IETF Logo Mail Archive

Re: [OPSAWG] AD review of draft-ietf-opsawg-tacacs-yang-07

"Rob Wilton (rwilton)" <rwilton@cisco.com> Mon, 15 March 2021 09:12 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BAF53A0EA4; Mon, 15 Mar 2021 02:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.62
X-Spam-Level:
X-Spam-Status: No, score=-9.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=lJYsE2j7; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=q8vIGBe4
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pbn1o0KMEwQq; Mon, 15 Mar 2021 02:12:19 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBBE83A0E9E; Mon, 15 Mar 2021 02:12:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=23898; q=dns/txt; s=iport; t=1615799538; x=1617009138; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=ibrUdNSXmkVZEVfgDU+Y7RZA591uDygOyd6rdGEG/k8=; b=lJYsE2j7fLdCFoUdIued8yHBuUSdziaXqBR7ndb8NrILiRELSvze9jhD hPjWN2+aaiFT6SVNgRyMm6VMTERRPKnDEiGvO5G7tqDVyFGBW3Vf2383c BO3n1MBZA+Z5XRLjtqaLdFPyJgoWB/gDcWBCbLi0JUxiR/I94RS5ObmK9 M=;
IronPort-PHdr: A9a23:RNh1ihWR5NtxTmzwB1HxRhnMj2jV8K0IAWYlgqEPgq9Scqml45XpNVDe4vMollLSQIHH8Jpsi/ffrK3hH2cH5MXJvHMDdclKUBkIwYUTkhc7CcGIQUv8MLbxbiM8EcgDMT0t/3yyPUVPXsqrYVrUry6y8DcNFxS5Pg1wdaz5H4fIhJGx0Oa/s5TYfwRPgm+7ZrV/ZBW7pAncrI8Ym4xnf60w0RDO5HBPfrc++A==
IronPort-HdrOrdr: A9a23:A20d06srxaD3hvM6Ohbgsy9D7skCD4cji2hD6mlwRA09T+WxrOrrtOgH1BPylTYaUGwhn9fFA6WbXXbA7/dOgLU5FYyJGC3ronGhIo0n14vtxDX8Bzbzn9Qy6Y5JSII7MtH5CDFB4vrSyAOzH888hPyO9661jenTpk0dMT1CQadm8gt/F0K/Gkp5WAFJCfMCZeWhz+BAoCetfmlSU9+yAWMLU/OGi9rAkp/nZhBuPW9o1CClizS05LnmVyWJxxt2aUIB/Z4O00jg1zb46KKqru2hxnbnt1P7wpxKlLLau6N+LeOWjMx9EESIti+JY8BbV6SGrHQJpoiUmSsXuf3thztlAMhp8XPWeQiO0FrQ8i3tyiwn5XOn6XLwuwqZneXDSDg3C9VMiOtiG3OzgSdNzbIMsp5j5G6Xu4FaChnNhk3GlqL1fit3nUm5q2dKq591s1VjUJATYLIUjYsT8FI9KuZ4IAvG6ZsqGOQrMcfE5Pw+SyL9U1nluABUsbiRd0V2Oi3DblkJu8ST3TQTtmt+1VEkyMsWmWpF3I4hSrFfjt60cphApfVrdIs7fKh9DOAOTY+cEWrWWy/BN2qUPBDOCLwHAXTQsJT6iY9Fp92CSdgt9t8fiZ7BWFRXuSoZYET1E/CD25VN71TrTHiiWy/ujuVT/YJwtLG5ZLeDC1zAdHke1++b59kPCMzSXPi+fLhMBeX4EGfoEYFVmwLkXZ1fLmQfTd0Vtt43V0nmmLOOFqTa8sjgNNrDLrvkFjgpHknlBGEYYTT1LMJcqkCnM0WIxyT5ajfIQAjS7JhwGK/V86w4044WLLBBtQATlBC87sGPIjtSr7wucCJFUfXau5L+gVPz0XfD7m1vNBYYJF1S+q/cX3RDohJPNVj1f7YFs9CWYntTw3ODOx96Q6rtYUtijmUy3ZjyA42bxCgkBd7iGHmdlWEvqHWDSIpZhreO/t7/epQzDo8vXat4EQmjLW0tpS9a7EN4LCMUTE7WET3jzZi/hJsPHefFap1XmwGwO/NZrnrZqGSRrcwiXWEgQjarSMKb6DxeHwZ8txlUyes/iKDFsSuzIWE/6d5ITmFkWSCyOvZ6KyirIK9TgavmfQlsS3ziv03qtzgDPkzw90sTgWT9KzazYv+jOCsHhlloloD37VhzamKRO2V3Z3wSi/whKU32/lBuzOSMeq2/l1G0V2JH6OQcPDbZCAFieD9Gz8yr1RKThTaJHWgnwJJrJeDGELE/adjoqwOQAZzNmqccE/BO+pF5cNjor+8QSOqaPxSYNTXiFooSqkaoj2dgPCl/s38/l/z0nBXj8WijxXY6aMCiaGhOVvUeI9uG6XLjSOvN2JJljcgtte/1NmnqcNaJxeXWaDFEQymj6lKeXqUtqZpOu7g1u6Y2F57HUSHQ3HUCxQ4gNq7P5TQjabU+5KqENp5kfsQUdS4c9l01lM6XJE9utgDtGOcxcVwkknezBaLF35PY7b40RkGRrgr5PleStzdQ+PrIRCOP378XAaBYGxUeVGEsrHB5uO+SfYzZDwunM/xZ9F2hK3mnbftTTrOGFbh4lGc33/iY2+uMMyz21wDbsWElfuZA82O7TdizBwzJE+hS6NC+MUmNhKzv4MPbtkaDdRKrL0ADwYtCfggMa84GjD8ohog+yDKzRaz6uVhNqSop3Rh30lr2npG762LaF1xcOQLXgp9KTSBeW0L4//jt4KydzjDh+zBL1pnICVdIctxPE9YWSJLrLy0GE7llgJe4u6w1gipCZx8yD2kzzDDlttkWrouE5A==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C9AAA6JE9g/5hdJa1aGgEBAQEBAQEBAQEDAQEBARIBAQEBAgIBAQEBQIFPgVNRB3ZaNjEKhDeDSAOFOYhBA48figyBQoERA1QLAQEBDQEBKAoCBAEBhE0CF4FfAiU4EwIDAQELAQEFAQEBAgEGBHGFNAEsDYZEAQEBAQIBIwQNDAEBOAsEAgEGAhEEAQEDAhQPAwICAjAUAQgIAQEEARIIgmmCVQMOIQEDCz2QMJBqAooed38zgwQBAQaBNwKDaRiCFAMGgQ8qgnaECYJSgkOBLwcfHIFKQoFUgVp+PoJgAQECARV/IA4CGk2CRzWCK4FYARBbBhcnJgQNEBIUBwcCIAJjEywlAQEWAgQGBQIXCwMBCwEukEaDKIgCngoKgwKJSocPjAeDPopcj2+GDJR0gg2JQ5F9AjkJBYQ+AgQCBAUCDgEBBoEjSCOBV3AVGiGCaVAXAg2BGgWNAINvhRSFRXM4AgYBCQEBAwl8iykBDxUCB4EHATFdAQE
X-IronPort-AV: E=Sophos;i="5.81,249,1610409600"; d="scan'208";a="859384185"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 15 Mar 2021 09:12:17 +0000
Received: from mail.cisco.com (xbe-rcd-007.cisco.com [173.37.102.22]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 12F9CHds000969 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Mon, 15 Mar 2021 09:12:17 GMT
Received: from xfe-aln-005.cisco.com (173.37.135.125) by xbe-rcd-007.cisco.com (173.37.102.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Mon, 15 Mar 2021 04:12:16 -0500
Received: from xfe-aln-003.cisco.com (173.37.135.123) by xfe-aln-005.cisco.com (173.37.135.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Mon, 15 Mar 2021 04:12:16 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-003.cisco.com (173.37.135.123) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3 via Frontend Transport; Mon, 15 Mar 2021 04:12:16 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NsEuJhr55QTzmo83CIKtxffnIWRpcACbt6ZGHXyAN1q1dU4KxQLyTW7jD/I6GlMOLyljh0mE8iIMFvYo3ze7g38ipx2zpGs6tXaGbjGxXrQB5ZBOgjAclCp+gLf8BYuq8rR5xEOaAiU5t/v0YzJduPDbttMJvjzvtYxzx3l7lWLxAaaFFDU3bxwLtSTCzB8rB7Z1UXqEsZuJyhWo5Uf75lmN+1VNOTF5h8Al05jfcq8ASVRG5KCPj6ptqjbZVraxaaDHwRDEADolxrScyI3fgMBQRuChlURhLJmuWfJWnWYDs0djHBXNixQ/YxCuhCJn0e/ibv945CVGu1FeNKx1GQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ibrUdNSXmkVZEVfgDU+Y7RZA591uDygOyd6rdGEG/k8=; b=cR/9iy+FuGsnO+JeFcH1ykma1qod/20TLKRe4nNENIPSbzt9WV+/Wja8MTsBsoZBzy4TLtw06lmh2bc/3N/iDAHRBSPnE6Ei4IOdZvNl5DacN/crAv8CA/OkwLtV18seByt/RG05Y5mp4c7bTDROkt+NMNuOyCUupn/PnAbmE4xvWJKl8T/L0/Zb8aAzhuhqv0IWXqAHdkf/c05oliJEnbbR19eeGFBMbOkd0qhHVg4FjxhrEnpcLdeIjZQ1h5Zx2ChnvvqYyJlGTSAkEcvIz4+JlpaKlYL/MqVLCUBMsS4KTk994PWFdJ1S8mQxbaB1b7UPZApnCgV5FCbcb4UleA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ibrUdNSXmkVZEVfgDU+Y7RZA591uDygOyd6rdGEG/k8=; b=q8vIGBe4Ygx3DUYljDGXs1fDYS7TK2B0GjHnENWuiFi/dhTVcgNZl/7RRfZ71zoKbFWUbSpJtyxV3AYQxWFPM19fEsYbkaHgcRA6+yGdpMslmE3AVZKpF/zbLahyq4vR9n8+eD3nKdQEu8iueGXU0Qgz1HeVGwnrLdLialbQUAs=
Received: from MN2PR11MB4366.namprd11.prod.outlook.com (2603:10b6:208:190::17) by MN2PR11MB4549.namprd11.prod.outlook.com (2603:10b6:208:26d::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3933.31; Mon, 15 Mar 2021 09:12:15 +0000
Received: from MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::24c4:4c09:f6f0:5510]) by MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::24c4:4c09:f6f0:5510%2]) with mapi id 15.20.3933.032; Mon, 15 Mar 2021 09:12:14 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "Wubo (lana)" <lana.wubo@huawei.com>, opsawg <opsawg@ietf.org>, "draft-ietf-opsawg-tacacs-yang.all@ietf.org" <draft-ietf-opsawg-tacacs-yang.all@ietf.org>
Thread-Topic: AD review of draft-ietf-opsawg-tacacs-yang-07
Thread-Index: AdcXKbrnfDt6F+XWSnWe0h83JpzUrACUW5cA
Date: Mon, 15 Mar 2021 09:12:14 +0000
Message-ID: <MN2PR11MB4366F86B60FFED7CBA39772CB56C9@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <879645b2f955435089dfd5a8b3ad9405@huawei.com>
In-Reply-To: <879645b2f955435089dfd5a8b3ad9405@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [82.12.233.180]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2e1a2301-e91d-47b9-c54b-08d8e7926cd2
x-ms-traffictypediagnostic: MN2PR11MB4549:
x-microsoft-antispam-prvs: <MN2PR11MB4549E689DB2933EF138D4A85B56C9@MN2PR11MB4549.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: gtHQZRMAoEMUEOP/5QXsjQRelmAgETgzL519t3tc+/9gj0gCpOXyRtpvXEaYvrI6lEkhgDJP5UqmbeJryPXdH5HO8/xIfcowvai9Kkod3hFAC8nbRtgQlDqVAPP0nqJ345BxjkzDI8q1VgoWE1j63PSheP+Cg+sIHTuLD3Jk0befUNLJiPzpcDfth/sNGBw0JOgK6xRzwCwUtAjv2B0g3pv5TSXtJBvlp4au/tHI/tTXSdqb+SJ39xVfWHLtgcAR8tduPB7j8Xir5ScC+iRh1YMB6e5nyVzeTobwYSUcvQk2Z1zF9RPFwfOLrBh/k0kheNo0EyTpN0GSt62ajbgIh9Fyr18Sh1/p8wCSnLWbQxDD7NTEVkBOgR/gZL0nwKYzxr+SHTm3cLgGV+FHxse++T0kJd2xFK5MqFLa/tl84gfjBlshoc9Y6mzC8wDH0zfSXu3EeclYf7rRfSVwsEuuS7ArhHrZA4mQkzI7xDMSOOFtU3kL2GBjj7SIfBt/8lFjy/ZFCJMm5lKoeRjYgMDgL2+s8DUDQGMcG40geEctTJTrKeaguikk+JxnG1/o4mQPZZXhWMbCNzMToGV11Pwsj7RE21drljc8mBPVlwQ+NJ8OSMQwFivO9q7JP1735T8UJqW7v4daYbKMSyNdGcn/iw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR11MB4366.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(136003)(376002)(366004)(39860400002)(346002)(64756008)(55016002)(53546011)(30864003)(7696005)(9686003)(66946007)(66446008)(66556008)(110136005)(316002)(186003)(26005)(76116006)(52536014)(966005)(5660300002)(478600001)(6506007)(33656002)(8936002)(86362001)(2906002)(8676002)(83380400001)(66476007)(71200400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: htxYEwbhu9I15TWmBwPZKMZ1DZxLU/kEzTru/aEr48bErEd6vpUt6USLWPaCeOA5qrO51U4CQMGODCcyJiNfMsF8eMIH3WRWoYBfeSiroxUn4qr9Co4zLGW0zF/adcglxnq+fV53jTDcEeEGeVW6FJqZZVjrmUiJD2eCCjdsNCRHwdWoalkQ9fyYvtUu5KAxHKkRLq1KQNOo6knLBgHc/ij0aZs6JQosOv5FBdVfSmFxTUF0nypu74yH6ZoDzucis0sRECLtUj8Z8AT9kDbkaXsePjN/GI1VH++8tVirY7Wf9bkdd0nQHYk2Hu+deWNgU9GzRlGHBl3pmLE/tVyseO78tY2d5ymIBhTljS1zrb2BohaQv0P4IWEnApLtPgdZHYwSFbNnSdU/fG04BB9yIu2TUORNz9hh3m7UC1utjRMw2cZxoQPqHz3zLuj8pJsUZ5+XBPQgKyF4rLE+tSOYLh3DBkh4j1OkkIaOwJYRIuzrXkMQbYuNZB5knfWpBdKNao9B+KpoI+2rpsmwhKD+966A+2i5F13R9hDfSkiDqT/JwtjOk4r+DLfRq8gwdt4fVrx8pllUVEPzhLOTgBC171f6uyivTDXqeNKtpu2l4Os3I7JOgWuH2zkQ7VLgD4YQY5M6auUdfX7B5TPsOjuLHHdHFTVuQvbG+euos1VMnlL7ZY2WHkJEuE1raQBOFNNqZALbaDO2O3UUjzU05U6cGvuVrMl3MAqnN1kMfLmdOKwpP9OULICAAckCkR2auMLX7SWg2wA56SaWJRk+1LpyYk6H1ejmQDq2rZ8D8NdzwzGfaeev+uvPln47tXTRf3r/Uq7UrAqgYRCxa8AiV7F0iWs3uw3Dpf9gI51maMnOY8JeGONVMFG4WIz2B5kGOq4ooxeQqRJ0PKQ/fCurAU0KGvxLPFGNFGLkgiS3Vwz2xLVUWsjynQ3yV2VB0iKLwty+PVe/XTut5jk/2hDKv0m3RmINWxERTZRu9u1Ktl3Y21D7nDp6o2jV/sC15ZYfevwmdcqS74SRws3X6Zy1+xtV117hs4rIJPubJoDO3WZwt/Xw03IGeZvfu++gIz8+Nedc8daZzAugy6RiA9DZo3QG/x5CO+Dl3vGJIZ9tPKCniSH8ZpecJ8xWHUkb9wRfN2/ZriGSV7wwGC9/vwtzqM5CO9M4mdQYI2iOdontRPmuP9E30Wm/ltsHnKAly/S0qI12VAQb7Dk7VMB7PpLFUdOBypDqBJBjtvZBOmjeBz1D7fmGSU0Rir5Pv/jRxi5NvP26IGvmrmEloE1Yi+Yw0XKigQzYC0eJiohJiV5XAXZ+JmLYf/bTeEAiFtF11ntqsG4o
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR11MB4366.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2e1a2301-e91d-47b9-c54b-08d8e7926cd2
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Mar 2021 09:12:14.6990 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nccMYY9ChNmBwKe1cffc9cv5LUbqKLMTPPPkRYTwuRliJxcSM9Vm4Xa40meqcIRETYaVFctMfKrawaPAztZstQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4549
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.22, xbe-rcd-007.cisco.com
X-Outbound-Node: rcdn-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/tMxFOeyPmuyJSe8nSRUp-Pt2dMU>
Subject: Re: [OPSAWG] AD review of draft-ietf-opsawg-tacacs-yang-07
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2021 09:12:22 -0000

Hi Bo,

Thanks for addressing my comments, and your work on this document.  I've now requested IETF LC on this document.

Regards,
Rob


> -----Original Message-----
> From: Wubo (lana) <lana.wubo@huawei.com>
> Sent: 12 March 2021 10:31
> To: Rob Wilton (rwilton) <rwilton@cisco.com>; opsawg <opsawg@ietf.org>;
> draft-ietf-opsawg-tacacs-yang.all@ietf.org
> Subject: Re: AD review of draft-ietf-opsawg-tacacs-yang-07
> 
> Hi Rob,
> 
> We have posted a -09 version that fixes the issues from you and Tom Petch.
> Please see below:
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-
> tacacs-yang-09
> 
> Thanks,
> Bo
> 
> -----邮件原件-----
> 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> 发送时间: 2021年3月11日 19:23
> 收件人: Wubo (lana) <lana.wubo@huawei.com>; opsawg <opsawg@ietf.org>;
> draft-ietf-opsawg-tacacs-yang.all@ietf.org
> 主题: RE: AD review of draft-ietf-opsawg-tacacs-yang-07
> 
> Thanks Bo.
> 
> Perhaps make the choice description:
> 
>  "Encryption mechanism between TACACS+ client and server".
> 
> Let me know when you are done, and I'll start the IETF LC.
> 
> Regards,
> Rob
> 
> 
> > -----Original Message-----
> > From: Wubo (lana) <lana.wubo@huawei.com>
> > Sent: 11 March 2021 10:46
> > To: Rob Wilton (rwilton) <rwilton@cisco.com>; opsawg
> > <opsawg@ietf.org>; draft-ietf-opsawg-tacacs-yang.all@ietf.org
> > Subject: Re: AD review of draft-ietf-opsawg-tacacs-yang-07
> >
> > Hi Rob,
> >
> > Thanks for your comments. I will submit rev-09 to resolve the issues
> > below.
> > For the "shared-secret", will change the leaf to:
> >
> > 		choice encryption {
> >            mandatory true;
> >            description
> >              "A choice amongst available encryption types.";
> >            case shared-secret {
> > 		     leaf shared-secret {
> > ...
> >       }
> >
> > Best regards,
> > Bo
> >
> > -----邮件原件-----
> > 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> > 发送时间: 2021年3月10日 20:06
> > 收件人: Wubo (lana) <lana.wubo@huawei.com>; opsawg <opsawg@ietf.org>;
> > draft-ietf-opsawg-tacacs-yang.all@ietf.org
> > 主题: RE: AD review of draft-ietf-opsawg-tacacs-yang-07
> >
> > Hi Bo,
> >
> > Sorry, this doc slipped off my radar.
> >
> > I've provided comments inline, but I think that it is only the
> > "shared- secret" part that needs to be resolved.
> >
> >
> >
> > > -----Original Message-----
> > > From: Wubo (lana) <lana.wubo@huawei.com>
> > > Sent: 19 September 2020 08:47
> > > To: Rob Wilton (rwilton) <rwilton@cisco.com>; opsawg
> > > <opsawg@ietf.org>; draft-ietf-opsawg-tacacs-yang.all@ietf.org
> > > Subject: Re: AD review of draft-ietf-opsawg-tacacs-yang-07
> > >
> > > Hi Rob,
> > >
> > > Thanks for the reply. Please see inline.
> > >
> > > Best regards,
> > > Bo
> > >
> > > -----邮件原件-----
> > > 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> > > 发送时间: 2020年9月15日 18:53
> > > 收件人: Wubo (lana) <lana.wubo@huawei.com>; opsawg <opsawg@ietf.org>;
> > > draft-ietf-opsawg-tacacs-yang.all@ietf.org
> > > 主题: RE: AD review of draft-ietf-opsawg-tacacs-yang-07
> > >
> > > Hi Bo,
> > >
> > > Thanks for addressing my previous comments.
> > >
> > > Please see inline ...
> > >
> > > > -----Original Message-----
> > > > From: Wubo (lana) <lana.wubo@huawei.com>
> > > > Sent: 29 August 2020 09:40
> > > > To: Rob Wilton (rwilton) <rwilton@cisco.com>; opsawg
> > > > <opsawg@ietf.org>; draft-ietf-opsawg-tacacs-yang.all@ietf.org
> > > > Subject: Re: AD review of draft-ietf-opsawg-tacacs-yang-07
> > > >
> > > > Hi Rob,
> > > >
> > > > v-08 is posted, to address most of the your comments in the two AD
> > > > reviews.
> > > > https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-tacacs-yang-08
> > > >
> > > > There are still some comments to confirm with you.
> > > >
> > > > 3. "shared-secret", should that be put under a choice statement?
> > > > Is it likely that alternative methods of authenticating the server
> > > > are likely in future?
> > > > [Bo] This issue has been discussed in WG before, and it was
> > > > recommended that the module be updated when the new TACACS+
> > > > protocol defined. What's your opinion?
> > > [RW]
> > >
> > > I'm not sure I entirely follow.
> > >
> > > By "be updated when the new TACACS+ protocol defined", do you mean:
> > > https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-11, or
> > > something else?
> > >
> > > If it is this draft, then this is a normative reference and will be
> > > published shortly.  I had presumed that this model covered the
> > > client functionality from draft-ietf-opsawg-tacacs-11?
> > >
> > > [Bo] Yes, this model is defined to cover the client functionality
> > > from
> > > draft-ietf-opsawg-tacacs-11 or the latest version.
> > > "shared-secret" is used to encrypt the TACACS+ packet body, and is
> > > the only body encryption method defined in the TACACS+ protocol.
> > > During WG discussion, a similar issue has been discussed and it was
> > > suggested that in future an augmented model to be defined to reflect
> > > alternative methods, such as TLS encryption.
> > [RW]
> >
> > So, the problem that I see is that the shared-secret leaf is mandatory.
> > I.e., even if an alternative method was specified then a shared-secret
> > would still always need to be specified.  I don't know whether that it
> > is a reasonable constraint to put on the model.
> >
> > If there will always be a shared secret then your augmentation
> > approach should be fine.
> >
> > But, if it is plausible or likely that a shared-secret would not
> > always be required then I would be better to have a mandatory choice
> > statement with shared-secret as one of the choices.
> >
> >
> >
> > >
> > > >
> > > >
> > > > 5. Does the tcsplus-server-type indicate what the server is, or
> > > > how the server is used?  E.g., could a server have the
> > > > authentication bit set, but then not be used for user
> > > > authentication?  Or should that be prevented with a must statement?
> > > > [Bo]Yes, tcsplus-server-type indicates what type the server is.
> > > > But I don't quite understand this comment.
> > > [RW]
> > >
> > > The distinction that I was trying to make is:
> > >
> > > Server 'S', might have the capabilities of an authentication and
> > > accounting server, but Network Device 'D', that is making use of
> > > Server 'S', might only be making use of its authentication
> > > capabilities.  In this scenario, do the configuration bits on device
> > > 'D' list Server 'S' as supporting authentication and accounting
> > > (since that is what the server
> > > supports) or do they only list Server 'S' capabilities as
> > "authentication"
> > > (since that is what is being used by 'D')?
> > >
> > > If the intended behaviour is the latter, then I think that we should
> > > tweak the descriptions to be clear.
> > >
> > > [Bo] Yes, the intention is the latter.
> > > Perhaps you mean the YANG descriptions of 'tcsplus-server-type' are
> > > not clear enough. Please let us know if this addresses your concerns
> > > or if there is anything else.
> > >
> > >   typedef tacacs-plus-server-type {
> > >     type bits {
> > >       bit authentication {
> > >         description
> > >           "When set, the server is an authentication server."
> > >          ->
> > > 		  "When set, the device use the server for authentication
> > service.";
> > [RW]
> > Yes, I think that is fine, but I propose perhaps "Indicates that the
> > TACACS server is providing authentication services".  The other two
> > comments should be adjusted similarly.
> >
> >
> >
> > >
> > >       }
> > > ...
> > >     }
> > >     description
> > >       "tacacs-plus-server-type can be set to
> > >        authentication/authorization/accounting
> > >        or any combination of the three types. When all three types are
> > >        supported, all the three bits are set.";
> > >      ->
> > > 	 "When all the three bits are set, the device use all available
> > > services on the server.";
> > [RW]
> >
> > The last sentence probably isn't needed and could just be removed?
> >
> > Regards,
> > Rob
> >
> >
> > >   }
> > >
> > > >
> > > >
> > > > 6. Should there be a limit on the length of a server name?
> > > > [Bo]The TACACS+ protocol does not have any restrictions, and I
> > > > also think this model could follow current ietf-system model,
> > > > since this module is the augmentation of the system model and
> > > > there is no restriction on the RADIUS server name in the ietf-system
> model.
> > > > How do you think?
> > > [RW]
> > >
> > > I agree that being consistent with ietf-system is a good choice.
> > >
> > > I do wonder more generally if this will mean that different vendors
> > > will impose different limits using deviations, which would
> > > effectively make interop harder.  But that doesn't need to be solved
> here/now.
> > >
> > > [Bo]Thanks for the suggestion.
> > >
> > >
> > > >
> > > >
> > > > 7. I dont' know whether this matters, but the must statement
> > > > doesn't seem to be quite complete, in that it would still allow
> > > > TACACS+ to be listed as an authentication mechanims, but only
> > > > include an accounting server in the TACACS+ server list.
> > > > [Bo] Thanks. Agree that the must statement does not prohibit
> > > > accounting or authorization TACACS+ server configuration.
> > > > I updated the must statement with authentication server type
> > validation.
> > > [RW]
> > >
> > > Okay.
> > >
> > > Regards,
> > > Rob
> > >
> > >
> > > >
> > > > Thanks,
> > > > Bo
> > > >
> > > > -----邮件原件-----
> > > > 发件人: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> > > > 发送时间: 2020年8月20日 18:38
> > > > 收件人: opsawg <opsawg@ietf.org>; draft-ietf-opsawg-tacacs-
> > > > yang.all@ietf.org
> > > > 主题: RE: AD review of draft-ietf-opsawg-tacacs-yang-07
> > > >
> > > > Ok, my bad.  It seems that I had already done an AD review of this
> > > > document :-)
> > > >
> > > > Bo, there may be some additional comments that you would like to
> > > > consider below in your -08 update.
> > > >
> > > > Regards,
> > > > Rob
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Rob Wilton (rwilton) <rwilton@cisco.com>
> > > > > Sent: 20 August 2020 11:23
> > > > > To: opsawg <opsawg@ietf.org>;
> > > > > draft-ietf-opsawg-tacacs-yang.all@ietf.org
> > > > > Subject: AD review of draft-ietf-opsawg-tacacs-yang-07
> > > > >
> > > > > Hi,
> > > > >
> > > > > This is my AD review of draft-ietf-opsawg-tacacs-yang-07.  Sorry
> > > > > that it has been a little while in coming.
> > > > >
> > > > > Thank you for this document, I believe that it is in good shape.
> > > > > I've given my slightly more significant comments first, followed
> > > > > by some editorial comments.
> > > > >
> > > > >
> > > > > COMMENTS:
> > > > >
> > > > > "Section 3":
> > > > >
> > > > >    The "statistics" container under the "server list" is to record
> > > > >    session statistics and usage information during user access
> which
> > > > >    include the amount of data a user has sent and/or received
> > > > > during
> > a
> > > > >    session.
> > > > >
> > > > > 1. Looking at the module, the statistics only seem to cover the
> > > > > number of messages rather than the amount of data.  Possibly
> > > > > delete the part of the sentence from "which include" ... to the
> > > > > end of the
> > > sentence.
> > > > >
> > > > >
> > > > > "Regarding the YANG module":
> > > > >
> > > > > 2. I suggest changing "tacacsplus" to "tacacs-plus" (e.g., in
> > > > > the module title and top level nodes).
> > > > >
> > > > > 3. "shared-secret", should that be put under a choice statement?
> > > > > Is it likely that alternative methods of authenticating the
> > > > > server are likely in future?
> > > > >
> > > > > 4. I'm not sure that the "tacacsplus" feature is required.
> > > > > Supporting the ietf-system-tacacsplus module should be
> > > > > sufficient to indicate that the device supports TACACS+ client
> configuration.
> > > > >
> > > > > 5. Does the tcsplus-server-type indicate what the server is, or
> > > > > how the server is used?  E.g., could a server have the
> > > > > authentication bit set, but then not be used for user
> > > > > authentication?  Or should that be prevented with a must
> statement?
> > > > >
> > > > > 6. Should there be a limit on the length of a server name?
> > > > >
> > > > > 7. I dont' know whether this matters, but the must statement
> > > > > doesn't seem to be quite complete, in that it would still allow
> > > > > TACACS+ to be listed as an authentication mechanims, but only
> > > > > include an accounting server in the
> > > > > TACACS+ server list.
> > > > >
> > > > >
> > > > > "Security section":
> > > > >    /system/tacacsplus/server:  This list contains the objects
> > > > > used
> > to
> > > > >       control the TACACS+ servers used by the device.
> Unauthorized
> > > > >       access to this list could cause a user management failure
> > > > > on
> > the
> > > > >       device.
> > > > >
> > > > > 8. I don't know TACACS+, but I would presume that the risk of
> > > > > accessing this list is much greater than just user management
> > failure.
> > > > > If it was possible to modify this configuration to point to a
> > > > > compromised TACACS+ server then would it not be possible to
> > > > > obtain complete control over the device?  If, so I think then I
> > > > > think that it would be helpful to make this risk clear.  [As a
> > > > > nit, we should probably also use 'data nodes' rather than
> > > > > 'objects']
> > > > >
> > > > >
> > > > > "References":
> > > > >
> > > > > 9. Please can you ensure that your normative references to all
> > > > > RFCs that define YANG modules that are imported by the YANG
> > > > > modules defined in this document.  From a quick scan, it looked
> > > > > like some might be
> > > > missing.
> > > > >
> > > > >
> > > > >
> > > > > EDITORIAL COMMENTS:
> > > > >
> > > > >
> > > > > Abstract:
> > > > > 1. that augment -> that augments 2. in the RFC 7317 with TACACS+
> > > > > client model. -> in RFC 7317 with a
> > > > > TACACS+ client data model.
> > > > >
> > > > > 3. The data model of Terminal Access Controller Access Control
> > > > >    System Plus (TACACS+) client allows ...-> The Terminal Access
> > > > > Controller Access Control System Plus (TACACS+) client data
> > > > > model allows ...
> > > > >
> > > > > Introduction:
> > > > >
> > > > > 4. This document defines a YANG module that augment the System
> > > > >    Management data model defined in the [RFC7317] with TACACS+
> > client
> > > > >    model.
> > > > >
> > > > >    ->
> > > > >
> > > > >    This document defines a YANG module that augments the System
> > > > >    Management data model defined in [RFC7317] with a TACACS+
> client
> > > > >    data model.
> > > > >
> > > > > 5. TACACS+ provides Device Administration ->
> > > > >    TACACS+ provides device administration
> > > > >
> > > > > 6. TACACS+ provides Device Administration for routers, network
> > access
> > > > >    servers and other networked computing devices via one or more
> > > > >    centralized servers which is defined in the TACACS+ Protocol.
> > > > >    [I-D.ietf-opsawg-tacacs]
> > > > >
> > > > >    ->
> > > > >
> > > > >    TACACS+ [I-D.ietf-opsawg-tacacs] provides Device
> > > > > Administration
> > for
> > > > >    routers, network access servers and other networked computing
> > > devices
> > > > >    via one or more centralized servers.
> > > > >
> > > > > 7. o  User Authentication Model: Defines a list of usernames and
> > > > >       passwords and control the order in which local or RADIUS
> > > > >       authentication is used.
> > > > >
> > > > >    ->
> > > > >
> > > > >    o  User Authentication Model: Defines a list of local
> > > > > usernames
> > and
> > > > >       passwords.  It also controls the order in which local or
> > RADIUS
> > > > >       authentication is used.
> > > > >
> > > > > 8.  System Management model -> System Management Model?
> > > > >
> > > > > 9.  The YANG model can be used -> The YANG module can be used
> > > > >     The YANG data model in this document" => The YANG module in
> > > > > this document
> > > > >
> > > > >
> > > > > "3.  Design of the Data Model"
> > > > >
> > > > > 10. Recommend changing heading to "Design of the TACAS+ Data
> Model"
> > > > >
> > > > > 11. client on the device -> client on a device
> > > > >
> > > > > 12. user's name and password -> user's username and password?
> > > > >
> > > > > 13. user and accounting -> user, and accounting
> > > > >
> > > > > 14. is intended to augment -> augments
> > > > >
> > > > > 15. A couple of places "e.g." should be replaced with "e.g.,"
> > > > >
> > > > > Appendix A:
> > > > >
> > > > > 16. In the example, possibly delete the "single-connection" leaf
> > > > > since that is a default value.
> > > > >
> > > > > Regards,
> > > > > Rob

v2.23.0 | Report a Bug | By Email