Re: [Last-Call] Yangdoctors last call review of draft-ietf-opsawg-tacacs-yang-03

On 07. 05. 20 12:37, tom petch wrote:
> From: OPSAWG <opsawg-bounces@xxxxxxxx> on behalf of Wubo (lana) <lana.wubo@xxxxxxxxxx>
> Sent: 07 May 2020 09:08
> 
> Hi Lada, Joe,
> 
> Thanks for the guidance, please see inline.
> 
> Thanks,
> Bo
> 
> -----Original Message-----
> From: Ladislav Lhotka [mailto:ladislav.lhotka@xxxxxx]
> Sent: 7 May 2020 14:38
> 
> "Joe Clarke (jclarke)" <jclarke@xxxxxxxxx> writes:
> 
>>> - Is it correct that the server type may be either one of "authentication", "authorization" or "accounting", or all of them? Is it impossible for a server to be authentication & authorization but not accounting? Such a variant cannot be configured.
>>> [Bo] OK, will correct when the final guidance on this issue is received.
>>
>> Lada replied yesterday to say that the bit string is likely preferred similar to access-operations in ietf-netconf-acm.  I might personally discourage the use of ‘*’ for this given that there are only three types, but that’s just my individual thought.
> 
> +1
> 
> I think it is better to have all three types explicitly in the value. Perhaps this could also be the default?
> 
> Lada
> [Bo] Please see if the definition below is correct:
>   typedef tcsplus-server-type {
>        type bits {
>          bit authentication {
>            description
>              "When set, the server is an authentication server.";
>          }
>          bit authorization {
>            description
>              "When set, the server is an authorization server.";
>          }
>          bit accounting {
>            description
>              "When set, the server is an accounting server.";
>          }
>          bit all {
>            description
>              "When set, the server can be all types of TACACS+ servers.";
>          }
> 
>        }
>        description
>          "server-type can be set to authentication/authorization/accounting or any combination of the three types.
>           When all three types are supported, either 'all' or the three bits setting can be used.";
>      }
> 
> <tp>
> I would drop the all. I know that I suggested it, or an asterisk, but I was thinking that this was a common case. Joe suggests that no accounting is the commoner - I do not have sufficient exposure to know - in which case I would not bother with 'all'. Whether or not to make auth/auth the default I have no particular view on - as I say, I lack the exposure to be confident about that.
> 
> Having 'all' adds complexity, two ways to do something, while making a small saving in message size - on balance, not worth it.

Agreed. Lada

> 
> Tom Petch 
> 
>>
>> Joe
>>
> 
> --
> Ladislav Lhotka
> Head, CZ.NIC Labs
> PGP Key ID: 0xB8F92B08A9F76C67
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/opsawg
> 

-- 
Ladislav Lhotka
Head, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
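
Added illustration, not part of the thread or of the draft: a Python sketch of the "two ways to do something" point, enumerating how many distinct `bits` values describe the same set of server roles with and without the `all` bit. It assumes the bit names from the quoted typedef, the RFC 7950 lexical and canonical forms for `bits`, and that `all` means "every role"; the helper names are hypothetical.

```python
from itertools import combinations

# Bit positions follow the order of the bit statements in the quoted typedef
# (RFC 7950 assigns 0, 1, 2, ... when no position is given).
BITS_WITH_ALL = {"authentication": 0, "authorization": 1, "accounting": 2, "all": 3}
BITS_NO_ALL = {"authentication": 0, "authorization": 1, "accounting": 2}
ROLES = frozenset(BITS_NO_ALL)


def parse_bits(value, bits):
    """Parse a YANG bits lexical value: space-separated names of the set bits."""
    names = value.split()
    unknown = [n for n in names if n not in bits]
    if unknown:
        raise ValueError(f"unknown bit name(s): {unknown}")
    return frozenset(names)


def canonical(value, bits):
    """Canonical form: set bits ordered by position, single-space separated."""
    return " ".join(sorted(parse_bits(value, bits), key=bits.__getitem__))


def effective_roles(value, bits):
    """Roles the server performs; 'all' (assumed semantics) expands to every role."""
    names = parse_bits(value, bits)
    return ROLES if "all" in names else names & ROLES


def redundant_encodings(bits):
    """Map each role set to its canonical spellings, keeping only role sets
    that can be written in more than one way."""
    groups = {}
    for size in range(1, len(bits) + 1):
        for combo in combinations(bits, size):
            value = canonical(" ".join(combo), bits)
            groups.setdefault(effective_roles(value, bits), set()).add(value)
    return {roles: vals for roles, vals in groups.items() if len(vals) > 1}


if __name__ == "__main__":
    for roles, vals in redundant_encodings(BITS_WITH_ALL).items():
        print(sorted(roles), "has", len(vals), "spellings:", sorted(vals))
    print("without 'all':", redundant_encodings(BITS_NO_ALL))
```

With `all` present, any consumer that compares the leaf value (for example, to decide whether a server receives accounting records) has to normalize first; without it, the canonical value alone identifies the role set.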



