Adding on to this, there is an issue with the YANG module, which is throwing a
warning.
OLD:
leaf vrf-instance {
type leafref {
path "/ni:network-instances/ni:network-instance/ni:name";
}
must "(not(../source-interface)) or "
+ "(current() = /if:interfaces/if:interface"
+ "[if:name = current()/../source-interface]"
+ "/bind-ni-name)" {
error-message
"VRF instance must match the network instance of the
source interface.";
}
NEW:
leaf vrf-instance {
type leafref {
path "/ni:network-instances/ni:network-instance/ni:name";
}
must "(not(../source-interface)) or "
+ "(current() = /if:interfaces/if:interface"
+ "[if:name = current()/../source-interface]"
+ "/ni:bind-ni-name)" {
error-message
"VRF instance must match the network instance of the
source interface.";
}
That is, fix the namespace for bind-ni-name.
Joe
From: Joe Clarke (jclarke) <[email protected]>
Date: Friday, March 7, 2025 at 10:58
To: [email protected] <[email protected]>
Subject: [OPSAWG]WGLC/Shepherd comments for TACACS+ TLS YANG
(draft-ietf-opsawg-secure-tacacs-yang)
I have reviewed the latest version of this draft, and I think it’s in good
shape overall. However, I did find a few typos and I have a few requests for
clarification and changes. I like Med’s approach to the “track changes”, so
I’m attaching the PDF of that here. To summarize my more substantive comments:
· I’d like to see discontinuity defined more clearly
· The PSK context should have a length reflected in YANG
· While more for the main TACACS+ TLS draft, the use of Server vs.
server should probably be normalized
And while not in my track changes comments, I have a question. In your
appendix B, you have examples with SNI enabled where each of the four specified
servers uses the same domain name. Is that an approach that is typically done?
In my TACACS+ deployments, I generally have primary and secondary servers, but
each have their own FQDN. And I imagine when I deploy TACACS+ TLS, I would
have the same server certificates. That is, each server would have its own
FQDN/SNI. Though I admit v4 and v6 would be two sides of the same server.
Joe
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
