Re: [OPSAWG] Secdir last call review of draft-ietf-opsawg-tacacs-13

2019-04-23 Thread joel jaeggli
On 4/21/19 20:56, Randy Bush wrote:
>> "TACACS+ MUST be used with an addition security mechanism to
>> protection of the communication such as IPSEC or a secure network such
>> as described in 10.5. "
>
> not operationally viable

I don't deploy tacacs+ plus anymore, but when I did, concerted

Re: [OPSAWG] Secdir last call review of draft-ietf-opsawg-tacacs-13

2019-04-22 Thread Randy Bush
>> Agreed to replace the section with a simple statement that
>> obfuscation provides no integrity or replay protection. I'm assuming
>> this refers just to 10.1 and not the whole of 10.
>>
> [Joe] I think you could probably replace a large portion of 10.2, 3 and 4
> as well.

hyperbole is not

Re: [OPSAWG] Secdir last call review of draft-ietf-opsawg-tacacs-13

2019-04-22 Thread Joseph Salowey
On Mon, Apr 22, 2019 at 11:24 AM Andrej Ota wrote:
> Hi Joseph,
>
> Thank you for taking time to review the document. Answers are in-line.
>
>
> On 22 Apr 2019, at 04:49, Joseph Salowey via Datatracker <
> nore...@ietf.org> wrote:
> >
> > Reviewer: Joseph Salowey
> > Review result: Serious

Re: [OPSAWG] Secdir last call review of draft-ietf-opsawg-tacacs-13

2019-04-22 Thread Andrej Ota
Hi Joseph,

Thank you for taking time to review the document. Answers are in-line.

> On 22 Apr 2019, at 04:49, Joseph Salowey via Datatracker
> wrote:
>
> Reviewer: Joseph Salowey
> Review result: Serious Issues
>
> As the draft mentions the MD5 based stream cipher used by TACACS+ is
>

Re: [OPSAWG] Secdir last call review of draft-ietf-opsawg-tacacs-13

2019-04-21 Thread Randy Bush
> "TACACS+ MUST be used with an addition security mechanism to
> protection of the communication such as IPSEC or a secure network such
> as described in 10.5. "

not operationally viable

randy

[OPSAWG] Secdir last call review of draft-ietf-opsawg-tacacs-13

2019-04-21 Thread Joseph Salowey via Datatracker
Reviewer: Joseph Salowey
Review result: Serious Issues

As the draft mentions, the MD5-based stream cipher used by TACACS+ is completely insecure. I think there is too much discussion in the security considerations that may lead one to think that in some cases it provides sufficient protection.