IETF Logo Mail Archive

Re: [OPSAWG] AD review of draft-ietf-opsawg-tacacs-yang-07

"Rob Wilton (rwilton)" <rwilton@cisco.com> Wed, 10 March 2021 12:05 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07AD03A2250; Wed, 10 Mar 2021 04:05:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.62
X-Spam-Level:
X-Spam-Status: No, score=-9.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=dZFcriaI; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=K08yay6X
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kqoidecf3rxY; Wed, 10 Mar 2021 04:05:44 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 707673A21A6; Wed, 10 Mar 2021 04:05:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18544; q=dns/txt; s=iport; t=1615377944; x=1616587544; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=mxeRziAiZV7AfhfxNVJnl+oKj2bjtXGcWHWb8xyyGUE=; b=dZFcriaIvm7JUVe0fvKPrwve1CDk8LotyxXRtQM0mecA8zQiQZiWsGrI sPf72y2QOwmqtQ0PF8vrPjS1Vm/I+H8w8wSlUr/6pyHOYAI2LRun5T5XO M5354aS1wJoGbc+vT1tZq8NhamI2y8EUEB80+vcVEN4pdVk4rv3pRCzv0 Q=;
X-IPAS-Result: A0ANAABas0hgmJFdJa1aGgEBAQEBAQEBAQEDAQEBARIBAQEBAgIBAQEBQIE+AgEBAQELAYFSIy59WjYxCoQ3g0gDhTmIWAOPFIoHgUKBEQNUCwEBAQ0BASgKAgQBAYRNAheBWwIlNwYOAgMBAQEDAgMBAQEBBQEBAQIBBgQUAQEBAQEBAQGGCQEsDYZEAQEBBCMEDQwBATgLBAIBBgIRBAEBAwIUDwMCAgIwFAEICAEBBAESCIJoAYJVAy8BDj2RAZBqAooedn8zgwQBAQaBNwKDWhiCEwMGgQ8qAYJ1hAmCUoJDgS8HHxyBSUKBVIFafj6CXAEBAgEVfyAOAhpNgkc0giuBWAEQeCcmBA0QEhQHBwIgZRMsJQEBFgIKBQIXCwMBCwGQa4Moh3+dfwqDAIlEhwuMAIM8iliVbJRrgg2JP5F1AjkJhD8CBAIEBQIOAQEGgSNHIoFZcBUaIYJpUBcCDYEaBY0AGYNWhRSFRXM4AgYBCQEBAwl8iUABDxUCB4EGATFdAQE
IronPort-PHdr: 9a23:HDKFyBeekE6WP8aiCT9zGd9qlGMj4e+mNxMJ6pchl7NFe7ii+JKnJkHE+PFxlwaQA9fb9vtbhuuQuKflCiQM4peE5XYFdpEEFxoIkt4fkAFoBsmZQVb6I/jnY21ffoxCWVZp8mv9PR1TH8DzNF3Pq2K/7HgZHRCsfQZwL/7+T4jVicn/3uuu+prVNgNPgjf1Yb57IBis6wvLscxDiop5IaF3wRzM8XY=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,237,1610409600"; d="scan'208";a="652435087"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 10 Mar 2021 12:05:40 +0000
Received: from mail.cisco.com (xbe-aln-006.cisco.com [173.36.7.21]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 12AC5Uve003822 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Wed, 10 Mar 2021 12:05:40 GMT
Received: from xfe-aln-005.cisco.com (173.37.135.125) by xbe-aln-006.cisco.com (173.36.7.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Wed, 10 Mar 2021 06:05:36 -0600
Received: from xfe-aln-004.cisco.com (173.37.135.124) by xfe-aln-005.cisco.com (173.37.135.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Wed, 10 Mar 2021 06:05:34 -0600
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-004.cisco.com (173.37.135.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3 via Frontend Transport; Wed, 10 Mar 2021 06:05:34 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jysbKx8+r1V/m7S+2QvYlgZRtb/8QSuXqKWDFpyJCeUPhXsEdpg0eMqlEnAUd1nrLU7OiBz4UFd2YdsbQzdvjupvkrmv3fQYvSe8ocGe8rdH+SdNWLAV6xlonIxlb1NJ3kCObWJF/B4aVskI3+XxxqJSiWsq5xoCNnKSASw/kaoLl6tzZYFefSTdc+KEKjoG5L+Iu5ae5+/aaGSEy2me4tmARcn0ndyymnYw2j5AQsggaRxodpZe7wnMEVXelIOC+GEBrwkuihy/cDTBhQYj5M7/tL5RQ7cWND0CDgeyVjeVarnvlYdXB4aVax+jaGg5xsOJcnfuv7fwWkJJZEmPAw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mxeRziAiZV7AfhfxNVJnl+oKj2bjtXGcWHWb8xyyGUE=; b=GtzCpy9vc0wrhpw+Fm6pSOz5XLt2XcuySsK3Qr06+GBhtVryad2mH62gl32JuP3PxD8spNVSC9GfsoB+HsQgLly7TJjtb9KbQvYObmONknJ5qJw0aimEGdPBkwQ+HWKgcehVUDOcqyu48IfizfVLGcbd44nrfpEaDrsHV6a2CvakN3SlMRIQNZZm6lNx66OVMrguQNWln4IUGnotepqkkaplteIx9cz4nYcFe8S5akK1EqfG37yWjP2bDotycYjBd0Yy1ALHG5TiotQRl6PaFOM7js3zI2sB8m1YWRGhQntAnXD4zB14TZl+Q7brm+CRmLWCIeRhy4oel042xGXBzA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mxeRziAiZV7AfhfxNVJnl+oKj2bjtXGcWHWb8xyyGUE=; b=K08yay6XcVsApvtt0TY9mhC4Ak0aKxJ2nm5QxjxZ6iSlwNP1vaOz/QKxi7asUgUFR7fU5lLp/TLFtAAUuLqlxKzvzB4lSbOsCejKu/rGh+fiIEdByB45RCsgDWBelkdCljp6tc3xPVQjABtUAE3hMRHStAAcKucvFG8Ul6uIoiM=
Received: from MN2PR11MB4366.namprd11.prod.outlook.com (2603:10b6:208:190::17) by MN2PR11MB4366.namprd11.prod.outlook.com (2603:10b6:208:190::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.19; Wed, 10 Mar 2021 12:05:33 +0000
Received: from MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::24c4:4c09:f6f0:5510]) by MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::24c4:4c09:f6f0:5510%2]) with mapi id 15.20.3912.027; Wed, 10 Mar 2021 12:05:33 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "Wubo (lana)" <lana.wubo@huawei.com>, opsawg <opsawg@ietf.org>, "draft-ietf-opsawg-tacacs-yang.all@ietf.org" <draft-ietf-opsawg-tacacs-yang.all@ietf.org>
Thread-Topic: AD review of draft-ietf-opsawg-tacacs-yang-07
Thread-Index: AdaOJ+r2g6iry3KkQNSN2UgDw37YXCHd+aiw
Date: Wed, 10 Mar 2021 12:05:32 +0000
Message-ID: <MN2PR11MB4366335111AF28DC08ABA4D2B5919@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <b66fd196168d494aa57784e7b97b69cb@huawei.com>
In-Reply-To: <b66fd196168d494aa57784e7b97b69cb@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [64.103.40.26]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bfb2cbf6-a51c-4d06-8ac6-08d8e3bcce9b
x-ms-traffictypediagnostic: MN2PR11MB4366:
x-microsoft-antispam-prvs: <MN2PR11MB4366E1E4DB25C8C9C48A9ED0B5919@MN2PR11MB4366.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 7YsX9ZfJmQrMz7A3DCBxoDVmszjEa7fDNHBVCHjP3y41E4Bx67mUc+RCmN03pN7AtKVG5p3iw6Ftt0rdMSR5NgOsvR4UhSczjwCtJSp/2JH1lCmanOITCvekWpRsF8K+dg8eyFsWSI0qCum1Q8ZFYNnYEitVeugr1BzLKXvr8vyymUvMCsgCR6znsbUVLDbypxiubfutufTbq6RsCW3LvVgBAuLM/HlHjvQ59c9Q7sbfOu3ktfCEYU3z5vx9sRV+DzvxSTBYfgDtl0Cmf90qywsaaM1hdDNJ40cvS6Lx2GHU3ZHrTU8vqeAn8VgIcp8HZN22qUCrITxS5Wa5TvWyytcFgNrvgVTibfxqzENBxjzB5W+ZJHAvyL+prImsWiOMuvl5TzlT90FOWtI1Vg/14vhtBviB7Vi35pmyDdt2v8DhqT5icoQ7eALiPWWukceydYdiVedBieafLirM+tNLGbDZamTdH6dlvPfr6zqh82G9G5tKFUh2jIRF/WsEQypnJqoEJPA3bDBim8IRDW0gdsvMZDFFQijJqfC5XgQstPOzuJkIVHrxDtFXXMdtiad1AdkbI3ouDgW1C8Hi9Ky5jMM7pHYQJcVXz7RZlwoo1kA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB4366.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(39860400002)(396003)(136003)(366004)(346002)(376002)(66946007)(76116006)(316002)(6506007)(55016002)(52536014)(30864003)(2906002)(66446008)(64756008)(478600001)(8676002)(83380400001)(66556008)(26005)(186003)(8936002)(71200400001)(5660300002)(66476007)(9686003)(110136005)(966005)(86362001)(53546011)(33656002)(7696005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 2arzGChT/FtIXd9JBWSDCs/o8fDhG1IoEBe+MSRAsQsPzMYO9gjqYRq9fIJaJYOe7cCCXd/SArl4gfxpnrBa9rXkZohirmugvw4TzjLI95VLwlO5RirPGnSHkkIjPciqN9VuPkUsA0arul960TKjGoS5hiGH+DBsN7xKNB1IwntE/wkRAk57qqowHQuvOn4rRkbiwr2ON1/idPNwqQ1ZuHZj0PjhaDVEEqKA09HVwP2I3zwgezV2ZZEWbwv13QKqVOonhtb63iet5zCdoa2PZTefqytK5beQwsVE5Yx5qgbmAM4gFJvrcurMMrHUxCuh9qDFkpzbGPCm2z0zJ2lPoMWPJQHVnvNNzpVy8d81ZLy4GhsFkQXOX+80CxIRK9P8u5OwNiLlFew7avZPqlNxBc0aTbOX6eh7ZxJ9AqYva/6CkINkEnG9ZjYrOw4WZfsOCZmP/yycl9m7hH37SBlc4It2m3S65VvcmhxDbeWv2aI/fpAFNismZ0FYCkTnwkYsWngcF9OMFXlY7Wdh29KN5lLzcby354TOJSSQn5bYYSs/5VxtFVr88HAszfrEyA595OpxQAogMnX7uqxPyJSk2NERFAPZehBk4bhAGHscSz16pBGqsZfVAFWy22fDdXssYuuzXKWJSw101iswyi6yRoTRwvGMUBOi0VTKgTugr70rHXlhH/soC6dJ6ciXfz7qW48OgAZztWSO8/joj83uK+VHPVr4TbujvGaDaMXVNj1SUmxt69I+l8eJXhpTb8QAKrpTtkYPayTUjmpn7ZCTdV8zXa7ichazSpKTwLvobHHsr46pTGf5ksIIi8gfZL98Gfmh/wXa/2tdjwH9Q8HIzcUP2C5pQEUlur2DZMmb+kcJ/AH7pBBR38j0RAT7fe5d0o+OypPgIzg1wECh39sej2taiiGnS5qtLlxkE5yGJzlehc0gJYTRJHiVsqeXJrBl7XA7e6qARRNVfnNmlHdU0iajyUryGO/k10hzbywtY7osRQsn2Pr+zfea58t6Tg3vVAlx8c8fREz6kSF715rsrWf46v29N21CVj3tt9T/UTdOCEk1VRNKnywKnpFA6Dmb0UHCtII4mDEk7VilUewl08ew9EoxxNqOtuie6Gdtr1uEBn0IDmrsp/Ijoo5fSGrg5AjrXGE2QrXs6kPsGreXr5HJp2RpQfRDq5LIw4mFAUDIqsp5ENdPqJrm0JY7iFEsmwgs01p6WWuWTQcEXqe+sG4B1kH2OBlY8ON1J3Cs1uJ4RLG4ji6l8vNEPrkN3FN0t5vHhgWxlT2sEPP2HXfS/Q4rEkB/qyEYN6dsWjvxqFg=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR11MB4366.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bfb2cbf6-a51c-4d06-8ac6-08d8e3bcce9b
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Mar 2021 12:05:33.1182 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ktJJwt15P0OHN/7Fnv+Gx/9MUhVyB/qnOIDAhODoy5FzqLQp90Zhf+/ENkD1Z4NBgrV87UJTzXqCme9csRgxgg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4366
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.21, xbe-aln-006.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/XGTksjc1WCFUnPugrn0XB4bRjsw>
Subject: Re: [OPSAWG] AD review of draft-ietf-opsawg-tacacs-yang-07
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2021 12:05:47 -0000

Hi Bo,

Sorry, this doc slipped off my radar.

I've provided comments inline, but I think that it is only the "shared-secret" part that needs to be resolved.



> -----Original Message-----
> From: Wubo (lana) <lana.wubo@huawei.com>
> Sent: 19 September 2020 08:47
> To: Rob Wilton (rwilton) <rwilton@cisco.com>; opsawg <opsawg@ietf.org>;
> draft-ietf-opsawg-tacacs-yang.all@ietf.org
> Subject: Re: AD review of draft-ietf-opsawg-tacacs-yang-07
> 
> Hi Rob,
> 
> Thanks for the reply. Please see inline.
> 
> Best regards,
> Bo
> 
> -----邮件原件-----
> 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> 发送时间: 2020年9月15日 18:53
> 收件人: Wubo (lana) <lana.wubo@huawei.com>; opsawg <opsawg@ietf.org>;
> draft-ietf-opsawg-tacacs-yang.all@ietf.org
> 主题: RE: AD review of draft-ietf-opsawg-tacacs-yang-07
> 
> Hi Bo,
> 
> Thanks for addressing my previous comments.
> 
> Please see inline ...
> 
> > -----Original Message-----
> > From: Wubo (lana) <lana.wubo@huawei.com>
> > Sent: 29 August 2020 09:40
> > To: Rob Wilton (rwilton) <rwilton@cisco.com>; opsawg
> > <opsawg@ietf.org>; draft-ietf-opsawg-tacacs-yang.all@ietf.org
> > Subject: Re: AD review of draft-ietf-opsawg-tacacs-yang-07
> >
> > Hi Rob,
> >
> > v-08 is posted, to address most of the your comments in the two AD
> > reviews.
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-tacacs-yang-08
> >
> > There are still some comments to confirm with you.
> >
> > 3. "shared-secret", should that be put under a choice statement?  Is
> > it likely that alternative methods of authenticating the server are
> > likely in future?
> > [Bo] This issue has been discussed in WG before, and it was
> > recommended that the module be updated when the new TACACS+ protocol
> > defined. What's your opinion?
> [RW]
> 
> I'm not sure I entirely follow.
> 
> By "be updated when the new TACACS+ protocol defined", do you mean:
> https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-11, or something
> else?
> 
> If it is this draft, then this is a normative reference and will be
> published shortly.  I had presumed that this model covered the client
> functionality from draft-ietf-opsawg-tacacs-11?
> 
> [Bo] Yes, this model is defined to cover the client functionality from
> draft-ietf-opsawg-tacacs-11 or the latest version.
> "shared-secret" is used to encrypt the TACACS+ packet body, and is the
> only body encryption method defined in the TACACS+ protocol.
> During WG discussion, a similar issue has been discussed and it was
> suggested that in future an augmented model to be defined to reflect
> alternative methods, such as TLS encryption.
[RW] 

So, the problem that I see is that the shared-secret leaf is mandatory.  I.e., even if an alternative method was specified then a shared-secret would still always need to be specified.  I don't know whether that it is a reasonable constraint to put on the model.

If there will always be a shared secret then your augmentation approach should be fine.

But, if it is plausible or likely that a shared-secret would not always be required then I would be better to have a mandatory choice statement with shared-secret as one of the choices.



> 
> >
> >
> > 5. Does the tcsplus-server-type indicate what the server is, or how
> > the server is used?  E.g., could a server have the authentication bit
> > set, but then not be used for user authentication?  Or should that be
> > prevented with a must statement?
> > [Bo]Yes, tcsplus-server-type indicates what type the server is. But I
> > don't quite understand this comment.
> [RW]
> 
> The distinction that I was trying to make is:
> 
> Server 'S', might have the capabilities of an authentication and
> accounting server, but Network Device 'D', that is making use of Server
> 'S', might only be making use of its authentication capabilities.  In this
> scenario, do the configuration bits on device 'D' list Server 'S' as
> supporting authentication and accounting (since that is what the server
> supports) or do they only list Server 'S' capabilities as "authentication"
> (since that is what is being used by 'D')?
> 
> If the intended behaviour is the latter, then I think that we should tweak
> the descriptions to be clear.
> 
> [Bo] Yes, the intention is the latter.
> Perhaps you mean the YANG descriptions of 'tcsplus-server-type' are not
> clear enough. Please let us know if this addresses your concerns or if
> there is anything else.
> 
>   typedef tacacs-plus-server-type {
>     type bits {
>       bit authentication {
>         description
>           "When set, the server is an authentication server."
>          ->
> 		  "When set, the device use the server for authentication
> service.";
[RW] 
Yes, I think that is fine, but I propose perhaps "Indicates that the TACACS server is providing authentication services".  The other two comments should be adjusted similarly.



> 
>       }
> ...
>     }
>     description
>       "tacacs-plus-server-type can be set to
>        authentication/authorization/accounting
>        or any combination of the three types. When all three types are
>        supported, all the three bits are set.";
>      ->
> 	 "When all the three bits are set, the device use all available
> services on the server.";
[RW] 

The last sentence probably isn't needed and could just be removed?

Regards,
Rob


>   }
> 
> >
> >
> > 6. Should there be a limit on the length of a server name?
> > [Bo]The TACACS+ protocol does not have any restrictions, and I also
> > think this model could follow current ietf-system model, since this
> > module is the augmentation of the system model and there is no
> > restriction on the RADIUS server name in the ietf-system model.
> > How do you think?
> [RW]
> 
> I agree that being consistent with ietf-system is a good choice.
> 
> I do wonder more generally if this will mean that different vendors will
> impose different limits using deviations, which would effectively make
> interop harder.  But that doesn't need to be solved here/now.
> 
> [Bo]Thanks for the suggestion.
> 
> 
> >
> >
> > 7. I dont' know whether this matters, but the must statement doesn't
> > seem to be quite complete, in that it would still allow TACACS+ to be
> > listed as an authentication mechanims, but only include an accounting
> > server in the TACACS+ server list.
> > [Bo] Thanks. Agree that the must statement does not prohibit
> > accounting or authorization TACACS+ server configuration.
> > I updated the must statement with authentication server type validation.
> [RW]
> 
> Okay.
> 
> Regards,
> Rob
> 
> 
> >
> > Thanks,
> > Bo
> >
> > -----邮件原件-----
> > 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> > 发送时间: 2020年8月20日 18:38
> > 收件人: opsawg <opsawg@ietf.org>; draft-ietf-opsawg-tacacs-
> > yang.all@ietf.org
> > 主题: RE: AD review of draft-ietf-opsawg-tacacs-yang-07
> >
> > Ok, my bad.  It seems that I had already done an AD review of this
> > document :-)
> >
> > Bo, there may be some additional comments that you would like to
> > consider below in your -08 update.
> >
> > Regards,
> > Rob
> >
> >
> >
> > > -----Original Message-----
> > > From: Rob Wilton (rwilton) <rwilton@cisco.com>
> > > Sent: 20 August 2020 11:23
> > > To: opsawg <opsawg@ietf.org>;
> > > draft-ietf-opsawg-tacacs-yang.all@ietf.org
> > > Subject: AD review of draft-ietf-opsawg-tacacs-yang-07
> > >
> > > Hi,
> > >
> > > This is my AD review of draft-ietf-opsawg-tacacs-yang-07.  Sorry
> > > that it has been a little while in coming.
> > >
> > > Thank you for this document, I believe that it is in good shape.
> > > I've given my slightly more significant comments first, followed by
> > > some editorial comments.
> > >
> > >
> > > COMMENTS:
> > >
> > > "Section 3":
> > >
> > >    The "statistics" container under the "server list" is to record
> > >    session statistics and usage information during user access which
> > >    include the amount of data a user has sent and/or received during a
> > >    session.
> > >
> > > 1. Looking at the module, the statistics only seem to cover the
> > > number of messages rather than the amount of data.  Possibly delete
> > > the part of the sentence from "which include" ... to the end of the
> sentence.
> > >
> > >
> > > "Regarding the YANG module":
> > >
> > > 2. I suggest changing "tacacsplus" to "tacacs-plus" (e.g., in the
> > > module title and top level nodes).
> > >
> > > 3. "shared-secret", should that be put under a choice statement?  Is
> > > it likely that alternative methods of authenticating the server are
> > > likely in future?
> > >
> > > 4. I'm not sure that the "tacacsplus" feature is required.
> > > Supporting the ietf-system-tacacsplus module should be sufficient to
> > > indicate that the device supports TACACS+ client configuration.
> > >
> > > 5. Does the tcsplus-server-type indicate what the server is, or how
> > > the server is used?  E.g., could a server have the authentication
> > > bit set, but then not be used for user authentication?  Or should
> > > that be prevented with a must statement?
> > >
> > > 6. Should there be a limit on the length of a server name?
> > >
> > > 7. I dont' know whether this matters, but the must statement doesn't
> > > seem to be quite complete, in that it would still allow TACACS+ to
> > > be listed as an authentication mechanims, but only include an
> > > accounting server in the
> > > TACACS+ server list.
> > >
> > >
> > > "Security section":
> > >    /system/tacacsplus/server:  This list contains the objects used to
> > >       control the TACACS+ servers used by the device.  Unauthorized
> > >       access to this list could cause a user management failure on the
> > >       device.
> > >
> > > 8. I don't know TACACS+, but I would presume that the risk of
> > > accessing this list is much greater than just user management failure.
> > > If it was possible to modify this configuration to point to a
> > > compromised TACACS+ server then would it not be possible to obtain
> > > complete control over the device?  If, so I think then I think that
> > > it would be helpful to make this risk clear.  [As a nit, we should
> > > probably also use 'data nodes' rather than 'objects']
> > >
> > >
> > > "References":
> > >
> > > 9. Please can you ensure that your normative references to all RFCs
> > > that define YANG modules that are imported by the YANG modules
> > > defined in this document.  From a quick scan, it looked like some
> > > might be
> > missing.
> > >
> > >
> > >
> > > EDITORIAL COMMENTS:
> > >
> > >
> > > Abstract:
> > > 1. that augment -> that augments
> > > 2. in the RFC 7317 with TACACS+ client model. -> in RFC 7317 with a
> > > TACACS+ client data model.
> > >
> > > 3. The data model of Terminal Access Controller Access Control
> > >    System Plus (TACACS+) client allows ...-> The Terminal Access
> > > Controller Access Control System Plus (TACACS+) client data model
> > > allows ...
> > >
> > > Introduction:
> > >
> > > 4. This document defines a YANG module that augment the System
> > >    Management data model defined in the [RFC7317] with TACACS+ client
> > >    model.
> > >
> > >    ->
> > >
> > >    This document defines a YANG module that augments the System
> > >    Management data model defined in [RFC7317] with a TACACS+ client
> > >    data model.
> > >
> > > 5. TACACS+ provides Device Administration ->
> > >    TACACS+ provides device administration
> > >
> > > 6. TACACS+ provides Device Administration for routers, network access
> > >    servers and other networked computing devices via one or more
> > >    centralized servers which is defined in the TACACS+ Protocol.
> > >    [I-D.ietf-opsawg-tacacs]
> > >
> > >    ->
> > >
> > >    TACACS+ [I-D.ietf-opsawg-tacacs] provides Device Administration for
> > >    routers, network access servers and other networked computing
> devices
> > >    via one or more centralized servers.
> > >
> > > 7. o  User Authentication Model: Defines a list of usernames and
> > >       passwords and control the order in which local or RADIUS
> > >       authentication is used.
> > >
> > >    ->
> > >
> > >    o  User Authentication Model: Defines a list of local usernames and
> > >       passwords.  It also controls the order in which local or RADIUS
> > >       authentication is used.
> > >
> > > 8.  System Management model -> System Management Model?
> > >
> > > 9.  The YANG model can be used -> The YANG module can be used
> > >     The YANG data model in this document" => The YANG module in this
> > > document
> > >
> > >
> > > "3.  Design of the Data Model"
> > >
> > > 10. Recommend changing heading to "Design of the TACAS+ Data Model"
> > >
> > > 11. client on the device -> client on a device
> > >
> > > 12. user's name and password -> user's username and password?
> > >
> > > 13. user and accounting -> user, and accounting
> > >
> > > 14. is intended to augment -> augments
> > >
> > > 15. A couple of places "e.g." should be replaced with "e.g.,"
> > >
> > > Appendix A:
> > >
> > > 16. In the example, possibly delete the "single-connection" leaf
> > > since that is a default value.
> > >
> > > Regards,
> > > Rob

v2.23.0 | Report a Bug | By Email