Re: [OPSAWG] Alissa Cooper's Discuss on draft-ietf-opsawg-tacacs-13: (with DISCUSS and COMMENT)

"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Mon, 24 June 2019 05:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/t0VAAks6ZN8pGNI7W1SQzILnTIg>

Many thanks for the comments.

Please see responses from authors inline, marked “TA”. Action items from this mail to update the document are marked: [AI-TA] to mean: “action item for the authors”.

On 15/05/2019, 19:55, "Alissa Cooper via Datatracker" <noreply@ietf.org> wrote:

    Alissa Cooper has entered the following ballot position for
    draft-ietf-opsawg-tacacs-13: Discuss
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs/
    
    
    
    ----------------------------------------------------------------------
    DISCUSS:
    ----------------------------------------------------------------------
    
    (1) The Gen-ART reviewer Stewart Bryant (SB) asked the following:
    
         TAC_PLUS_PRIV_LVL_MAX := 0x0f
    
         TAC_PLUS_PRIV_LVL_ROOT := 0x0f
    
         TAC_PLUS_PRIV_LVL_USER := 0x01
    
         TAC_PLUS_PRIV_LVL_MIN := 0x00
    
    SB> Where are these defined?
    
    Please define the semantics of these values.

TA> Agreed, will add a definition. [AI-TA]
    
    (2) Stewart also noted the following:
    
         TAC_PLUS_AUTHEN_TYPE_ASCII := 0x01
    
         TAC_PLUS_AUTHEN_TYPE_PAP := 0x02
    
         TAC_PLUS_AUTHEN_TYPE_CHAP := 0x03
    
         TAC_PLUS_AUTHEN_TYPE_ARAP := 0x04 (deprecated)
    
         TAC_PLUS_AUTHEN_TYPE_MSCHAP := 0x05
    
         TAC_PLUS_AUTHEN_TYPE_MSCHAPV2 := 0x06
    
    SB> There are lots of lists similar to the above.
    SB> I have not checked them all, but a number of the types
    SB> in this and subsequent parts of the design don't seem
    SB> to be defined or have a definitive reference
    
    The way I would say this is that the document seems to be written for people
    who have already deployed this protocol, and elides details that would make it
    comprehensible to a new implementor. But it also contemplates the prospect of
    new implementations. If new implementations are actually expected (which I was
    surprised about, but can believe), I agree with Stewart that each of the field
    values needs a definition that explains its semantics. If new implementations are
    not expected, then the reference to new implementations should be removed.
    
TA> There is some coverage in section “5.4.2. Common Authentication Flows”. The document does not help at all, though, as there is no reference from the enumeration to 5.4.2; we will add that. [AI-TA]


    (3) How is "secure deployment" defined? Since this is used as a restriction in
    several places, I think it needs to be defined precisely.
TA> Will define that early in the document. [AI-TA]
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    I agree with Deborah's comment, and would further suggest that the lack of
    modern security mechanisms in this protocol needs to be called out in the
    introduction, with a reference to Section 10.
TA> Agreed [AI-TA]

    Please respond to the Gen-ART review, which makes several suggestions for
    needed clarifications.
    
    In Section 2, please use the RFC 8174 boilerplate.
TA> Agreed [AI-TA]
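As an added illustration of why the enumeration semantics discussed above matter to a new implementor (this is example code, not from the draft or from anyone in this thread): a server-side decoder for the Authentication START body that accepts only the quoted privilege-level range and authentication-type values, and refuses the deprecated ARAP type. It assumes the START body layout from the draft (eight one-byte fields followed by user, port, rem_addr and data), that the 12-byte packet header has already been stripped and the body unobfuscated, and the action/service values in the sample are placeholders.

```python
import struct
from typing import NamedTuple

# Enumerations quoted in the ballot (names and values as given in the draft).
TAC_PLUS_PRIV_LVL_MAX = 0x0f
TAC_PLUS_PRIV_LVL_ROOT = 0x0f
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_PRIV_LVL_MIN = 0x00

AUTHEN_TYPES = {
    0x01: "TAC_PLUS_AUTHEN_TYPE_ASCII",
    0x02: "TAC_PLUS_AUTHEN_TYPE_PAP",
    0x03: "TAC_PLUS_AUTHEN_TYPE_CHAP",
    0x04: "TAC_PLUS_AUTHEN_TYPE_ARAP",      # marked deprecated in the draft
    0x05: "TAC_PLUS_AUTHEN_TYPE_MSCHAP",
    0x06: "TAC_PLUS_AUTHEN_TYPE_MSCHAPV2",
}
DEPRECATED_AUTHEN_TYPES = {0x04}


class AuthenStart(NamedTuple):
    action: int
    priv_lvl: int
    authen_type: str
    authen_service: int
    user: bytes
    port: bytes
    rem_addr: bytes
    data: bytes


def parse_authen_start(body: bytes) -> AuthenStart:
    """Decode a START body (header removed, unobfuscated) and reject
    undefined or deprecated enumeration values and inconsistent lengths."""
    if len(body) < 8:
        raise ValueError("START body shorter than its fixed 8-byte prefix")
    (action, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_addr_len, data_len) = struct.unpack("!8B", body[:8])
    expected = 8 + user_len + port_len + rem_addr_len + data_len
    if len(body) != expected:
        raise ValueError(f"length fields claim {expected} bytes, got {len(body)}")
    if not TAC_PLUS_PRIV_LVL_MIN <= priv_lvl <= TAC_PLUS_PRIV_LVL_MAX:
        raise ValueError(f"priv_lvl {priv_lvl:#x} outside MIN..MAX")
    name = AUTHEN_TYPES.get(authen_type)
    if name is None or authen_type in DEPRECATED_AUTHEN_TYPES:
        raise ValueError(f"authen_type {authen_type:#x} undefined or deprecated")
    off, fields = 8, []
    for n in (user_len, port_len, rem_addr_len, data_len):
        fields.append(body[off:off + n])
        off += n
    return AuthenStart(action, priv_lvl, name, authen_service, *fields)


def is_valid_start(body: bytes) -> bool:
    """Convenience wrapper: True if the body decodes cleanly."""
    try:
        parse_authen_start(body)
        return True
    except ValueError:
        return False


# Constructed sample: PAP login at priv_lvl USER for "alice" on "tty0".
# action=0x01 and authen_service=0x01 are placeholder values (assumption).
SAMPLE_BODY = (bytes([0x01, TAC_PLUS_PRIV_LVL_USER, 0x02, 0x01, 5, 4, 9, 6])
               + b"alice" + b"tty0" + b"192.0.2.1" + b"secret")
```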