The authentication continue packet does not have a status field

haussli / draft-dahm-opsawg-tacacs-security

IETF draft for new tacacs+ security features

1 stars 1 forks source link

The authentication continue packet does not have a status field #4

Closed haussli closed 3 years ago

haussli commented 3 years ago

The authentication continue packet does not have a status field, only a flags field. This forces the ssh pubkey exchange to add flags to communicate progress: TAC_PLUS_CONTINUE_FLAG_FRAGMENT, _PASS, _FAIL, _ERROR.

Would adding a status field be a better solution?

dcmgashcisco commented 3 years ago

The continue packet doesn't have a status field because the server is normally managing the flow and so owns the status. In this case the client is owning the flow, so we'd like to allow the client to share status with the server.

I agree that adding flags does not look like the right way to go. Instead we need to support the (what I assume iwill continue to be an unusual case) of the client running the flow. Would it make sense to add an AVP client-status?

haussli commented 3 years ago

I had not thought about it in that sense; seems a bit of field name semantics, in which case flags seems more acceptable. An AVP seems more unnatural.

I could be convinced to leave the draft as is, or to add a status field or an AVP.

haussli commented 3 years ago

We decided to contemplate this further. Should the flags field be expanded to 4 octets? Would an enumeration (ie: status field) be better for the 4 (or 5, _ABORT) flags:

TAC_PLUS_CONTINUE_FLAG_FRAGMENT := 0x02
TAC_PLUS_CONTINUE_FLAG_PASS := 0x04
TAC_PLUS_CONTINUE_FLAG_FAIL := 0x08
TAC_PLUS_CONTINUE_FLAG_ERROR := 0x10

Compare this with TAC_PLUS_REPLY_FLAG_FRAGMENT, which augments the status in the REPLY.

If I have omitted anything from the discussion, please edit this as appropriate.

dcmgashcisco commented 3 years ago

Removed flags field (it only had one bin in use: abort), added a status field, and moved abort as an enumeration within the status

haussli commented 3 years ago

Seemed that the status field enumerations needed some explanation, which I have added. I also changed _STATUS_MORE to _STATUS_FRAGMENT to comply with our former discussion about this name.

I have also updated the former use of flags to the status field in S5.

Committed in cd9b5fefd9

haussli commented 3 years ago

One more question about the enumerations. If the session is a password authentication, is another enumeration needed for responding to other _REPLY packets? For example. what is the status if the CONTINUE is in response to a TAC_PLUS_AUTHEN_STATUS_GETDATA? It does not seem to be one of the define values.

dcmgashcisco commented 3 years ago

Added TAC_PLUS_AUTHEN_STATUS_NONE for this case