On Jul 5, 2023, at 3:25 PM, Marc Huber <marc.hu...@web.de> wrote:
> I'm still unsure whether the
> 
>   Obsolescence of TACACS+ Obfuscation
> 
> section could hinder implementations and migrations using TLS wrappers (load 
> balancers, e.g.). I'd still suggest to change the "MUST" clauses regarding 
> obfuscation to "SHALL". There's no gain to change the protocol at this 
> point, it's sufficient to wrap it in TLS. If a client insists on using 
> obfuscation-over-TLS, that should be fine, even if it's of no use. 

  We did that for RADIUS. i.e. leave in MD5-based "crypto" when we did 
RADIUS/TLS 10 years ago.  We're now ripping it out.

  I would suggest that using obfuscation over TLS is a bad idea.  While it's 
tempting to just say "wrap it in TLS", leaving MD5 in has other costs.  Most 
notably FIPS, where insecure digests like MD5 are banned.

  Reading the fine print of FIPS suggests that using MD5 in this way is allowed 
for a protocol like TACACS+TLS.  But few people read the fine print, and taking 
out the MD5-based captor is likely best.

> Regarding a dedicated TCP port: Is there really a need for that, or would 
> this rather be a convenience option? A specific port number limits the 
> attack surface to a single port, and I don't see any need for that.

  I think a dedicated port for TACACS+TLS would be good.

  Alan DeKok.
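The disagreement above is about the RFC 8907 body obfuscation that TACACS+ over TLS would drop. The following is an added, constructed example (not code from the draft, from any TACACS+ implementation, or from either poster) showing what that obfuscation actually is: a chained-MD5 pseudo-pad XORed over the packet body, with the TAC_PLUS_UNENCRYPTED_FLAG bypassing it entirely. The packet field values, shared key and body are constructed placeholders. It also makes Alan's two points concrete: MD5 is the only primitive involved (so a FIPS-mode crypto library rejects the call unless it is marked non-security use), and the XOR pad gives no integrity, so a modified body decodes "successfully" as different plaintext.

```python
"""Constructed demonstration of RFC 8907 TACACS+ body obfuscation (not a
real implementation; field values and key are made up for illustration)."""
import hashlib
import struct
from dataclasses import dataclass

TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # RFC 8907 header flag: body sent in the clear
TAC_PLUS_MAJOR_VER = 0xC
HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 octets

SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_BODY = b"constructed authentication START body, not a real packet"


@dataclass
class Header:
    version: int
    pkt_type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    def pack(self) -> bytes:
        return struct.pack(HEADER_FMT, self.version, self.pkt_type, self.seq_no,
                           self.flags, self.session_id, self.length)

    @classmethod
    def unpack(cls, raw: bytes) -> "Header":
        return cls(*struct.unpack(HEADER_FMT, raw[:HEADER_LEN]))


def pseudo_pad(hdr: Header, key: bytes) -> bytes:
    """Chained MD5 pad from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})
    Only the first `length` octets of the concatenated digests are used."""
    prefix = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < hdr.length:
        # MD5 is a byte-stream generator here, not a security primitive; a
        # FIPS-mode OpenSSL refuses plain hashlib.md5() unless told so (Python >= 3.9).
        prev = hashlib.md5(prefix + prev, usedforsecurity=False).digest()
        pad += prev
    return pad[:hdr.length]


def encode(hdr: Header, body: bytes, key: bytes) -> bytes:
    """Build a wire packet. With the UNENCRYPTED flag the body goes out as is,
    which is what a TLS-wrapped session would carry."""
    hdr.length = len(body)
    if hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr.pack() + body
    pad = pseudo_pad(hdr, key)
    return hdr.pack() + bytes(b ^ p for b, p in zip(body, pad))


def decode(packet: bytes, key: bytes) -> tuple:
    """Reverse of encode(). Nothing here can detect tampering: XOR with a
    key-derived pad provides no integrity, hence 'obfuscation', not encryption."""
    hdr = Header.unpack(packet)
    wire = packet[HEADER_LEN:HEADER_LEN + hdr.length]
    if hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, wire
    pad = pseudo_pad(hdr, key)
    return hdr, bytes(b ^ p for b, p in zip(wire, pad))


def _sample_header(flags: int = 0) -> Header:
    # Constructed header: version 0xC0 (major 0xC, minor 0), type 1 (authen), seq 1.
    return Header(version=TAC_PLUS_MAJOR_VER << 4, pkt_type=1, seq_no=1,
                  flags=flags, session_id=0x1234ABCD, length=0)


def wire_body(body: bytes, key: bytes, flags: int = 0) -> bytes:
    """Body octets as they appear on the wire for the given flags."""
    return encode(_sample_header(flags), body, key)[HEADER_LEN:]


def round_trip(body: bytes, key: bytes, flags: int = 0) -> bytes:
    return decode(encode(_sample_header(flags), body, key), key)[1]


def tamper_goes_unnoticed(body: bytes, key: bytes) -> bool:
    """Flip one bit of the obfuscated body; decode still returns a body with
    no error, differing from the original only in that octet. This is the
    property that makes the obfuscation no substitute for TLS."""
    pkt = bytearray(encode(_sample_header(), body, key))
    pkt[HEADER_LEN] ^= 0x01
    _, recovered = decode(bytes(pkt), key)
    return recovered != body and recovered[1:] == body[1:]


if __name__ == "__main__":
    print("obfuscated round trip ok:", round_trip(SAMPLE_BODY, SAMPLE_KEY) == SAMPLE_BODY)
    print("clear-flag body on wire equals input:",
          wire_body(SAMPLE_BODY, SAMPLE_KEY, TAC_PLUS_UNENCRYPTED_FLAG) == SAMPLE_BODY)
    print("bit flip undetected:", tamper_goes_unnoticed(SAMPLE_BODY, SAMPLE_KEY))
```

An implementation that keeps this code path alongside TLS inherits the MD5 dependency (and the `usedforsecurity` style exception it needs under FIPS) for no security benefit; a TLS profile that always sets the unencrypted flag, or rejects packets without it, removes the path and the dependency together.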

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg