Hi Doug, all,
Thank you for preparing this update.
Please find below minor items that you may fix before or after the WGLC. Fixing
them before would be my preference, though :-)
* Header
OLD: Updates: RFC8907 (if approved)
NEW: Updates: 8907 (if approved)
* Title
OLD: TACACS+ over TLS 1.3
NEW: Terminal Access Controller Access-Control System Plus (TACACS+) over TLS 1.3
* Section 3: Redundant normative language
CURRENT: option for MD5 obfuscation, and specifies that TLS 1.3 MUST be used
and
CURRENT: TLS 1.3 [RFC8446] MUST be used for transport,
I suggest reverting the first one.
* Section 3.2: nit
OLD: Single Connection Mode Section 4.3 of [RFC8907]
NEW: Single Connection Mode (Section 4.3 of [RFC8907])
* Section 3.2.1:
(1) nit
OLD:
Implementations MUST support the TLS 1.3 mandatory cipher suites (TLS
1.3 [RFC8446] Section 9.1).
NEW:
Implementations MUST support the TLS 1.3 mandatory cipher suites (Section 9.1 of [RFC8446]).
(2) consistency: the text already says that it inherits the TLS1.3 MTI, which
is a reco.
OLD:
This document makes no cipher suite recommendations, please refer to
[BCP195] for guidance.
NEW:
This document makes no additional cipher suite recommendations. Readers should refer to [BCP195] for guidance.
* Section 3.2.2: normative language
OLD: Unless disabled by configuration, a peer MUST not permit connection
NEW: Unless disabled by configuration, a peer MUST NOT permit connection
* Section 3.2.2.1: nit
OLD: revocation must be handled as it is not part of the standard. .
NEW: revocation must be handled as it is not part of the standard.
* Section 5.1.1: expand on why readers should look at 3365.
CURRENT:
It is NOT RECOMMENDED to deploy TACACS+ without TLS authentication
and encryption, unless within test and debug environments. Also see
[RFC3365].
* Section 5.1.3: readability
OLD:
Also useful are TLS 1.3 specifications themselves (TLS 1.3
[RFC8446]), which prescribes mandatory support in Section 9.
NEW:
Also, Section 9 of [RFC8446] prescribes mandatory support in Section 9.
I'm tempted to simply delete that text given the discussion in 3.2.1.
* Section 8: Please list Tiru and Valery reviews. Thanks.
* Section 9:
(1) Move FIPS-140-3 to be listed as informative.
(2) Delete this entry as it is not cited in the text
[RFC7605] Touch, J., "Recommendations on Using Assigned Transport
Port Numbers", BCP 165, RFC 7605, DOI 10.17487/RFC7605,
August 2015, https://www.rfc-editor.org/info/rfc7605.
Cheers,
Med
From: Douglas Gash (dcmgash) <[email protected]>
Sent: Tuesday 21 May 2024 19:03
To: [email protected]; BOUCADAIR Mohamed INNOV/NET <[email protected]>; tirumal reddy <[email protected]>; Valery Smyslov ([email protected]) <[email protected]>
Cc: Andrej Ota <[email protected]>; John Heasley <[email protected]>; Thorsten Dahm <[email protected]>
Subject: Re: New Version Notification for draft-ietf-opsawg-tacacs-tls13-09.txt
Dear OPSAWG et al,
We have uploaded a version with initial responses to the reviews and insights
kindly provided by Tirumal and Valery, and will be happy to make good any
omissions or needed corrections ASAP.
Many thanks,
The Authors.
From: [email protected] <[email protected]>
Date: Tuesday, 21 May 2024 at 17:57
To: Douglas Gash (dcmgash) <[email protected]>, Douglas Gash (dcmgash) <[email protected]>, Andrej Ota <[email protected]>, John Heasley <[email protected]>, Thorsten Dahm <[email protected]>
Subject: New Version Notification for draft-ietf-opsawg-tacacs-tls13-09.txt
A new version of Internet-Draft draft-ietf-opsawg-tacacs-tls13-09.txt has been
successfully submitted by Douglas C. Medway Gash and posted to the
IETF repository.
Name: draft-ietf-opsawg-tacacs-tls13
Revision: 09
Title: TACACS+ over TLS 1.3
Date: 2024-05-21
Group: opsawg
Pages: 15
URL: https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-09.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/
HTML: https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-09.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-tacacs-tls13
Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-tacacs-tls13-09
Abstract:
The Terminal Access Controller Access-Control System Plus (TACACS+)
Protocol provides device administration for routers, network access
servers and other networked computing devices via one or more
centralized servers. This document adds Transport Layer Security
(TLS 1.3) support to TACACS+ and obsoletes former inferior security
mechanisms.
This document updates RFC8907.
The IETF Secretariat
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]