[OPSAWG] AD review of draft-ietf-opsawg-tacacs-yang-07
"Rob Wilton (rwilton)" <rwilton@cisco.com> Fri, 10 July 2020 16:52 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7B263A0064; Fri, 10 Jul 2020 09:52:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=IyLBf0U7; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=id30eh0T
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BHq_FUkQRKl4; Fri, 10 Jul 2020 09:52:45 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 987E63A05A0; Fri, 10 Jul 2020 09:52:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7750; q=dns/txt; s=iport; t=1594399961; x=1595609561; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=Om9/4B+WIbll5PVJ0CsDSSzdbGlvpJS5P8va9gEibZM=; b=IyLBf0U7hh76hAhlzixl0A79mqgQ3SCQKeTrDpJUQ8cc03INGr7bI4aY dftM5jCCVxn7kRkoq/c36AXIT7YgDqt7S0gQUqExwlQo1tJdkhn9Vp3g+ CEad0a6kwrFJyVcmQQAGl4h4ZentRANRuxKKKTJeH7wo5sB+v8HqLIYAm I=;
IronPort-PHdr: 9a23:iysXghzWY5TbXSPXCy+N+z0EezQntrPoPwUc9psgjfdUf7+++4j5ZRWFt/RgkFGPWp/UuLpIiOvT5qbnX2FIoZOMq2sLf5EEURgZwd4XkAotDI/gawX7IffmYjZ8EJFEU1lorHC2LUYTH9zxNBXep3So5msUHRPyfQN+OuXyHNvUiMK6n+C/8pHeeUNGnj24NLhzNx6x6w7Ws5ob
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BnAQBFnAhf/4MNJK1gHAEBAQEBAQcBARIBAQQEAQFAgTkEAQELAYFRUQeBRy8sCodvA6YrglMDVQsBAQEMAQEtAgQBAYRNAoIWAiQ3Bg4CAwEBCwEBBQEBAQIBBgRthS4BLAELhWgKFhUTBgEBNwERAT5CJgEEDg0aEweFNgMuAQOfEwKBOYhhdIEBM4MBAQEFRoRdGIEgbgmBOAGCaYoHGoFBP4FUhyAQGjaDEYItjzKJe5pqgQQKgl2Of4p2gnOJNJJ/kWSebwIEAgQFAg4BAQWBaSSBV3AVO4JpUBcCDYEZBY0AERKDTopWdDcCBggBAQMJfIxTASYHgQYBMV8BAQ
X-IronPort-AV: E=Sophos;i="5.75,336,1589241600"; d="scan'208";a="510710623"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 10 Jul 2020 16:52:40 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by alln-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 06AGqe2X015061 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 10 Jul 2020 16:52:40 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 10 Jul 2020 11:52:40 -0500
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 10 Jul 2020 11:52:39 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Fri, 10 Jul 2020 11:52:39 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RQUsfgSaL8zt4EhQV8+3M7ro25488V01lHiLhU8hFaj/Qh1t7PlnADhanXonLMmmYVOREkogVSocllZn6W4ozpIJnjJtipbgc86atMrwdJv+QU4d1WFZnCNydlORA5IoVqORlvJ4iAFKlx9jVGRyhhphtJfXFeeKU6lgyEFtIXFtAwTqszJfVi5QKZbiy+LBBcHvD3NEH5MOi981lk4hODCNTSOHC0oa+YZM4H0b8DLChF83P2yvKfjdZ4WdMmCRku7L6dbfD61AVfkMJYeaj9vbLSn0QIJCNpNZqQvtUSM6/t4u/MsByVCek5FY483W4JhhICAADTI1KJtMYh2/Mw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0Cs5kPRmQS9v8QaZBszKaJIT8CX9tydcp4H0eFEe5L0=; b=mSVgtuUjmmAg3+wTtFI4Kkb4a5vjXp+s0rEV8Ggdd/s5IYTNBLV+Ro7MIZNtrqcJ9H2pZkB4bIa8zFeKeOokLl2i6aQ/3GrzWHDv0MxvS+bWpXAeaLu0fw7WHrMhs/Mex3fDE2+rZIyj0Y0pbQqX2eCWTOxd+nfxQzJbpeq4hR8h6Xe8xWwoE2lLa8qrVuMbIZ534quvPpe+OTlqR3IEojXuLM6/EHQhdiGSyfesJBuOxFdrqFbtv934LE0puygCYT8WrQvaszvfPUJeIM0vZDpYj/of88r5V3kAJG5nFSkVP6SToQtnXd2BERdraU3kysh2Q+DwocoylcyXAqt9SQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0Cs5kPRmQS9v8QaZBszKaJIT8CX9tydcp4H0eFEe5L0=; b=id30eh0TM0nJ6tTNJpgtUWANGvaQifvhFWMHrOg5046JYMjrjgSb89ohR/BBLJgyg2Jb21B6fI1Z8A4vYtgSTOpDVuI2T++g+w/YKcVXYPksc669Me64SIjp+ZzqFX+3MvDJxJ7Sht9AiPXInNlumXqSxkudNI4WU6VSY4/rPiA=
Received: from MN2PR11MB4366.namprd11.prod.outlook.com (2603:10b6:208:190::17) by MN2PR11MB4550.namprd11.prod.outlook.com (2603:10b6:208:267::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3174.22; Fri, 10 Jul 2020 16:52:38 +0000
Received: from MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::e9d4:79b5:aef1:be18]) by MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::e9d4:79b5:aef1:be18%5]) with mapi id 15.20.3174.023; Fri, 10 Jul 2020 16:52:38 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "draft-ietf-opsawg-tacacs-yang.all@ietf.org" <draft-ietf-opsawg-tacacs-yang.all@ietf.org>
CC: opsawg <opsawg@ietf.org>
Thread-Topic: AD review of draft-ietf-opsawg-tacacs-yang-07
Thread-Index: AdZW2lnspRS1VWiiT9qRjIzfKMZsMA==
Date: Fri, 10 Jul 2020 16:52:37 +0000
Message-ID: <MN2PR11MB436612630CAFCACF3A89BD56B5650@MN2PR11MB4366.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [82.15.79.32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f85607a3-4d6a-4956-3465-08d824f1a70d
x-ms-traffictypediagnostic: MN2PR11MB4550:
x-microsoft-antispam-prvs: <MN2PR11MB4550214657CC825DFFA493D2B5650@MN2PR11MB4550.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8PdY4kDLUWJNsonJZV2uyQ2iOn8nxhKtj7eVJS2jpF1/vggZKEvjJZj/kJVNuPHS3gKKLZrIdP+0+/kzUHcH6akxwnXRsexukeASdH2jJRZpwZg/JapgPvRpjUj7yK2VLgKkxziE5Fum4YZ054v2Oj3XtXNUiwjlmPnQEsSkrO+vRscdoVTKCcfrR4UIQeNWe/th3ORh3sAHutmhoRx2NqgQCWPvICeWPbLgBzoq/Q4s1BI4DG7alN/T1ouKMRU1//huU1gwX0UP+W7h6KSw/oC2eB0vcJNUH2Uv7S4nBz0y4nc2QgCrC3VcZ9x2ww5KaZG55Sb/+c05axkrW1+fJQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB4366.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(346002)(136003)(39860400002)(396003)(376002)(9686003)(86362001)(450100002)(66574015)(7696005)(478600001)(66946007)(316002)(71200400001)(2906002)(55016002)(76116006)(83380400001)(6506007)(6916009)(33656002)(66446008)(64756008)(66556008)(66476007)(52536014)(5660300002)(26005)(8936002)(4326008)(8676002)(186003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: cl6grHPIL3EBdneiJzVEuoCgG6vCnkkOOA3YDSJkLJ4ZvXr8LraHEdaMpQEwoXWz3qVlmiRXgYquiwTMynnBbtQy0weydqAa3HfLP8amSwl8fIo7wzNhKzYLwBmSYZwJ2bdWzC+DtQLzLY9tiz5pR20qH/OAKvmH74mqAUM6dwNAQy2CZnkN6PNFmKN9AR+YqvRefe0JZvwqiynCIF7VJ2gytiwdndrWNq7ZzK5GTVwqV0fP+y8kEtsQ1P6obuD2dNZ78XzFe96bUaKw5zJbrACg8qNMBtIpL7zkegZnr7PTVe+DqeiESWn6m706W/x3vtT9p2FE1VLI35Mcemmt3GTXocmVHaS9voQtGx0J41W6ZEKjshgG5o96EIu4u5bXUo61SuMG/zEKWZG7xI17VaMlyEd4HdUEVGaqVn2KXpUFqgYQrrRIbyphHrpKUxUW10GAL/+CYzj+Gdf89oOC58Hk5Ex5C895g2dAK1z9/Yg=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR11MB4366.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f85607a3-4d6a-4956-3465-08d824f1a70d
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2020 16:52:37.6016 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 154UK7QX1XreGZGhw9jYuZo3WKAR/vOMAEh5i4VubTj47cXZyKe/an2G2VB/itB+pdNW7cOFPW6dSOx+WZAXAQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4550
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.13, xch-rcd-003.cisco.com
X-Outbound-Node: alln-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/FboKaDJzmp3jODDKvpHIp-7xz00>
Subject: [OPSAWG] AD review of draft-ietf-opsawg-tacacs-yang-07
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 16:52:48 -0000
Apologies for the delay, but please find my AD review of the TACACS+ YANG module draft. I would like to thank the authors for their work on this document, and the WG for providing reviews and input in this document. I believe that the document is in good shape but propose some minor changes to some of the wording in places. One particular question that I would like to pull to the top is the naming of the module and identifiers: These generally use "tacacsplus", but I think that "tacacs-plus" might be better and more readable. Full comments are inline in the document below (marked as #) The YANG model can be used with network management protocols such as NETCONF[RFC6241] to install, manipulate, and delete the configuration of network devices. Abstract This document defines a YANG module that augment the System Management data model defined in the RFC 7317 with TACACS+ client model. The data model of Terminal Access Controller Access Control System Plus (TACACS+) client allows the configuration of TACACS+ servers for centralized Authentication, Authorization and Accounting. # Perhaps tweak the first paragraph of the abstract slightly to: This document defines a TACACS+ client YANG module, that augments the System Management data model, defined in RFC 7317, to allow devices to make use of TACACS+ servers for centralized Authentication, Authorization and Accounting. This document defines a YANG module that augment the System Management data model defined in the [RFC7317] with TACACS+ client model. # augment -> augments # with TACACS+ client -> to support the configuration and management of TACACS+ clients. TACACS+ provides Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers which is defined in the TACACS+ Protocol. [I-D.ietf-opsawg-tacacs] # TACACS+ provides -> "TACACS+ [I-D.ietf-opsawg-tacacs] provides" [and remove the reference at the end of the paragraph]. # networked computing devices -> networked devices # centralized servers which ... -> delete from which ... to the end of the sentence. The System Management Model [RFC7317] defines two YANG features to support local or RADIUS authentication: #two YANG features -> separate functionality #or -> and o User Authentication Model: Defines a list of usernames and passwords and control the order in which local or RADIUS authentication is used. # I suggest modifying this to -> o User Authentication Model: Defines a list of usernames with associated passwords and a configuration leaf to decide the order in which local or RADIUS authentication is used. o RADIUS Client Model: Defines a list of RADIUS servers that a device uses. # device uses. -> devices uses to manage users. Since TACACS+ is also used for device management and the feature is not contained in the System Management model, this document defines a YANG data model that allows users to configure TACACS+ client functions on a device for centralized Authentication, Authorization and Accounting provided by TACACS+ servers. # I suggest rewording this paragraph to something like: The System Management Model is augmented with the TACACS+ YANG module defined in this document to allow the use of TACACS+ servers as an alternative to RADIUS servers or local user configuration. Zheng, et al. Expires December 22, 2020 [Page 2] Internet-Draft TACACS+ YANG model June 2020 The YANG model can be used with network management protocols such as NETCONF[RFC6241] to install, manipulate, and delete the configuration of network devices. # I would suggest deleting "to install ..." to the end. The ietf-system-tacacsplus module is intended to augment the "/sys:system" path defined in the ietf-system module with the contents of the"tacacsplus" grouping. Therefore, a device can use local, Remote Authentication Dial In User Service (RADIUS), or Terminal Access Controller Access Control System Plus (TACACS+) to validate users who attempt to access the router by several mechanisms, e.g. a command line interface or a web-based user interface. #intended to augment -> augments #I think that you should just use RADIUS and TACACS+ here rather then spelling our the full names. The "server" list is directly under the "tacacsplus" container, which holds a list of TACACS+ servers and uses server-type to distinguish between the three protocols. The list of servers is for redundancy. # I was confused by "the three protocols" (thought you meant RADIUS, TACACS+ and local), hence suggest explicitly listing the AAA elements here. Most of the parameters in the "server" list are taken directly from the TACACS+ protocol [I-D.ietf-opsawg-tacacs], and some are derived from the various implementations by network equipment manufacturers. For example, when there are multiple interfaces connected to the TACACS+ client or server, the source address of outgoing TACACS+ packets could be specified, or the source address could be specified through the interface setting, or derived from the out-bound interface from the local FIB. For the TACACS+ server located in a Virtual Private Network(VPN), a VRF instance needs to be specified. # Unclear what is meant by "or the source address could be specified through the interface setting"? # out-bound -> outbound The "statistics" container under the "server list" is to record session statistics and usage information during user access which include the amount of data a user has sent and/or received during a session. # Does it measure the amount of data sent or recieved, or the number of messages? # Also the statistics don't appear to be per user at all, but instead per server? 4. TACACS+ Client Module This YANG module imports typedefs from [RFC6991]. # Do you want to list the RFCs of the other modules that are referenced in the YANG module? <CODE BEGINS> file "ietf-system-tacacsplus@2020-05-22.yang" module ietf-system-tacacsplus { # This might be worth discussing, but I'm not sure whether "tacacs-plus" wouldn't be better than "tacacsplus" in all the identifiers below. typedef tcsplus-server-type { # I think that this should be "tacacsplus-server-type", shortening the name here is probably not helpful. feature tacacsplus { description "Indicates that the device can be configured as a TACACS+ client."; reference "RFC XXXX : The TACACS+ Protocol "; } # This feature isn't required and can be deleted. Support for TACACS+ is implicit by whether or not this YANG module is supported. list server { key "name"; ordered-by user; description "List of TACACS+ servers used by the device."; leaf name { type string; description "An arbitrary name for the TACACS+ server."; # Any restrictions? Are spaces allowed in the TACACS+ server name? Does the TACACS+ protocol limit this at all? } Regards, Rob
- [OPSAWG] AD review of draft-ietf-opsawg-tacacs-ya… Rob Wilton (rwilton)
- Re: [OPSAWG] AD review of draft-ietf-opsawg-tacac… Joe Clarke (jclarke)
- Re: [OPSAWG] AD review of draft-ietf-opsawg-tacac… Rob Wilton (rwilton)
- Re: [OPSAWG] AD review of draft-ietf-opsawg-tacac… Wubo (lana)