Re: [OPSAWG] Alissa Cooper's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Mon, 24 June 2019 05:59 UTC

Return-Path: <dcmgash@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31DC512028C; Sun, 23 Jun 2019 22:59:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=MrGJvV3x; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=jaHCYiHe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BtjHFmHrG1DG; Sun, 23 Jun 2019 22:59:43 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B623C12029A; Sun, 23 Jun 2019 22:59:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5096; q=dns/txt; s=iport; t=1561355983; x=1562565583; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=CRz3OUeavgah8vlH2AjYLJ/Gz6fy2geWb7Ou4pc6Unc=; b=MrGJvV3xZmrgUcS0g2C8PdPL39D0w4yuFlf6+7x2xgl5wA1Gh3PB2d5w GnvaOOxfdXSJE8xQZD8hQ5lFa6vUATyo+P9TIbpcC1z16ptW26gR5Ibo2 7F2mj+x+o7s5C5zVnFsPeTZD8vNS8wmWzGZIekskbGhCnN7QPZo3HYpNB 8=;
IronPort-PHdr: =?us-ascii?q?9a23=3A+7TP/BLT+YFgE3lVKNmcpTVXNCE6p7X5OBIU4Z?= =?us-ascii?q?M7irVIN76u5InmIFeBvad2lFGcW4Ld5roEkOfQv636EU04qZea+DFnEtRXUg?= =?us-ascii?q?Mdz8AfngguGsmAXEHwKfHjdCwSF8VZX1gj9Ha+YgBY?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AlAADnZRBd/4UNJK1kGwEBAQEDAQE?= =?us-ascii?q?BBwMBAQGBVAUBAQELAYFDUANqVSAECyiEFoNHA45hmhOBLhSBEANUCQEBAQw?= =?us-ascii?q?BASMKAgEBhEACF4JMIzUIDgEDAQEEAQECAQVtijcMhUsCBBIREQwBATcBDwI?= =?us-ascii?q?BCBoCJgICAjAVEAIEAQ0FIoMAAYFqAx0BDpdHAoE4iF9xgTGCeQEBBYFGQYJ?= =?us-ascii?q?zGIIRAwaBDCgBi10XgX+BECgfgkw+gmECAQIBgSoBEQIBBi+CczKCJotuEoJ?= =?us-ascii?q?OjU6NcQkCghSGTYkrg2obgiiHDY4SjEkJVIEvhgCPVAIEAgQFAg4BAQWBUgE?= =?us-ascii?q?1Z1gRCHAVZQGCQYJBN4M5hRSFP3IBgSiPCQEB?=
X-IronPort-AV: E=Sophos;i="5.63,411,1557187200"; d="scan'208";a="287811554"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Jun 2019 05:59:41 +0000
Received: from XCH-ALN-013.cisco.com (xch-aln-013.cisco.com [173.36.7.23]) by alln-core-11.cisco.com (8.15.2/8.15.2) with ESMTPS id x5O5xfFA020196 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 24 Jun 2019 05:59:41 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-ALN-013.cisco.com (173.36.7.23) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 24 Jun 2019 00:59:40 -0500
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 24 Jun 2019 00:59:40 -0500
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 24 Jun 2019 00:59:40 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CRz3OUeavgah8vlH2AjYLJ/Gz6fy2geWb7Ou4pc6Unc=; b=jaHCYiHekvaDCNLVAcB3ZnUGNj7jd7I9ioO7QUh13wBnBydGd1aDdi0dm23HKm5x/lqxeID6bzIElvRlQTAkObnMnbjb8XUy4a/Ly+343pivRSokw1rc5WUpeaywdlXxlBvCneILKLmmHI9QgC/YNhE1keb6ULpe+ePppRQy76Y=
Received: from DM5PR11MB1322.namprd11.prod.outlook.com (10.168.104.140) by DM5PR11MB1290.namprd11.prod.outlook.com (10.168.104.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Mon, 24 Jun 2019 05:59:39 +0000
Received: from DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::3167:9c96:1d74:4fcd]) by DM5PR11MB1322.namprd11.prod.outlook.com ([fe80::3167:9c96:1d74:4fcd%2]) with mapi id 15.20.2008.014; Mon, 24 Jun 2019 05:59:39 +0000
From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
CC: "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>, "Joe Clarke (jclarke)" <jclarke@cisco.com>, "opsawg-chairs@ietf.org" <opsawg-chairs@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
Thread-Index: AQHVKlICneP82Xn+3ECl55djXhZcIw==
Date: Mon, 24 Jun 2019 05:59:38 +0000
Message-ID: <9C7F99CA-193C-41F4-AE49-C56A1CB122CA@cisco.com>
References: <155794654061.30693.7206500631491410439.idtracker@ietfa.amsl.com>
In-Reply-To: <155794654061.30693.7206500631491410439.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.26.0.170902
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dcmgash@cisco.com;
x-originating-ip: [2001:420:c0e0:1006::4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e26a0f34-83d7-47fa-5164-08d6f86924c3
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR11MB1290;
x-ms-traffictypediagnostic: DM5PR11MB1290:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM5PR11MB129028E3D9B0225EA9DA6063B7E00@DM5PR11MB1290.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 007814487B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(136003)(366004)(39860400002)(396003)(189003)(199004)(51914003)(186003)(7736002)(68736007)(305945005)(486006)(76116006)(6246003)(66476007)(64756008)(66446008)(6116002)(66556008)(446003)(11346002)(2616005)(476003)(6512007)(6306002)(53936002)(14444005)(229853002)(76176011)(99286004)(102836004)(36756003)(6506007)(86362001)(91956017)(71200400001)(71190400001)(5660300002)(256004)(478600001)(73956011)(316002)(966005)(8936002)(53546011)(54906003)(6486002)(4326008)(46003)(58126008)(14454004)(66946007)(25786009)(8676002)(81166006)(6436002)(2906002)(81156014)(33656002)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1290; H:DM5PR11MB1322.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 69sJjyNLs+UOydLl9Et7nbY5aksNHfKy+KWDwlE1r+LkpiMLwc9lUnLGqbaO5a7OOzteAou9SaNG/dp7f7h0hZ10LZFffgPSo/iRbqolpnltpNMjJ4W1kCdR0Xg6XrkBvJhNOnpMeKXgiEAmO/hg3F68cf3xV2/nx5BF+mp/JI0VCEPhPZJKTnTvnyKFdtYfS3DkQCayeA7HWYbYRrm8q34swyxKKujk/qi0nkr86khJ+BT9eKSRisQ1zIE1Ve5VeJVPYVl4DsOGzMDZHyKUDkIRHLDL2K8rrhYTnPsWzLLMVSRW4/gFMLBBf/Ejn6xNtq+pgRm6eGEpk2Jg4b2U48Qd+uFKL+tZ8kcc/wt22KU2IE+cyU4D3t7AkTxw0fIaMWYcwsu7r0i7gw24IrqmNNMC2JGmHkU3XHvDqTdmvOg=
Content-Type: text/plain; charset="utf-8"
Content-ID: <B953248A685D004DA94E84A2E4597105@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e26a0f34-83d7-47fa-5164-08d6f86924c3
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jun 2019 05:59:38.9666 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dcmgash@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1290
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.23, xch-aln-013.cisco.com
X-Outbound-Node: alln-core-11.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/t0VAAks6ZN8pGNI7W1SQzILnTIg>
Subject: Re: [OPSAWG] Alissa Cooper's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2019 05:59:45 -0000

Many thanks for the comments.

Please see responses from authors inline, marked “TA”. Action items from this mail to update the document are marked: [AI-TA] to mean: “action item for the authors”.

On 15/05/2019, 19:55, "Alissa Cooper via Datatracker" <noreply@ietf.org> wrote:

    Alissa Cooper has entered the following ballot position for
    draft-ietf-opsawg-tacacs-13: Discuss
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/
    
    
    
    ----------------------------------------------------------------------
    DISCUSS:
    ----------------------------------------------------------------------
    
    (1) The Gen-ART reviewer Stewart Bryant (SB) asked the following:
    
         TAC_PLUS_PRIV_LVL_MAX := 0x0f
    
         TAC_PLUS_PRIV_LVL_ROOT := 0x0f
    
         TAC_PLUS_PRIV_LVL_USER := 0x01
    
         TAC_PLUS_PRIV_LVL_MIN := 0x00
    
    SB> Where are these defined?
    
    Please define the semantics of these values.

TA> Agreed,  will add definition [AI-TA]
    
    (2) Stewart also noted the following:
    
         TAC_PLUS_AUTHEN_TYPE_ASCII := 0x01
    
         TAC_PLUS_AUTHEN_TYPE_PAP := 0x02
    
         TAC_PLUS_AUTHEN_TYPE_CHAP := 0x03
    
         TAC_PLUS_AUTHEN_TYPE_ARAP := 0x04 (deprecated)
    
         TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05
    
         TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 := 0x06
    
    SB> There are lots of lists similar to the above.
    SB> I have not checked them all, but a number of the types
    SB> in this and subsequent parts of the design don't seem
    SB> to be defined or have a definitive reference
    
    The way I would say this is that the document seems to be written for people
    who have already deployed this protocol, and elides details that would make it
    comprehensible to a new implementor. But it also contemplates the prospect of
    new implementations. If new implementations are actually expected (which I was
    surprised about, but can believe), I agree with Stewart that each of the field
    values need a definition that explains its semantic. If new implementations are
    not expected, then the reference to new implementations should be removed.
    
TA> There  is  some coverage in  section: “5.4.2.  Common Authentication Flows”. The document does not help at all though as there is no reference from the enumeration to 5.4.2, we will add that. [AI-TA]


    (3) How is "secure deployment" defined? Since this is used as a restriction in
    several places, I think it needs to be defined precisely.
TA> Will define that early in the document. [AI-TA]
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    I agree with Deborah's comment, and would further suggest that the lack of
    modern security mechanisms in this protocol needs to be called out in the
    introduction, with a reference to Section 10.
TA> Agreed [AI-TA]

    Please respond to the Gen-ART review, which makes several suggestions for
    needed clarifications.
    
    In Section 2, please use the RFC 8174 boilerplate.
TA> Agreed [AI-TA]