On Thu, Feb 11, 2016 at 12:00 AM, Alan DeKok <[email protected]> wrote:
> The IETF created a process to specify requirements for AAA protocols. This
> process is documented in RFC 2989 [1] (2000), which had about 20 authors from
> all major networking companies at the time. It solicited submissions, and
> established a panel to evaluate the submissions. The results are documented
> in RFC 3127 [2] (2003). TACACS+ was not even considered, as it did not meet
> the requirements set out in RFC 2989.
>

2989 is titled: "Criteria for Evaluating AAA Protocols for Network Access"

2989 is explicitly not about 'device management' or 'device administration'
access management (AAA). tacacs+ is explicitly about 'device management' or
'device administration' access management (AAA).

I don't think 2989 applies at all to this discussion.

3127 says: "This memo represents the process and findings of the
Authentication, Authorization, and Accounting Working Group (AAA WG) panel
evaluating protocols proposed against the AAA Network Access Requirements,"

again, not applicable to 'device management' / 'device administration' ...
so not applicable to this discussion, at all.

> Standardizing a new AAA protocol without IETF-wide discussion means we're
> ignoring the requirements of RFC 2989, and discarding the results shown in
> RFC 3127.
>

it doesn't seem like 'IETF-wide discussion' is being missed at all, actually.

> The document draft-ietf-opsawg-tacacs-00.txt *explicitly* describes itself
> as an AAA protocol in its abstract. Despite the authors stating it is for
> "device administration", that phrase *does not appear in the document*.
> Despite claims that it is not an AAA protocol, the document itself claims
> TACACS+ is an AAA protocol. The document discusses user authentication,
> authorization, and accounting, in a manner which overlaps 100% with RADIUS.
>

perhaps, but you seem to have content questions, did you make these comments
to the authors?

> In fact, RADIUS has more capability than TACACS+. RADIUS is standardized
> to transport many more attributes which describe hundreds of possible pieces
> of information. The TACACS+ document documents little more than the base
> protocol, and less than 30 kinds of information it can transport.
>

I'm not sure that the three points here are relevant to the discussion, we
don't always want more things in the knife drawer, we want the right knife
for the job.

> The TACACS+ functionality therefore *explicitly* overlaps 100% with RADIUS.
> It is explicitly *not* "device authorization". It is uniformly inferior to
> RADIUS in functionality and capability. It meets none of the requirements
> set out in RFC 2989, and wasn't even considered in RFC 3127.
>

because 2989 and 3127 are not about the problem tac+ solves. For network
operations the meaning of AAA is different than that used for 'dialup users'
(or equivalent as the technology advances).

 o Authorizing users of your network access to the network is different than
   authorizing administration/management of the devices which make the
   network.

 o Accounting for the device administration activities is not the same
   accounting for bits/time spent on a customer

 o Authenticating a device administrator is likely very different from
   authenticating a user of the network

> The only *technical* capability that TACACS+ has which RADIUS doesn't is
> "device administration". Perhaps what is meant here is "command
> authorization", in which individual administrator commands are authorized via
> the AAA protocol. However, this capability is *not* documented in the draft,
> which means that any "device administration" remains a proprietary vendor
> extension, and entirely outside of the control of the IETF.
>

I think you mean to rephrase and aim this comment to the editors... so they
can add a note about it in the draft.

I do see discussion of authorization and why it's important/used in the
original grant-tacacs-02 draft, and in the draft-dahm version 02 there's
this:

https://tools.ietf.org/html/draft-dahm-opsawg-tacacs-01#section-5

this seems to have some level of detail and useful information about the
authorization process/work/packets.

> The document overturns nearly two decades of IETF consensus. It competes
> directly with an established IETF protocol. Its functionality is explicitly
> inferior to RADIUS. Its suggested use-case is entirely undocumented in the
> draft.
>

i don't know that 'two decades' is particularly important, much has changed
over the last 20 yrs in the IETF and the Internet and in stuff provided by
vendors/etc. Making device administration better and more secure over time
is a win for operations, networks and users.

-chris
