Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-08-06 Thread Joe Clarke
On 8/2/18 00:23, Douglas Gash (dcmgash) wrote: > Apologies for the interruption in the conversation. > > Attached should incorporate yours and Alan’s latest comments, and some client > side comments have been addressed. > > Please find attached. Thanks, Douglas. I read through these changes,

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-08-01 Thread Douglas Gash (dcmgash)
Apologies for the interruption in the conversation. Attached should incorporate yours and Alan’s latest comments, and some client side comments have been addressed. Please find attached. Many thanks. On 16/07/2018, 6:56, "Douglas Gash (dcmgash)" wrote: Hi Joe, Thanks Joe,

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-15 Thread Douglas Gash (dcmgash)
Hi Joe, Thanks Joe, all useful comments. I believe that most of them were caught in the previous upload (in which we responded to Alan’s last mail), I will make sure that any missing are in the next. On 16/07/2018, 0:20, "Joe Clarke" wrote: On 7/14/18 00:57, Douglas Gash (dcmgash) wrote:

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-15 Thread Joe Clarke
On 7/14/18 00:57, Douglas Gash (dcmgash) wrote: > 9.5 Deployment Best Practices > > With respect to the observations about the security issues described above, a  > network administrator MUST NOT rely on the obfuscation of the TACACS+ > protocol and TACACS+ MUST be deployed over networks which

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-14 Thread Douglas Gash (dcmgash)
Thanks Alan… On 14/07/2018, 15:00, "Alan DeKok" wrote: On Jul 14, 2018, at 12:57 AM, Douglas Gash (dcmgash) wrote: > > Dear Alan, > > Do the changes below clarify the intent sufficiently? (please find diff below) The changes are mainly in first section with a few tweaks

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-14 Thread Alan DeKok
On Jul 14, 2018, at 12:57 AM, Douglas Gash (dcmgash) wrote: > > Dear Alan, > > Do the changes below clarify the intent sufficiently? (please find diff > below) The changes are mainly in first section with a few tweaks in later > sections. Let's see... > 9.5 Deployment Best Practices > >

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Douglas Gash (dcmgash)
Dear Alan, Do the changes below clarify the intent sufficiently? (please find diff below) The changes are mainly in first section with a few tweaks in later sections. Many thanks. 9.5 Deployment Best Practices With respect to the observations about the security issues described above, a 

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread joel jaeggli
On 7/13/18 4:30 AM, Alan DeKok wrote: > There have been many, many, historical protocols documented in the IETF. > None that I recall have a statement explicitly blessing existing > implementations. > > The document *should* say that it documents TACACS+ as per existing >

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Alan DeKok
On Jul 13, 2018, at 11:39 AM, Randy Bush wrote: >> >> Also, we have *no idea* if the document matches current implementations or >> deployments. The proponents of TACACS+ have been surprisingly silent on >> this topic. > > i am missing the example of where it does not. There are probably

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Randy Bush
> There are still unaddressed comments. Do we do WG last calls for > unfinished documents? > > Also, we have *no idea* if the document matches current implementations or > deployments. The proponents of TACACS+ have been surprisingly silent on this > topic. > > So everyone wants the

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Alan DeKok
On Jul 13, 2018, at 11:30 AM, Joe Clarke wrote: > > I am hoping to start a WGLC at the Tuesday meeting, and carry it over to > the list to make it official. There are still unaddressed comments. Do we do WG last calls for unfinished documents? Also, we have *no idea* if the document

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Randy Bush
>>> I think the current proposals are pretty close, at least from my end. >>> I think it's just word smithing from now on. >> >> good. so it should be finished by the time the drafts door re-opens on >> monday? > > I am hoping to start a WGLC at the Tuesday meeting, and carry it over to > the

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Joe Clarke
On 7/13/18 10:37, Randy Bush wrote: >> I think the current proposals are pretty close, at least from my end. >> I think it's just word smithing from now on. > > good. so it should be finished by the time the drafts door re-opens on > monday? I am hoping to start a WGLC at the Tuesday meeting,

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Randy Bush
> I think the current proposals are pretty close, at least from my end. > I think it's just word smithing from now on. good. so it should be finished by the time the drafts door re-opens on monday? randy ___ OPSAWG mailing list OPSAWG@ietf.org

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Alan DeKok
On Jul 13, 2018, at 10:29 AM, Randy Bush wrote: > i do not think we are gonna 'fix' the security model. this is a widely > deployed antique we are just trying to document so new victims can > interoperate. That has been the goal all along. Along with the goal of documenting security issues.

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Randy Bush
as one of the many folk who have been using this protocol since the '90s, i gotta wonder how many angels we can sit on the head of this bikeshed. i do not think we are gonna 'fix' the security model. this is a widely deployed antique we are just trying to document so new victims can

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Douglas Gash (dcmgash)
Thanks Alan... > On 13 Jul 2018, at 14:30, Alan DeKok wrote: > >> On Jul 13, 2018, at 1:00 AM, Douglas Gash (dcmgash) >> wrote: >> 9.5 Deployment Best Practices >> >> With respect to the observations about the security issues described above, >> a network administrator MUST NOT rely on the

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-13 Thread Alan DeKok
On Jul 13, 2018, at 1:00 AM, Douglas Gash (dcmgash) wrote: > 9.5 Deployment Best Practices > > With respect to the observations about the security issues described above, a > network administrator MUST NOT rely on the obfuscation of the TACACS+ > protocol and TACACS+ MUST be deployed over

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-12 Thread Douglas Gash (dcmgash)
Dear OPSAWG, Below is a revised version of the recommendations. I have understood the consensus to be, that we should keep the strength of the recommendations, but explain how these should be applied in the real world with many, potentially very old implementations in place. Consequently,

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-12 Thread Douglas Gash (dcmgash)
Hi Joe, Thanks for the comments. We will be sending out a new version of the recommendations section today. It actually intends to clarify in the first section how the guidance should be interpreted, which I think should allow our strong recommendations to be kept, as I hope it will answer

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-10 Thread Andrej Ota
On 10/07/2018 01:58, Alan DeKok wrote: On Jul 9, 2018, at 5:51 PM, Andrej Ota wrote: Is it worth asking everyone or even expecting anyone to migrate to new-improved-and-still-insecure revision of T+ that requires exactly same amount of operational solutions to secure deployment? Is

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-09 Thread Alan DeKok
On Jul 9, 2018, at 5:36 PM, Joe Clarke wrote: > I hear and understand what you're saying. And if this were a net new > protocol, I'd agree with you 100%. But the mandate for this document is > to describe how T+ is implemented today[1]. So... a) we rubber-stamp existing practices and

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-09 Thread Blumenthal, Uri - 0553 - MITLL
>> I think that if the WG punts on security, the security area directorate will punt the document back to the WG. And say "fix it". >> >> This isn't about invalidating current implementations. It's about telling people that *new* implementations, or new *releases*, have to be as

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-09 Thread Andrej Ota
> On 9 Jul 2018, at 22:11, Alan DeKok wrote: > > On Jul 9, 2018, at 4:54 PM, Joe Clarke wrote: >> Below are some of my comments. They mainly revolve around the strength >> of the normative language with respect to the fact that this draft is >> supposed to document the protocol as it is

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-09 Thread Joe Clarke
On 7/9/18 17:11, Alan DeKok wrote: > On Jul 9, 2018, at 4:54 PM, Joe Clarke wrote: >> Below are some of my comments. They mainly revolve around the strength >> of the normative language with respect to the fact that this draft is >> supposed to document the protocol as it is today. To me, the

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-09 Thread Alan DeKok
On Jul 9, 2018, at 4:54 PM, Joe Clarke wrote: > Below are some of my comments. They mainly revolve around the strength > of the normative language with respect to the fact that this draft is > supposed to document the protocol as it is today. To me, the security > considerations should reflect

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-07-06 Thread Douglas Gash (dcmgash)
Hi, Below is a revised version of the subsection, based upon Alan’s comments, Many thanks. 9.5 TACACS+ Deployment Best Practices In view of the observations about the security issues described above, a network administrator MUST NOT rely on the obfuscation of the TACACS+ protocol and

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-06-28 Thread Douglas Gash (dcmgash)
Hi Alan, Thank you for the response. Please see responses below. On 28/06/2018, 14:22, "Alan DeKok" wrote: On Jun 28, 2018, at 2:03 AM, Douglas Gash (dcmgash) wrote: > > Dear Opsawg, > > The TACACS+ Draft Version 9 contains a security section, the last three

Re: [OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-06-28 Thread Alan DeKok
On Jun 28, 2018, at 2:03 AM, Douglas Gash (dcmgash) wrote: > > Dear Opsawg, > > The TACACS+ Draft Version 9 contains a security section, the last three > subsections of which are recommendations. There is some overlap and > repetition between sections where the same issues are covered from

[OPSAWG] TACACS+ information Draft Security Recommendations refactor

2018-06-28 Thread Douglas Gash (dcmgash)
Dear Opsawg, The TACACS+ Draft Version 9 contains a security section, the last three subsections of which are recommendations. There is some overlap and repetition between sections where the same issues are covered from different angles, which we believe may lead to ambiguity. So instead we