Hi Mohamed,
I was about to write an email regarding the OPSAWG recharter and how the WG will
continue to address the operational issues with TACACS+ (which will remain even
after the publication of the tacacs-tls draft). The discussion you started on the
expected level of work of the WG ("minor") and the proposal to clarify it make
me feel this is the right time to do it.
TACACS+ is widely deployed for Authentication and Authorization on equipment
in a lot of networks (large companies, telcos, etc.). Being supported by most
vendors, having various functional benefits, and with this large deployment base,
it seems it is here to stay. As already discussed in [1], the protocol is old and
suffers from two major security issues:
1/ weak protection of traffic;
2/ total reliance on passwords.
Bit flipping and other issues (which currently allow for trivial access to
equipment) associated with 1/ will be addressed by what has been specified in
the tacacs-tls draft. This effort is a good step forward but does not address 2/,
which is the fundamental problem of TACACS+. Even after equipment ships with
tacacs-tls, administrators (or supervision tools, etc.) on networks with
TACACS+ deployed will still disseminate their (usually unique, full-power)
password, which will be available in cleartext on all the equipment under
TACACS+ control. A TACACS+ domain is one where an attacker just has to
compromise a single weaker piece of equipment and wait for a cleartext password to
arrive to then have valid credentials to access ALL the equipment.
My questions would be:
- is the problem described above a subject to be addressed by the WG?
- if it is, what is the expected way forward? Specifying support for pushing
SSH public-keys (draft-dahm-opsawg-tacacs-security-01?)? or X.509 certificate
anchors? Other options?
- if it is not, where can it be addressed? What would be the way forward?
Cheers,
Arnaud
[1]: https://mailarchive.ietf.org/arch/msg/opsawg/vdhi_wqIOLTOA7CN42WYk__d2-g/
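As an added illustration of point 1/ above (this is example code written for this thread, not part of Arnaud's message, of RFC 8907, or of any OPSAWG draft), here is the legacy TACACS+ body obfuscation of RFC 8907 section 4.5 written out in Python, followed by the check a defender would want to run: the body is only XORed with a chained-MD5 pad derived from the shared secret, and the packet carries no integrity tag over the body, so a packet modified in transit decodes without any error and the receiver has nothing to reject it with. That is the property the tacacs-tls draft fixes by moving integrity to the transport. The session id, shared secret and body below are constructed sample values, not taken from any deployment.

```python
import hashlib
import struct


# RFC 8907 section 4.5: the body is XORed with a pseudo-random pad built from
# chained MD5 digests of (session_id, key, version, seq_no[, previous digest]).
def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Return `length` bytes of the RFC 8907 pseudo_pad for one packet."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""  # MD5_1 has no previous digest appended
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()  # MD5_n = MD5{base, MD5_n-1}
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Apply (or remove: XOR is self-inverse) the legacy TACACS+ body obfuscation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def decode_after_bitflip(body: bytes, session_id: int, key: bytes,
                         version: int, seq_no: int, byte_index: int, bit: int) -> bytes:
    """Obfuscate `body`, change one bit of the on-wire bytes, and decode it as a
    receiver would.

    The legacy format has no MAC and no checksum over the body, so the receiver
    cannot tell the packet was altered: decoding simply succeeds, with the same
    bit changed in the decoded body. Only transport-level integrity (TLS) can
    close this gap.
    """
    on_wire = bytearray(obfuscate(body, session_id, key, version, seq_no))
    on_wire[byte_index] ^= 1 << bit  # the in-transit modification
    return obfuscate(bytes(on_wire), session_id, key, version, seq_no)


def differing_bytes(a: bytes, b: bytes) -> list:
    """Indexes at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample values (assumptions for this example, not from any real deployment).
SESSION_ID = 0x1234ABCD
SHARED_KEY = b"example-shared-secret"
VERSION = 0xC0  # major version 0xC, minor version 0
SEQ_NO = 1
BODY = b"constructed sample body, not a real TACACS+ message"

if __name__ == "__main__":
    # Round trip: the same call obfuscates and de-obfuscates.
    wire = obfuscate(BODY, SESSION_ID, SHARED_KEY, VERSION, SEQ_NO)
    assert obfuscate(wire, SESSION_ID, SHARED_KEY, VERSION, SEQ_NO) == BODY
    # Malleability: one bit changed on the wire becomes one bit changed in the
    # decoded body, and no step of the decoding raised an error.
    decoded = decode_after_bitflip(BODY, SESSION_ID, SHARED_KEY, VERSION, SEQ_NO, 3, 0)
    print("bytes of the decoded body changed by one in-transit bit flip:",
          differing_bytes(BODY, decoded))
```

The round trip shows the obfuscation itself is implemented as the RFC describes; the second check is the one that matters for the discussion: the legacy mechanism hides the body from a passive observer that lacks the shared secret but gives the receiver no way to verify that the body it decoded is the one the peer sent.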
-----Original Message-----
From: [email protected] <[email protected]>
Sent: Monday, 14 April 2025 09:55
To: Gunter Van de Velde <[email protected]>; The IESG
<[email protected]>
Cc: [email protected]; [email protected]
Subject: [OPSAWG]Re: Gunter Van de Velde's No Objection on
charter-ietf-opsawg-04-04: (with COMMENT)
Hi Gunter,
There are many OPS-related protocols out there for which we don't have a home
(IPFIX, DIAMETER, etc.). OPSAWG should not be the place to develop major
changes (e.g. new versions) of these protocols.
For example, we used to have opsawg be tagged as maintenance group for RADIUS
(https://mailarchive.ietf.org/arch/msg/radext/ygSshqCzKe0uN5aPiN08U_k-gx8/). I
wasn't personally happy with that at the time for the reasons mentioned in that
thread. Happily, RADEXT was resurrected since then and has its own WG (which is
the right thing to do).
I suggest we keep "minor" to make the scope clear. We can characterize it if
needed, though.
Thank you.
Cheers,
Med
> -----Original Message-----
> From: Gunter Van de Velde via Datatracker <[email protected]>
> Sent: Monday, 14 April 2025 09:25
> To: The IESG <[email protected]>
> Cc: [email protected]; [email protected]
> Subject: Gunter Van de Velde's No Objection on charter-ietf-opsawg-04-04: (with COMMENT)
>
>
> Gunter Van de Velde has entered the following ballot position for
> charter-ietf-opsawg-04-04: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut
> this introductory paragraph, however.)
>
> -------------------------------------------------------------------
> COMMENT:
> -------------------------------------------------------------------
>
> This charter is refreshingly short, clear in its objective, and keeps
> things nice and simple. Just a small comment on the text:
>
> "
> Examples include the advancement of documents on the standards track,
> application statements, maintenance, and minor extensions of documents
> that were developed in working groups that have concluded, e.g.,
> IPFIX, network or service level YANG modules, and tools for the
> Operations and Management Area. "
>
> The word "minor" caught my attention. It might be open to
> interpretation and could lead to debates later on about what qualifies
> as "minor" versus something more substantial. Would it make sense to
> drop that word to avoid any unnecessary restrictions or ambiguity down
> the line?
>
>
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]