[OPSAWG] Review of draft-zheng-opsawg-tacacs-yang-01

Joe Clarke <jclarke@cisco.com> Mon, 08 April 2019 19:26 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/7g9C-qo50yv2vKFTdF86WWkEsuE>

As promised at the mic during opsawg at IETF 104, here is my more
detailed review of this draft.

As I stated during the meeting, I think the AAA module should be taken
out of this document.  I believe Alan has commented the same.  A AAA
module may be required, but I don't want to muddle the TACACS+ work with
that.  Plus, I'm not convinced opsawg would be the correct place for a
more general AAA module.

Secondly, I like the fact that you're extending the ietf-system module
in a manner similar to RADIUS.  I think that this work fits nicely there
for device admin.  I would remove the AAA moniker from the module for
now.  Leave it as ietf-tacacs-plus.

I recall seeing a comment on-list that any reference to "tacacs" must be
"tacacs+" or "tacacs_plus" or similar.  TACACS without the plus is a
very different beast.  Let's not confuse what we're trying to do here.

Maybe I'm being overly pedantic here, but why is "options" separated
from other rw objects by the statistics branch?  I would think you'd
want to group the rw objects together.

The word "accounting" is misspelled throughout this document.  In
general, I would run a spell checker over it.  After listening to
Heather at the keynote, we should do our best to help out RFC Editor,
even early on in the document lifecycle.

What is the intent of network-instance?  Is this like specifying a VRF
on which to reach the T+ server?  The description was not very clear.

You have a source IP option, but I know some vendors also implement a
source-interface.  I think it would be useful to have that as well
(maybe a choice there).

Joe
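As an added illustration (not text from the draft or from the review above), here is how the source-address/source-interface suggestion, the VRF leaf and the "keep rw objects together" point could be expressed as an augmentation of ietf-system; the module name, namespace and every leaf name are assumptions, not identifiers from draft-zheng-opsawg-tacacs-yang.

```yang
// Added illustration; names, namespace and layout are assumptions, not the draft's.
module example-tacacs-plus {
  yang-version 1.1;
  namespace "urn:example:tacacs-plus";
  prefix tcsplus;

  import ietf-inet-types  { prefix inet; }   // RFC 6991
  import ietf-interfaces  { prefix if;   }   // RFC 8343
  import ietf-system      { prefix sys;  }   // RFC 7317
  import ietf-netconf-acm { prefix nacm; }   // RFC 8341

  augment "/sys:system" {
    container tacacs-plus {
      description "TACACS+ client settings, augmenting ietf-system as RADIUS does.";

      list server {
        key "name";
        ordered-by user;   // list order is the order in which servers are tried
        leaf name    { type string; }
        leaf address { type inet:host; mandatory true; }
        leaf port    { type inet:port-number; default 49; }
        leaf shared-secret {
          type string;
          nacm:default-deny-all;   // not readable by default (RFC 8341)
        }
        leaf network-instance {
          type string;
          description
            "Name of the VRF (network instance) used to reach this server;
             a leafref into ietf-network-instance (RFC 8529) would be stricter.";
        }
        // A choice makes the two source selectors mutually exclusive in the
        // schema itself rather than relying on description text.
        choice source {
          leaf source-address   { type inet:ip-address; }
          leaf source-interface { type if:interface-ref; }
        }
        // All read-write leaves sit above; operational counters are grouped below.
        container statistics {
          config false;
          leaf requests-sent      { type uint64; }
          leaf responses-received { type uint64; }
          leaf timeouts           { type uint64; }
        }
      }
    }
  }
}
```

A YANG compiler such as pyang would reject a configuration that sets both source-address and source-interface, which is the behaviour a choice buys over two independent leaves.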