Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Joe Clarke]

Thanks for the reply, Andrej.  Additional comments below.

On 5/10/18 10:45, Andrej Ota wrote:
 9.1.  General Security of The Protocol

   TACACS+ protocol does not include a security mechanism that would
   meet modern-day requirements.  Support for MD5-based crypto pad
   encryption fails to provide any kind of transport integrity, which
   presents at least the following risks:

  Accounting information may be modified by the man-in-the-middle
  attacker, making such logs unsuitable and untrustable for auditing
  purposes.

  Only the body of the request is encrypted which leaves all header
  fields open to trivial modification by the man-in-the-middle
  attacker.  For this reason, connections with
  TAC_PLUS_UNENCRYPTED_FLAG are disallowed, as mentioned in the
  recommendations section.
>>>
>>> JC: Disallowed for discouraged?  This is a doc defining a
>>> currently-deployed protocol.  Implementations MAY allow for this to
>>> work.  However, from a best current practice standpoint, this should be
>>> strongly discouraged.
> 
> So strongly to put it as SHOULD NOT or just "strongly"?

I think SHOULD NOT is fine.

> 
> 
> 
> I think this paragraph is a bit wonky as well as it sounds to me like header 
> is vulnerable, but the "encrypted" body isn't, which is very far from the 
> truth.
> 
> One thing is s/encrypted/obfuscated/.

Good catch.

> 
> The other thing is lack of integrity checking and known or chosen plaintext 
> combo leading to MitM, where I can claim I'm Ann or Bob, even though my 
> authorization attempt was using username Eve in most trivial of ways. I 
> wouldn't want to even remotely imply that the obfuscation is somewhat saver 
> that plain-text header, when I can do trivial MitM things like this.

I think additional clarification as to why this should not be used is
good.  I just want the document to maintain its connection to the fact
that T+ is deployed today.  While we can influence new implementations,
this is an informational doc on how this protocol is currently designed
while documenting known pitfalls to hopefully avoid.

>>>
>>>
 9.3.  Security of Authorization Sessions

   Authorization sessions MUST be used via secure transport only as it's
   trivial to execute a successful man-in-the-middle attacks that
   changes well-known plaintext in either requests or responses.
>>>
>>> JC: Your statement makes a lot of sense, but I struggle with how this
>>> can be achieved in the current implementation of T+.  To use normative
>>> language here, you are saying that all T+ servers and all NASes must
>>> implement something like an IPSec tunnel to exchange authz details?
>>> Again, I get the recommendation, but in light of existing, interoperable
>>> implementations, I don't see this being a reality.
>>>
> 
> Maybe we could reword this that it would be clear to the audience that one 
> could also declare a transport path where it's very unlikely to perform a 
> MitM, to be secure enough for the purpose of this RFC.
> 
> Ideally the RFC should make it clear that it is up to the operator to 
> determine what technology to deploy (IPSec or steel pipes without dynamic 
> routing protocols both work for me), but they should be acutely aware that no 
> matter what they do, T+ is inherently MitM prone and they really, really 
> should act accordingly.

Agreed.  I think some rewording is good.  In that context, I think
strong normative text is fine as there are options to a NAS-to-server
IPSec tunnel.

> 
>>>
 9.6.  TACACS+ Server Implementation Recommendations

   The following recommendations are made when implementing a TACACS+
   server:

   The Server SHOULD NOT accept any connections which have the
   TAC_PLUS_UNENCRYPTED_FLAG set and SHOULD reject those packets with
   applicable ERROR response for type of packet.

   The configuration of dedicated secret keys per individual client MUST
   be supported by the Server implementation.  It is also recommended
   that Servers SHOULD warn administrators if secret keys are not unique
   per client.

   If an invalid shared secret is detected, Servers MUST NOT accept any
   new sessions on a connection, and terminate the connection on
   completion of any sessions previously established with a valid shared
   secret.

   The Server implementation must allow the administrator to mandate:
>>>
>>> JC: Should this be MUST?  I ask while still grappling with the use of
>>> such strong language for an informational doc citing recommendations
>>> when so many existing implementations exist in the wild.
> 
> This one is a mixed bag and maybe we should throw this one out and simply 
> state that plain login has one set of problems (e.g. clear-text passwords on 
> the wire), but CHAP has the other set of problems (e.g. central repository of 
> clear-text 

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Andrej Ota]

Hi Joe,


We did, but also all three of us got a bit bogged down by other work. I have to 
wrap up section 9 "digest" while Douglas and Thorsten are doing similar for 
other sections where they got through the mail history and they're wrapping 
that up to send out an e-mail as well.

Considering the amount of work that we have to do all at once, we definitely 
don't want more digests to happen.

The rest of the answer is interleaved below.


> On 10 May 2018, at 15:15, Joe Clarke  wrote:
> 
> Hello, T+ authors.  Did you have a chance to read over my comments
> below?  What thoughts do you have?  Some of these points admittedly need
> some discussion.
> 
> Thanks.
> 
> Joe
> 
> On 4/30/18 10:30, Joe Clarke wrote:
>> On 4/15/18 02:27, Douglas Gash (dcmgash) wrote:
>>> Hello Opsawg,
>>> 
>>> We have uploaded a new version of the TACACS+ informational draft which 
>>> includes corrections for typos over the document as a whole, but also 
>>> revised the security section. We anticipate this security section will get 
>>> most comments, so it is reproduced below.
>>> 
>>> We will endeavor to be much more reactive to comments, whether on section 
>>> below, or any other in rest of uploaded document.
>> 
>> Thank you, Douglas.  My individual comments on this new security
>> requirements section in line below (since you copied it to email).
>> 
>>> 9.1.  General Security of The Protocol
>>> 
>>>   TACACS+ protocol does not include a security mechanism that would
>>>   meet modern-day requirements.  Support for MD5-based crypto pad
>>>   encryption fails to provide any kind of transport integrity, which
>>>   presents at least the following risks:
>>> 
>>>  Accounting information may be modified by the man-in-the-middle
>>>  attacker, making such logs unsuitable and untrustable for auditing
>>>  purposes.
>>> 
>>>  Only the body of the request is encrypted which leaves all header
>>>  fields open to trivial modification by the man-in-the-middle
>>>  attacker.  For this reason, connections with
>>>  TAC_PLUS_UNENCRYPTED_FLAG are disallowed, as mentioned in the
>>>  recommendations section.
>> 
>> JC: Disallowed for discouraged?  This is a doc defining a
>> currently-deployed protocol.  Implementations MAY allow for this to
>> work.  However, from a best current practice standpoint, this should be
>> strongly discouraged.

So strongly to put it as SHOULD NOT or just "strongly"?



I think this paragraph is a bit wonky as well as it sounds to me like header is 
vulnerable, but the "encrypted" body isn't, which is very far from the truth.

One thing is s/encrypted/obfuscated/.

The other thing is lack of integrity checking and known or chosen plaintext 
combo leading to MitM, where I can claim I'm Ann or Bob, even though my 
authorization attempt was using username Eve in most trivial of ways. I 
wouldn't want to even remotely imply that the obfuscation is somewhat saver 
that plain-text header, when I can do trivial MitM things like this.


>> 
>>>   For these reasons, users deploying TACACS+ protocol in their
>>>   environments MUST limit access to known clients and MUST control the
>>>   security of the entire transmission path.  Attacks who can guess the
>>>   key or otherwise break the obfuscation will gain unrestricted and
>>>   undetected access to all TACACS+ traffic.  Ensuring that a
>>>   centralized AAA system like TACACS+ is deployed on a secured
>>>   transport is essential to managing security risk of such an attack.
>> 
>> JC: s/Attacks who/Attackers who/

Agreed.

>> 
>> 
>>> 9.3.  Security of Authorization Sessions
>>> 
>>>   Authorization sessions MUST be used via secure transport only as it's
>>>   trivial to execute a successful man-in-the-middle attacks that
>>>   changes well-known plaintext in either requests or responses.
>> 
>> JC: Your statement makes a lot of sense, but I struggle with how this
>> can be achieved in the current implementation of T+.  To use normative
>> language here, you are saying that all T+ servers and all NASes must
>> implement something like an IPSec tunnel to exchange authz details?
>> Again, I get the recommendation, but in light of existing, interoperable
>> implementations, I don't see this being a reality.
>> 

Maybe we could reword this that it would be clear to the audience that one 
could also declare a transport path where it's very unlikely to perform a MitM, 
to be secure enough for the purpose of this RFC.

Ideally the RFC should make it clear that it is up to the operator to determine 
what technology to deploy (IPSec or steel pipes without dynamic routing 
protocols both work for me), but they should be acutely aware that no matter 
what they do, T+ is inherently MitM prone and they really, really should act 
accordingly.

>> 
>>> 9.6.  TACACS+ Server Implementation Recommendations
>>> 
>>>   The following recommendations are made when implementing a TACACS+
>>>   server:
>>> 
>>>   The Server SHOULD NOT 

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Joe Clarke]

Hello, T+ authors.  Did you have a chance to read over my comments
below?  What thoughts do you have?  Some of these points admittedly need
some discussion.

Thanks.

Joe

On 4/30/18 10:30, Joe Clarke wrote:
> On 4/15/18 02:27, Douglas Gash (dcmgash) wrote:
>> Hello Opsawg,
>>
>> We have uploaded a new version of the TACACS+ informational draft which 
>> includes corrections for typos over the document as a whole, but also 
>> revised the security section. We anticipate this security section will get 
>> most comments, so it is reproduced below.
>>
>> We will endeavor to be much more reactive to comments, whether on section 
>> below, or any other in rest of uploaded document.
> 
> Thank you, Douglas.  My individual comments on this new security
> requirements section in line below (since you copied it to email).
> 
>> 9.1.  General Security of The Protocol
>>
>>TACACS+ protocol does not include a security mechanism that would
>>meet modern-day requirements.  Support for MD5-based crypto pad
>>encryption fails to provide any kind of transport integrity, which
>>presents at least the following risks:
>>
>>   Accounting information may be modified by the man-in-the-middle
>>   attacker, making such logs unsuitable and untrustable for auditing
>>   purposes.
>>
>>   Only the body of the request is encrypted which leaves all header
>>   fields open to trivial modification by the man-in-the-middle
>>   attacker.  For this reason, connections with
>>   TAC_PLUS_UNENCRYPTED_FLAG are disallowed, as mentioned in the
>>   recommendations section.
> 
> JC: Disallowed for discouraged?  This is a doc defining a
> currently-deployed protocol.  Implementations MAY allow for this to
> work.  However, from a best current practice standpoint, this should be
> strongly discouraged.
> 
>>For these reasons, users deploying TACACS+ protocol in their
>>environments MUST limit access to known clients and MUST control the
>>security of the entire transmission path.  Attacks who can guess the
>>key or otherwise break the obfuscation will gain unrestricted and
>>undetected access to all TACACS+ traffic.  Ensuring that a
>>centralized AAA system like TACACS+ is deployed on a secured
>>transport is essential to managing security risk of such an attack.
> 
> JC: s/Attacks who/Attackers who/
> 
> 
>> 9.3.  Security of Authorization Sessions
>>
>>Authorization sessions MUST be used via secure transport only as it's
>>trivial to execute a successful man-in-the-middle attacks that
>>changes well-known plaintext in either requests or responses.
> 
> JC: Your statement makes a lot of sense, but I struggle with how this
> can be achieved in the current implementation of T+.  To use normative
> language here, you are saying that all T+ servers and all NASes must
> implement something like an IPSec tunnel to exchange authz details?
> Again, I get the recommendation, but in light of existing, interoperable
> implementations, I don't see this being a reality.
> 
> 
>> 9.6.  TACACS+ Server Implementation Recommendations
>>
>>The following recommendations are made when implementing a TACACS+
>>server:
>>
>>The Server SHOULD NOT accept any connections which have the
>>TAC_PLUS_UNENCRYPTED_FLAG set and SHOULD reject those packets with
>>applicable ERROR response for type of packet.
>>
>>The configuration of dedicated secret keys per individual client MUST
>>be supported by the Server implementation.  It is also recommended
>>that Servers SHOULD warn administrators if secret keys are not unique
>>per client.
>>
>>If an invalid shared secret is detected, Servers MUST NOT accept any
>>new sessions on a connection, and terminate the connection on
>>completion of any sessions previously established with a valid shared
>>secret.
>>
>>The Server implementation must allow the administrator to mandate:
> 
> JC: Should this be MUST?  I ask while still grappling with the use of
> such strong language for an informational doc citing recommendations
> when so many existing implementations exist in the wild.
> 
>>
>>TAC_PLUS_AUTHEN_TYPE_CHAP for authen_type
>>
>>TAC_PLUS_AUTHEN_METH_TACACSPLUS for authen_method in authorization
>>
>>Minimum length for shared secrets.
>>
>> 9.7.  TACACS+ Deployment Best Practices
>>
>>Due to above observations about the TACACS+ protocol, it is critical
>>to only deploy it using secure transport.  A secure transport for
>>TACACS+ is defined as any means that ensure privacy and integrity of
>>all data passed between clients and servers.  There are multiple
>>means of achieving this, all of them beyond the scope of this
>>document.
>>
>>Symmetric encryption key represents a possible attack vector at the
>>protocol itself.  For this reason, servers SHOULD accept only those
>>network connection attempts that arrive from known clients.  This
>>

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Andrej Ota]

Hi Joe & opsawg,


>>> 2) Reactivity of the Authors.
>>> 
>>> As far as I know, we have responded to most posts regarding the content of 
>>> the document, with point-by-point replies,
>> 
>>  No.
>> 
>>  See the list archives, especially May 2017.  There are multiple people 
>> suggesting that you have *not* done this, and that you *should* do this.
> 
> I for one have asked for a summary of changes when I did my last review.
> I did not see it.  There was a subsequent revision that did seem to
> absorb my comments, but there wasn't a response to me email.  Typically,
> when authors receive feedback, they respond in line to either ack or
> discuss points (typos notwithstanding).

We're still going through a year's worth of archive to locate WG comments and 
link them to changes. Currently the focus is on security section as that one 
was the most contentious, but the goal is to get this information out in the 
open.

Going forward, we've done bad and we're learning+adjusting based on all 
feedback.


> 
>> 
>>  See line-by-line reviews done by me, which were generally ignored.  Despite 
>> that, I did *multiple* such reviews, until such time as it became clear that 
>> such reviews were entirely unproductive.
>> 
>>> but there has been, for various logistic reasons, long delays in submitting 
>>> the resulting new documents. Hopefully this has been addresses in last 
>>> versions and we will continue with more rapid uploads until process 
>>> completes one way or other.
>> 
>>  The issue isn't rapid uploads.  The issue is engagement.  It's not 
>> productive to ignore the messages on the mailing list for 6 months, and then 
>> to issue a new release saying "we fixed stuff".
> 
> Spot on.  One needs to engage.  I am pleased with the authors' attempts
> to do better these past couple of weeks.  I want to see this momentum
> continue.

We have the next e-mail for section 9 changes almost ready and we're taking 
care to be both watching and responding on the mailing list.

> 
>>> 3) Change Tracking
>>> 
>>> The uploads have generally had extensive changes relating to comments 
>>> (which should generally have been summarized by previous email responses to 
>>> comments). 
>> 
>>  Which I admit did happen sometimes, but not nearly as often as it should 
>> have.  Again, see mailing list archives from May 2017.  I'm not the only 
>> person who holds this opinion.  I'm just the main one pushing the point.
>> 
>>> Because of this, unless the updates have been for specific purposes (such 
>>> as the recent update of the security section) then I would leave the 
>>> changes to the diff tool which works pretty effectively.
>> 
>>  The diff tool lets us know what changed in the document.  It doesn't let us 
>> know if those changes addressed issues raise on the mailing list.
>> 
>>  To summarize:
>> 
>> * we have no idea if this revision of the document addresses multiple WG 
>> reviews
>> 
>> * we have no idea if the document even describes TACACS+ as currently 
>> implemented
>> 
>>  As such, it should not be put into working group last call, or much less 
>> published until such time as those issues are addressed.
> 
> I'm not sure what line-item changes are still outstanding.  Authors, I'm
> sure you could look back at your revisions and spot anything that needs
> to be addressed here.

We're in the process of both linking changes to where they were suggested from 
while checking that we haven't missed any.

> 
> I will be submitting an individual review of the new security
> requirements soon, and I would like to see this renewed sense of
> engagement on the list.


You can start with e-mail I've already sent that comes with commentary of what 
we changed and for what reason. There's going to be few more coming in to spare 
you from trying to diff all by yourself and spend time thinking about "why" 
something changed.



KR, Andrej.
___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Joe Clarke]

On 4/15/18 02:27, Douglas Gash (dcmgash) wrote:
> Hello Opsawg,
> 
> We have uploaded a new version of the TACACS+ informational draft which 
> includes corrections for typos over the document as a whole, but also revised 
> the security section. We anticipate this security section will get most 
> comments, so it is reproduced below.
> 
> We will endeavor to be much more reactive to comments, whether on section 
> below, or any other in rest of uploaded document.

Thank you, Douglas.  My individual comments on this new security
requirements section in line below (since you copied it to email).

> 9.1.  General Security of The Protocol
> 
>TACACS+ protocol does not include a security mechanism that would
>meet modern-day requirements.  Support for MD5-based crypto pad
>encryption fails to provide any kind of transport integrity, which
>presents at least the following risks:
> 
>   Accounting information may be modified by the man-in-the-middle
>   attacker, making such logs unsuitable and untrustable for auditing
>   purposes.
> 
>   Only the body of the request is encrypted which leaves all header
>   fields open to trivial modification by the man-in-the-middle
>   attacker.  For this reason, connections with
>   TAC_PLUS_UNENCRYPTED_FLAG are disallowed, as mentioned in the
>   recommendations section.

JC: Disallowed for discouraged?  This is a doc defining a
currently-deployed protocol.  Implementations MAY allow for this to
work.  However, from a best current practice standpoint, this should be
strongly discouraged.

>For these reasons, users deploying TACACS+ protocol in their
>environments MUST limit access to known clients and MUST control the
>security of the entire transmission path.  Attacks who can guess the
>key or otherwise break the obfuscation will gain unrestricted and
>undetected access to all TACACS+ traffic.  Ensuring that a
>centralized AAA system like TACACS+ is deployed on a secured
>transport is essential to managing security risk of such an attack.

JC: s/Attacks who/Attackers who/


> 9.3.  Security of Authorization Sessions
> 
>Authorization sessions MUST be used via secure transport only as it's
>trivial to execute a successful man-in-the-middle attacks that
>changes well-known plaintext in either requests or responses.

JC: Your statement makes a lot of sense, but I struggle with how this
can be achieved in the current implementation of T+.  To use normative
language here, you are saying that all T+ servers and all NASes must
implement something like an IPSec tunnel to exchange authz details?
Again, I get the recommendation, but in light of existing, interoperable
implementations, I don't see this being a reality.


> 9.6.  TACACS+ Server Implementation Recommendations
> 
>The following recommendations are made when implementing a TACACS+
>server:
> 
>The Server SHOULD NOT accept any connections which have the
>TAC_PLUS_UNENCRYPTED_FLAG set and SHOULD reject those packets with
>applicable ERROR response for type of packet.
> 
>The configuration of dedicated secret keys per individual client MUST
>be supported by the Server implementation.  It is also recommended
>that Servers SHOULD warn administrators if secret keys are not unique
>per client.
> 
>If an invalid shared secret is detected, Servers MUST NOT accept any
>new sessions on a connection, and terminate the connection on
>completion of any sessions previously established with a valid shared
>secret.
> 
>The Server implementation must allow the administrator to mandate:

JC: Should this be MUST?  I ask while still grappling with the use of
such strong language for an informational doc citing recommendations
when so many existing implementations exist in the wild.

> 
>TAC_PLUS_AUTHEN_TYPE_CHAP for authen_type
> 
>TAC_PLUS_AUTHEN_METH_TACACSPLUS for authen_method in authorization
> 
>Minimum length for shared secrets.
> 
> 9.7.  TACACS+ Deployment Best Practices
> 
>Due to above observations about the TACACS+ protocol, it is critical
>to only deploy it using secure transport.  A secure transport for
>TACACS+ is defined as any means that ensure privacy and integrity of
>all data passed between clients and servers.  There are multiple
>means of achieving this, all of them beyond the scope of this
>document.
> 
>Symmetric encryption key represents a possible attack vector at the
>protocol itself.  For this reason, servers SHOULD accept only those
>network connection attempts that arrive from known clients.  This
>limits the exposure and prevents remote brute force attacks from
>unknown clients.
> 
>Due to the security deficiencies of the protocol, it is critical that
>it be deployed in a secure manner.  The following recommendations are
>made for those deploying and configuring TACACS+ as a solution for
>device 

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Joe Clarke]

Alan, T+ authors, and opsawg,

Sorry for the noticeable absence from this thread.  I've been focused on
some dayjob projects these past couple of weeks.

I have followed the threads, though.  I want to hopefully bring some
things to closure and get us all to move forward to come to consensus on
this doc.


On 4/17/18 11:07, Alan DeKok wrote:
> On Apr 17, 2018, at 10:15 AM, Douglas Gash (dcmgash)  
> wrote:
>> Initially (up to around version 5) we included just a very simple security 
>> section admitting that T+ was insecure and that the second document would 
>> address the issue. This was deemed to be insufficient, and instead the WG 
>> collectively determined that more detail should be added to enumerate some 
>> of the issues, you kindly catalogued some of these, providing a proposed 
>> text which we took to be a genuine suggestion for text for the document.
> 
>   Which it was.
> 
>   The point I've been trying to make for over a year is apparently still 
> unclear.
> 
>   There was no excuse for plagiarizing the text in the first place.  Using it 
> verbatim was fine, so long as attribution was given.
> 
>   There was no excuse for ignoring every single email I made to the list 
> asking about this issue.
> 
>   There was no excuse for *continuing* to plagiarize the text for over a 
> year, across four separate revisions of the document.

I agree this was not handled well on many fronts, but we can only learn
and move forward.  As a co-chair, I take responsibility for our part and
apologize it took this long to get sorted.  The authors have added
attribution to your excellent contribution and apologized.

I would like to consider the matter, albeit belatedly, closed.

>> 2) Reactivity of the Authors.
>>
>> As far as I know, we have responded to most posts regarding the content of 
>> the document, with point-by-point replies,
> 
>   No.
> 
>   See the list archives, especially May 2017.  There are multiple people 
> suggesting that you have *not* done this, and that you *should* do this.

I for one have asked for a summary of changes when I did my last review.
 I did not see it.  There was a subsequent revision that did seem to
absorb my comments, but there wasn't a response to me email.  Typically,
when authors receive feedback, they respond in line to either ack or
discuss points (typos notwithstanding).

> 
>   See line-by-line reviews done by me, which were generally ignored.  Despite 
> that, I did *multiple* such reviews, until such time as it became clear that 
> such reviews were entirely unproductive.
> 
>> but there has been, for various logistic reasons, long delays in submitting 
>> the resulting new documents. Hopefully this has been addresses in last 
>> versions and we will continue with more rapid uploads until process 
>> completes one way or other.
> 
>   The issue isn't rapid uploads.  The issue is engagement.  It's not 
> productive to ignore the messages on the mailing list for 6 months, and then 
> to issue a new release saying "we fixed stuff".

Spot on.  One needs to engage.  I am pleased with the authors' attempts
to do better these past couple of weeks.  I want to see this momentum
continue.

>> 3) Change Tracking
>>
>> The uploads have generally had extensive changes relating to comments (which 
>> should generally have been summarized by previous email responses to 
>> comments). 
> 
>   Which I admit did happen sometimes, but not nearly as often as it should 
> have.  Again, see mailing list archives from May 2017.  I'm not the only 
> person who holds this opinion.  I'm just the main one pushing the point.
> 
>> Because of this, unless the updates have been for specific purposes (such as 
>> the recent update of the security section) then I would leave the changes to 
>> the diff tool which works pretty effectively.
> 
>   The diff tool lets us know what changed in the document.  It doesn't let us 
> know if those changes addressed issues raise on the mailing list.
> 
>   To summarize:
> 
> * we have no idea if this revision of the document addresses multiple WG 
> reviews
> 
> * we have no idea if the document even describes TACACS+ as currently 
> implemented
> 
>   As such, it should not be put into working group last call, or much less 
> published until such time as those issues are addressed.

I'm not sure what line-item changes are still outstanding.  Authors, I'm
sure you could look back at your revisions and spot anything that needs
to be addressed here.

I will be submitting an individual review of the new security
requirements soon, and I would like to see this renewed sense of
engagement on the list.

Joe

___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Tianran Zhou]

Hi the Authors,

I remember you posted a list of Alan's comments in the mailing list, and 
mentioned what have been addressed and how, what will be addressed later. 
I think it's a good start. Why not continue doing this for your new revision.
It would be very helpful.

Tianran

> -Original Message-
> From: OPSAWG [mailto:opsawg-boun...@ietf.org] On Behalf Of Alan DeKok
> Sent: Tuesday, April 17, 2018 11:07 PM
> To: Douglas Gash (dcmgash) <dcmg...@cisco.com>
> Cc: opsawg@ietf.org; Andrej Ota <a...@google.com>; Thorsten Dahm
> <thorstend...@google.com>
> Subject: Re: [OPSAWG] New Version Notification for
> draft-ietf-opsawg-tacacs-10.txt
> 
> On Apr 17, 2018, at 10:15 AM, Douglas Gash (dcmgash) <dcmg...@cisco.com>
> wrote:
> > Initially (up to around version 5) we included just a very simple security
> section admitting that T+ was insecure and that the second document would
> address the issue. This was deemed to be insufficient, and instead the WG
> collectively determined that more detail should be added to enumerate some
> of the issues, you kindly catalogued some of these, providing a proposed text
> which we took to be a genuine suggestion for text for the document.
> 
>   Which it was.
> 
>   The point I've been trying to make for over a year is apparently still
> unclear.
> 
>   There was no excuse for plagiarizing the text in the first place.  Using
> it verbatim was fine, so long as attribution was given.
> 
>   There was no excuse for ignoring every single email I made to the list 
> asking
> about this issue.
> 
>   There was no excuse for *continuing* to plagiarize the text for over a year,
> across four separate revisions of the document.
> 
> > Subsequently we interpreted your proposal more accurately (as just a
> suggestion of the points to cover), and so we made sure that these were 
> covered,
> but without verbatim reuse of the text.  We hope that we have covered the
> thrust of your issues (and others), but without the plagiarism.
> 
>   I have no idea.  Because at this point, I'm pretty much done reviewing the
> document.
> 
> > 2) Reactivity of the Authors.
> >
> > As far as I know, we have responded to most posts regarding the content
> of the document, with point-by-point replies,
> 
>   No.
> 
>   See the list archives, especially May 2017.  There are multiple people
> suggesting that you have *not* done this, and that you *should* do this.
> 
>   See line-by-line reviews done by me, which were generally ignored.  Despite
> that, I did *multiple* such reviews, until such time as it became clear that
> such reviews were entirely unproductive.
> 
> > but there has been, for various logistic reasons, long delays in submitting
> the resulting new documents. Hopefully this has been addresses in last
> versions and we will continue with more rapid uploads until process completes
> one way or other.
> 
>   The issue isn't rapid uploads.  The issue is engagement.  It's not
> productive to ignore the messages on the mailing list for 6 months, and then
> to issue a new release saying "we fixed stuff".
> 
> > We have not generally responded to posts regarding procedural matters, and
> would leave such discussions to more knowledgeable stewards of the lists where
> possible,
> 
>   You haven't responded to posts where I ask about the plagiarism.  A simple
> reply of "oops, sorry, I'll fix it ASAP" has taken over a year to write.
> 
> > 3) Change Tracking
> >
> > The uploads have generally had extensive changes relating to comments (which
> should generally have been summarized by previous email responses to
> comments).
> 
>   Which I admit did happen sometimes, but not nearly as often as it should
> have.  Again, see mailing list archives from May 2017.  I'm not the only
> person who holds this opinion.  I'm just the main one pushing the point.
> 
> > Because of this, unless the updates have been for specific purposes (such
> as the recent update of the security section) then I would leave the changes
> to the diff tool which works pretty effectively.
> 
>   The diff tool lets us know what changed in the document.  It doesn't let
> us know if those changes addressed issues raise on the mailing list.
> 
>   To summarize:
> 
> * we have no idea if this revision of the document addresses multiple WG
> reviews
> 
> * we have no idea if the document even describes TACACS+ as currently
> implemented
> 
>   As such, it should not be put into working group last call, or much less
> published until such time as those issues are addressed.
> 
>   Alan DeKok.
> 
> ___
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg

___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Alan DeKok]

On Apr 17, 2018, at 10:15 AM, Douglas Gash (dcmgash)  wrote:
> Initially (up to around version 5) we included just a very simple security 
> section admitting that T+ was insecure and that the second document would 
> address the issue. This was deemed to be insufficient, and instead the WG 
> collectively determined that more detail should be added to enumerate some of 
> the issues, you kindly catalogued some of these, providing a proposed text 
> which we took to be a genuine suggestion for text for the document.

  Which it was.

  The point I've been trying to make for over a year is apparently still 
unclear.

  There was no excuse for plagiarizing the text in the first place.  Using it 
verbatim was fine, so long as attribution was given.

  There was no excuse for ignoring every single email I made to the list asking 
about this issue.

  There was no excuse for *continuing* to plagiarize the text for over a year, 
across four separate revisions of the document.

> Subsequently we interpreted your proposal more accurately (as just a 
> suggestion of the points to cover), and so we made sure that these were 
> covered, but without verbatim reuse of the text.  We hope that we have 
> covered the thrust of your issues (and others), but without the plagiarism.

  I have no idea.  Because at this point, I'm pretty much done reviewing the 
document.

> 2) Reactivity of the Authors.
> 
> As far as I know, we have responded to most posts regarding the content of 
> the document, with point-by-point replies,

  No.

  See the list archives, especially May 2017.  There are multiple people 
suggesting that you have *not* done this, and that you *should* do this.

  See line-by-line reviews done by me, which were generally ignored.  Despite 
that, I did *multiple* such reviews, until such time as it became clear that 
such reviews were entirely unproductive.

> but there has been, for various logistic reasons, long delays in submitting 
> the resulting new documents. Hopefully this has been addresses in last 
> versions and we will continue with more rapid uploads until process completes 
> one way or other.

  The issue isn't rapid uploads.  The issue is engagement.  It's not productive 
to ignore the messages on the mailing list for 6 months, and then to issue a 
new release saying "we fixed stuff".

> We have not generally responded to posts regarding procedural matters, and 
> would leave such discussions to more knowledgeable stewards of the lists 
> where possible,

  You haven't responded to posts where I ask about the plagiarism.  A simple 
reply of "oops, sorry, I'll fix it ASAP" has taken over a year to write.

> 3) Change Tracking
> 
> The uploads have generally had extensive changes relating to comments (which 
> should generally have been summarized by previous email responses to 
> comments). 

  Which I admit did happen sometimes, but not nearly as often as it should 
have.  Again, see mailing list archives from May 2017.  I'm not the only person 
who holds this opinion.  I'm just the main one pushing the point.

> Because of this, unless the updates have been for specific purposes (such as 
> the recent update of the security section) then I would leave the changes to 
> the diff tool which works pretty effectively.

  The diff tool lets us know what changed in the document.  It doesn't let us 
know if those changes addressed issues raise on the mailing list.

  To summarize:

* we have no idea if this revision of the document addresses multiple WG reviews

* we have no idea if the document even describes TACACS+ as currently 
implemented

  As such, it should not be put into working group last call, or much less 
published until such time as those issues are addressed.

  Alan DeKok.

___
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Douglas Gash (dcmgash)]

Hi Alan,

I hope that we can address your concerns. I think the main points that you 
raise the we (the authors) need to address are:

1) The security section
2) Reactivity of the authors 
3) Change Tracking

1) The Security Section

The starting point is that we know that TACACS+ needs enhancement from security 
perspective. That was the reason that this process was initiated, the first 
document being mainly an adaption of the original draft with security features 
plus some minor cleansing. This plan was evolved into two documents, the first, 
that we are in process of preparing, that codifies the protocol, to be followed 
by the version with enhanced security.

Initially (up to around version 5) we included just a very simple security 
section admitting that T+ was insecure and that the second document would 
address the issue. This was deemed to be insufficient, and instead the WG 
collectively determined that more detail should be added to enumerate some of 
the issues, you kindly catalogued some of these, providing a proposed text 
which we took to be a genuine suggestion for text for the document. 
Subsequently we interpreted your proposal more accurately (as just a suggestion 
of the points to cover), and so we made sure that these were covered, but 
without verbatim reuse of the text.  We hope that we have covered the thrust of 
your issues (and others), but without the plagiarism.

2) Reactivity of the Authors.

As far as I know, we have responded to most posts regarding the content of the 
document, with point-by-point replies, but there has been, for various logistic 
reasons, long delays in submitting the resulting new documents. Hopefully this 
has been addresses in last versions and we will continue with more rapid 
uploads until process completes one way or other.

We have not generally responded to posts regarding procedural matters, and 
would leave such discussions to more knowledgeable stewards of the lists where 
possible,

3) Change Tracking

The uploads have generally had extensive changes relating to comments (which 
should generally have been summarized by previous email responses to comments). 
Because of this, unless the updates have been for specific purposes (such as 
the recent update of the security section) then I would leave the changes to 
the diff tool which works pretty effectively.

Please let us know if there are specific points below that you’d like to 
address which would not be covered above.

Many thanks,

Regards,

Doug


 Responding to:

“I have some concerns with the document, and with the process by which we've 
gotten here.

  Let me recap some history.  There's a lot to take
in, so I'll present concerns in point form.

  First, the document.

* my "Security Considerations" text was first plagarised in draft-06,

* when I pointed this out (May 9, 2017), there was no reply to my
  message by the authors, and no change was made to the document.

* the ADs did respond, and indicated that they had talked to the
  authors about the issue, and that it was a simple misunderstand and
  would be fixed.

* A year later, I raised the issue again (March 2018).  There as no
  reply to my concerns by the authors, and no change was made to the
  document.

* in all, 4 separate revisions of the document plagarized my text, for
  over a year, sometimes with minor edits, despite repeated requests
  to address the issue.

  Those issues alone are surprising.

* The text which was good enough to plagarize was then claimed to have
  deficiencies

* no one in the WG had noted any technical issues with the text

* the only issues were with attribution, not with the text in the
  Security Considerations section

* there is now a -10, which has essentially the same points as the
  previous text, just reworded






  I should point out that the RFC process is supposed to be about
content, not authorship.  There are many RFCs issued with text written
by multiple people.  Where the authors cannot all be acknowledged on
the first page, the primary editor can be listed with the (Ed.)
suffix, to indicate editorship.  Other authors can be named as authors
on the first page, or in the Acknowledgements section.

  Second, concerns with engagement with the WG.  It continues.

* multiple people in the WG have requested the authors engage with the
  Working Group.  Most notably, many messages in May 2017.

* multiple people in the WG have requested the authors explain what's
  changed in each new revision, or perhaps to acknowlege comments and
  reviews (May 2017 again, among other times).

* This engagement has been minimal, despite multiple revisions of
  the document being published after these WG requests.

* new revisions have most often been "thrown over the wall" with
  minimal (or no) explanation as to what changed, and why.

* this new draft is no different, i.e. it "revised the security
  section".  Why?  How?  What changed?  What were any alleged
  "deficiencies"?

* the author have 

Re: [OPSAWG] New Version Notification for draft-ietf-opsawg-tacacs-10.txt

[Douglas Gash (dcmgash)]

Hello Opsawg,

We have uploaded a new version of the TACACS+ informational draft which 
includes corrections for typos over the document as a whole, but also revised 
the security section. We anticipate this security section will get most 
comments, so it is reproduced below.

We will endeavor to be much more reactive to comments, whether on section 
below, or any other in rest of uploaded document.

Many thanks,

The authors.



9.  TACACS+ Security Considerations

   The original TACACS+ Draft[1] from 1998 did not address all of the
   key security concerns which are considered when designing modern
   standards.  This section addresses known limitations and concerns
   which will impact overall security of the protocol and systems where
   this protocol is deployed to manage central authentication,
   authorization or accounting for network device administration.

   Multiple implementations of the protocol described in the draft[1]
   have been deployed.  As the protocol was never standardized, current
   implementations may be incompatible in non-obvious ways, giving rise
   to additional security risks.  This section does not claim to
   enumerate all possible security vulnerabilities.

9.1.  General Security of The Protocol

   TACACS+ protocol does not include a security mechanism that would
   meet modern-day requirements.  Support for MD5-based crypto pad
   encryption fails to provide any kind of transport integrity, which
   presents at least the following risks:

  Accounting information may be modified by the man-in-the-middle
  attacker, making such logs unsuitable and untrustable for auditing
  purposes.

  Only the body of the request is encrypted which leaves all header
  fields open to trivial modification by the man-in-the-middle
  attacker.  For this reason, connections with
  TAC_PLUS_UNENCRYPTED_FLAG are disallowed, as mentioned in the
  recommendations section.

  Invalid or misleading values may be inserted by the man-in-the-
  middle attacker in various fields at known offsets to try and
  circumvent the authentication or authorization checks even inside
  the encrypted body.

   While the protocol provides some measure of transport privacy, it is
   vulnerable to at least the following attacks:

  Brute force attacks exploiting increased efficiency of MD5 digest
  computation.

  Known plaintext attacks which may decrease the cost of brute force
  attack.

  Chosen plaintext attacks which may decrease the cost of a brute
  force attack.

  No forward secrecy.

   Even though, to the best knowledge of authors, this method of
   encryption wasn't rigorously tested, enough information is available
   that it is best referred to as "obfuscation" and not "encryption".

   For these reasons, users deploying TACACS+ protocol in their
   environments MUST limit access to known clients and MUST control the
   security of the entire transmission path.  Attacks who can guess the
   key or otherwise break the obfuscation will gain unrestricted and
   undetected access to all TACACS+ traffic.  Ensuring that a
   centralized AAA system like TACACS+ is deployed on a secured
   transport is essential to managing security risk of such an attack.

   The following parts of this section enumerate only the session-
   specific risks which are in addition to general risk associated with
   bare obfuscation and lack of integrity checking.

9.2.  Security of Authentication Sessions

   Authentication sessions SHOULD NOT be used via insecure transport as
   the man-in-the-middle attack may completely subvert them.  Even CHAP,
   which may be considered resistant to password interception, is unsafe
   as it does not protect the username from a trivial man-in-the-middle
   attack.

   This document deprecates the redirection mechanism using the
   TAC_PLUS_AUTHEN_STATUS_FOLLOW option which was included in the
   original draft.  As part of this process, the secret key for a new
   server was sent to the client.  This public exchange of secret keys
   means that once one session is broken, it may be possible to leverage
   that key to attacking connections to other servers.  This mechanism
   SHOULD NOT be used in modern deployments.  It MUST NOT be used
   outside a secured deployment.

9.3.  Security of Authorization Sessions

   Authorization sessions MUST be used via secure transport only as it's
   trivial to execute a successful man-in-the-middle attacks that
   changes well-known plaintext in either requests or responses.

   As an example, take the field "authen_method".  It's not unusual in
   actual deployments to authorize all commands received via the device
   local serial port (a console port) as that one is usually considered
   secure by virtue of the device located in a physically secure
   location.  If an administrator would configure the authorization
   system to allow all commands entered by the user on a