IETF Logo Mail Archive

Re: [OPSAWG] Start of WGLC for TACACS+ document.

Dan Romascanu <dromasca@gmail.com> Fri, 07 October 2016 05:51 UTC

Return-Path: <dromasca@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC0A7129447 for <opsawg@ietfa.amsl.com>; Thu, 6 Oct 2016 22:51:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VA-Xco6U2Qki for <opsawg@ietfa.amsl.com>; Thu, 6 Oct 2016 22:50:59 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ACEF127078 for <OpsAWG@ietf.org>; Thu, 6 Oct 2016 22:50:59 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id o68so34760164qkf.3 for <OpsAWG@ietf.org>; Thu, 06 Oct 2016 22:50:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8QSW0B8C47nVzxDL2B7UuO19mdZxUjiY1BAZFncpKCo=; b=hXm11QJet2TL+LQRqGk2PQjwl+vSZW8u+c27pkEwqUm1LYTGoTH58M23XBwoLzjZGR heceJBeCoRPRF4SD6NQi+6mqjYHqnVF6tCFQXYxBzArnqghZWxDzLn7m1PkvjnEZnxdI fgBqbt/Wau4oE9qaKgCV+3KKAQ8f9HJq9sqAb6Nwz4XIzWn9hN+jIEQdiL613LEvIVyx 4jxlaSU2hRBAJHfD9O2oPnbUKw3OcdTYsPhMlA8AYw0nl2KEsCx+U2JXlJHNkSKQVjUO xWdfc7ldTFITmv/e9PbDxQwp0MDboCPQ8ad4NIMNoHI9nFKGuqbylm8KdqLH2mE/pOo3 /jOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8QSW0B8C47nVzxDL2B7UuO19mdZxUjiY1BAZFncpKCo=; b=N2QDojDur5h8Z6HTkcAQ/6pz6cB50XX0kme5AoYinuGtj20J8oChphgk+HoL23B9RQ VqN08aWxn0QfpySdvc7UMy7cXSQg8twQrvsczpjcTxniJwnrdQppOH01uiy8aunGvFg7 4jiKMOneRDQEh/+c/UCL18pXEZiyOyQ9Raz2WruiCST+9onfsvd7xTAAmRU80QuiR8Sa CO8cvwrd8iEcpnUsp3Fke1oDtpBw2Y6+V74KdATAIPBhrfNErYiDvURs4nfnkGZvU8g5 j1MIGAQmw51p5jWI1iTo3pZC1BYqKMxfAWANJVWB/5y517WQF7KwBVZHaQJ/xkoOo7ZN KXhg==
X-Gm-Message-State: AA6/9RmnwQHKwdH5/E8635kS0VKd30n5ClNmMue20wosJViQoiV9f47z6kM5yY5QqQA3MnI3+LBagw4ONt5iHg==
X-Received: by 10.55.135.1 with SMTP id j1mr3865588qkd.46.1475819458386; Thu, 06 Oct 2016 22:50:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.21.228 with HTTP; Thu, 6 Oct 2016 22:50:57 -0700 (PDT)
In-Reply-To: <003101d21fed$6978cb80$4001a8c0@gateway.2wire.net>
References: <CAHw9_iK-1=Epr5CLAtFayd0Bss6oZrsDTfyox6y2SfPJAav78Q@mail.gmail.com> <5019ABA9-BB74-4C69-A455-12C17A2958CE@deployingradius.com> <E6C64895-F0C6-40B8-A687-4DC56590B22E@deployingradius.com> <025401d21fb8$71906e20$4001a8c0@gateway.2wire.net> <2769B0A9-00DE-41F8-9971-9C0AABDC8109@deployingradius.com> <003101d21fed$6978cb80$4001a8c0@gateway.2wire.net>
From: Dan Romascanu <dromasca@gmail.com>
Date: Fri, 07 Oct 2016 08:50:57 +0300
Message-ID: <CAFgnS4Xajfk=w6RXwTh3O0oS1ECYPECSO+bTwdiFDS1=N0w_+g@mail.gmail.com>
To: "t.petch" <ietfc@btconnect.com>
Content-Type: multipart/alternative; boundary="94eb2c073c1091feef053e3ffea4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/nQ56wVNu3F6ZfWqv3QD_HZod4p4>
Cc: "opsawg@ietf.org" <OpsAWG@ietf.org>, "opsawg-chairs@tools.ietf.org" <OpsAWG-chairs@tools.ietf.org>, draft-ietf-opsawg-tacacs-05@tools.ietf.org
Subject: Re: [OPSAWG] Start of WGLC for TACACS+ document.
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 05:51:03 -0000

FWIW - I agree with much of Alan's observation and with his approach here.
Documenting an existing protocol does not mean changing it. Asking for
changes in the content of the document (including more details about
implementation of parts of the protocols, and security implications of
deploying this technology in today's Internet) does not mean changing the
protocol. These are legitimate comments and IMO necessary changes to ask at
WGLC phase. Keeping 'changes to the minimum, omissions or contradictions
and those required  by the publication process' is not a WGLC goal.

Regards,

Dan

On Thu, Oct 6, 2016 at 7:19 PM, t.petch <ietfc@btconnect.com> wrote:

> ----- Original Message -----
> From: "Alan DeKok" <aland@deployingradius.com>
> Sent: Thursday, October 06, 2016 2:56 PM
>
>
> On Oct 6, 2016, at 6:00 AM, t.petch <ietfc@btconnect.com> wrote:
> > Alan is right to pick up on the style - philosophical - and the
> > security - lack of.
> >
> > But do we want to change it all at this time?
>
>   Please show where I'm trying to change the protocol.
>
> <tp>
>
> Alan
>
> You are not, and I did not mean to imply that you were.  I mean that
> your changes seem to me reflect a different approach, a different style
> which I do not see as that of the authors.  I see the existing style as
> unusual, but not wrong, and am content to leave it as is for an
> Informational RFC which documents what is, or perhaps what has been. You
> used the word 'philosophical' and I agreed.
>
> So I would keep changes to the minimum, omissions or contradictions and
> those required  by the publication process (such as splitting References
> into Informative and Normative).  It is, after all, WGLC.
>
> On Security, I would invite the chairs to ask for an early review by the
> Security Directorate, explaining the context of this document, asking
> them how much more is needed and how it should be expressed.  It might
> not be very much although my experience is that I never know in advance
> what they are going to come up with.
>
> Tom Petch
>
> > This is an Informational document describing the state of play as of
> > some time past, perhaps not as far back as 1997 but not for 2016.  It
> > would require many changes to make it a 2016 Standards Track document
> > but that is not what I see us doing except that is how I take Alan's
> > comments.
>
>   Then you're not reading my comments.
>
>   I would like to implement historical TACACS+.  I have *NO IDEA* what
> to do for huge swaths of the protocol.
>
>   I would like to deploy historical TACACS+. I have *NO IDEA* what the
> security implications are of using it.
>
> > The analogy I have in mind is when SSL v3 was published, long after it
> > had been superseded by anyone who took security seriously, but was
> > needed as an RFC to refer to, although it would not pass muster
> because
> > the security thereof was too weak.  It would not have met the
> standards
> > of the day but was published  despite that.
>
>   I'm not asking that the protocol be *fixed* in this document.  I'm
> asking that it be *documented*.  That shouldn't be hard to understand.
> I've been saying it for about a year now, for anyone who bothers to read
> my messages.
>
>   I'll note that RFC 6101 is "Category: Historic", and has substantial
> text about the security (or lack thereof) of the protocol.  It has
> substantial text about how the historical protocol works. I'm suggesting
> we do the same here.
>
>   I'm suggesting the the TACACS+ protocol be documented as designed, in
> sufficient detail that someone can read the document and create an
> inter-operable implementation.  I'm suggesting that the  TACACS+
> protocols security (or lack thereof) be documented.
>
>   Which is (so far as I'm aware) still IETF practice for informational
> specifications.
>
>   If the goal for the document is something else, fine.  Update the
> document to say that.   Something like:
>
>   "This document attempts to specify the historical TACACS+ protocol.
> However, there are many portions of the protocol which are
> under-specified or unspecified.  We cannot second-guess twenty years of
> practice here.  As a result, this specification is incomplete,
> under-specified, insecure, and should not be used by anyone to implement
> anything.  Please wait for the Standards track document to get the
> actual TACACS+ specification that people can implement".
>
>   If the document can be updated with such text, I'll withdraw all of my
> review comments.  But I predict that the document won't pass security
> area review.  And they'll make all of the same comments as I've made
> here, with a recommendation that the document not be published until
> it's fixed.
>
>   Alan DeKok.
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>

v2.23.0 | Report a Bug | By Email