Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt

"Joe Clarke (jclarke)" <jclarke@cisco.com> Thu, 30 June 2022 15:07 UTC

From: "Joe Clarke (jclarke)" <jclarke@cisco.com>
To: Alan DeKok <aland@deployingradius.com>, heasley <heas@shrubbery.net>
CC: "opsawg@ietf.org" <opsawg@ietf.org>, "Douglas Gash (dcmgash)" <dcmgash@cisco.com>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Date: Thu, 30 Jun 2022 15:07:18 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/xUwyNgI-uVv1MEc1yab15HHxNSU>

Thanks for your continued attention to this work, Alan.  Your insight is very much appreciated.</chair>

As a contributor, I rather like the simpler TLS encap over T+ approach described in the tls13 draft.  I’d personally not over-engineer something that isn’t immediately required.  T+ has been around for a while and is heavily used.  I don’t know that we need to spend time adding extensibility.

Joe

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of Alan DeKok <aland@deployingradius.com>
Date: Wednesday, June 29, 2022 at 17:34
To: heasley <heas@shrubbery.net>
Cc: opsawg@ietf.org <opsawg@ietf.org>, Douglas Gash (dcmgash) <dcmgash@cisco.com>, Andrej Ota <andrej@ota.si>, Thorsten Dahm <thorsten.dahm@gmail.com>
Subject: Re: [OPSAWG] I-D Action: draft-dahm-opsawg-tacacs-security-00.txt
On Jun 29, 2022, at 2:26 PM, heasley <heas@shrubbery.net> wrote:
> We have received no comments about this draft, which I presume means no
> technical objections exist.  So, I would like to ask the Chairs for an
> adoption call.

  I would suggest that ~3 weeks is a little too short a time frame to claim that there are no objections.   I'll point to the previous TACACS+ document, where there were multiple reviews which got addressed by the authors many months later.

  I'll also point to my earlier review of draft-dahm-tacacs-tls13-00.txt, where I had concerns with extending the 1990s style TACACS+ packet format.  The same concerns apply here.

  If we're going to extend TACACS+ by adding major new features, I would suggest that it's a priority to design these features correctly, the first time.  Experience shows that it is extremely difficult to extend fixed-field packet formats.  It's almost always better to use an extensible format, as with DHCPv4, DHCPv4, DNS options, YANG, RADIUS, Diameter, etc.

  Using a format with fixed fields now makes it more difficult to extend TACACS+ in the future.  There will just be one complex format added after another.  The alternative is instead to define an extensible format, in which case new extensions become trivial.

  Alan DeKok.


