Hi Doug, all,
Thank you for preparing this update.
Please find below minor items that you may fix before or after the WGLC. Fixing
them before would be my preference, though :-)
* Header
OLD: Updates: RFC8907 (if approved)
NEW: Updates: 8907 (if approved)
* Title
OLD: TACACS+ over TLS 1.3
NEW: Terminal Access Controller Access-Control System Plus (TACACS+) over TLS
1.3
* Section 3: Redundant normative language
CURRENT: option for MD5 obfuscation, and specifies that TLS 1.3 MUST be used
and
CURRENT: TLS 1.3 [RFC8446] MUST be used for transport,
I suggest reverting the first one.
* Section 3.2: nit
OLD: Single Connection Mode Section 4.3 of [RFC8907]
NEW: Single Connection Mode (Section 4.3 of [RFC8907])
* Section 3.2.1:
(1) nit
OLD:
Implementations MUST support the TLS 1.3 mandatory cipher suites (TLS 1.3 [RFC8446] Section 9.1).
NEW:
Implementations MUST support the TLS 1.3 mandatory cipher suites (Section 9.1 of [RFC8446]).
(2) consistency: the text already says that it inherits the TLS1.3 MTI, which
is a reco.
OLD:
This document makes no cipher suite recommendations, please refer to [BCP195] for guidance.
NEW:
This document makes no additional cipher suite recommendations. Readers should refer to [BCP195] for guidance.
* Section 3.2.2: normative language
OLD: Unless disabled by configuration, a peer MUST not permit connection
NEW: Unless disabled by configuration, a peer MUST NOT permit connection
* Section 3.2.2.1: nit
OLD: revocation must be handled as it is not part of the standard. .
NEW: revocation must be handled as it is not part of the standard.
* Section 5.1.1: expand on why readers should look at 3365.
CURRENT:
It is NOT RECOMMENDED to deploy TACACS+ without TLS authentication
and encryption, unless within test and debug environments. Also see
[RFC3365].
* Section 5.1.3: readability
OLD:
Also useful are TLS 1.3 specifications themselves (TLS 1.3
[RFC8446]), which prescribes mandatory support in Section 9.
NEW:
Also, Section 9 of [RFC8446] prescribes mandatory support in Section 9.
I'm tempted to simply delete that text given the discussion in 3.2.1.
* Section 8: Please list Tiru and Valery reviews. Thanks.
* Section 9:
(1) Move FIPS-140-3 to be listed as informative.
(2) Delete this entry as it is not cited in the text
[RFC7605] Touch, J., "Recommendations on Using Assigned Transport
Port Numbers", BCP 165, RFC 7605, DOI 10.17487/RFC7605,
August 2015, https://www.rfc-editor.org/info/rfc7605.
Cheers,
Med
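Several of the review items above (TLS 1.3 MUST be used for transport, the RFC 8446 Section 9.1 mandatory cipher suite, and "unless disabled by configuration, a peer MUST NOT permit connection" without authentication) describe checks an implementer has to enforce in code. The following is an added example, not text from the draft and not code from any TACACS+ implementation: it builds a Python `ssl` context pinned to TLS 1.3 with peer-certificate verification on by default, and reports whether the mandatory-to-implement suite is actually offered by the local TLS library. The function names and the `require_peer_cert` flag are this example's own assumptions.

```python
"""TLS 1.3-only context for a TACACS+ client or server plus a check that the
RFC 8446 Section 9.1 mandatory-to-implement suite is offered.

Added example; not code from the draft or from any TACACS+ implementation.
"""
import ssl

# RFC 8446 Section 9.1: TLS_AES_128_GCM_SHA256 is MUST, the other two are SHOULD.
MTI_SUITE = "TLS_AES_128_GCM_SHA256"
RECOMMENDED_SUITES = ("TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256")


def make_tacacs_tls_context(role, cafile=None, certfile=None, keyfile=None,
                            require_peer_cert=True):
    """Return an ssl.SSLContext that only speaks TLS 1.3.

    role: "client" or "server" (hypothetical parameter name).
    require_peer_cert=True is the default the draft asks for: the peer has to
    present a certificate that validates. Passing False is the
    "disabled by configuration" escape hatch and is never the default here.
    """
    if role == "client":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    elif role == "server":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    else:
        raise ValueError("role must be 'client' or 'server'")

    # Refuse anything below TLS 1.3: no TLS 1.2 fallback, and of course no
    # plaintext/MD5-obfuscated TACACS+ on this socket.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3

    if require_peer_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
        # Hostname matching only makes sense on the client side.
        ctx.check_hostname = (role == "client")
    else:
        # Order matters: check_hostname must be cleared before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def offered_tls13_suites(ctx):
    """Names of the TLS 1.3 suites the underlying OpenSSL build will negotiate."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") == "TLSv1.3"]


def missing_mti_suites(ctx):
    """Return the Section 9.1 suites the context does not offer.

    An empty list means the MUST suite and both SHOULD suites are available.
    If MTI_SUITE itself is in the list, this build cannot satisfy the draft.
    """
    offered = set(offered_tls13_suites(ctx))
    return [s for s in (MTI_SUITE,) + RECOMMENDED_SUITES if s not in offered]


def tls13_policy_ok(ctx):
    """True when the context enforces TLS 1.3 only, requires a peer certificate
    and offers the mandatory-to-implement suite."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and MTI_SUITE not in missing_mti_suites(ctx))


if __name__ == "__main__":
    for role in ("client", "server"):
        ctx = make_tacacs_tls_context(role)
        print(role, "TLS 1.3 suites offered:", offered_tls13_suites(ctx))
        print(role, "missing MTI/recommended suites:", missing_mti_suites(ctx))
        print(role, "policy ok:", tls13_policy_ok(ctx))
```

The context is deliberately left without trust anchors or a certificate chain unless the caller supplies them, so on a real deployment `cafile` and `certfile`/`keyfile` must be set; with `require_peer_cert=True` and no CA loaded, every handshake fails closed rather than silently accepting an unauthenticated peer, which is the behaviour Section 3.2.2 asks for.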
From: Douglas Gash (dcmgash)
Sent: Tuesday, 21 May 2024 19:03
To: opsawg@ietf.org; BOUCADAIR Mohamed INNOV/NET; tirumal reddy; Valery Smyslov (s...@elvis.ru)
Cc: Andrej Ota; John Heasley; Thorsten Dahm
Subject: Re: New Version Notification for draft-ietf-opsawg-tacacs-tls13-09.txt
Dear OPSAWG et al,
We have uploaded a version with initial responses to the reviews and insights
kindly provided by Tirumal and Valery, and will be happy to make good any
omissions or needed corrections ASAP.
Many thanks,
The Authors.
From: internet-dra...@ietf.org
Date: Tuesday, 21 May 2024 at 17:57
To: Douglas Gash (dcmgash) <dcmg...@cisco.com>, Douglas Gash (dcmgash) <dcmg...@cisco.com>, Andrej Ota <and...@ota.si>, John Heasley <h...@shrubbery.net>, Thorsten Dahm <thorsten.d...@gmail.com>
Subject: New Version Notification for draft-ietf-opsawg-tacacs-tls13-09.txt
A new version of Internet-Draft draft-ietf-opsawg-tacacs-tls13-09.txt has been
successfully submitted by Douglas C. Medway Gash and posted to the
IETF repository.
Name: draft-ietf-opsawg-tacacs-tls13
Revision: 09
Title: TACACS+ over TLS 1.3
Date: 2024-05-21
Group: opsawg
Pages: 15
URL: https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-09.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-opsawg-tacacs-tls13/
HTML: https://www.ietf.org/archive/id/draft-ietf-opsawg-tacacs-tls13-09.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-tacacs-tls13
Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-opsawg-tacacs-tls13-09
Abstract:
The Terminal Access Controller Access-Control System Plus (TACACS+)
Protocol provides device administration for routers, network access
servers and other networked computing devices via one or more
centralized servers. This document adds Transport Layer Security
(TLS 1.3) support to TACACS+ and obsoletes former inferior security
mechanisms.
This document updates RFC8907.
The IETF Secretariat