On May 1, 2022, at 9:32 AM, Douglas Gash (dcmgash) <[email protected]> wrote:
> To this end, we have split your comments into 4 main issues, and I’ll be
> making a response (your other points will be responded to shortly by the
> other authors.) to the following points from your mail
> ..
> The purpose of Section 4 is to introduce arguments handling into
> Authentication phase of the T+ protocol, to align it with the
> authorization and accounting phases. To recap: authorization and accounting
> phases have extensible arguments handling, authentication does not. Section 4
> intends to bring the same patterns we have in authorization and accounting
> into authentication.

That's useful, but my concern here is "feature creep". The original discussions were to (a) document historical TACACS+, and (b) add TLS transport for security. We're now well past that into extending the protocol with new features.

> Regarding the Proxy Flow specifically: in the experience of the authors this
> is not a new flow for T+: it is an established practice in the field.

Which wasn't mentioned in the previous document, I don't recall seeing much discussion of it in relation to that document. The text in this document is clear that proxying is new, and requires a change to the TACACS+ version. Is this established practice?

So what is the purpose of this document? TACACS+ and TLS? Or TACACS+ extensions? Or documenting TACACS+ proxying? Why has the scope changed from the original discussion from a few years ago?

Alan DeKok.
