IETF Logo Mail Archive

[yang-doctors] [Ladislav Lhotka] Re: Yangdoctors last call review of draft-ietf-opsawg-tacacs-yang-03

Ladislav Lhotka <ladislav.lhotka@nic.cz> Tue, 05 May 2020 14:31 UTC

Return-Path: <ladislav.lhotka@nic.cz>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F4C73A077F; Tue, 5 May 2020 07:31:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42n9rBcUOmT8; Tue, 5 May 2020 07:31:54 -0700 (PDT)
Received: from trail.lhotka.name (trail.lhotka.name [77.48.224.143]) by ietfa.amsl.com (Postfix) with ESMTP id D84C13A0538; Tue, 5 May 2020 07:31:53 -0700 (PDT)
Received: by trail.lhotka.name (Postfix, from userid 109) id F25BA86007F; Tue, 5 May 2020 16:31:52 +0200 (CEST)
Received: from localhost (unknown [172.29.2.100]) by trail.lhotka.name (Postfix) with ESMTPSA id 04F56860052; Tue, 5 May 2020 16:31:52 +0200 (CEST)
From: Ladislav Lhotka <ladislav.lhotka@nic.cz>
To: opsawg@ietf.org, YANG Doctors <yang-doctors@ietf.org>
References: <87zhamsc04.fsf@nic.cz>
Date: Tue, 05 May 2020 16:31:51 +0200
Message-ID: <87r1vysbag.fsf@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/v9CvnsfYGc0nW8iyU-W_twcCRW8>
Subject: [yang-doctors] [Ladislav Lhotka] Re: Yangdoctors last call review of draft-ietf-opsawg-tacacs-yang-03
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 14:31:56 -0000

Resending to the mailing lists - I changed my company mail address to ladislav.lhotka@nic.cz and it causes problems once in a while.

Lada

-------------------- Start of forwarded message --------------------
From: Ladislav Lhotka <lhotka@nic.cz>
Date: Tue, 05 May 2020 16:16:27 +0200

"Joe Clarke (jclarke)" <jclarke@cisco.com> writes:

> Thank you for your review, Lada.  One item came up in WGLC about the server-type leaf (and you have called that out below).
>
> Right now, this is an enumeration.  As you say (and also Tom Petch
> pointed out) that typically a server will have multiple types (i.e.,

In fact, Tom pointed out other things that I also had in my review (I didn't know about that thread before, I swear:-).

> a server will be used for authn, authz, and acct).  So Bo proposed a
> leaf-list solution whereby one could specify multiple values for
> server-type.  Tom counter-proposed a bit string (akin to chmod and
> NACM CRUDX handling).  As a contributor, I liked the leaf-list idea,
> but Tom is still leaning toward the bit string.  We wanted to get
> YAND Doc’s opinion on this.

I was also thinking about the "bits" type, it is IMO designed for cases like this. Note that in XML or JSON representation (not in CBOR, though), the on-the-wire instance encoding is also self-describing, e.g.

<server-type>authentication authorization</server-type>

Lada

>
> The full thread can be found at https://mailarchive.ietf.org/arch/msg/opsawg/Q_ov6M-PZF4rlsCae0qZh1aE6tg/ .  If you could provide some guidance on this that would be appreciated.
>
> Joe
>
> On May 4, 2020, at 09:16, Ladislav Lhotka via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
>
> Reviewer: Ladislav Lhotka
> Review result: Ready with Nits
>
> The YANG module specified in this I-D defines a relatively simple augmentation
> of the "ietf-system" module that enables configuration of TACACS+
> authentication. The ietf-system-tacacsplus module is in a good shape, I found
> no substantial problems.
>
> **** Comments
>
> - In sec. 3, the text says: 'The ietf-system-tacacsplus module is intended to
> augment the "/sys:system" path defined in the ietf-system module with
> "tacacsplus" grouping.' It would be more precise to say '... with the contents
> of the "tacacsplus" grouping.'
>
> - Description of the leaf
> /ietf-system-tacacsplus:tacacsplus/statistics/sessions is cryptic and unclear.
>
> - Typo in error-message of
> /ietf-system:system/ietf-system-tacacsplus:tacacsplus: s/sysytem/system/
>
> - Is it correct that the server type may be either one of "authentication",
> "authorization" or "accounting", or all of them? Is it impossible for a server
> to be authentication & authorization but not accounting? Such a variant cannot
> be configured.
>
> - The "case" statements in ietf-system-tacacsplus:tacacsplus/source-type are
> unnecessary because each contains only one leaf of the same name; I suggest to
> remove them.
>
> - Security Considerations should specifically address the "shared-secret" leaf.
>
> - The purpose of Appendix A is unclear, the information it provides is (or
> should be) in the previous text, the YANG module, and RFC 7317. Instead, it
> would be useful to provide an example of TACACS+ configuration, e.g. in JSON
> representation.
>
>
>

-- 
Ladislav Lhotka 
Head, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67
-------------------- End of forwarded message --------------------

-- 
Ladislav Lhotka 
Head, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67

v2.23.0 | Report a Bug | By Email