Dear OPSAWG,
Many thank for all the comments on the Secure TACACS+ (TLS) draft v3.
We have submitted a revised doc which intention to address the concerns and
comments. It is rather later than originally planned, our apologies for the
delay. We will look forward to addressing the corresponding issues form this
revision in a timelier manner.
Some brief notes regarding the broader topics raised in v3, all items of
course, are open for re-aligning as the group sees fit.
* Regarding the allocation of a specific port, a key motivation concerns
the pervasive use of default ports in current configurations. Ensuring the
client implementations work correctly with default ports now TLS is introduced,
to minimise burden for operators whilst avoiding wrinkles with downgrade
attacks does require said new default port to be allocated, and we will
explicitly mention this in a new section in the new doc. We hope this should
help account for our request for an allocated port.
* RFC9325 does look a timely reference, and we have tried to delegate what
we can from the new TACACS+ doc to it.
* Tracking the discussion on the deprecation of obfuscation option inside
TLS, our current reading is that:
* All TLS traffic must NOT use obfuscation.
* Setting the non-obfuscation option (TACACS has a flag for unencrypted)
is mandatory for all TLS TACACS+ traffic.
* The aim is to avoid any ambiguity and to remove MD5 operations from
this level of the protocol.
* We hope we have addressed the raised issues nits and ambiguities.
Best regards, the Authors.
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
