On Feb 10, 2016, at 5:32 PM, Andrej Ota <[email protected]> wrote:
> The current TACACS+ draft work is a continuation of original work which 
> stalled in 1997.

  "Stalled"?  I don't think that's an accurate description.

  More accurately, the IETF consensus for the past 20 years was that the 
official IETF AAA protocol was RADIUS.

  Wide-spread adoption of a vendor protocol is insufficient reason to make it 
an IETF standard.

  There is no *technical* reason to make the document an IETF standard.  The 
goal of documenting TACACS+ could be done by publishing it as an informational 
RFC.

  So I have to ask, why is it being proposed (much less accepted) as an IETF 
standard document?

  The only conclusion is that it's to get the "stamp of approval" from the 
IETF, as an official IETF AAA protocol.

  I suggest that the IETF should be *very* parsimonious with such approvals.  
We already have two AAA protocols, and TACACS+ adds *no technical benefits* 
over either RADIUS or Diameter.

  As such, it is entirely inappropriate for the IETF to approve this document 
as a standards track document.

> Stating this is "a third AAA protocol" is a false statement and one I find to 
> be intellectually dishonest. At worst one could call it the 2nd AAA protocol.

  Please keep the ad hominems out of this discussion.

  We already have two IETF AAA protocols.  There is no good reason to add a 
third one.  The fact that TACACS+ was originally proposed 20 years ago is 
irrelevant.  The IETF is already doing work in the space.

> On the topic of "competes directly with ...":
> The goals and aims are completely different.

  So it's not an AAA protocol?

  Your argument is logically inconsistent.  Either it is an AAA protocol, and 
competes directly with RADIUS and Diameter, or it isn't an AAA protocol, and 
your accusation that I was being "intellectually dishonest" is itself dishonest.

> This is not a new protocol, it's almost 20 years old (00 draft was published 
> in October 1996). It's not a new development trying to compete with anything 
> or anyone.

  You're saying that an AAA protocol with 100% overlap with RADIUS isn't 
competing with RADIUS.

  Um... no.  It's pretty obviously competing with RADIUS.  The only reason 
TACACS+ is alive today is because of major vendors pushing it *against* RADIUS.

> The draft is attempting to standardise the current ground truth while 
> providing a single relevant addition to the original draft, which is the use 
> of a TLS "tunnel".

  Note "standardise", not "document".  So the goal is an IETF standard stamp on 
the document, not a document describing the protocol.

> In connection with the quote from charter under item no. 7, I claim the 
> following statements to be true:
>  - Ground truth is that TACACS+ is a widely deployed protocol for device 
> management AAA.
>  - Ground truth is that new device vendors and new devices are entering the 
> market which are implementing TACACS+. The protocol is not dying out.
>  - Ground truth is that DIAMETER has no penetration in the area of network 
> device management AAA.

  The truth is that there is 100% overlap in functionality between TACACS+ and 
RADIUS. 

>  - Ground truth is that TACACS+ implementations are based on an IETF draft 
> which expired in 1997.

  No.  It was an *individual* draft.  I could write a draft claiming I'm a 
genius, and it would mean nothing.  Similarly, some random person publishing a 
draft in 1997 doesn't mean it's an "IETF" draft.  It's just another person with 
an idea that was *rejected by the IETF*.

> The combination of these statements, which I claim to be all true, is causing 
> current and relevant operational issues for network operators.

  None of that is relevant to the IETF process.

> As such I think this draft is well within the scope of the OPSAWG. I believe 
> the community at large will benefit if it maintains its current strict and 
> narrow focus and ultimately gets approved as an RFC. If it turns out that the 
> protocol, which already has widespread adoption and has had it for more than 
> a decade, can actually be beaten by other alternatives, may it happen on the 
> basis of actual operational merit and not based on an attempt to disqualify 
> TACACS+ as an "entry too late" item in the WG queue. It is not too late, it 
> is an active protocol, it is not standardised, and the lack of a standard is 
> causing issues by itself. This last item I believe can and should be 
> addressed.

  That is entirely mischaracterizing my position.

  The IETF consensus for the last 20 years has been that RADIUS was chosen over 
TACACS+.  There is no *technical* reason to re-visit that decision.

  Alan DeKok.

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg