Hi Bo, My comments: (ignoring simple typos and placeholder values as this is a first draft)
* What is a TACACS+ template? To my knowledge this is not a standard concept. The word "template" does not appear in draft-ietf-opsawg-tacacs-10.
* What is a domain name, in the context of usernames? "domain" also does not appear in draft-ietf-opsawg-tacacs-10.
* I don't think ipv4-address-no-zone should be used by default, unless there is a good reason to prohibit the use of zones. Systems that do not implement zones can reject addresses containing zones; but some systems may require zones.
* This module seems to imply a particular server selection algorithm (with the use of primary/secondary and current servers). What is the algorithm? Our TACACS+ code does not have a concept of a primary, secondary or current server. It has a prioritized list of servers, and tries each request towards each server in turn until it receives a pass or fail response (as opposed to an error). The assumption in this design is that servers are up most of the time.
* Many of the leaves seem unnecessary and not terribly useful. For example, sec-author-srv-num (Total number of configured secondary authorization servers in the template). Is this value needed so frequently that it needs to be available as a separate value - instead of having the management client simply read the whole list of servers, and count how many are secondary and used for authentication?
* What is the public net?
* Why is there a maximum of 32 servers?
* There should not need to be separate lists for ipv4 and ipv6 servers. I see that ipv6 servers don't support public-net, so I'll reserve judgement until I find out what public-net does.
* What should implementations do if they don't support ietf-network-instance?

As a related side note, I'd really like to see a standard for TACACS+ over TLS.

Regards,
Alex

________________________________________
From: netmod <[email protected]> on behalf of Wubo (lana) <[email protected]>
Sent: Monday, 2 July 2018 8:07 p.m.
To: [email protected]; [email protected]
Subject: EXTERNAL: Re: [netmod] New Version Notification for draft-zheng-netmod-tacacs-yang-01.txt

Dear Netmod, Opsawg,

Please see our newly uploaded draft of the TACACS+ YANG data model, which can be found at https://www.ietf.org/internet-drafts/draft-zheng-netmod-tacacs-yang-01.txt. This data model draft is based on the TACACS+ working group draft - https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-10.

TACACS+ provides Device Administration for routers, network access servers and other networked computing devices via one or more centralized servers. With various TACACS+ implementations, service providers may need different TACACS+ YANG modules to manage massive numbers of devices. So we propose to define a generic TACACS+ data model to alleviate this issue.

We are looking forward to receiving your response.

Best regards,
Bo

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: 2 July 2018 14:15
To: wangzitao <[email protected]>; Wubo (lana) <[email protected]>; Zhengguangying (Walker) <[email protected]>; Wubo (lana) <[email protected]>; wangzitao <[email protected]>
Subject: New Version Notification for draft-zheng-netmod-tacacs-yang-01.txt

A new version of I-D, draft-zheng-netmod-tacacs-yang-01.txt has been successfully submitted by Bo Wu and posted to the IETF repository.
Name:           draft-zheng-netmod-tacacs-yang
Revision:       01
Title:          Yang data model for Terminal Access Controller Access Control System Plus
Document date:  2018-07-01
Group:          Individual Submission
Pages:          33
URL:            https://www.ietf.org/internet-drafts/draft-zheng-netmod-tacacs-yang-01.txt
Status:         https://datatracker.ietf.org/doc/draft-zheng-netmod-tacacs-yang/
Htmlized:       https://tools.ietf.org/html/draft-zheng-netmod-tacacs-yang-01
Htmlized:       https://datatracker.ietf.org/doc/html/draft-zheng-netmod-tacacs-yang
Diff:           https://www.ietf.org/rfcdiff?url2=draft-zheng-netmod-tacacs-yang-01

Abstract:
   This document describes a data model of Terminal Access Controller Access Control System Plus (TACACS+). The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in [RFC8342].

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
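The server-selection behaviour Alex contrasts with the draft's primary/secondary/current model (a single prioritized list, stop at the first authoritative pass or fail, move on after an error) is shown below as an added example in Python. It is not code from the draft, from Alex's implementation, or from the YANG module; the addresses are documentation ranges, the transport is a constructed stand-in keyed by server address, and only the REPLY status constants come from the TACACS+ specification (draft-ietf-opsawg-tacacs / RFC 8907). Note the security-relevant distinction the loop makes: a FAIL is final and never retried on another server, while an ERROR or unreachable server is "no answer" and must end up as a deny unless the device has an explicit local-fallback policy.

```python
"""Prioritized TACACS+ server selection: try servers in priority order and stop
at the first authoritative PASS or FAIL; a transport error or an ERROR status
means "no answer", so move on to the next server.

Added example. The transport is simulated (outcomes keyed by server address);
only the REPLY status constants are taken from the TACACS+ specification."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

# Authentication REPLY status values from draft-ietf-opsawg-tacacs (RFC 8907).
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07


class TransportError(Exception):
    """Connect failure, timeout, or a reply that fails integrity checks (simulated)."""


@dataclass(frozen=True)
class Server:
    address: str        # hostname or IP literal; one list serves v4 and v6 alike
    port: int = 49      # TACACS+ default port
    priority: int = 0   # lower value is tried first; no primary/secondary roles


# A transport takes (server, user, password) and returns the REPLY status byte.
Transport = Callable[[Server, str, str], int]


def authenticate(servers: List[Server], user: str, password: str,
                 send: Transport) -> Tuple[str, Optional[str]]:
    """Walk the prioritized list until a server gives an authoritative answer.

    Returns ("pass" | "fail" | "error", address of the answering server or None).
    "error" means no server answered; the caller must treat that as a deny unless
    the device has an explicit local-fallback policy (fail closed by default).
    """
    for srv in sorted(servers, key=lambda s: s.priority):
        try:
            status = send(srv, user, password)
        except TransportError:
            continue                       # server unreachable: try the next one
        if status == TAC_PLUS_AUTHEN_STATUS_PASS:
            return "pass", srv.address
        if status == TAC_PLUS_AUTHEN_STATUS_FAIL:
            return "fail", srv.address     # authoritative deny: never ask another server
        # TAC_PLUS_AUTHEN_STATUS_ERROR, or a status this client does not handle:
        # the server could not decide, so fall through to the next server.
    return "error", None


# Constructed stand-in for the network: maps address -> status value, or an
# exception class to raise (simulating an unreachable server).
Outcome = Union[int, type]


def simulated_transport(behaviour: Dict[str, Outcome]) -> Transport:
    def send(srv: Server, user: str, password: str) -> int:
        outcome = behaviour[srv.address]
        if isinstance(outcome, type) and issubclass(outcome, Exception):
            raise outcome()
        return outcome
    return send


# Example server list (documentation addresses, constructed for this example).
SERVERS = [
    Server("192.0.2.10", priority=1),
    Server("192.0.2.20", priority=2),
    Server("2001:db8::1", priority=3),
]


def failover_to_third() -> Tuple[str, Optional[str]]:
    """First server down, second returns ERROR, third grants: answer comes from the third."""
    send = simulated_transport({
        "192.0.2.10": TransportError,
        "192.0.2.20": TAC_PLUS_AUTHEN_STATUS_ERROR,
        "2001:db8::1": TAC_PLUS_AUTHEN_STATUS_PASS,
    })
    return authenticate(SERVERS, "admin", "hunter2", send)


def deny_is_final() -> Tuple[str, Optional[str]]:
    """A FAIL from the first server ends the search, even though a later one would PASS."""
    send = simulated_transport({
        "192.0.2.10": TAC_PLUS_AUTHEN_STATUS_FAIL,
        "192.0.2.20": TAC_PLUS_AUTHEN_STATUS_PASS,
        "2001:db8::1": TAC_PLUS_AUTHEN_STATUS_PASS,
    })
    return authenticate(SERVERS, "admin", "hunter2", send)


def everything_down() -> Tuple[str, Optional[str]]:
    """No server answers: the result is "error", which must not be treated as a PASS."""
    send = simulated_transport({addr: TransportError for addr in
                                ("192.0.2.10", "192.0.2.20", "2001:db8::1")})
    return authenticate(SERVERS, "admin", "hunter2", send)


if __name__ == "__main__":
    print(failover_to_third())   # ('pass', '2001:db8::1')
    print(deny_is_final())       # ('fail', '192.0.2.10')
    print(everything_down())     # ('error', None)
```

A YANG module that wants to describe this behaviour needs only an ordered list of servers (a single list carrying either address family) and the per-server timeout/retry knobs; the "current server" is transient state of the client, not configuration, and the counts Alex questions can be derived by the management client from the list itself.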
