| rfc9887v2.txt | rfc9887.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) T. Dahm | Internet Engineering Task Force (IETF) T. Dahm | |||
| Request for Comments: 9887 | Request for Comments: 9887 | |||
| Updates: 8907 J. Heasley | Updates: 8907 J. Heasley | |||
| Category: Standards Track NTT | Category: Standards Track NTT | |||
| ISSN: 2070-1721 D.C. Medway Gash | ISSN: 2070-1721 D.C. Medway Gash | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| A. Ota | A. Ota | |||
| Google Inc. | Google Inc. | |||
| November 2025 | December 2025 | |||
| Terminal Access Controller Access-Control System Plus (TACACS+) | Terminal Access Controller Access-Control System Plus (TACACS+) | |||
| over TLS 1.3 | over TLS 1.3 | |||
| Abstract | Abstract | |||
| This document specifies the use of Transport Layer Security (TLS) | This document specifies the use of Transport Layer Security (TLS) | |||
| version 1.3 to secure the communication channel between a Terminal | version 1.3 to secure the communication channel between a Terminal | |||
| Access Controller Access-Control System Plus (TACACS+) client and | Access Controller Access-Control System Plus (TACACS+) client and | |||
| server. TACACS+ is a protocol used for Authentication, | server. TACACS+ is a protocol used for Authentication, | |||
| skipping to change at line 110 ¶ | skipping to change at line 110 ¶ | |||
| Protocol" [RFC8907] provides device administration for routers, | Protocol" [RFC8907] provides device administration for routers, | |||
| network access servers, and other networked computing devices via one | network access servers, and other networked computing devices via one | |||
| or more centralized TACACS+ servers. The protocol provides | or more centralized TACACS+ servers. The protocol provides | |||
| authentication, authorization, and accounting services (AAA) for | authentication, authorization, and accounting services (AAA) for | |||
| TACACS+ clients within the device administration use case. | TACACS+ clients within the device administration use case. | |||
| The content of the protocol is highly sensitive and requires secure | The content of the protocol is highly sensitive and requires secure | |||
| transport to safeguard a deployment. However, TACACS+ lacks | transport to safeguard a deployment. However, TACACS+ lacks | |||
| effective confidentiality, integrity, and authentication of the | effective confidentiality, integrity, and authentication of the | |||
| connection and network traffic between the TACACS+ server and client. | connection and network traffic between the TACACS+ server and client. | |||
| The security mechanisms as described in Section 10 of [RFC8907] are | The security mechanisms as described in Section 4.5 of [RFC8907] are | |||
| extremely weak. | extremely weak. | |||
| To address these deficiencies, this document updates the TACACS+ | To address these deficiencies, this document updates the TACACS+ | |||
| protocol to use TLS 1.3 authentication and encryption [RFC8446], and | protocol to use TLS 1.3 authentication and encryption [RFC8446], and | |||
| obsoletes the use of TACACS+ obfuscation mechanisms (Section 10.5 of | obsoletes the use of TACACS+ obfuscation mechanisms. The maturity of | |||
| [RFC8907]). The maturity of TLS in version 1.3 and above makes it a | TLS in version 1.3 and above makes it a suitable choice for the | |||
| suitable choice for the TACACS+ protocol. | TACACS+ protocol. | |||
| 2. Technical Definitions | 2. Technical Definitions | |||
| The terms defined in Section 3 of [RFC8907] are fully applicable here | The terms defined in Section 3 of [RFC8907] are fully applicable here | |||
| and will not be repeated. The following terms are also used in this | and will not be repeated. The following terms are also used in this | |||
| document. | document. | |||
| Obfuscation: TACACS+ was originally intended to incorporate a | Obfuscation: TACACS+ was originally intended to incorporate a | |||
| mechanism for securing the body of its packets. The algorithm is | mechanism for securing the body of its packets. The algorithm is | |||
| categorized as Obfuscation in Section 10.5.2 of [RFC8907]. The | categorized as obfuscation in Section 10.5.2 of [RFC8907]. The | |||
| term is used to ensure that the algorithm is not mistaken for | term is used to ensure that the algorithm is not mistaken for | |||
| encryption. It should not be considered secure. | encryption. It should not be considered secure. | |||
| Non-TLS connection: This term refers to the connection defined in | Non-TLS connection: This term refers to the connection defined in | |||
| [RFC8907]. It is a connection without TLS, using the unsecure | [RFC8907]. It is a connection without TLS, using the unsecure | |||
| TACACS+ authentication and obfuscation (or the unobfuscated option | TACACS+ authentication and obfuscation (or the unobfuscated option | |||
| for testing). The use of well-known TCP/IP host port number 49 is | for testing). The use of well-known TCP/IP host port number 49 is | |||
| specified as the default for non-TLS connections. | specified as the default for non-TLS connections. | |||
| TLS connection: A TLS connection is a TCP/IP connection with TLS | TLS connection: A TLS connection is a TCP/IP connection with TLS | |||
| skipping to change at line 167 ¶ | skipping to change at line 167 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. TACACS+ over TLS | 3. TACACS+ over TLS | |||
| TACACS+ over TLS takes the protocol defined in [RFC8907], removes the | TACACS+ over TLS takes the protocol defined in [RFC8907], removes the | |||
| option for MD5 obfuscation, and specifies that TLS 1.3 be used for | option for obfuscation, and specifies that TLS 1.3 be used for | |||
| transport (Section 3.1 elaborates on TLS version support). A new | transport (Section 3.1 elaborates on TLS version support). A new | |||
| well-known default host port number is used. The next sections | well-known default host port number is used. The next sections | |||
| provide further details and guidance. | provide further details and guidance. | |||
| TLS is introduced into TACACS+ to fulfill the following requirements: | TLS is introduced into TACACS+ to fulfill the following requirements: | |||
| 1. Confidentiality and Integrity: The MD5 algorithm underlying the | 1. Confidentiality and Integrity: The MD5 algorithm underlying the | |||
| obfuscation mechanism specified in [RFC8907] has been shown to be | obfuscation mechanism specified in [RFC8907] has been shown to be | |||
| insecure [RFC6151] when used for encryption. This prevents | insecure [RFC6151] when used for encryption. This prevents | |||
| TACACS+ from being used in a deployment compliant with | TACACS+ from being used in a deployment compliant with | |||
| skipping to change at line 386 ¶ | skipping to change at line 386 ¶ | |||
| The use of external PSKs is less well established than certificate- | The use of external PSKs is less well established than certificate- | |||
| based authentication. It is RECOMMENDED that systems follow the | based authentication. It is RECOMMENDED that systems follow the | |||
| directions of [RFC9257] and Section 4 of [RFC8446]. | directions of [RFC9257] and Section 4 of [RFC8446]. | |||
| Where PSK authentication is implemented, PSK lengths of at least 16 | Where PSK authentication is implemented, PSK lengths of at least 16 | |||
| octets MUST be supported. | octets MUST be supported. | |||
| PSK identity MUST follow recommendations of Section 6.1 of [RFC9257]. | PSK identity MUST follow recommendations of Section 6.1 of [RFC9257]. | |||
| Implementations MUST support PSK identities of at least 16 octets. | Implementations MUST support PSK identities of at least 16 octets. | |||
| Although this document removes the option of MD5 obfuscation | Although this document removes the option of obfuscation (Section 4), | |||
| (Section 4), it is still possible that the TLS and non-TLS versions | it is still possible that the TLS and non-TLS versions of TACACS+ | |||
| of TACACS+ exist in an organization, for example, during migration | exist in an organization, for example, during migration | |||
| (Section 6.1). In such cases, the shared secrets configured for | (Section 6.1). In such cases, the shared secrets configured for | |||
| TACACS+ obfuscation clients MUST NOT be the same as the PSKs | TACACS+ obfuscation clients MUST NOT be the same as the PSKs | |||
| configured for TLS clients. | configured for TLS clients. | |||
| 3.6. TLS Resumption | 3.6. TLS Resumption | |||
| TLS Resumption [RFC8446] can minimize the number of round trips | TLS Resumption [RFC8446] can minimize the number of round trips | |||
| required during the handshake process. If a TLS client holds a | required during the handshake process. If a TLS client holds a | |||
| ticket previously extracted from a NewSessionTicket message from the | ticket previously extracted from a NewSessionTicket message from the | |||
| TLS TACACS+ server, it can use the PSK identity tied to that ticket. | TLS TACACS+ server, it can use the PSK identity tied to that ticket. | |||
| skipping to change at line 429 ¶ | skipping to change at line 429 ¶ | |||
| When processing TLS resumption, certificates must be verified to | When processing TLS resumption, certificates must be verified to | |||
| check for revocation during the period since the last | check for revocation during the period since the last | |||
| NewSessionTicket Message. | NewSessionTicket Message. | |||
| The resumption ticket_lifetime SHOULD be configurable, including a | The resumption ticket_lifetime SHOULD be configurable, including a | |||
| zero seconds lifetime. Refer to Section 4.6.1 of [RFC8446] for | zero seconds lifetime. Refer to Section 4.6.1 of [RFC8446] for | |||
| guidance on ticket lifetime. | guidance on ticket lifetime. | |||
| 4. Obsolescence of TACACS+ Obfuscation | 4. Obsolescence of TACACS+ Obfuscation | |||
| The obfuscation mechanism documented in Section 4.5 (Data | The obfuscation mechanism documented in Section 4.5 of [RFC8907] is | |||
| Obfuscation) of [RFC8907] is weak. | weak. | |||
| The introduction of TLS authentication and encryption to TACACS+ | The introduction of TLS authentication and encryption to TACACS+ | |||
| replaces this former mechanism, so obfuscation is hereby obsoleted. | replaces this former mechanism, so obfuscation is hereby obsoleted. | |||
| This section describes how the TACACS+ client and servers MUST | This section describes how the TACACS+ client and servers MUST | |||
| operate regarding the obfuscation mechanism. | operate regarding the obfuscation mechanism. | |||
| Peers MUST NOT use obfuscation with TLS. | Peers MUST NOT use obfuscation with TLS. | |||
| A TACACS+ client initiating a TACACS+ TLS connection MUST set the | A TACACS+ client initiating a TACACS+ TLS connection MUST set the | |||
| TAC_PLUS_UNENCRYPTED_FLAG bit, thereby asserting that obfuscation is | TAC_PLUS_UNENCRYPTED_FLAG bit, thereby asserting that obfuscation is | |||
| not used for the session. All subsequent packets MUST have the | not used for the session. All subsequent packets MUST have the | |||
| TAC_PLUS_UNENCRYPTED_FLAG bit set to 1. | TAC_PLUS_UNENCRYPTED_FLAG bit set to 1. | |||
| A TLS TACACS+ server that receives a packet with the | A TLS TACACS+ server that receives a packet with the | |||
| TAC_PLUS_UNENCRYPTED_FLAG bit not set to 1 over a TLS connection MUST | TAC_PLUS_UNENCRYPTED_FLAG bit not set to 1 over a TLS connection MUST | |||
| return an error of TAC_PLUS_AUTHEN_STATUS_ERROR, | return an error of TAC_PLUS_AUTHEN_STATUS_ERROR, | |||
| TAC_PLUS_AUTHOR_STATUS_ERROR, or TAC_PLUS_ACCT_STATUS_ERROR as | TAC_PLUS_AUTHOR_STATUS_ERROR, or TAC_PLUS_ACCT_STATUS_ERROR as | |||
| appropriate for the TACACS+ message type, with the | appropriate for the TACACS+ message type, with the | |||
| TAC_PLUS_UNENCRYPTED_FLAG bit set to 1, and terminate the session. | TAC_PLUS_UNENCRYPTED_FLAG bit set to 1, and terminate the session. | |||
| This behavior corresponds to that defined in Section 4.5 of [RFC8907] | This behavior corresponds to that defined in Section 4.5 of [RFC8907] | |||
| regarding Data Obfuscation for TAC_PLUS_UNENCRYPTED_FLAG or key | regarding data obfuscation for TAC_PLUS_UNENCRYPTED_FLAG or key | |||
| mismatches. | mismatches. | |||
| A TACACS+ client that receives a packet with the | A TACACS+ client that receives a packet with the | |||
| TAC_PLUS_UNENCRYPTED_FLAG bit not set to 1 MUST terminate the | TAC_PLUS_UNENCRYPTED_FLAG bit not set to 1 MUST terminate the | |||
| session, and SHOULD log this error. | session, and SHOULD log this error. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| 5.1. TLS | 5.1. TLS | |||
| skipping to change at line 479 ¶ | skipping to change at line 479 ¶ | |||
| practices for ensuring the integrity of network devices and selecting | practices for ensuring the integrity of network devices and selecting | |||
| secure TLS key and encryption algorithms. | secure TLS key and encryption algorithms. | |||
| [BCP195] offers substantial guidance for implementing and deploying | [BCP195] offers substantial guidance for implementing and deploying | |||
| protocols that use TLS. Those implementing and deploying Secure | protocols that use TLS. Those implementing and deploying Secure | |||
| TACACS+ must adhere to the recommendations relevant to TLS 1.3 | TACACS+ must adhere to the recommendations relevant to TLS 1.3 | |||
| outlined in [BCP195] or its subsequent versions. | outlined in [BCP195] or its subsequent versions. | |||
| This document outlines additional restrictions permissible under | This document outlines additional restrictions permissible under | |||
| [BCP195]. For example, any recommendations referring to TLS 1.2, | [BCP195]. For example, any recommendations referring to TLS 1.2, | |||
| including the mandatory support, are not relevant for Secure TACACS+ | including the mandatory support, are not relevant for Secure TACACS+, | |||
| as TLS 1.3 or above is mandated. | as TLS 1.3 or above is mandated. | |||
| This document concerns the use of TLS as transport for TACACS+ and | This document concerns the use of TLS as transport for TACACS+ and | |||
| does not make any changes to the core TACACS+ protocol, other than | does not make any changes to the core TACACS+ protocol, other than | |||
| the direct implications of deprecating obfuscation. Operators MUST | the direct implications of deprecating obfuscation. Operators MUST | |||
| be cognizant of the security implications of the TACACS+ protocol | be cognizant of the security implications of the TACACS+ protocol | |||
| itself. Further documents are planned, for example, to address the | itself. Further documents are planned, for example, to address the | |||
| security implications of password-based authentication and enhance | security implications of password-based authentication and enhance | |||
| the protocol to accommodate alternative schemes. | the protocol to accommodate alternative schemes. | |||
| skipping to change at line 537 ¶ | skipping to change at line 537 ¶ | |||
| Also, Section 9 of [RFC8446] prescribes mandatory supported options. | Also, Section 9 of [RFC8446] prescribes mandatory supported options. | |||
| 5.1.4. Unreachable Certificate Authority (CA) | 5.1.4. Unreachable Certificate Authority (CA) | |||
| Operators should be cognizant of the potential of TLS TACACS+ server | Operators should be cognizant of the potential of TLS TACACS+ server | |||
| and/or client isolation from their peer's CA by network failures. | and/or client isolation from their peer's CA by network failures. | |||
| Isolation from a public key certificate's CA will cause the | Isolation from a public key certificate's CA will cause the | |||
| verification of the certificate to fail and thus TLS authentication | verification of the certificate to fail and thus TLS authentication | |||
| of the peer to fail. The approach mentioned in Section 3.4.1 can | of the peer to fail. The approach mentioned in Section 3.4.1 can | |||
| help address this and should be considered where implemented. | help address this and should be considered. | |||
| 5.1.5. TLS Server Name Indicator (SNI) | 5.1.5. TLS Server Name Indicator (SNI) | |||
| Operators should be aware that the TLS SNI extension is part of the | Operators should be aware that the TLS SNI extension is part of the | |||
| TLS client hello, which is sent in cleartext. It is, therefore, | TLS client hello, which is sent in cleartext. It is, therefore, | |||
| subject to eavesdropping. Also see Section 11.1 of [RFC6066]. | subject to eavesdropping. Also see Section 11.1 of [RFC6066]. | |||
| 5.1.6. Server Identity Wildcards | 5.1.6. Server Identity Wildcards | |||
| The use of wildcards in TLS server identities creates a single point | The use of wildcards in TLS server identities creates a single point | |||
| End of changes. 10 change blocks. | ||||
| 15 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||