Thanks Alan...

> On 13 Jul 2018, at 14:30, Alan DeKok <al...@deployingradius.com> wrote:
>
>> On Jul 13, 2018, at 1:00 AM, Douglas Gash (dcmgash) <dcmg...@cisco.com> wrote:
>>
>> 9.5 Deployment Best Practices
>>
>> With respect to the observations about the security issues described above,
>> a network administrator MUST NOT rely on the obfuscation of the TACACS+
>> protocol and TACACS+ MUST be deployed over networks which ensure privacy and
>> integrity of the communication. TACACS+ MUST be used within a secure
>> deployment. Failure to do so may impact overall network security.
>
> "may"? It's much stronger than that. Secrets will leak, people will be
> able to spoof credentials, etc. It *will* impact network security. Severely.
>
Agreed, will update.

>> The following recommendations are not part of the definition of the
>> protocol. Rather, they impose restrictions on how the protocol is applied.
>> Specific requirements of the TACACS+ server and TACACS+ client
>> implementations are mandated to make it easier for the administrators who
>> deploy TACACS+ to adopt the restrictions.
>
> That last sentence is unclear to me. And mandates don't make it easier,
> they make it harder. But the mandates are necessary for security.
>

The intent is this: the implementors of the Servers and Clients receive the new mandatory MUST items in order to make it easier for the admins deploying TACACS+ to do the stipulated SHOULD items in the field. I think we can establish that shared responsibility for the recommended security practices. That is the intent of the sentence, I will clarify it... though would welcome thoughts on that intent.

>> Some of the specific requirements mandated for TACACS+ servers and TACACS+
>> clients may not be present in currently deployed implementations. This is
>> accepted as situational fact, and these implementations may still be
>> regarded as correctly implementing the TACACS+ protocol as long as they
>> conform to the details in other sections of this document.
>
> The spec doesn't need to say "yes, all existing implementations are OK".
>
> This list has had long discussions on that topic, which I suspect was due to
> general unfamiliarity with the IETF process. I don't think it's necessary to
> put that statement in the document.
>
> There have been many, many, historical protocols documented in the IETF.
> None that I recall have a statement explicitly blessing existing
> implementations.
>
> The document *should* say that it documents TACACS+ as per existing
> implementation and practice. BUT for security reasons, certain parts of the
> protocol and/or deployment practices are deprecated for security reasons.
>
>> New implementations, and upgrades of current implementations, SHOULD
>> implement the recommendations.
>
> And that SHOULD means "you don't really need to adopt the recommendations".
>
> The spec needs to say "you MUST implement and deploy it in a secure manner".
>

That is reasonable and rereading last week's comments aligns better, I will update to that effect.

> Alan DeKok.
>
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg