nanog mailing list archives
Re: The state of TACACS+
From: Robert Drake <rdrake () direcpath com>
Date: Mon, 29 Dec 2014 12:00:48 -0500
On 12/28/2014 10:21 PM, Christopher Morrow wrote:
true.. even in large-ish environments centralized authentication presents problems and can have a limited merit. Up to some arbitrary size, nobody really can be bothered unless some business case comes up like splitting responsibilities between groups. Accounting is probably the best early reason to turn it on in small networks. Being able to see who made a change makes it easier to figure out why.and I wonder what percentage of 'users' a vendor has actually USE tac+ (or even radius). I bet it's shockingly low...
Well, the chance of two geographically close servers getting load-balanced made it not feasible for us to do. Not to mention the fact that we had only two tacacs servers and the use-case for anycasting wasn't worth the hassle of implementation.Maybe there is a simpler solution that keeps you happy about redundancy but doesn't increase complexity that much (possibly anycast tacacs, but the session basis of the protocol has always made that not feasible). It'sdoes it really? :)
With it being a TCP extension, my guess is that it's harder to find someone at those companies willing to change things inside the kernel because it's used by too many people, and if nobody is asking for it then they don't want to build it just to advertise they're first to market.juniper, cisco, arista, sun, linux, freebsd still can't get TCP-AO working... they don't all have ssl libraries in their "os" either...
Even the ISP's who probably asked for it ultimately don't put money on getting it done because the engineer who says they need it still doesn't turn down the new chassis that lacks support. The money is all flowing through the hardware guys now and if it's not directly related to moving packets quickly then they don't care.
Getting to some answer other than: "F-it, put it i clear text" for new protocols on routers really is a bit painful... not to mention ITARs sorts of problems that arise.
Now you're making me depressed. :)The question is should we be trying to move things along or just leave it as it is? There are certainly more important things on everyone's TODO list right now, but I'd rather the vendors have an open ticket in their queue saying "secure-tacacs+-rfc unimplemented" rather than letting them off the hook.
-chris
Robert
Current thread:
- Re: The state of TACACS+ Robert Drake (Dec 28)
- Re: The state of TACACS+ Christopher Morrow (Dec 28)
- Re: The state of TACACS+ Jimmy Hess (Dec 28)
- Re: The state of TACACS+ Randy Bush (Dec 28)
- Re: The state of TACACS+ Robert Drake (Dec 29)
- Re: The state of TACACS+ Jimmy Hess (Dec 28)
- Re: The state of TACACS+ Colton Conor (Dec 29)
- Re: The state of TACACS+ Scott Helms (Dec 29)
- Re: The state of TACACS+ Colton Conor (Dec 29)
- Re: The state of TACACS+ joseph . snyder (Dec 29)
- Re: The state of TACACS+ Jared Mauch (Dec 29)
- Re: The state of TACACS+ Scott Helms (Dec 29)
- Re: The state of TACACS+ Robert Drake (Dec 29)
- Re: The state of TACACS+ Berry Mobley (Dec 29)
- Re: The state of TACACS+ Michael Douglas (Dec 29)
- Re: The state of TACACS+ Colton Conor (Dec 29)
- Re: The state of TACACS+ Scott Helms (Dec 29)
- Re: The state of TACACS+ Christopher Morrow (Dec 28)