139,140c139,140
< is fully applicable here and will not be repeated, though might be
< augmented. The following terms are also used in this document.
is fully applicable here and will not be repeated. The following
terms are also used in this document.
149,151c149
< 2.2. Peer
<
< This refers to a TACACS+ Server or Client.
2.2. TLS Connection
153,154d150
< 2.3. TLS Connection
<
156,157c152,154
< encryption used by TACACS+ for transport, similar to a Connection as
< defined in TACACS+ Protocol [RFC8907].
encryption used by TACACS+ for transport. The TLS Connection for
TACACS+ is always between one Client and one Server as defined in
TACACS+ Protocol [RFC8907].
159c156
< 2.4. Obfuscation
2.3. Peer
161,163c158,160
< Inferior form of encryption used in TACACS+, referred to as
< obfuscation in [RFC5425], Section 5.2 to indicate that it is not
< encryption and is utterly insufficient.
In the context of a TLS Connection, the peer of a TACACS+ Client is
the Server, and the peer is the TACACS+ Server is the Client.
Together, the ends of a TLS Connection are referred as the peers.
168d164
< Dahm, et al. Expires 6 December 2023 [Page 3]
169a166,169
Dahm, et al. Expires 7 December 2023 [Page 3]
172a173,178
2.4. Obfuscation
Inferior form of encryption used in TACACS+, referred to as
obfuscation in [RFC5425], Section 5.2 to indicate that it is not
encryption and is utterly insufficient.
206c212
< deployment, see (Section 5.2). TACACS+ TLS will therefore follow
deployment, see (Section 8). TACACS+ TLS will therefore follow
212c218
< though Section 5.2 should still be considered.
though Section 8 should still be considered.
214d219
< 3.2. TLS Connection
216,220d220
< A TACACS+ Client initiates a TLS connection by making a TCP
< connection to a configured Server on the TACACS+ TLS well-known port
< ([TBD]) (Section 3.1). Once the TCP connection is established, the
< Client MUST immediately begin the TLS negotiation before sending any
< TACACS+ protocol data.
224c224
< Dahm, et al. Expires 6 December 2023 [Page 4]
Dahm, et al. Expires 7 December 2023 [Page 4]
228a229,236
3.2. TLS Connection
A TACACS+ Client initiates a TLS connection by making a TCP
connection to a configured Server on the TACACS+ TLS well-known port
([TBD]) (Section 3.1). Once the TCP connection is established, the
Client MUST immediately begin the TLS negotiation before sending any
TACACS+ protocol data.
267,271d274
<
< Unless disabled by configuration, a Peer MUST disconnect a Peer that
< offers an invalid TLS Certificate.
<
< 3.2.2.1. TLS Certificate Path Verification
273,274d275
< Implementations MUST support certificate Path verification as
< described in [RFC5280].
278a280
Dahm, et al. Expires 7 December 2023 [Page 5]
280,281d281
< Dahm, et al. Expires 6 December 2023 [Page 5]
<
284a285,292
Unless disabled by configuration, a Peer MUST disconnect a Peer that
offers an invalid TLS Certificate.
3.2.2.1. TLS Certificate Path Verification
Implementations MUST support certificate Path verification as
described in [RFC5280].
320a329,340
Dahm, et al. Expires 7 December 2023 [Page 6]
Internet-Draft TACACS+ TLS 1.3 June 2023
334,340d353
<
<
< Dahm, et al. Expires 6 December 2023 [Page 6]
<
< Internet-Draft TACACS+ TLS 1.3 June 2023
<
<
347,348c360,361
< behavior corresponds to the behavior defined in RFC8907 Section 4.5.
< Data Obfuscation [RFC8907] for TAC_PLUS_UNENCRYPTED_FLAG or key
behavior corresponds to that defined in RFC8907 Section 4.5. Data
Obfuscation [RFC8907] for TAC_PLUS_UNENCRYPTED_FLAG or key
357,358d369
< 5.1. TLS
<
363,365c374,376
< That role is to diligently follow current best practices for
< maintaining the integrity of network devices and selection of TLS key
< and encryption algorithms.
That role is to follow current best practices for maintaining the
integrity of network devices and selection of TLS key and encryption
algorithms.
367c378
< 5.1.1. TLS Use
5.1. TLS Options
369,375c380,386
< TLS encryption SHOULD be used in deployments when both the Clients
< and Servers support it. Servers that support TLS encryption MAY be
< configured to allow Unsecure Connections when TLS encryption is not
< supported by the Client, but this is NOT RECOMMENDED because of the
< threat of downgrade attacks, as described in Section 5.2. Unsecure
< Connections would be better served by separate Servers from the TLS
< Servers.
No single and timely TLS recommendations document exists. Therefore,
implementers and operators SHOULD refer to TLS RFCs to ensure the
versions are current and which algorithms should be supported,
deprecated, obsoleted, or abandoned, in the absence of updates to
this document. Useful examples are the TLS specifications themselves
(TLS 1.3 [RFC8446]), which prescribes mandatory support in Section 9,
and TLS Recommendations [RFC7525].
377,379d387
< It is NOT RECOMMENDED to deploy TACACS+ without TLS authentication
< and encryption, including TLS using the NULL algorithm, except for
< within test and debug environments. Also see [RFC3365].
381d388
< 5.1.2. TLS 0-RTT
382a390,398
Dahm, et al. Expires 7 December 2023 [Page 7]
Internet-Draft TACACS+ TLS 1.3 June 2023
5.2. TLS 0-RTT
389a406
5.3. TLS PSK
391,398d407
<
< Dahm, et al. Expires 6 December 2023 [Page 7]
<
< Internet-Draft TACACS+ TLS 1.3 June 2023
<
<
< 5.1.3. TLS PSK
<
407,415c416
< 5.1.4. TLS Options
<
< Unfortunately, no single and timely TLS recommendations document
< exists. Therefore, implementers and operators SHOULD make use of the
< various RFCs to determine which TLS versions and algorithms should be
< supported, deprecated, obsoleted, or abandoned, in the absence of
< updates to this document. Useful examples are the TLS specifications
< themselves (TLS 1.3 [RFC8446]), which prescribes mandatory support in
< Section 9, and TLS Recommendations [RFC7525].
This section outlines considerations which are specific to operators.
It is important that operators ensure their deployments address the
considerations in Section 5.
419,424c422
< Operators SHOULD be cognizant of the potential of Server and/or
< Client isolation from their Peer's CA by network failures. Isolation
< from a public key certificate's CA will cause the verification of the
< certificate to fail and thus TLS authentication of the Peer to fail.
< Operators SHOULD consider loading certificate chains on devices and
< servers to avoid this failure.
6.1. TLS Use
426,428c424,428
< Certificate caching and Raw Public Keys [RFC7250] are other methods
< to help address this, but both are out of scope for this document.
< Certificate fingerprints are another option.
TLS encryption SHOULD be used in deployments when both the Clients
and Servers support it. In order to prevent downgrade attacks,
Servers SHOULD keep separate and disjoint lists of clients supporting
TLS and Unsecure Connections. Unsecure Connections would be better
served by separate Servers from the TLS Servers.
430c430,432
< 5.1.6. TLS Server Name Indicator (SNI)
It is NOT RECOMMENDED to deploy TACACS+ without TLS authentication
and encryption, including TLS using the NULL algorithm, except for
within test and debug environments. Also see [RFC3365].
432,434c434
< Operators SHOULD be aware that the TLS SNI extension is part of the
< TLS client hello, and is therefore subject to eavesdropping. Also
< see [RFC6066], Section 11.1.
6.2. Migration to TLS
436c436,438
< 5.2. Well-Known TCP/IP Port
When Migrating from legacy service to TLS, any mixture of Unsecure
Connected Servers and TLS-Protected Servers in the same redundant
lists on clients SHOULD be minimised.
438,439c440,441
< A new port is considered appropriate and superior to a "STARTTLS"
< command or other negotiation method because it allows:
After migration, the production deployment SHOULD NOT mix Legacy and
TLS-Protected Servers within Server lists configured on clients.
441,442d442
< * ease of blocking the unobfuscated or obfuscated connections by the
< TCP/IP port number,
448c448
< Dahm, et al. Expires 6 December 2023 [Page 8]
Dahm, et al. Expires 7 December 2023 [Page 8]
453,454c453
< * passive Intrusion Detection Systems (IDSs) monitoring the
< unobfuscated to be unaffected by the introduction of TLS,
6.3. Downgrade attacks in TLS
456,457c455,457
< * avoidance of Man in the Middle (MitM) attacks that can interfere
< with STARTTLS,
All clients and servers in a deployment should be configured with
consistent algorithm and cypher options Section 5.1 to prevent harm
from downgrade attacks.
459,479c459
< * and helps prevent the accidental exposure of sensitive information
< due to misconfiguration.
<
< However, co-existence of inferior authentication and obfuscated,
< whether an Unsecure Connection or deprecated parts that compose TLS,
< also presents opportunity for down-grade attacks. Causing failure of
< connections to the TLS-enabled service or the negotiation of shared
< algorithm support are two such down-grade attacks.
<
< Servers and Clients could maintain a cache of Peers that have engaged
< in TACACS+ TLS connections and demand TLS from that point forward.
< However, this too has potential to be a Denial of Service (DoS)
< vector, whereby an attacker causes a server to believe that a client
< that does not support TLS has successfully connected with TLS.
<
< The simplest way to address exposure from Unsecure Connection methods
< is to refuse Unsecure Connections at the server entirely, perhaps
< using separate servers for Unsecure Connections and TLS.
<
< Another approach is mutual configuration that requires TLS. Clients
< and Servers SHOULD support configuration that requires Peers,
Clients and Servers SHOULD support configuration that requires Peers,
484c464
< 6. Operator Considerations
6.4. Unreachable Certificate Authority (CA)
486,489c466,471
< Operational and deployment considerations are spread throughout the
< document. While avoiding repetition, it is useful for the impatient
< to direct particular attention to Section 5.2 and Section 5.1.5.
< However, it is important that the entire Section 5 is observed.
Operators SHOULD be cognizant of the potential of Server and/or
Client isolation from their Peer's CA by network failures. Isolation
from a public key certificate's CA will cause the verification of the
certificate to fail and thus TLS authentication of the Peer to fail.
Operators SHOULD consider loading certificate chains on devices and
servers to avoid this failure.
490a473,482
Certificate caching and Raw Public Keys [RFC7250] are other methods
to help address this, but both are out of scope for this document.
Certificate fingerprints are another option.
6.5. TLS Server Name Indicator (SNI)
Operators SHOULD be aware that the TLS SNI extension is part of the
TLS client hello, and is therefore subject to eavesdropping. Also
see [RFC6066], Section 11.1.
500c492
< known port name. This allocation is justified in Section 5.2.
known port name. This allocation is justified in Section 8.
501a494,495
RFC EDITOR: this port number should replace "[TBD]" and the service
name should replace "[TBDN]" within this document.
502a497
Discussion on Separate port vs Negotiated TLS
504c499,500
< Dahm, et al. Expires 6 December 2023 [Page 9]
The authors concluded that a new port is considered superior to
negotiation of TLS using "STARTTLS" command because:
505a502,505
Dahm, et al. Expires 7 December 2023 [Page 9]
509,510c509,510
< RFC EDITOR: this port number should replace "[TBD]" and the service
< name should replace "[TBDN]" within this document.
it allows easy blocking the unobfuscated or obfuscated connections
by the TCP/IP port number,
512c512,514
< 8. Acknowledgments
passive Intrusion Detection Systems (IDSs) monitoring the
unobfuscated deployments will be unaffected by the introduction of
TLS,
513a516,523
Man in the Middle (MitM) attacks that can interfere with STARTTLS
will be avoided
helps prevent the accidental exposure of sensitive information due
to misconfiguration.
Acknowledgments
519c529
< 9. Normative References
Normative References
544a555,564
Dahm, et al. Expires 7 December 2023 [Page 10]
Internet-Draft TACACS+ TLS 1.3 June 2023
555,564d574
<
<
<
<
<
< Dahm, et al. Expires 6 December 2023 [Page 10]
<
Sorry for the poor diff, its probably better to put the files into a graphical differ:
80,82c80,82 < 2.2. Peer . . . . . . . . . . . . . . . . . . . . . . . . . . 3 < 2.3. TLS Connection . . . . . . . . . . . . . . . . . . . . . 3 < 2.4. Obfuscation . . . . . . . . . . . . . . . . . . . . . . . 3
139,140c139,140 < is fully applicable here and will not be repeated, though might be < augmented. The following terms are also used in this document.
172a173,178
284a285,292
< Internet-Draft TACACS+ TLS 1.3 June 2023 < < 347,348c360,361 < behavior corresponds to the behavior defined in RFC8907 Section 4.5. < Data Obfuscation [RFC8907] for TAC_PLUS_UNENCRYPTED_FLAG or key
< Internet-Draft TACACS+ TLS 1.3 June 2023 < < < 5.1.3. TLS PSK < 407,415c416 < 5.1.4. TLS Options < < Unfortunately, no single and timely TLS recommendations document < exists. Therefore, implementers and operators SHOULD make use of the < various RFCs to determine which TLS versions and algorithms should be < supported, deprecated, obsoleted, or abandoned, in the absence of < updates to this document. Useful examples are the TLS specifications < themselves (TLS 1.3 [RFC8446]), which prescribes mandatory support in < Section 9, and TLS Recommendations [RFC7525].
509,510c509,510 < RFC EDITOR: this port number should replace "[TBD]" and the service < name should replace "[TBDN]" within this document.
< Internet-Draft TACACS+ TLS 1.3 June 2023 < < 576c586 < 10. Informative References
< Internet-Draft TACACS+ TLS 1.3 June 2023 < < 662,672c672 < < < < < < < < < < < Dahm, et al. Expires 6 December 2023 [Page 12]