Éric Vyncke has entered the following ballot position for draft-ietf-opsawg-secure-tacacs-yang-12: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsawg-secure-tacacs-yang/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- # Éric Vyncke, INT AD, comments for draft-ietf-opsawg-secure-tacacs-yang-12 CC @evyncke Thank you for the work put into this document. Please find below one blocking DISCUSS points (trivial to address), some non-blocking COMMENT points/nits (replies would be appreciated even if only for my own education). Special thanks to Joe Clarke for the shepherd's detailed write-up including the WG consensus and the justification of the intended status. I hope that this review helps to improve the document, Regards, -éric ## DISCUSS (blocking) As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a DISCUSS ballot is just a request to have a discussion on the following topics: ### Incoherence between tree view and the actual model As INT AD, I pay specific attention to addresses and domain names, hence I noticed in section 3: ``` +--rw address inet:host +--rw port? inet:port-number ``` While the actual model in section 4 is: ``` leaf address { type inet:host; mandatory true; description "The IP address or name of the TACACS+ server."; } leaf port { type inet:port-number; mandatory true; description "The port number of TACACS+ server. Default port number for legacy TACACS+ is 49, while it is TBD for TACACS+TLS."; } ``` I.e., it is unclear whether "port" is mandatory due to conflicting information. Moreover, if it is mandatory why specifying default values ? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ## COMMENTS (non-blocking) ### Section 4 I will let the SEC ADs have the final word of course, but I wonder whe the domain-name leaf is not mandatory ? I.e., the client must check whether the server certificate matches the expected SN of the certificate. Should the YANG module also include which cipher-suite was actually negotiated ? ### Appendix B Thanks for the IPv6 examples ;-) _______________________________________________ OPSAWG mailing list -- opsawg@ietf.org To unsubscribe send an email to opsawg-le...@ietf.org
