Hi,

I've the gut feeling that

> Peers MUST NOT use Obfuscation with TLS. A TACACS+ client initiating a TACACS+ TLS connection MUST set the TAC_PLUS_UNENCRYPTED_FLAG bit, thereby asserting that Obfuscation is not used for the Session. All subsequent packets MUST have the TAC_PLUS_UNENCRYPTED_FLAG set. A TACACS+ server that receives a packet with the TAC_PLUS_UNENCRYPTED_FLAG not set (cleared) over a TLS connection, MUST return an error of TAC_PLUS_AUTHEN_STATUS_ERROR, TAC_PLUS_AUTHOR_STATUS_ERROR, or TAC_PLUS_ACCT_STATUS_ERROR as appropriate for the TACACS+ message type, with the TAC_PLUS_UNENCRYPTED_FLAG set, and terminate the Session.

isn't the best approach. This would break the transition process compatibility for devices that don't encrypt on their own which move TLS to an intermediate system (a reverse proxy, essentially). This might be a corner case, but I'd prefer a standard for TACACS+-over-TLS that just leaves the TACACS+ protocol as-is and simply encrypts/decrypts. TACACS+ over TLS shouldn't behave differently to plain TACACS+.

Thanks,
Marc
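As an added illustration (an example written for this page, not code from the thread or from the draft), the following implements the server-side rule in the quoted text and runs it against a constructed packet of the kind the message worries about: a device that still obfuscates its TACACS+ body (flag cleared) whose traffic reaches the server through a TLS reverse proxy that relays the TACACS+ bytes unchanged. The 12-byte header layout, the flag bit and the three error status values are those defined in RFC 8907; the packet bytes and the session id are constructed for the example.

```python
import struct

# TACACS+ fixed 12-byte header (RFC 8907 section 4.1), network byte order:
# version | type | seq_no | flags | session_id (4 bytes) | length (4 bytes)
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC0            # major version 0xC in the high nibble, minor 0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # set = body is NOT obfuscated
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # defined in RFC 8907, unused here

TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03

# Error status the quoted draft text requires, selected by message type.
ERROR_STATUS = {
    TAC_PLUS_AUTHEN: 0x07,  # TAC_PLUS_AUTHEN_STATUS_ERROR
    TAC_PLUS_AUTHOR: 0x11,  # TAC_PLUS_AUTHOR_STATUS_ERROR
    TAC_PLUS_ACCT: 0x02,    # TAC_PLUS_ACCT_STATUS_ERROR
}


def build_header(ptype, seq_no, flags, session_id, body_len, version=TAC_PLUS_MAJOR_VER):
    """Pack a TACACS+ header; used here only to construct sample packets."""
    return HEADER.pack(version, ptype, seq_no, flags, session_id, body_len)


def parse_header(pkt):
    """Unpack the fixed header; raise ValueError on short or unknown-type input."""
    if len(pkt) < HEADER.size:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(pkt)
    if ptype not in ERROR_STATUS:
        raise ValueError("unknown TACACS+ packet type %#x" % ptype)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def check_unencrypted_flag(pkt, over_tls):
    """Server-side rule from the quoted draft text.

    Returns ("accept", None) when the packet may be processed, or
    ("reject", <error status>) when it arrived over TLS with the
    TAC_PLUS_UNENCRYPTED_FLAG cleared. On "reject" the server sends the
    error reply and terminates the session. Over plain TCP nothing changes.
    """
    hdr = parse_header(pkt)
    if not over_tls or hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return ("accept", None)
    return ("reject", ERROR_STATUS[hdr["type"]])


def error_reply_header(pkt, body_len=0):
    """Header of the server's error reply: same session, next sequence
    number and, as the draft requires, the UNENCRYPTED flag set."""
    hdr = parse_header(pkt)
    return build_header(hdr["type"], (hdr["seq_no"] + 1) & 0xFF,
                        hdr["flags"] | TAC_PLUS_UNENCRYPTED_FLAG,
                        hdr["session_id"], body_len, hdr["version"])


if __name__ == "__main__":
    # Constructed sample: an authentication START from a device that still
    # obfuscates its body (flag cleared), relayed unchanged by a TLS proxy.
    legacy_pkt = build_header(TAC_PLUS_AUTHEN, seq_no=1, flags=0x00,
                              session_id=0x1234ABCD, body_len=0)
    print("plain TCP :", check_unencrypted_flag(legacy_pkt, over_tls=False))
    print("via TLS   :", check_unencrypted_flag(legacy_pkt, over_tls=True))
    print("error hdr :", parse_header(error_reply_header(legacy_pkt)))

    # The same device with the flag set (no obfuscation) is accepted over TLS.
    native_pkt = build_header(TAC_PLUS_AUTHEN, 1, TAC_PLUS_UNENCRYPTED_FLAG, 0x1234ABCD, 0)
    print("native TLS:", check_unencrypted_flag(native_pkt, over_tls=True))
```

The first two printed lines are the compatibility point of the message in miniature: the identical bytes are accepted on a plain TCP listener and rejected once a TLS terminator in front of the server is involved, so the TLS path is the only one on which the flag bit becomes load-bearing.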
_______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg