Re: [OPSAWG] Submission of new version of TACACS+ TLS Spec (V4)

"Joe Clarke (jclarke)" <jclarke@cisco.com> Thu, 22 February 2024 19:15 UTC

From: "Joe Clarke (jclarke)" <jclarke@cisco.com>
To: "Douglas Gash (dcmgash)" <dcmgash=40cisco.com@dmarc.ietf.org>, "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "opsawg@ietf.org" <opsawg@ietf.org>
CC: John Heasly <heas@shrubbery.net>, Andrej Ota <andrej@ota.si>
Date: Thu, 22 Feb 2024 19:15:21 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/p-TpZIeIVU_pBhwnbHKG4aCv3_s>

Hello, Douglas (and other authors).  Seeing as we’re gearing up for IETF 119, I wanted to check to see when you might have a response and another version of the document planned in order to update the WG on progress.  Ultimately, this is the reason we did the original T+ informational draft, and I know there are interested parties in seeing this work progress.

Thanks.

Joe

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of Douglas Gash (dcmgash) <dcmgash=40cisco.com@dmarc.ietf.org>
Date: Thursday, January 25, 2024 at 10:22
To: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>, opsawg@ietf.org <opsawg@ietf.org>
Cc: John Heasly <heas@shrubbery.net>, Andrej Ota <andrej@ota.si>
Subject: Re: [OPSAWG] Submission of new version of TACACS+ TLS Spec (V4)
Hi,

Thanks for your further review.

We will check through your comments against the latest version and identify the missing items, then continue this thread on what their acceptable resolution could be.

Thanks,

The Authors.

From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
Date: Thursday, 25 January 2024 at 14:34
To: Douglas Gash (dcmgash) <dcmgash@cisco.com>, opsawg@ietf.org <opsawg@ietf.org>
Cc: John Heasly <heas@shrubbery.net>, Andrej Ota <andrej@ota.si>
Subject: RE: Submission of new version of TACACS+ TLS Spec (V4)
Hi Authors, all,

Many thanks for your effort on this document.

I managed finally to read the new version. I’m afraid that some of the comments in https://github.com/boucadair/IETF-Drafts-Reviews/blob/master/draft-ietf-opsawg-tacacs-tls13-03-rev%20Med.pdf were not addressed or at least I fail to see how they are.

For example, I still don’t think that we can separate the discussion of the port number from how the IP address of the server is configured. I still also think that the cipher suite discussion can be offloaded to RFC9325 (which btw should be cited as normative; also, please note that RFC7525 is now obsoleted by RFC9325).

Cheers,
Med

From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Douglas Gash (dcmgash)
Sent: Friday, 22 December 2023 17:54
To: opsawg@ietf.org
Cc: John Heasly <heas@shrubbery.net>; Andrej Ota <andrej@ota.si>
Subject: [OPSAWG] Submission of new version of TACACS+ TLS Spec (V4)

Dear OPSAWG,

Many thanks for all the comments on the Secure TACACS+ (TLS) draft v3.

We have submitted a revised doc which intends to address the concerns and comments. It is rather later than originally planned, our apologies for the delay. We will look forward to addressing the corresponding issues from this revision in a timelier manner.

Some brief notes regarding the broader topics raised in v3; all items, of course, are open for re-aligning as the group sees fit.

- Regarding the allocation of a specific port, a key motivation concerns the pervasive use of default ports in current configurations. Ensuring the client implementations work correctly with default ports now TLS is introduced, to minimise burden for operators whilst avoiding wrinkles with downgrade attacks does require said new default port to be allocated, and we will explicitly mention this in a new section in the new doc. We hope this should help account for our request for an allocated port.
- RFC9325 does look a timely reference, and we have tried to delegate what we can from the new TACACS+ doc to it.
- Tracking the discussion on the deprecation of obfuscation option inside TLS, our current reading is that:
  - All TLS traffic must NOT use obfuscation.
  - Setting the non-obfuscation option (TACACS has a flag for unencrypted) is mandatory for all TLS TACACS+ traffic.
  The aim is to avoid any ambiguity and to remove MD5 operations from this level of the protocol.

We hope we have addressed the raised issues, nits and ambiguities.

Best regards, the Authors.
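
The rule described in the message above (unencrypted flag mandatory, no obfuscation on TLS TACACS+ traffic), shown as a receiver-side header check. This is an added example, not part of the thread or of the draft; the header layout and flag value come from RFC 8907, while `check_tls_header`, its reject-on-violation policy and the sample packets are assumptions constructed for illustration.

```python
import struct

# Header layout and constants as defined in RFC 8907 (TACACS+).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_LEN = 12
PACKET_TYPES = {0x01: "authentication", 0x02: "authorization", 0x03: "accounting"}


class HeaderError(ValueError):
    """Malformed header, or a header that violates the TLS transport rule."""


def parse_header(data: bytes) -> dict:
    """Decode the fixed 12-byte TACACS+ header (network byte order)."""
    if len(data) < HEADER_LEN:
        raise HeaderError("truncated header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", data[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER:
        raise HeaderError("unexpected major version")
    if ptype not in PACKET_TYPES:
        raise HeaderError("unknown packet type")
    return {"type": PACKET_TYPES[ptype], "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def check_tls_header(data: bytes) -> dict:
    """Assumed receiver policy: on a TLS connection, refuse any packet whose
    unencrypted flag is clear, so the MD5 obfuscation path is never entered."""
    hdr = parse_header(data)
    if not hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        raise HeaderError("obfuscated packet received over TLS")
    return hdr


def sample_header(flags: int) -> bytes:
    """Constructed sample: authentication header, session 0x1234abcd, empty body."""
    return struct.pack("!BBBBII", 0xC0, 0x01, 1, flags, 0x1234ABCD, 0)


if __name__ == "__main__":
    print(check_tls_header(sample_header(TAC_PLUS_UNENCRYPTED_FLAG)))
    try:
        check_tls_header(sample_header(0x00))
    except HeaderError as exc:
        print("rejected:", exc)
```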

