[OPSAWG] TACACS TLS 1.3 was Status of T+/TLS work

tom petch <ietfc@btconnect.com> Thu, 03 November 2022 16:54 UTC

To: heasley <heas@shrubbery.net>, "Joe Clarke (jclarke)" <jclarke@cisco.com>
CC: "draft-ietf-opsawg-tacacs-tls13@ietf.org" <draft-ietf-opsawg-tacacs-tls13@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Message-ID: <AM7PR07MB6248EEE3EB12EED0D6710887A0389@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <BN9PR11MB5371D855AE5B6031B1FAEEBDB8289@BN9PR11MB5371.namprd11.prod.outlook.com> <Y1GQBX+k4kv9W5ti@shrubbery.net> <BN9PR11MB5371FAD027509E566F37E4B9B8379@BN9PR11MB5371.namprd11.prod.outlook.com> <Y2AFKsOjGoBlWWpu@shrubbery.net>
In-Reply-To: <Y2AFKsOjGoBlWWpu@shrubbery.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/tw0flzvgRzbPCaiC9Bjc42GElrI>

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of heasley <heas@shrubbery.net>
Sent: 31 October 2022 17:26
To: Joe Clarke (jclarke)
Cc: heasley; draft-ietf-opsawg-tacacs-tls13@ietf.org; opsawg@ietf.org
Subject: Re: [OPSAWG] Status of T+/TLS work

Mon, Oct 31, 2022 at 04:59:33PM +0000, Joe Clarke (jclarke):
> Thanks for the summary, heas.
>
> I re-read the text, and, yes, you do cover a number of the situations (including potential ways to handle clients with TLS going forward).  On another doc I reviewed as part of the OPS DIR, it was decided that grouping text about (in that case) forward-looking considerations was worth it.
>
> In this case, the document is short, and perhaps that isn’t needed.  I defer to the general views of the WG and the authors on this.

Super; thanks!  I will publish the current version with the other fixes that
you requested later today.

<tp>

Looking back to see what has happened to get to where we are, I find a challenge.  One I-D, then two, name changes; comments seemingly posted against one I-D with the Subject: of the other, and nothing anywhere to say what has happened, how we got to where we are.

I see it as necessary for the TACACS.TLS13 I-D to record how it came into being.  The datatracker cannot cope with what has happened.  Nothing major, just this was first published as ... the WG decided to split the I-D into two, one for ... and the other for the addition of TLS13 and nothing more, the latter first appearing as .. and then as in..., filling the dots with the appropriate identifiers.

I would leave such a paragraph in the document permanently but suspect that the consensus will be to remove it from the RFC.

After this, I am not surprised to find that the terminology in the I-D is IMHO a nonsense.  There are repeated references to 'TCP/IP connections'; if only.  If we had them, then the Internet would be so much simpler, faster and more reliable; we could abolish several WGs and put them to work on something productive!  I trust you know what I mean.

More generally, I suspect that every reference to 'TCP/IP' is wrong.  For me, this needs fixing first before e.g. seeing if the challenges of TLS13 are met.  Terminology needs to be consistent but it also needs to be accurate.

The I-D does not say, but perhaps should, that nothing therein applies to TLS1.2.

Tom Petch