> Reviewer: Yingzhen Qu
> Review result: Has Issues
>
> 190 To ensure separation of TACACS+ traffic that uses TLS from that which
> 191 does not (Section 5.3), they will be deployed on different ports.
>
> Q: This seems to contradict with section 5.1.1, which says "TACACS+ servers that
> have TLS support MUST NOT allow Non-TLS connections". If a TACACS+ server uses TLS,
> it should not have non-TLS connections.

The draft does not provide a way to deploy both versions of TACACS on the same port and requests the allocation of a new well-known port, as you read. S5, the security considerations section, is recommending the consideration noted; it is not recommended to deploy both versions on the same server, to avoid exposure from a downgrade incident or misconfiguration. It should specifically mention misconfiguration; this seems to have been dropped. "will" probably ought to be "SHOULD".

> 205 A TACACS+ client initiates a TLS connection by making a TCP
> 206 connection to a configured server on the TACACS+ TLS port number
> 207 ([TBD]) (Section 3.1).
>
> Q: should this reference Section 7?

It does, via S3.1. But I expect that the editor will remove S7 after a port is assigned. Isn't that the SOP?

> 303 For the server-side validation of client identities, Implementations
> 304 must support the ability to configure which fields of a certificate
>
> Should this be MUST?

Yes.

_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
