Re: [OPSAWG] Start of WGLC for TACACS+ document.
Alan DeKok <aland@deployingradius.com> Wed, 05 October 2016 16:15 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3975129540 for <opsawg@ietfa.amsl.com>; Wed, 5 Oct 2016 09:15:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f76tbZ5058O3 for <opsawg@ietfa.amsl.com>; Wed, 5 Oct 2016 09:15:50 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 7D501129463 for <OpsAWG@ietf.org>; Wed, 5 Oct 2016 09:15:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.networkradius.com (Postfix) with ESMTP id AC67F1F38; Wed, 5 Oct 2016 16:15:49 +0000 (UTC)
Received: from mail.networkradius.com ([127.0.0.1]) by localhost (mail-server.vmhost2.networkradius.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 07yeP7Gz1SNZ; Wed, 5 Oct 2016 16:15:49 +0000 (UTC)
Received: from [192.168.100.59] (69-196-165-104.dsl.teksavvy.com [69.196.165.104]) by mail.networkradius.com (Postfix) with ESMTPSA id F045E172E; Wed, 5 Oct 2016 16:15:48 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAHw9_iK-1=Epr5CLAtFayd0Bss6oZrsDTfyox6y2SfPJAav78Q@mail.gmail.com>
Date: Wed, 05 Oct 2016 12:15:46 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <5019ABA9-BB74-4C69-A455-12C17A2958CE@deployingradius.com>
References: <CAHw9_iK-1=Epr5CLAtFayd0Bss6oZrsDTfyox6y2SfPJAav78Q@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/xjvUKh2LNNeYw-a4DrSKS1x4WCo>
Cc: "opsawg@ietf.org" <OpsAWG@ietf.org>, draft-ietf-opsawg-tacacs-05@tools.ietf.org, "opsawg-chairs@tools.ietf.org" <OpsAWG-chairs@tools.ietf.org>
Subject: Re: [OPSAWG] Start of WGLC for TACACS+ document.
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2016 16:15:53 -0000
Some comments. Mostly little nits and clarifications. The major points for me are related to security. The "Security Considerations" section is almost empty, and will certainly not pass a review from the security area. They will in all likelihood block publication until substantive comments have been added. ------ 3.3. Single Connect Mode The packet header (see below) contains a flag to allow sessions to be multiplexed on a connection. * it would be good to name the flag here. If the server sets this flag in the first reply packet in response to the first packet from a client, this indicates its willingness to support single-connection over the current connection. The server may set this flag even if the client does not set it, but the client is under no obligation to honor it. * what happens if the client does not honour the flag? The flag is only relevant for the first two packets on a connection, to allow the client and server to establish single connection mode. The flag MUST be ignored after these two packets since the single- connect status of a connection, once established, must not be changed. The connection must instead be closed and a new connection opened, if required. Why would it be required to change the mode? It would be good to explain the use-cases, and why (or not) they make sense. TAC_PLUS_UNENCRYPTED_FLAG := 0x01 If this flag is set, then body encryption is not used. If this flag is cleared, the packet is encrypted. Unencrypted packets are intended for testing, and are not recommended for normal use. * it would be good to have a pointer to the security considerations, with a discussion of the implications. * Also, it's odd that a completely insecure mode is just "not recommended for normal use". I would suggest more panic-inducing phrasing. e.g. ."Unencrypted packets offer a complete compromise of all security related to the protocol and MUST NOT be used outside of a testing environment" TAC_PLUS_SINGLE_CONNECT_FLAG := 0x04 This flag is ussequernt, ed to allow a client and server to agree whether multiple sessions may be multiplexed onto a single connection. * I find the "agree" phrasing odd. I've mentioned before that the tone of the document is often philosophical. Perhaps saying instead "this flag signals whether the client and server are capable of performing session multiplexing" * i.e. the flag is a signal, not a capability for the systems to agree. session_id The Id for this TACACS+ session. The session id is to be selected randomly. This field does not change for the duration of the TACACS+ session. (If this value is not a cryptographically strong random number, it will compromise the protocol's security, see RFC 1750 * it would be good to update the paragraph to be more prescriptive. i.e. The Id for this TACACS+ session. The session id MUST be taken fro a cryptographically strong random number generation. If not, the protocol's security will be compromised. See RFC 1750 for further information ... length The total length of the packet body (not including the header). This value is in network byte order. Packets are never padded beyond this length. * Why is the text on "padding" there? The TACACS+ packets are sent over TCP, not UDP. So any "padding" would be outside of the scope of the current packet, and be seen by the other end as a subsequent, but invalid, TACACS+ packet. 3.5 ... - Unused fixed length fields SHOULD have values of zero. * what happens when they don't? I suggest adding text saying that the fields are ignored. - There will be no padding in any of the fields or at the end of a packet. * I wonder again what "padding" means here. 3.6. Encryption The body of packets may be encrypted. ... * Which is not a standard encryption method. Security people will complain here. I suggest (as before) using the term "obfuscated". With a note that for historical reasons, the flags / fields / etc. refer to TACACS+ "encryption". ... This document does not discuss the management and storage of those keys. ... * there should be some discussion in the Security Considerations section about this. Otherwise, this subject will be brought up in the security review. ... It is an implementation detail of the server and client, as to whether they will maintain only one key, or a different key for each client or server with which they communicate. For security reasons, the latter options MUST be available, but it is a site dependent decision as to whether the use of separate keys is appropriate. * those sentences seem to disagree with each other. It's an "implementation detail", but it MUST be supported. I suggest requiring the capability of per-server and per-client keys. ... The session id is used in network byte order. * nit: if the session ID is a 32-bit opaque token, it's not in any byte order. Maybe just "as taken from the packet header" ? When a server detects that the secret(s) it has configured for the device mismatch, it MUST return ERROR. The handling of the TCP connection by the server is implementation independent. * I repeat my objection here. There is just no reason for the TCP connection to remain open after the connection has been determined to be fraudulent. This subject also came up in the RADIUS over TCP drafts. The consensus there was the same: if it's not a real / known / good client, there is every reason to close the connection, and zero reasons to keep it open. After a packet body is decrypted, the lengths of the component values in the packet are summed. If the sum is not identical to the cleartext datalength value from the header, the packet MUST be discarded, and an error signalled. The underlying TCP connection MAY also be closed, if it is not being used for other sessions in single- connect mode. * This last sentence is confusing. Are there different secrets for different packets in one TCP stream? If so, nothing in the document says so. If not, then there is every reason to believe that the secret is mismatched. And, the *next* packet will decrypt incorrectly. Which means (again) you might as well just close the TCP connection. If an error must be declared but the type of the incoming packet cannot be determined, a packet with the identical cleartext header but with a sequence number incremented by one and the length set to zero MUST be returned to indicate an error. * this mix of clear-text and encrypted signalling opens up the protocol to an attacker. Since this "NAK'" is not protected, an attacker can forge the NAK at any time, and force the connection to be closed. * this attack (along with all others) should be noted in the Security Considerations section. ... Packet fields are as follows: action This describes the authentication action to be performed. Legal values are: * what happens if a client/server receives values outside of the legal range? I suggest sending ERROR, and closing the TCP connection. * similar comments apply for other fields with "legal values". While it's good to define what happens when things go as planned, it's also good to define what happens when things *don't* go according to plan. * review of 4.2 and subsequent sections will follow in a later message.
- [OPSAWG] Start of WGLC for TACACS+ document. Warren Kumari
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. t.petch
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. t.petch
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Blumenthal, Uri - 0553 - MITLL
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Dan Romascanu
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Randy Bush
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Alan DeKok
- Re: [OPSAWG] Start of WGLC for TACACS+ document. Douglas Gash (dcmgash)