IETF Logo Mail Archive

Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contributions, Status and Plans

Alan DeKok <aland@deployingradius.com> Tue, 23 May 2017 14:03 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCFD128C83; Tue, 23 May 2017 07:03:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6bs8vdVjzUyY; Tue, 23 May 2017 07:03:34 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 3F8941292F4; Tue, 23 May 2017 07:03:34 -0700 (PDT)
Received: from [192.168.20.47] (CPEf4cc552207f0-CM00fc8dce0fa0.cpe.net.cable.rogers.com [99.230.129.191]) by mail.networkradius.com (Postfix) with ESMTPSA id B2D5C2C5; Tue, 23 May 2017 14:03:32 +0000 (UTC)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <D545E6EC.235D3D%dcmgash@cisco.com>
Date: Tue, 23 May 2017 10:03:30 -0400
Cc: "opsawg@ietf.org" <opsawg@ietf.org>, "draft-ietf-opsawg-tacacs@ietf.org" <draft-ietf-opsawg-tacacs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <460D8E65-E5B1-4E32-9E5D-8965F2FB4F01@deployingradius.com>
References: <D53BBCC7.22ECC8%dcmgash@cisco.com> <61D9FC7A-6F10-44E6-8400-578C4FEE1988@deployingradius.com> <D53C62F4.22F82E%dcmgash@cisco.com> <E7D62944-46B9-4091-BF16-0AF8CA47626D@deployingradius.com> <fc8a1ff5-db6f-d463-8ff7-77ec03f1f25f@gmail.com> <006101d2cd9c$e8c0afe0$4001a8c0@gateway.2wire.net> <D53FAB1A.23396E%dcmgash@cisco.com> <010d01d2ce79$477ceda0$4001a8c0@gateway.2wire.net> <D5411107.2340EF%dcmgash@cisco.com> <632EB4D0-15C0-4BF7-9187-9AFCD7EDE306@ll.mit.edu> <D54116DA.23412A%dcmgash@cisco.com> <6B9DFA23-41BD-4896-B80C-EC0EAB51D5FD@deployingradius.com> <D545E6EC.235D3D%dcmgash@cisco.com>
To: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/tsb_vB75lkIr1Irnu5g8zeoYj-w>
Subject: Re: [OPSAWG] draft-ietf-opsawg-tacacs-06 Contributions, Status and Plans
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 14:03:37 -0000

On May 20, 2017, at 8:24 AM, Douglas Gash (dcmgash) <dcmgash@cisco.com> wrote:
>> If the field is unused, the spec should say the field is ignored, and
>> treated as if it did not exist.
> 
> Agreed, though I¹m not sure how an unused field would not be ignored,
> almost by definition,. The only circumstance I can think of where a field
> has data but is unused may not be ignored is for logging, are you thinking
> we should preclude such?

  No.  Nut the draft needs to say what to do.

  If the protocol has provisions for something to happen, then the draft needs to say what implementations should do when that thing happens.

  In this case, it should state that unused fields are ignored, and treated as if they were not present.

>> The original RADIUS RFC used a secret key, but didn't forbid a key of
>> zero length.  I ran into at least one vendor who didn't allow for the
>> entry of secret keys, and always set it to a zero-length string.  The
>> next rev of the RFC forbade that...
> 
> So I think the specification of secrets for obfuscated option is, as you
> say, critical, and will provide some guidance such as non-empty. Also will
> make sure we include that servers MUST support capability of secret per
> client-server tuple (see next comment).

  And it should suggest a minimum secret length.

> But I¹m not so sure what we should say about storage.

  "secret keys need to be kept secret". 

>> OK. And if there's still no username?
> 
> Do you mean, if client replies to the request to
> TAC_PLUS_AUTHEN_STATUS_GETUSER with an empty username. I would simply
> repeat the request in case it was a user error. We can document this. The
> protocol has a built-in limit of the number of interactions due to the
> seq_no, but implementations can limit interactions.
> 
> We can add this detail.

  Thanks.  My $0.02 is that the username SHOULD be in the first packet.  If not, it MUST be in the second packet.  If not, the session is broken, and the server returns ERROR.

  i.e. relying on the 256 packet limit for authentication is probably too lax.

...  RE: CHAP challenges and length
>> That reply make implementation-specific assumptions.  There are TACACS+
>> implementations which don't get the challenge from a third-party.
> 
> Just to clarify my comment: it is not an aspect of the processing of the
> T+ protocol that chooses the challenge. The protocol will get the
> challenge and response as pre-packaged unit.

   If the protocol transports data without looking at it, it's fine to treat that data as an opaque blob.  If the protocol looks at the data, the draft should have requirements on the data format.

   For an example, see:

https://tools.ietf.org/html/rfc2865#section-5.40

  The CHAP-Challenge attribute in RADIUS is defined to have at least 5 octets of challenge data.

> So I think we can demand that challenges be generated according to the
> spec for CHAP. But reaching into that spec to add our own criteria would,
> I think, be a mixing of concerns.

  Nope.  The TACACS+ server which authenticates the user should be secure by design.  This means rejecting zero-length challenges, and challenges which "too short".

  I would suggest that the challenges are a minimum of 8 octets in length.

... RE: password changes.
> Ok, I see what you mean. We can add the SHOULD not clause here.
> 
> Interesting though, as this is a significant use case for T+. Will be
> insteresting to see what the main objects were for why it was removed from
> RADIUS.

  It was insecure, and no one liked it.  The other reasons have been largely lost to time.

>>>   The START and STOP flags are mutually exclusive.  When the WATCHDOG
>>>   flag is set along with the START flag, it indicates that the update
>>>   record is a duplicate of the original START record.
>>> 
>>> * why would an update duplicate the original START record?  This seems
>>> redundant.
>>> [Well, here we are constrained by a clear definition form original
>>> draft.]
>> 
>> What does it mean, tho?  This document should say.  i.e. portions of
>> the protocol should not be left as "we have no idea what this means".
> 
> I think it is more a case of: it is redundant, but it was specified, so we
> cannot choose to change it to make it more efficient.

  It's not about being "more efficient".  It's about specifying what this means.

  I have no idea what it means to duplicate a START record.  Is the data in the second START the same?  Is it different?  What is done in either case?

  Again, you need to document the protocol.  I'm not sure this point is getting across.  If you don't know what a portion of the protocol means, then either find out and document it, or document that "this exists, but we have no idea what it is, what it does, and we don't recommend that people use it".

  Leaving portions of the protocol entirely undefined and implementation-defined is bad.

  In RADIUS, I've authored or co-authored about 4 RFCs fixing things which were missed or undefined, and which cause interoperability issues.  And I'm still finding things which are broken in the specs.  Two in the last month, in fact...

  If TACACS is to be a standard, it should be clear what portions are well defined, and what portions are "I dunno...".  That gives guidance for future drafts as to what works, and what needs fixing.

>>> * how often do the updates get sent?  Saying "implementation defined" is
>>> OK, but some recommendations would be good.  i.e. not more than 100x per
>>> second, and not less than 1 day apart (as extreme examples)
>>> [so lets stick with implementation defined, the range of T+ devices we
>>> see is so diverse and use cases are such that I would not like to
>>> constrain.]
>> 
>> It would be good to have recommendations.  e.g. "updates more than once
>> per second are NOT RECOMMEND, updates more than an hour apart are NOT
>> RECOMMENDED".
>> 
>> The goal is to guide implementors to choosing values which won't cause
>> problems for everyone else.
> 
> Sure, will recommend minimum of 5 seconds, but I¹m not sure we can specify
> an upper limit as it is not mandatory.

   It's always good to recommend best practices, even if the behaviour isn't mandatory.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email