Re: [OPSAWG] Start of WGLC for TACACS+ document.
"Douglas Gash (dcmgash)" <dcmgash@cisco.com> Tue, 18 October 2016 07:12 UTC
Return-Path: <dcmgash@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C46112950E for <opsawg@ietfa.amsl.com>; Tue, 18 Oct 2016 00:12:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.952
X-Spam-Level:
X-Spam-Status: No, score=-14.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id juArkRpvErOW for <opsawg@ietfa.amsl.com>; Tue, 18 Oct 2016 00:12:01 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E89D51294F3 for <OpsAWG@ietf.org>; Tue, 18 Oct 2016 00:12:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11342; q=dns/txt; s=iport; t=1476774720; x=1477984320; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=ceAC1iJuXliuFReAcZsmZwHXZpXYebLq8OvmhzsnLNg=; b=R8ySsh0PGKYqyAQsCi2fnGbm+uZUZqn09SJvjY6IMLxi1v8WSea99Rcr pFdhTioJBqp72qF0wJxk6xnZpRvMRLWXBN+o9Dp5xwuykRX6DqqviHKwR AEFt6xLGgW1U1qtwt8ZoAqs+vJuT6imRJgsZEnmLP7GiFHZ3KPGO2L5H0 I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DgAQDnyQVY/51dJa1VBhsBAQEDAQEBCQEBAYM8AQEBAQEdgVMHjS2XBZIpgg+CCIJsgzYCgXI4FAECAQEBAQEBAV4nhGIBAQMBbAoDBQsCAQgwFjIlAgQBDQWISgjCPgEBAQEBAQEBAQEBAQEBAQEBAQEBAR2LEoQxAgYVR4R0HQWOeosMAZADgW6EZ4M3hWmHEIVrg38BHjZSgnkGG1cBe3KGKIEugQABAQE
X-IronPort-AV: E=Sophos;i="5.31,508,1473120000"; d="scan'208";a="336205326"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Oct 2016 07:11:59 +0000
Received: from XCH-ALN-012.cisco.com (xch-aln-012.cisco.com [173.36.7.22]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id u9I7BxuU021816 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 18 Oct 2016 07:11:59 GMT
Received: from xch-aln-014.cisco.com (173.36.7.24) by XCH-ALN-012.cisco.com (173.36.7.22) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 18 Oct 2016 02:11:58 -0500
Received: from xch-aln-014.cisco.com ([173.36.7.24]) by XCH-ALN-014.cisco.com ([173.36.7.24]) with mapi id 15.00.1210.000; Tue, 18 Oct 2016 02:11:58 -0500
From: "Douglas Gash (dcmgash)" <dcmgash@cisco.com>
To: Alan DeKok <aland@deployingradius.com>, Warren Kumari <warren@kumari.net>
Thread-Topic: [OPSAWG] Start of WGLC for TACACS+ document.
Thread-Index: AQHSKQ7qMG5uxhlHFkmqhKxqAd3Cew==
Date: Tue, 18 Oct 2016 07:11:58 +0000
Message-ID: <D42B8955.199855%dcmgash@cisco.com>
References: <CAHw9_iK-1=Epr5CLAtFayd0Bss6oZrsDTfyox6y2SfPJAav78Q@mail.gmail.com> <5019ABA9-BB74-4C69-A455-12C17A2958CE@deployingradius.com> <E6C64895-F0C6-40B8-A687-4DC56590B22E@deployingradius.com> <638AC1BA-02A7-4346-8DC0-B7E762DA334D@deployingradius.com> <BC047888-9A6C-45F3-A418-FBE452EA6807@deployingradius.com> <D037C608-361F-439F-9AEA-5C6109565217@deployingradius.com>
In-Reply-To: <D037C608-361F-439F-9AEA-5C6109565217@deployingradius.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.8.160830
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.55.1.3]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <40B788FBA318DD4996DAD59436D5A4BD@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/xZGpLU1eXl2ZBzW6_fVNUaXZKvM>
Cc: "opsawg@ietf.org" <OpsAWG@ietf.org>, "draft-ietf-opsawg-tacacs-05@tools.ietf.org" <draft-ietf-opsawg-tacacs-05@tools.ietf.org>, "opsawg-chairs@tools.ietf.org" <OpsAWG-chairs@tools.ietf.org>
Subject: Re: [OPSAWG] Start of WGLC for TACACS+ document.
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 07:12:02 -0000
Many thanks Alan for the thorough review. We¹ll collate all your comments and respond shortly. On 12/10/2016 22:35, "Alan DeKok" <aland@deployingradius.com> wrote: > My $0.02 on the contents of the Security Considerations section. I'm >sure I've missed things. > > Please also comment if the suggestions here are wrong or unworkable. > >---- >9. Security Considerations > >The protocol described in this document has been in widespread use >since specified in "The Draft" (1998). However it does not meet >modern security standards, and faces vulnerabilities with privacy and >authenticity. > >This section describes issues with the TACACS+ specification, then the >protocol, deployments, followed by recommendations for implementations. > >Because of the security issues with TACACS+, the authors intend to >follow up this document with an enhanced specification of the >protocol employing modern security mechanisms. > > >9.1 Security of The Draft Specification > >TACACS+ was originally specified in "The Draft" (1998). However, this >draft is incomplete, and leaves key points unspecified. As a result, >software authors have had to make implementation choices about what >should, or should not, be done in certain situations. These >implementation choices are somewhat constrained by ad hoc >interoperability tests. That is, all TACACS+ clients and servers >interoperate, so there is a rough consensus on how the protocol works. > >While the authors have made every effort to maintain compatibility, >there is no guarantee, however, that this specification matches the >behavior of current or historical implementations. We believe that >any incompatibilites are due to modern security requirements. We >therefore suggest that implementors should read this document, and >verify that their implementations follow the security practices >recommended here. > > >9.2 Security of The Protocol > >The major security issue with the TACACS+ protocol is the ad hoc >"encryption" defined in Section 3.6. This "encryption" is more >properly called "obfuscation", and has had no security analysis. That >is, the security or insecurity of the protocol is entirely unknown. > >Attacks on cryptographic hashes are well known and are getting better >with time, as discussed in [RFC4270]. The security of the TACACS+ >protocol is dependent on MD5 [RFC1321], which has security issues as >discussed in [RFC6151]. It is not known if the issues described in >[RFC6151] apply to TACACS+. <<AD: lifted from RFC 6929 Section 11 >> > >The choice of encrypting the body but not the packet header is >unusual. The lack of security on the packet header means that an >attacker can modify the header without detection. > >For example, a "session_id" can be replaced by an alternate one, which >could allow an unprivileged administrator to "steal" the authorization >from a session for a privileged administrator. An attacker could also >update the "flags" field to indicate that one or the other end of a >connection requires TAC_PLUS_UNENCRYPTED_FLAG, which could remove what >little security is available. > >What little security that exists is dependent on implementations >limiting access to known clients, and on the strenght of the secret >key. Attacks who can guess the key or break the obfuscastion method >can gain unrestricted and undetected access to all TACACS+ traffic. >This access permits the attacker to execute any command on any system, >leaving the attacker in complete control of the network. The negative >side effects of such a successful attack cannot be overstated. > >9.2.1 Security of Authentication Sessions > >There are a number of security issues with authentication sessions. >As the sessions enable the exchange of clear-text passwords, an >attacker capable of observing the unencrypted traffic or breakign the >encrypted traffic, can gain complete network access. Similarly, >MSCHAPv1 and MS-CHAPv2 offer little additional security, while ARAP is >insecure and MUST NOT be used. As of the publication of this >document, there has been no similar attacks on the CHAP protocol. > >Section 4.4.3 permits the redirection of a session to another server >via the TAC_PLUS_AUTHEN_STATUS_FOLLOW mechanism. As part of this >process, the secret key for a new server can be sent to the client. >This public exchange of secret keys means that once one session is >broken, it may be possible to leverage that attack to attacking >connections to other servers. Section 9.4, below, has recommendations >for securing this portion of the protocol. > >9.2.2 Security of Authorization Sessions > >The primary issue with authorization sessions is that unauthenticated >authorization is allowed. Almost as bad, authorization is permitted >where authentication was done by a third party, such as with >TAC_PLUS_AUTHEN_METH_KRB5. This third party authentication is based >entirely on the client claiming that the user has been authenticated, >and the server trusting that request. This practice is entirely >insecure. > >There is also no way to cryptographically tie an authorization session >to a particular authentication session. That is, when the client >indicates "authen_method" in the packet header, the authentication and >authorization sessions are tied together implicitly by the contents of >the other fields, such as "use", "port", "rem_addr", etc. > ><<AD: it would be good for Section 5.1 to contain recommendations on >how the server can use these fields to tie together authentication / >authorization sessions. Perhaps recommend that all AAA include a >"task_id"? >> > >The specification allows for the exchange of attribute-value pairs. >While a few such attributes are defined here, the protocol is >extensible, and vendors can define their own attributes. There is no >registry for such attributes, and in the absence of a published >specification, no way for a client or server to know the meaning of a >new attribute. > >As a result, vendors SHOULD NOT define new attribute-value pairs, >unless such pairs are used only to communicate between client and >server implementations both written by the same vendor. > >The "cmd" and "cmd-arg" attributes define shell commands and >arguments, but does not specify what these are. The specific >commands, therefore, are undefined. > > >9.2.3 Security of Accounting Sessions > >The security considerations for accounting sessions are largely the >same as for authorization sessions. This section describes additional >issues specific to accounting sessions. > >There is no way in TACACS+ to signal that accounting is required. >There is no way for a server to signal a client how often accounting >is required. The accounting packets are received solely at the >clients discretion. Adding such functionality would assist with >auditing of user actions. > >The "task_id" field is defined only for accounting packets, and not >for authentication or authorization packets. As such, it is difficult >to correlate accounting data with a previous authentication or >authorization request. > ><<AD: re-use the recommendations suggested for Section 5.1, above? >> > > >9.4 Security of Deployments > >Due to the above concerns with the protocol, it is critical that it be >deployed in a secure manner. > >Systems using TACACS+ MUST be configured so that TACACS+ traffic is >secured. Any user or service who is not interacting with the TACACS+ >protocol MUST NOT be able to observe TACACS+ traffic, even when >TACACS+ "encryption" is used. > >When used inside of enterprises, TACACS+ traffic MUST be sent over >management networks. When used on the wider internet, TACACS+ traffic >MUST be secured via a modern security protocol such as TLS or IPSec. >As this specification describes the historic protocol, recommendations >on TLS and IPSec parameters are outside of the scope of this document. > > >9.4 Recommendations for Implementations > >The following recommendations are for clients and servers which >implement the TACACS+ protocol. These recommendations describe end >user interaction or user interface design. While not part of the >protocol itself, good designs can prevent insecure configurations. > >Clients and servers MUST default to rejecting all connections which >have the TAC_PLUS_UNENCRYPTED_FLAG set. Clients and servers MAY >permit such connections when a debugging or test flag is set. Clients >and servers MUST NOT run with this flag set in normal environments. > >Similarly, the default for both clients and servers MUST be to require >a secret key when configuring a new server or client. The secret key >MUST NOT be empty, and SHOULD be at least eight (8) characters in >length. Clients and servers SHOULD permit the user of keys unique to >each server or client which they are connecting to. They SHOULD warn >the administrator if a secret key is re-used. Documentation for >implementations SHOULD recommend the use of strong secret keys. > >Servers should maintain list of known clients, and reject connections >which originate from other systems. Servers SHOULD NOT permit the >configuration of wildcard clients. e.g. clients which map to a >network range. > >Where a client or server detects that the secret key is incorrect, it >SHOULD terminate the underlying TCP connection, and log a message to >the system administrator. There is no good reason to keep a >connection open when the systems are unable to communicate in a >meaningful fashion. > >Implementions MUST default to using TAC_PLUS_AUTHEN_TYPE_CHAP for >authentication. We recognize, however, that this authentication >method is incompatible with many password storage systems. As a >result, other authentication methods are still in the protocol, and >can be used so long as administrators recognize the security issues >with their use. > >Clients MUST default to treating TAC_PLUS_AUTHEN_STATUS_FOLLOW as if >TAC_PLUS_AUTHEN_STATUS_FAIL had been received instead. Clients >SHOULD allow administrators to explicitly enable the >TAC_PLUS_AUTHEN_STATUS_FOLLOW functionality. When the functionality >is enabled, clients SHOULD permit administrators to specify ranges of >addresses, and/or sets of hosts, along with corresponding secret keys, >for which redirection will be permitted. Clients SHOULD ignore >redirects to hosts which are outside of the pre-configured range or >list. Clients SHOULD ignore any key provided via >TAC_PLUS_AUTHEN_STATUS_FOLLOW, and SHOULD instead use a preconfigured >key for that host. > >For authorization, servers SHOULD default to requiring >TAC_PLUS_AUTHEN_METH_TACACSPLUS. Servers SHOULD track authentication >sessions via methods "to be described" in Section 5.1. > >Where a server receives an unknown attribute-value pair, it SHOULD >reply with TAC_PLUS_AUTHOR_STATUS_FAIL. Where a server receives an >unrecognized values in authorization attributes such as "cmd", >"cmd-arg", "acl", etc., the server SHOULD reply with >TAC_PLUS_AUTHOR_STATUS_FAIL. When a client receives an unknown >authorization attribute, it SHOULD behave as if it had received >TAC_PLUS_AUTHOR_STATUS_FAIL. >
- [OPSAWG] Start of WGLC for TACACS+ document. Warren Kumari
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. t.petch
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. t.petch
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Dan Romascanu
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Randy Bush
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)