On 7/13/18 4:30 AM, Alan DeKok wrote:

<snip>
>   There have been many, many, historical protocols documented in the IETF.  
> None that I recall have a statement explicitly blessing existing 
> implementations.
>
>   The document *should* say that it documents TACACS+ as per existing 
> implementation and practice.  BUT for security reasons, certain parts of the 
> protocol and/or deployment practices are deprecated for security reasons.

Yeah, I think it's quite fair to say that in many cases the existing way
things have run may not be sufficient / adequate. Doing so is providing
advice to both future and current operators.

As someone who has to explain to the auditors once or twice a year how
the network access controls work, providing guidance on what is
considered adequate feeds into how people implement and think about
their management systems.

>> New implementations, and upgrades of current implementations, SHOULD 
>> implement the recommendations.
>   And that SHOULD means "you don't really need to adopt the recommendations".
>
>   The spec needs to say "you MUST implement and deploy it in a secure manner".
>
>   Alan DeKok.
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>

