Hi all,

I'll happily take part in the discussion.

I think it would be useful to have some kind of shared problem statement (not 
necessarily a separate document) so that we all agree both on the issue and the 
goals of that work. Then, some possible solutions should be considered based 
either on IETF previous work (e.g. draft-dahm-opsawg-tacacs-security) and/or 
other initiatives (some vendors are currently pushing in their products the 
ability to use SSH certificates for authentication coupled w/ tacacs+ for 
authorization based on the identity in the certificate). I can try and start a 
list of topics to be addressed if you think it would help (authorization-only 
vs authentication+authorization, revocation, ability to support HTTPS w/ X.509 
client authentication and not only SSH, etc.).

Cheers,

Arnaud

-----Original Message-----
From: mohamed.boucad...@orange.com <mohamed.boucad...@orange.com>
Sent: Wednesday, 8 October 2025 08:50
To: EBALARD Arnaud <arnaud.ebal...@ssi.gouv.fr>; Douglas Gash (dcmgash) 
<dcmg...@cisco.com>; opsawg@ietf.org
Subject: [OPSAWG]draft-dahm-opsawg-tacacs-security: update plan?

Hi all,

Now that we are close to getting the TACACS+TLS RFC out of the door, I'd 
like us to start discussing (and hopefully converge on a plan) how to 
address a key pending operational issue that we recorded in the T+TLS spec:

   This document concerns the use of TLS as transport for TACACS+, and
   does not make any changes to the core TACACS+ protocol, other than
   the direct implications of deprecating obfuscation.  Operators MUST
   be cognizant of the security implications of the TACACS+ protocol
   itself.  Further documents are planned, for example, to address the
   security implications of password based authentication and enhance
   the protocol to accommodate alternative schemes.

See also the discussion in [1].

Some of these points can be addressed by refreshing 
draft-dahm-opsawg-tacacs-security.

Thoughts, suggestions, and volunteers to drive this work are welcome.

Cheers,
Med

[1] https://mailarchive.ietf.org/arch/msg/opsawg/neElBSTsv4s64434gN8MCaqZLCk/

> > -----Original Message-----
> > From: EBALARD Arnaud <arnaud.ebal...@ssi.gouv.fr>
> > Sent: Tuesday, 15 April 2025 12:15
> > To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucad...@orange.com>; Gunter Van de Velde <gunter.van_de_ve...@nokia.com>; The IESG <i...@ietf.org>
> > Cc: opsawg-cha...@ietf.org; opsawg@ietf.org
> > Subject: RE: Gunter Van de Velde's No Objection on charter-ietf-opsawg-04-04: (with COMMENT)
> >
> >
> > Hi Mohamed,
> >
> > I was about to write an email regarding the OPSAWG recharter and how
> > the WG will continue to address the operational issues with TACACS+
> > (which will remain even after the publication of the tacacs-tls draft).
> > The discussion you started on the expected level of work of the WG
> > ("minor") and the proposal to clarify it make me feel this is the
> > right time to do it.
> >
> > TACACS+ is widely deployed for Authentication and Authorization on
> > equipment in a lot of networks (large companies, telcos, etc.).
> > Being supported by most vendors, having various functional benefits,
> > and this large deployment base, it seems it is here to stay. As
> > already discussed in [1], the protocol is old and suffers from two
> > major security issues:
> >
> >  1/ weak protection of traffic;
> >  2/ total reliance on passwords.
> >
> > Bit flipping and other issues (which currently allow for trivial
> > access to equipment) associated with 1/ will be addressed by what has
> > been specified in the tacacs-tls draft. This effort is a good step
> > forward but does not address 2/, which is the fundamental problem of
> > TACACS+. Even after equipment ships with tacacs-tls, administrators
> > (or supervision tools, etc.) on networks with TACACS+ deployed will
> > still disseminate their (usually unique, full-power) password, which
> > will be available in cleartext on all the equipment under TACACS+
> > control. A TACACS+ domain is one where an attacker just has to
> > compromise a single weaker piece of equipment and wait for a cleartext
> > password to arrive to then have valid credentials to access ALL the
> > equipment.
> >
> > My questions would be:
> >  - is the problem described above a subject to be addressed by the WG?
> >  - if it is, what is the expected way forward? Specifying support for
> >    pushing SSH public keys (draft-dahm-opsawg-tacacs-security-01?)? or
> >    X.509 certificate anchors? Other options?
> >  - if it is not, where can it be addressed? What would be the way
> >    forward?
> >
> > Cheers,
> >
> > Arnaud
> >
> > [1]: https://mailarchive.ietf.org/arch/msg/opsawg/vdhi_wqIOLTOA7CN42WYk__d2-g/
> >
> > -----Original Message-----
> > From: mohamed.boucad...@orange.com <mohamed.boucad...@orange.com>
> > Sent: Monday, 14 April 2025 09:55
> > To: Gunter Van de Velde <gunter.van_de_ve...@nokia.com>; The IESG <i...@ietf.org>
> > Cc: opsawg-cha...@ietf.org; opsawg@ietf.org
> > Subject: [OPSAWG]Re: Gunter Van de Velde's No Objection on charter-ietf-opsawg-04-04: (with COMMENT)
> >
> > Hi Gunter,
> >
> > There are many OPS-related protocols out there for which we don't have
> > a home (IPFIX, DIAMETER, etc.). OPSAWG should not be the place to
> > develop major changes (e.g. new versions) of these protocols.
> >
> > For example, we used to have opsawg be tagged as maintenance group for
> > RADIUS (https://mailarchive.ietf.org/arch/msg/radext/ygSshqCzKe0uN5aPiN08U_k-gx8/).
> > I wasn't personally happy with that at the time for the reasons
> > mentioned in that thread. Happily, RADEXT was resurrected since then
> > and has its own WG (which is the right thing to do).
> >
> > I suggest we keep "minor" to make the scope clear. We can characterize
> > it if needed, though.
> >
> > Thank you.
> >
> > Cheers,
> > Med
> >
> > > -----Original Message-----
> > > From: Gunter Van de Velde via Datatracker <nore...@ietf.org>
> > > Sent: Monday, 14 April 2025 09:25
> > > To: The IESG <i...@ietf.org>
> > > Cc: opsawg-cha...@ietf.org; opsawg@ietf.org
> > > Subject: Gunter Van de Velde's No Objection on charter-ietf-opsawg-04-04: (with COMMENT)
> > >
> > >
> > > Gunter Van de Velde has entered the following ballot position for
> > > charter-ietf-opsawg-04-04: No Objection
> > >
> > > When responding, please keep the subject line intact and reply to all
> > > email addresses included in the To and CC lines. (Feel free to cut
> > > this introductory paragraph, however.)
> > >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > > This charter is refreshingly short, clear in its objective, and keeps
> > > things nice and simple. Just a small comment on the text:
> > >
> > > "
> > > Examples include the advancement of documents on the standards track,
> > > application statements, maintenance, and minor extensions of documents
> > > that were developed in working groups that have concluded, e.g.,
> > > IPFIX, network or service level YANG modules, and tools for the
> > > Operations and Management Area. "
> > >
> > > The word "minor" caught my attention. It might be open to
> > > interpretation and could lead to debates later on about what qualifies
> > > as "minor" versus something more substantial. Would it make sense to
> > > drop that word to avoid any unnecessary restrictions or ambiguity down
> > > the line?
> > >
> > >
> >
> >
> > ___________________________________________________________________________________________________________
> > This message and its attachments may contain confidential or
> > privileged information that may be protected by law; they should not
> > be distributed, used or copied without authorisation.
> > If you have received this email in error, please notify the sender and
> > delete this message and its attachments.
> > As emails may be altered, Orange is not liable for messages that have
> > been modified, changed or falsified.
> > Thank you.
> >
> > _______________________________________________
> > OPSAWG mailing list -- opsawg@ietf.org
> > To unsubscribe send an email to opsawg-le...@ietf.org
> > The personal data collected and processed during this exchange aims
> > solely at completing a business relationship and is limited to the
> > necessary duration of that relationship. If you wish to use your
> > rights of consultation, rectification and deletion of your data,
> > please contact: contact.r...@sgdsn.gouv.fr. If you have received this
> > message in error, we thank you for informing the sender and destroying
> > the message.