors freely use their own av-pairs. Would registering these with IANA this impose an overhead that we do not
> currently have, in vendors adding attributes?.
How do current deployments avoid collisions between av-pairs defined by different vendors, specifically two vendors using the same attribute name for different attributes? This can be avoided by using IANA registration as a low-overhead collision-avoidance mechanism. In RFC 5226 this is about the difference between "Private Use" (collisions possible) and "First Come First Served" (IANA registration prevents collisions) in Section 4.1:
https://tools.ietf.org/html/rfc5226#section-4.1
> 3b: Adding protocol constants to IANA: Certainly. However, most of these enumerations are part of the protocol and should really be locked (such as status,
> Authentication action etc) in order to achieve reasonable levels of interoperability. By registering with IANA, can we still provide sufficient control to ensure
> that they are not adversely adjusted?
Yes, by specifying a suitably restrictive allocation policy. RFC 6580 is a worked example where analogous constants from another protocol were put into IANA registries - the suitably restrictive "magic words" used there are:
Allocation Policy: Standards Action [RFC5226]
That allocation policy requires a standards-track RFC to make additions or changes, see Section 4.1 of RFC5226.
Thanks,
--David
From: Douglas Gash (dcmgash) [mailto:dcmgash@cisco.com]
Sent: Monday, June 15, 2015 12:44 PM
To: Black, David; opsawg@ietf.org
Cc: Thorsten Dahm; Andrej Ota
Subject: Re: [OPSAWG] TACACS+ RFC: Regarding submission
Hi David,
Many thanks for the review and the insightful comments!
1: Thanks, yes, we will add the security considerations section as suggested.
2: Originally we were going to use a separate port, however, when the start-TLS mechanism was proposed this seemed more elegant, it seemed to be the precedent for other recent protocols that had TLS added (SMTP etc) and of course, meant that a new port did not need to be allocated. So the use of a separate port was deprecated because we believe that reusing the current was the "right thing to do". This is exactly the right place to find out if we were correct! If there is any thought that we proceeded down the wrong path here, we will, of course, be happy to change.
3a: Registering the AV-Pairs with IANA: Certainly, makes sense. Just a sanity check though: it would be good to know the implications of doing this. In current deployments, many vendors freely use their own av-pairs. Would registering these with IANA this impose an overhead that we do not currently have, in vendors adding attributes?.
3b: Adding protocol constants to IANA: Certainly. However, most of these enumerations are part of the protocol and should really be locked (such as status, Authentication action etc) in order to achieve reasonable levels of interoperability. By registering with IANA, can we still provide sufficient control to ensure that they are not adversely adjusted?
4: Thanks yes, we will add/correct a reference to the original draft.
Many thanks!
(The doc authors collective).
From: <Black>, David <david.black@emc.com<mailto:david.black@emc.com>>
Date: Friday, 12 June 2015 20:37
To: Douglas Gash <dcmgash@cisco.com<mailto:dcmgash@cisco.com>>, "opsawg@ietf.org<mailto:opsawg@ietf.org>" <opsawg@ietf.org<mailto:opsawg@ietf.org>>
Subject: RE: [OPSAWG] TACACS+ RFC: Regarding submission
This generally seems like a good idea.
> However, included in the document is a new feature that we propose for discussion: Support for TLS using
> a new packet type allows the TACACS protocol to upgrade itself to a TLS tunnel. Please see section 3.6.2.
> This is added in a way that is intended not to interfere with any current implementations of TACACS+.
I think this feature is a good addition. The draft currently lacks a Security Considerations section - that would a good place to say that TLS is preferable to legacy TACACS encryption (3.6.1) *when there is a choice* and discuss the circumstances under which there is no choice (e.g., interoperability required with deployed systems).
Please consider the design alternative of using a separate port for TACACS-over-TLS (NB: "consider" *not* "change to"). There is no protocol-independent IETF consensus on whether separate ports should be used for secure and insecure variants of the same protocol, see section 7.4 of draft-ietf-tsvwg-port-use, currently at the RFC Editor:
https://tools.ietf.org/html/draft-ietf-tsvwg-port-use-11#section-7.4
Hence, using a single port is fine, and is preferable in the absence of other considerations, as one less port is used.
I also see no IANA Considerations section - at a minimum, the AVPs in Section 7 should be put into a new IANA registry, as that's an intended area of extensibility. I also see a number of lists of values in Sections 4-6 that may also benefit from being put into IANA registries if there's a reasonable possibility of future additions.
> TACACS+ is a protocol widely deployed, based upon a draft specification that Cisco submitted in 1998, but never completed to RFC status.
> The original draft has been tidied and lightly enhanced and resubmitted, with the intent to finally get it published as a standard.
Some sort of reference to that original draft should be provided. The current [TheDraft] reference to RFC 2200 for this purpose doesn't get that job done. It looks like that expired draft is draft-grant-tacacs-02. Is RFC 1492 also relevant?
Thanks,
--David
From: OPSAWG [mailto:opsawg-bounces@ietf.org] On Behalf Of Benoit Claise
Sent: Friday, June 12, 2015 8:52 AM
To: Douglas Gash (dcmgash); opsawg@ietf.org<mailto:opsawg@ietf.org>
Subject: Re: [OPSAWG] TACACS+ RFC: Regarding submission
For information, the draft is at: http://datatracker.ietf.org/doc/draft-dahm-opsawg-tacacs/
Regards, B;
Please note the following concerning the document content:
The majority of the document is a cleaned and tidied refresh of the original draft.
However, included in the document is a new feature that we propose for discussion: Support for TLS using a new packet type allows the TACACS protocol to upgrade itself to a TLS tunnel. Please see section 3.6.2. This is added in a way that is intended not to interfere with any current implementations of TACACS+.
Also, a note in relation to TACACS+ and RADIUS. Although the protocols were probably about equivalent in 1998, the addition of EAP and other enhancements mean that RADIUS is the default protocol for Network Access. By reviving the TACACS+ draft we have no intention of influencing this status quo. However, TACACS+ does have a continued and widely deployed use case for Device Administration. This is due to its strict separation of authorisation from authentication which allows per-command authorisation, and its TCP transport for allowing effective accounting. It is to support this use case that TACACS+ is proposed for progress to a standard, and informed the thoughts for the potential selection of a workgroup, however if this selection is misguided, please let us know.
Many thanks,
Regards,
Doug.
From: Douglas Gash <dcmgash@cisco.com<mailto:dcmgash@cisco.com>>
Date: Friday, 12 June 2015 08:23
To: "opsawg@ietf.org<mailto:opsawg@ietf.org>" <opsawg@ietf.org<mailto:opsawg@ietf.org>>
Cc: Thorsten Dahm <thorstendlux@google.com<mailto:thorstendlux@google.com>>, Andrej Ota <aota@google.com<mailto:aota@google.com>>, "Michael Keenan (mikeenan)" <mikeenan@cisco.com<mailto:mikeenan@cisco.com>>, "Satyanarayana Danda (sdanda)" <sdanda@cisco.com<mailto:sdanda@cisco.com>>, "John Delaney (jodelane)" <jodelane@cisco.com<mailto:jodelane@cisco.com>>
Subject: TACACS+ RFC
Hi,
TACACS+ is a protocol widely deployed, based upon a draft specification that Cisco submitted in 1998, but never completed to RFC status. The original draft has been tidied and lightly enhanced and resubmitted, with the intent to finally get it published as a standard.
The best fit that we could see was for the opsawg.
Many thanks,
Regards,
Doug.
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org<mailto:OPSAWG@ietf.org>
https://www.ietf.org/mailman/listinfo/opsawg
- [OPSAWG] TACACS+ RFC: Regarding submission Douglas Gash (dcmgash)
- Re: [OPSAWG] TACACS+ RFC: Regarding submission Benoit Claise
- Re: [OPSAWG] TACACS+ RFC: Regarding submission Black, David
- Re: [OPSAWG] TACACS+ RFC: Regarding submission Randy Bush
- Re: [OPSAWG] TACACS+ RFC: Regarding submission Douglas Gash (dcmgash)
- Re: [OPSAWG] TACACS+ RFC: Regarding submission Black, David