Re: [OPSAWG] Action Items on TACACS+ informational draft v 10

Tue, 10 Jul 2018 08:43:26 -0700 



On 07/10/2018 03:48 PM, Alan DeKok wrote:

On Jul 10, 2018, at 10:11 AM, Andrej Ota <and...@ota.si> wrote:

Actually, both PAP and CHAP are irrelevant in this case. If Eve is in a 
position to intercept TACACS+ traffic, she can flip a single bit in the 
authentication response and that will ensure that the device (client) will 
consider authentication to have succeeded. Obfuscation doesn't help, only 
secured transport does.


   Yes.


Thus it's irrelevant to specifically mention any particular currently used 
authentication method as all of them fail in exactly the same way *and* it's 
irrelevant to distinguish between obfuscated and non-obfuscated variety as MitM 
will succeed regardless.


   Yes and no.  It's still bad to send clear-text passwords over a clear 
channel.  That can be called out and explained.


Agreed.




Since this makes secured transport a minimal necessary requirement for any 
secure deployment, what benefit is there to try and find further examples of 
what can be mandated if none of the mandates would meaningfully change the end 
result?


   It's useful to explain *what* behaviours are insecure, and *why* they are 
insecure.



Agreed. We (authors) were trying to put in more of the background as to 
what are the threats for this reason - empowering those who need to 
deploy the protocol to make the correct call.



Though I'd flip this and put emphasis on what behaviours are secure and 
declare others explicitly unsecure.




   The alternative is to leave the reader to fend for himself.  "Hmm... the authors 
didn't say this was bad, so let's do it!"


No, that would be really bad outcome and I agree we must avoid it.


Let us (authors) take this recent feedback on board and reword things 
along the lines:
 - Use MUST where we want programmers to do the right thing, but be 
careful not to distort the actual protocol as currently implemented. 
Handling secrets, passwords seem like good targets for this.

 - Keep and improve verbiage documenting known risks.

 - Give either MUST verbiage where there's only one thing to do (e.g. 
secured transport is a MUST).
 - Give SHOULD where there's multiple things (e.g. PAP vs. CHAP is 
closely related to password management on the server side).


Would this be the right way or not really?


Andrej.

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg





























					Reply via email to