On Jul 15, 2016, at 11:24 AM, Alan DeKok <[email protected]> wrote:
> The Security Considerations section is in the middle of the document, where
> it's typically at the end. That's a minor nit. The larger one is that the
> Security Considerations section is pretty minimal. It should describe
> operational issues with the protocol, and comments as to what the security
> implications are for network management traffic to be sent in the clear.

For example:

  Security Considerations

  This specification describes a protocol as originally designed in 199X, and as such does not use modern security practices. A later document will update TACACS+ to meet modern security standards.

  There are a number of issues with the protocol design and common use-cases. The most significant are issues related to privacy and authentication.

  The protocol includes an obfuscation mechanism referred to in the original draft as Body Encryption. This obfuscation method has not had security analysis, and should be assumed to be broken.

  Portions of the protocol are sent clear-text, while others are sent obfuscated. An attacker may be able to modify the clear-text portions without detection.

  When the obfuscation mechanism is not used, the protocol is entirely unauthenticated. Anyone capable of spoofing or intercepting traffic for the source or destination of the TCP connection can masquerade as the client or server without detection. This attack would allow a malicious actor unrestricted access to the management devices allegedly "protected" by this protocol.

  When the obfuscation mechanism is not used, the protocol is also completely open. All traffic is visible to an eavesdropper, which can leak information about the network. An eavesdropper may also be able to intercept, and modify, packets without detection.

  etc.

The section should list the possible attacks, and how to defend against them.

Alan DeKok
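
Added example, not part of the original message: a defender-side check that decodes the clear-text 12-byte TACACS+ header (layout and flag value as later published in RFC 8907) and reports sessions whose body is sent without obfuscation. The sample packets, addresses and session ids are constructed for illustration.

```python
import struct

# Constants from the TACACS+ packet header (RFC 8907, section 4.1).
HEADER_LEN = 12
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte header, which is always sent in clear text."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", data[:HEADER_LEN])
    if version >> 4 != TAC_PLUS_MAJOR_VER or ptype not in TYPES:
        raise ValueError("not a TACACS+ packet")
    return {
        "type": TYPES[ptype],
        "seq_no": seq_no,
        "session_id": session_id,
        "length": length,
        "body_in_clear": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
    }


def audit(packets):
    """Return one finding per packet whose body is not obfuscated."""
    findings = []
    for src, raw in packets:
        try:
            hdr = parse_header(raw)
        except ValueError:
            continue  # not TACACS+, or too short to judge
        if hdr["body_in_clear"]:
            findings.append((src, hdr["type"], hex(hdr["session_id"])))
    return findings


# Constructed sample packets (header + dummy body), not real captures.
SAMPLE = [
    ("10.0.0.5", struct.pack("!BBBBII", 0xC0, 1, 1, 0x00, 0x1A2B3C4D, 4) + b"\x8f\x11\x02\x7e"),
    ("10.0.0.9", struct.pack("!BBBBII", 0xC0, 1, 1, 0x01, 0x0BADF00D, 4) + b"\x01\x00\x01\x01"),
    ("10.0.0.7", b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("clear-text TACACS+ body:", finding)
```

A cleared flag only means the body is obfuscated; as the message notes, that mechanism should not be treated as providing confidentiality or integrity.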
