Re: [netmod] EXTERNAL: Re: New Version Notification for draft-zheng-netmod-tacacs-yang-01.txt

"Wubo (lana)" <lana.wubo@huawei.com> Wed, 04 July 2018 10:04 UTC

From: "Wubo (lana)" <lana.wubo@huawei.com>
To: Alex Campbell <Alex.Campbell@Aviatnet.com>, "netmod@ietf.org" <netmod@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Wed, 04 Jul 2018 10:03:56 +0000
Message-ID: <520ECC8D9CA1724BA1CE492DF898F6A3319ED1@DGGEMI526-MBX.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/UU9Lf7hV_XUqvg9v8Y8hhCbjncQ>
Subject: Re: [netmod] EXTERNAL: Re: New Version Notification for draft-zheng-netmod-tacacs-yang-01.txt

Hi Alex,

Thanks for your valuable comments; please see my reply inline below:


-----Original Message-----
From: Alex Campbell [mailto:Alex.Campbell@Aviatnet.com]
Sent: 4 July 2018 8:00
To: Wubo (lana) <lana.wubo@huawei.com>; netmod@ietf.org; opsawg@ietf.org
Subject: Re: EXTERNAL: Re: [netmod] New Version Notification for draft-zheng-netmod-tacacs-yang-01.txt

Hi Bo,

My comments: (ignoring simple typos and placeholder values as this is a first draft)

* What is a TACACS+ template? To my knowledge this is not a standard concept. The word "template" does not appear in draft-ietf-opsawg-tacacs-10.
[Bo] A TACACS+ template is used to configure a set of TACACS+ servers with the defined domain. Each domain defined maintains a user list in the "user@domain" format. When a TACACS+ client receives a request from a user, the TACACS+ template is selected based on the domain carried with the user.

* What is a domain name, in the context of usernames? "domain" also does not appear in draft-ietf-opsawg-tacacs-10.
[Bo] Domain is used for management purposes, the same as in the first comment.

* I don't think ipv4-address-no-zone should be used by default, unless there is a good reason to prohibit the use of zones.
  Systems that do not implement zones can reject addresses containing zones; but some systems may require zones.
[Bo] Good suggestion, we will consider modifying this type in the next version.

* This module seems to imply a particular server selection algorithm (with the use of primary/secondary and current servers). What is the algorithm?
  Our TACACS+ code does not have a concept of a primary, secondary or current server. It has a prioritized list of servers, and tries each request towards each server in turn until it receives a pass or fail response (as opposed to an error). The assumption in this design is that servers are up most of the time.
[Bo] Our proposal is that in each template there is only one primary server and several secondary servers that can be configured. Therefore, the primary server is selected first, and then the secondary servers are selected according to the configuration order.

The difference from your implementation is that we specify the primary server.
We think specifying a primary server can help distribute user request processing.

* Many of the leaves seem unnecessary and not terribly useful.
  For example, sec-author-srv-num (Total number of configured secondary authorization servers in the template).
  Is this value needed so frequently that it needs to be available as a separate value - instead of having the management client simply read the whole list of servers, and count how many are secondary and used for authentication?
[Bo] Good point! In this version, we try to provide complete operational statistics.

And I agree with you that it seems redundant, and if most folks believe it needs to be simplified, we would like to refine these statistics leaves in the next version.

* What is the public net?
[Bo] Public net is used to specify whether a TACACS+ server is used in the public Internet.

* Why is there a maximum of 32 servers?
[Bo] Good catch, it is an implementation limitation; we will remove it in the next version.

* There should not need to be separate lists for ipv4 and ipv6 servers. I see that ipv6 servers don't support public-net, so I'll reserve judgment until I find out what public-net does.
[Bo] Good suggestion, we will consider using one merged list to represent both address families of a TACACS+ server.

* What should implementations do if they don't support ietf-network-instance?
[Bo] Good comment. Though we use ietf-network-instance as a key to configure TACACS+ servers, and our assumption is that most TACACS+ clients can support VPN functionality, this may lead to an issue in some cases. We will try to address this issue in the next version.

As a related side note, I'd really like to see a standard for TACACS+ over TLS.


Regards,
Alex
________________________________________
From: netmod <netmod-bounces@ietf.org> on behalf of Wubo (lana) <lana.wubo@huawei.com>
Sent: Monday, 2 July 2018 8:07 p.m.
To: netmod@ietf.org; opsawg@ietf.org
Subject: EXTERNAL: Re: [netmod] New Version Notification for draft-zheng-netmod-tacacs-yang-01.txt

Dear Netmod, Opsawg,

Please see our newly uploaded draft of TACACS+ YANG data model, which can be found at https://www.ietf.org/internet-drafts/draft-zheng-netmod-tacacs-yang-01.txt.


This data model draft is based on the TACACS+ working group draft - https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-10.
TACACS+ provides Device Administration for routers, network access TACACS+ servers and other networked computing devices via one or more centralized servers. With various TACACS+ implementations, service providers may need different TACACS+ YANG modules to manipulate massive numbers of devices. So we propose to define a generic TACACS+ data model to alleviate this issue.

We are looking forward to receiving your response.

Best regards.

Bo


-----Original Message-----
From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
Sent: 2 July 2018 14:15
To: wangzitao <wangzitao@huawei.com>; Wubo (lana) <lana.wubo@huawei.com>; Zhengguangying (Walker) <zhengguangying@huawei.com>; Wubo (lana) <lana.wubo@huawei.com>; wangzitao <wangzitao@huawei.com>
Subject: New Version Notification for draft-zheng-netmod-tacacs-yang-01.txt


A new version of I-D, draft-zheng-netmod-tacacs-yang-01.txt
has been successfully submitted by Bo Wu and posted to the IETF repository.

Name:           draft-zheng-netmod-tacacs-yang
Revision:       01
Title:          Yang data model for Terminal Access Controller Access Control System Plus
Document date:  2018-07-01
Group:          Individual Submission
Pages:          33
URL:            https://www.ietf.org/internet-drafts/draft-zheng-netmod-tacacs-yang-01.txt
Status:         https://datatracker.ietf.org/doc/draft-zheng-netmod-tacacs-yang/
Htmlized:       https://tools.ietf.org/html/draft-zheng-netmod-tacacs-yang-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-zheng-netmod-tacacs-yang
Diff:           https://www.ietf.org/rfcdiff?url2=draft-zheng-netmod-tacacs-yang-01

Abstract:
   This document describes a data model of Terminal Access Controller
   Access Control System Plus (TACACS+).

   The YANG data model in this document conforms to the Network
   Management Datastore Architecture (NMDA) defined in [RFC8342].




Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
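
As an added example (an editor's illustration, not code from the draft or from either poster), the server-selection behaviour Alex describes and the primary/secondary model Bo proposes, expressed in Python so the two can be compared: a primary plus ordered secondaries reduces to a prioritized list, only an ERROR (no authoritative answer) moves on to the next server, a FAIL ends the attempt so a rejected request is not retried elsewhere, and an all-servers-unreachable outcome is never reported as a pass. Server names and addresses are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Reply(Enum):
    PASS = "pass"    # server accepted the request
    FAIL = "fail"    # server explicitly rejected the request
    ERROR = "error"  # no usable answer: timeout, unreachable, bad shared secret


@dataclass(frozen=True)
class Server:
    name: str
    address: str          # IPv4 or IPv6 text form: one merged list, no per-family lists
    primary: bool = False


def ordered_servers(servers: List[Server]) -> List[Server]:
    """Bo's model (one primary, secondaries in configured order) reduces to
    Alex's prioritized list: the primary first, then the rest in config order."""
    primaries = [s for s in servers if s.primary]
    if len(primaries) > 1:
        raise ValueError("a template may have at most one primary server")
    return primaries + [s for s in servers if not s.primary]


def authenticate(servers: List[Server],
                 ask: Callable[[Server], Reply]) -> Tuple[Reply, Optional[str]]:
    """Try each server in turn and stop at the first PASS or FAIL.
    Only an ERROR (no authoritative answer) moves on to the next server;
    a FAIL is final, so a rejected request is not retried elsewhere.
    If every server errors, the outcome is ERROR, never PASS (fail closed)."""
    for srv in ordered_servers(servers):
        reply = ask(srv)
        if reply is not Reply.ERROR:
            return reply, srv.name
    return Reply.ERROR, None


# Constructed template (hypothetical names, RFC 5737 / RFC 3849 example addresses).
TEMPLATE = [
    Server("sec-a", "192.0.2.11"),
    Server("primary", "192.0.2.10", primary=True),
    Server("sec-b", "2001:db8::10"),
]


def run_scenario(replies: Dict[str, Reply]) -> Tuple[Reply, Optional[str]]:
    """Drive authenticate() with canned per-server replies (constructed data)."""
    return authenticate(TEMPLATE, lambda s: replies[s.name])
```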
