Thanks for taking on this work and to Alan for the initial round of comments.
I've read this draft, and below are my comments as a contributor/individual.
===
Section 3
s/encrypted connections as defined/obfuscated connections as defined/
You mix encrypt and obfuscate in this document a few times, and I think, after
the long conversations on this, we should stick to obfuscate where it applies
to base T+.
===
Section 3.2
You make reference to the proper "TACACS+ Session", but there is no reference
either in your terminology section or to the T+ RFC. I feel a reference is
needed here.
===
Section 4's title should use Obfuscation instead of Encryption
===
Section 4
You mix the terms deprecate and obsolete, which have been used in other areas
like SNMP MIBs and YANG modules to mean “present but not recommended” and “not
present; not functional” respectively. I would think that in T+/TLS these
mechanisms are obsolete and must be dropped.
===
Section 4
"The TACACS+ server or client receiving TACACS+ Packets MUST process
the packet as if TAC_PLUS_UNENCRYPTED_FLAG was set. The actual value
of TAC_PLUS_UNENCRYPTED_FLAG flag in the TACACS+ header MUST be
ignored."
But what if the flag isn’t set and obfuscation is used? That’s an error, and
MUST result in the termination of the Session (at least that’s what I would
think). This should be clarified, and I would suggest stronger language to
indicate that no obfuscation can be done when TLS is used.
===
Overall, I think this document warrants an Operators Considerations section to
describe interoperability with legacy T+. That is, thoughts around configuring
a fallback legacy T+ server alongside a tacacss server (or servers); thoughts
on migrating from a shared key to certificate-based validation; etc.
You address some of this in different parts of the document where you talk
about PSKs, mixing legacy and tacacss on a single server, and the need to
provide some port flexibility, but I think a centralized section might help
bring focus to those migrating to this.
Additionally, if there are working or PoC implementations of this, some lessons
learned (perhaps in an appendix) could be useful.
Thanks.
Joe
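As an added illustration of the Section 4 handling discussed in the comments above (example code, not from the draft or from any TACACS+ implementation): the header layout and obfuscation follow RFC 8907, and the structural check on the authentication START body is an assumed way a receiver could notice the error case raised above, where a peer still obfuscates despite TLS.

```python
"""TACACS+ (RFC 8907) packet receipt under the Section 4 rule discussed above:
over TLS TAC_PLUS_UNENCRYPTED_FLAG is ignored and the body taken as cleartext;
only the legacy transport de-obfuscates.  Added example, not draft code."""
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN = 0x01
HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def obfuscate(body, session_id, version, seq_no, key):
    """RFC 8907 section 4.5: XOR the body with chained MD5 pads (symmetric)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, stream = b"", b""
    while len(stream) < len(body):
        pad = hashlib.md5(prefix + pad).digest()
        stream += pad
    return bytes(a ^ b for a, b in zip(body, stream))

def authen_start_is_wellformed(body):
    """START body: the four 1-byte lengths at offsets 4..7 must cover exactly
    the bytes after the 8-byte fixed part (user, port, rem_addr, data)."""
    return len(body) >= 8 and 8 + sum(body[4:8]) == len(body)

def receive(packet, key, over_tls):
    """Decode one packet; return its cleartext body or raise ValueError."""
    if len(packet) < HDR.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(packet[:HDR.size])
    body = packet[HDR.size:]
    if len(body) != length:
        raise ValueError("length mismatch")
    # Over TLS the flag MUST be ignored (draft Section 4); legacy only.
    if not over_tls and not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, version, seq_no, key)
    if ptype == TAC_PLUS_AUTHEN and seq_no == 1 and not authen_start_is_wellformed(body):
        # Assumed handling of the case raised above: a peer that still
        # obfuscated over TLS yields a body that fails the structural check.
        raise ValueError("malformed body: terminate session")
    return body

def build_authen_start(session_id, user, key=None, flags=0):
    """Constructed sample: version 0xC0, authentication START, seq_no 1;
    obfuscated only when a key is given and the flag bit is clear."""
    body = bytes([1, 1, 1, 1, len(user), 0, 0, 0]) + user
    version, seq_no = 0xC0, 1
    if key is not None and not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, version, seq_no, key)
    return HDR.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body
```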
On 6/3/22 00:36, heasley wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : TACACS+ TLS 1.3
Authors : Thorsten Dahm
Douglas Gash
Andrej Ota
John Heasley
Filename : draft-dahm-tacacs-tls13-00.txt
Pages : 11
Date : 2022-06-02
Abstract:
The TACACS+ Protocol [RFC8907] provides device administration for
routers, network access servers and other networked computing devices
via one or more centralized servers. This document, a companion to
the TACACS+ protocol [RFC8907], adds Transport Layer Security
(currently defined by TLS 1.3 [RFC8446]) support and deprecates
former inferior security mechanisms.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-dahm-tacacs-tls13/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-dahm-tacacs-tls13-00.html
This draft represents the TLS support portion of the original draft.
The separation was requested by the Chairs and Alan DeKok.
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg