IETF Logo Mail Archive

Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

Peter Marrinon <peter.marrinon@microsoft.com> Tue, 11 July 2023 02:09 UTC

Return-Path: <peter.marrinon@microsoft.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42848C17EB4C for <opsawg@ietfa.amsl.com>; Mon, 10 Jul 2023 19:09:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TVtrSl0xW1Ko for <opsawg@ietfa.amsl.com>; Mon, 10 Jul 2023 19:09:51 -0700 (PDT)
Received: from HK2P15301CU002.outbound.protection.outlook.com (mail-eastasiaazon11020020.outbound.protection.outlook.com [52.101.128.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62CCCC151087 for <opsawg@ietf.org>; Mon, 10 Jul 2023 19:09:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bM1rdRYppXDs7KDOwQeZHQw2Xuiao2qjyBmNL68slDIdxicf/CevWjmRWjrglL8CZD3foAGFj5tGNTawZbmTgNagVgxy2im/admMhroEB0FDVlBspNYQpWWGhtKp3BGmA2PHKkNSTJkC3LrGcrQOhxqPAjKyDSAYZuavOTDR9Q67j7HBsP/dI2mYp0xo3cTWVWi5H7r04GbnB540rZmZ2VIDobt/YRtBYGCVSakOvgQ6NaRiHg10Rv+PCVWbebBKhhGJ8yURWURIpeIVoEQFrGxPrE1AAoR10R33ztvkXcU9GDhRdvdnhpcJ7se0BBTA1346oIr49eRqI1gkLmBz8Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=SoFwEmqb2G3OLj6Y3uoiwyez2kzpGgn7T8T3BybdFC8=; b=Pzfp1wW1uEf3VU3NC4BwDg2VRgznOIaXaSz86/odaTZuC7sNoS+lor/O4cxJECX7hCsugIDOGHv8hLsHSk7QbN1EHAXsbbWoMHRrbsNtTZ+qeIO76MOjN18DfdqOjzmTaSDDb7aPZsH7fYQrypPPRlazYUmOEBSrygiwDm98uKW6rIKBrq8pXrR24j7BN9iV520+8WP6E/EL+3Pp7J8pj+2PRXwl9a4BR5f/Jh4vcCLJ3B0fj6PmRfNv3cc/dQvzFiUP9Jcjt06HgBGPcoJvGxxj0phjqq9RtSLpR8wgLU5nn+mJyA8DafjCq79b/JdKh7PiGzrzOhEPDatlGfB1VQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SoFwEmqb2G3OLj6Y3uoiwyez2kzpGgn7T8T3BybdFC8=; b=gEDRxPW3nqoJyc3d9/DbuieLNe85Moa5039gMjYuY6lA6ncZg1Z5S0t7c8A01RN4E9UhQX3Ic9TTLm8tkb8vSHZivqJIcnS2lFcKElAtxFZe3yPqizuFHT+9WhQip/RGAQaSZ4FEcmVyQ4MN/bY77ZRtdnV0y0PtAhcdo/FqALo=
Received: from PSBP153MB0373.APCP153.PROD.OUTLOOK.COM (2603:1096:301:b::7) by TYZP153MB0429.APCP153.PROD.OUTLOOK.COM (2603:1096:400:5::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6609.5; Tue, 11 Jul 2023 02:09:46 +0000
Received: from PSBP153MB0373.APCP153.PROD.OUTLOOK.COM ([fe80::69a3:173e:3cf9:630a]) by PSBP153MB0373.APCP153.PROD.OUTLOOK.COM ([fe80::69a3:173e:3cf9:630a%3]) with mapi id 15.20.6609.003; Tue, 11 Jul 2023 02:09:46 +0000
From: Peter Marrinon <peter.marrinon@microsoft.com>
To: "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt
Thread-Index: AQHZr07sXYnRbdut8EuQgCqQhRQDJa+rRUGAgAADw4CAAQ3nAIAHbsAA
Date: Tue, 11 Jul 2023 02:09:46 +0000
Message-ID: <PSBP153MB0373B53CC86D57CDD517025E9331A@PSBP153MB0373.APCP153.PROD.OUTLOOK.COM>
References: <168805050611.46147.7135705558590726585@ietfa.amsl.com> <BN9PR11MB537112089669BC32EF2C0772B82FA@BN9PR11MB5371.namprd11.prod.outlook.com> <DU2PR02MB10160503322FB68A7CBFA3988882FA@DU2PR02MB10160.eurprd02.prod.outlook.com> <BN9PR11MB5371BABF4EBC116C901D16F2B82FA@BN9PR11MB5371.namprd11.prod.outlook.com> <DU2PR02MB101606103DE6014B5A2AE7348882CA@DU2PR02MB10160.eurprd02.prod.outlook.com>
In-Reply-To: <DU2PR02MB101606103DE6014B5A2AE7348882CA@DU2PR02MB10160.eurprd02.prod.outlook.com>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_ContentBits=0; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Enabled=true; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Method=Privileged; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_Name=unrestricted_parent.2; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SetDate=2023-07-05T14:47:52.0000000Z; MSIP_Label_07222825-62ea-40f3-96b5-5375c07996e2_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=f985a0f9-a513-4a0f-881c-49e21a6d52be; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2023-07-11T00:53:44Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PSBP153MB0373:EE_|TYZP153MB0429:EE_
x-ms-office365-filtering-correlation-id: 058a1bf3-a9bd-46d9-abba-08db81b3e61a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DLmlzOr8jQbeS8PBwEb4B5XeworTyV42WabG2z1NWFFSOqnPRa/Unkf+jM5Sky6X3tD7EvMxOQLQw4NWn5BJM5Io0gwy3Pvy2lYDtpHyUREKhYatUWrM0exk9DgNpkUdG2QFAQo3NQsY7PLoaxZTnlX4DXTAoL7Ufr/TD3pKAGWnthoM5BY0W1YN+AhT/9gJ2CGsnCciUsRSWnPtMt6b7kUTFm1C92wOtExIcVtHJvjgAbVrpquIrypkx3aNzgoUW+i2MPU+G3Y+Fv0G/HK4grFyD6F50wRt6ehNPABIOAm/Lv2Z2lAg4idQlCM7nq930ZkKrpDeUQfOquwfFw3L5OZN9aDG7h1h+i0jufOCaJDanOmtY+w7TTce8CVhSnIrza7PGs3RhMPDwhzb5TDl+mXrsRd84oAzyKZc/5vCqh2g6Df9iYhfTBuSFt+MDgiOYUjf2UKUGNkOyAOPzU9BLOBw8o8YBnF4Lbgs6K41yaLf108NjfrNEsr2balC3VDf9vLA1+WaylOgnYAMlZ+Dlqv2pnxQVlmiYJpOZOqv1r+MdekCsv+Ctntep4P+myuZ3vaFMVU35KMcjzXK8xC/FHgqLJh6COfYEGwudEZnUwWYibT9ReUSP4z8sFiyftxtDvulHEWA01hCjQXZ5l131031gbPOorZh9GuRUOiZeNviz8or/oPT2N3q/GxtEnKOuuPJCRttHcpjbez9n2yaZs//oW5IunLOtXS59Mc5V+Q=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PSBP153MB0373.APCP153.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230028)(4636009)(136003)(376002)(346002)(396003)(366004)(39860400002)(451199021)(19627405001)(66899021)(9686003)(38070700005)(10290500003)(7696005)(478600001)(64756008)(66446008)(6916009)(8990500004)(66476007)(71200400001)(66556008)(41300700001)(316002)(66946007)(76116006)(6506007)(86362001)(83380400001)(26005)(53546011)(66574015)(186003)(966005)(82960400001)(82950400001)(122000001)(99936003)(38100700002)(166002)(52536014)(2906002)(30864003)(9326002)(8676002)(5660300002)(8936002)(55016003)(44832011)(33656002)(579004)(19607625013); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: IM6gTcubBTLuyWljlkALka+8iDKQCort4Ez73zK74mbMkQOQqQnmUd+tVjmxnQ0/6sz7qTSQLcw4kiYYB+wrqo/F6+FRuoOHmuwGeVwSwz47ig3pHcZOGgFpsc6W5pS7Q0FnU5BVhJ5YDokJPV4/xJY0C1b+KwaqHEN6UO+KheHtDNUaAkn5BoGmVpb4ovqNhc1G70BA4iqgw4COWFlQ7xikgmfjBjwMIqXXSDk0bfgnmW8qjSHp8pWh7Gs7ndCiSr3OMZ6giRztj0uknfZJaMOSq6Esivli82kMi/y7y2xcAbxbnrWJ1XnQiJ7GJOtVIg5ccd6cLsUS7kRncEDj6v6W/DfXDfmHZcb+bKCjpNUBC0G3UASwKGbF+vyd6Ahs7jI/YhpJCW38BC3EVtfHdAk7WuotHyM3BrEBxsn0/rrKeoNoVUl6MQ0adMLprDRfEp2D5Llg7/Kf/L0TxRpCAEg4WglNZ58hFA6K771TGb21jUicTdB2g7jyKuhT50oQMls0n6njZVDKa4+jpDRBH75tPrGPolID8946gS6VQDNmyyTgczQYj58gzwkwBjkIyNQHAL4r7EMJ+0hJdMJNAGkW7zA2iXvyhCjeSAasquhZxmYl0kpBWWq8rVwbVDYaQki4onWT5r5IH/BoTeOiWcDH/hS4ta7fIt76R050ggkJ3qSSRkpyyvDlk7d05tZ3U1X/7zKBMLRh4gepSAiFUrVSsfvWdKwLtXHwDQdXeKgT6+cDDrgxe5jrTmeYgTJf559qGVrY7ZniwhXCDtsxi8RsOWnLFx3Fbx3iZ0O/SPUGdIiutzf0o2E95465IMCmrARahR/WtQ+3iqqWwPsBNnxH1mrPnUWAR7j2nxh5k0YaPBrnabcYw7q84nCuJQZKN5wERr4E7kG441k3RooxTXShyltou+gIKh6lvlrnVbe03K/gpUv2hMYPM5JQ1jVEM5wmNZDlRYt8f0mi5+xTNKMFoPXmuvibfXV8bXG49CTiYeM05e6iA5Dd5aUBPaR/hzjtBxOr1JUvzIMeG+woniSnL+ypx3F39bMnCSdN1X2F0o0rbpnjey5wWQjJcaZFaSCFudpS6te2KLAL2RAWd7bihBB9hKRDC6lSxD0Gr5F18BmqrhJXSZgoz2zRWj0zKbapm0Dwy7gNpaIjLjZdW2GcR8g6oMymMsk48B7nKSR9FNxvkoGYcr6Z50cEd9EppiVNyKTHCEkJKOQe10EZoLvWXoQsd8Fid063V7WArg+wrfirq3LePT9qG5DC0Znq2obf5Y/iaBib86rp3mmh6Hy7Dtn5qi+OKqUwA2BsNgysZzzNhs2eYHH/HUp5VZi22m9Ppmkzi9q1Oe7IDVzQIKWentnP80/D9NZfcw3ZafWuRK4cBNvicUYOfzpKyJqP9cPLF4Y74Rlf/MzJmrhcXKazPRXIIaFz5F3WyAvaoEkUNS4gOf1dQhsO9yEBUERLkdCvK8rNo8ODry+inLGwJf7bkYrbVCy0Y3TkYVDD/PdYvO5TXljuVpCiaBRlre6r
Content-Type: multipart/related; boundary="_004_PSBP153MB0373B53CC86D57CDD517025E9331APSBP153MB0373APCP_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PSBP153MB0373.APCP153.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 058a1bf3-a9bd-46d9-abba-08db81b3e61a
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2023 02:09:46.2330 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DFjoXj/xsbRftPo0DxxNxo+8E34nLAYp/8lAJkccFbMYYZqlSzqqQbFsLTHZuXBubadmxh1+AI2uVyXTqSQxdw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYZP153MB0429
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/rJL5ZjD-Nh15O_UMyejiCQNgs_A>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2023 02:09:53 -0000

Hello,

Thanks to the authors for their work on this.

This feedback is based on my own review and some comments from people in my team who will be implementing this in our internal TACACS+ system. Our issues are relatively minor; we generally believe we could take most of this standard and implement it as intended. The first four points highlight issues where the intent of wording was sufficiently unclear to cause confusion. The rest are mainly typos and minor clarity issues.


ISSUES THAT CAUSED CONFUSION

3.2 Based on some questions from a developer in my team, it may be beneficial to explicitly state that earlier versions of TLS MUST NOT be supported. I think the text implies it but explicitly stating it may stop someone also adding support for earlier versions.

3.2.1 Cipher Requirements: "The cipher suites offered or accepted SHOULD be configurable so that operators can adapt." It is slightly unclear what the operators are adapting. Is this meant to be "The cipher suites offered or accepted SHOULD be configurable by operators" or is there a subtlety I'm missing?

3.3 TLS identification: There does not appear to be any network location based validation methods in section 5.2 of RFC5425. Is it meant to be a reference to the using a wildcard with a domain?

6.1 TLS Use: "Unsecure Connections would be better served by separate Servers from the TLS Servers." It is not immediately obvious to me why this would be better than a good implementation on a single server that successfully manages TLS and unsecure connections in a way that prevents downgrade attacks. Some more context would be useful so that this sentence is interpreted as intended. If a recommendation is being made, perhaps "would be better served by" should be replaced by something with "MAY" in it.


TYPOS AND CLARITY

2.3 Peer: Change "the peer is the TACACS+ Server is the Client" to "the peer of the TACACS+ Server is the Client".

3 2. Peer Authentication: "The use of shared keys to add and remove the MD5 obfuscation..." in unclear.

3.2 TLS Connection: Missing full stop at end of third paragraph.

3.2.2.1 TLS Certificate Path Verification:
- Change "Path" to "path" in first sentence.
- Change "entire chain of the remote's certificate is stored on the local Peer" to "entire chain of the remote Peer's certificate is stored on the local Peer."
- Arguably the second paragraph is an operations consideration and should be removed or replaced by a reference to "6.4 Unreachable Certificate Authority (CA)". Alternatively, a cross reference could be added to the existing text.

6.1 TLS Use: "Redundant lists" and "Server lists" are undefined and used inconsistently. Possible rephrasing is: "When introducing TLS to TACACS+ within a network, there is likely to be a period where there is a mixture of TACACS+ servers and/or port combination that support TLS and those that do not. During this period, a mixture of the two types of servers in a single list of TACACS+ servers configured on a client SHOULD be minimised. After migration, the production deployment SHOULD NOT mix the two types of servers within a list configured on a client."

6.3. Downgrade attacks in TLS: missing "... in" after "options".

8. Discussion on Separate port vs Negotiated TLS: Change "it allows easy blocking the unobfuscated" to "it allows easy blocking of the unobfuscated".

I hope this is useful.

Regards,

Peter


Peter Marrinon
Principal Cloud Network Engineering Manager
Azure Networking
Office: +61 (2) 6122 4797
peter.marrinon@microsoft.com

[Microsoft Logo]

From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com
Sent: Thursday, July 6, 2023 5:24 PM
To: Joe Clarke (jclarke) <jclarke@cisco.com>; opsawg@ietf.org
Subject: [EXTERNAL] Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

Hi Joe, all,

Thanks.

I went and reviewed the spec in more detail. I'm afraid that simply pointing to that section in 7605 is not sufficient, especially that the spec:

  *   requests for a service name: which can be used to discover address/port used by a server
  *   asks for implementations to support a configuration knob to provide alternate port number.
  *   Assumes that the IP address of the server has to be configured anyway. One would argue that the port number can be configured as well.
  *   recommends to separate unsecure vs secure servers: which means that the recommended deployment is to expose distinct IP addresses, and hence no demultiplexing issues.

I think that many parts can be simplified by leveraging existing specs, mainly: RFC9325 and draft-ietf-uta-rfc6125bis. Also, some considerations about provisioning are worth to be covered (even if this would be tagged as out of scope).

FWIW, some more comments can be found at:

  *   pdf: https://github.com/boucadair/IETF-Drafts-Reviews/blob/master/draft-ietf-opsawg-tacacs-tls13-03-rev%20Med.pdf
  *   doc: https://github.com/boucadair/IETF-Drafts-Reviews/raw/master/draft-ietf-opsawg-tacacs-tls13-03-rev%20Med.doc

Hope this helps.

Many thanks to the authors for their effort to progress this spec.

Cheers,
Med

De : Joe Clarke (jclarke) <jclarke@cisco.com<mailto:jclarke@cisco.com>>
Envoyé : mercredi 5 juillet 2023 17:18
À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>; opsawg@ietf.org<mailto:opsawg@ietf.org>
Objet : Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

Fair point.  I was agreeing to the dedicated port for tacacss.  That said, I do believe tacacss meets the secure requirement set forth in 7605 with respect to creating a new, secure service that replicates and insecure service in a non-backwards compatible way.

That part of Section 7.1 should be cited as a justification for the assignment.

Joe

From: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>
Date: Wednesday, July 5, 2023 at 11:04
To: Joe Clarke (jclarke) <jclarke@cisco.com<mailto:jclarke@cisco.com>>, opsawg@ietf.org<mailto:opsawg@ietf.org> <opsawg@ietf.org<mailto:opsawg@ietf.org>>
Subject: RE: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt
Hi Joe, all,

On the port number point, I'm afraid that the arguments in Section 8 are more for justifying why distinct port numbers might be useful, not why a well-known port number has to be assigned. I would suggest to strengthen that part before making the request (see more in rfc6335#section-7.2 and also rfc7605#section-7).
Cheers,
Med

De : OPSAWG <opsawg-bounces@ietf.org<mailto:opsawg-bounces@ietf.org>> De la part de Joe Clarke (jclarke)
Envoyé : mercredi 5 juillet 2023 16:42
À : opsawg@ietf.org<mailto:opsawg@ietf.org>
Objet : Re: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

Thanks for the update on this document.  I've reviewed this new version in its entirety.  To summarize:


·         TACACS+ TLS will use a dedicated "tacacss" TCP port number

·         Obfuscation is prohibited by TACACS+ TLS compliant clients/servers (within the tunnel)

These were two issues I believe were discussion points in the WG.  As a contributor, I am convinced that both make sense for the reasons put forth in the draft.  Hopefully during the migration process, implementors won't forget the obfuscation on non-TLS sessions.

I like the migration section, but I am curious why, after migration, one would need any legacy servers at all (regardless of server lists).  I can see having my "DEVICE_ADMIN" T+ list having both TLS servers first followed by legacy servers while I sus out the stability of the new implementation.  But when I'm satisfied, I likely would remove the legacy servers altogether.  Moreover, at least with Cisco config, I assume I'd have each server defined with various TLS attributes and it wouldn't matter what list they are in.

I guess what I'm suggesting is dropping the second paragraph in Section 6.2 and saying something to the effect of, when migration from legacy, obfuscated T+ to T+ TLS, insecure and secure servers MAY be mixed in redundant service lists.  However, secure servers SHOULD be tried first before falling back to insecure servers.

As a nit, Indication is misspelled in Section 3.3.

As co-chair:


·         WG, please review this draft!

·         Authors, any thoughts to what port number to use for tacacss or whatever IANA can assign?  I'd like to see a few more reviews before pinging the ADs on early allocation.

·         Are there any implementations of this thus far?  If so having an Appendix for them would help.

Joe

From: OPSAWG <opsawg-bounces@ietf.org<mailto:opsawg-bounces@ietf.org>> on behalf of internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Date: Thursday, June 29, 2023 at 10:55
To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org> <i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>>
Cc: opsawg@ietf.org<mailto:opsawg@ietf.org> <opsawg@ietf.org<mailto:opsawg@ietf.org>>
Subject: [OPSAWG] I-D Action: draft-ietf-opsawg-tacacs-tls13-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories. This Internet-Draft is a work item of the Operations and
Management Area Working Group (OPSAWG) WG of the IETF.

   Title           : TACACS+ TLS 1.3
   Authors         : Thorsten Dahm
                     Douglas Gash
                     Andrej Ota
                     John Heasley
   Filename        : draft-ietf-opsawg-tacacs-tls13-03.txt
   Pages           : 12
   Date            : 2023-06-29

Abstract:
   The TACACS+ Protocol [RFC8907] provides device administration for
   routers, network access servers and other networked computing devices
   via one or more centralized servers.  This document, a companion to
   the TACACS+ protocol [RFC8907], adds Transport Layer Security
   (currently defined by TLS 1.3 [RFC8446]) support and obsoletes former
   inferior security mechanisms.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-tacacs-tls13-03

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org<mailto:OPSAWG@ietf.org>
https://www.ietf.org/mailman/listinfo/opsawg

____________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.

____________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.

v2.23.0 | Report a Bug | By Email