Hi Stephen,

thank you for the quick review!

On 2023-10-06, at 13:30, Stephen Farrell via Datatracker <noreply@xxxxxxxx> wrote:
>
> Reviewer: Stephen Farrell
> Review result: Ready
>
> I'm not a yang expert. The document is clear. I'm not sure how the dynamics of
> these allocations will play out over time, but it seems entirely reasonable to
> try this as planned.

This is indeed breaking new ground; I’m optimistic...

> One nit, the draft says:
>
> The following items are identified using SIDs:
> * identities
>
> That seems wrong, you're not intending that a 63-bit number be allocated for
> user@xxxxxxxxxxx so I think what you mean is that SIDs can identify types of
> identity/identifiers rather than the values of those.

“identity” is a YANG term of art, see RFC 7950, Section 3:

   o  identity: A globally unique, abstract, and untyped name.

Typical identities are essentially enumeration values of the protocols, i.e., code points that are text-based (in YANG-XML and YANG-JSON).
They are defined in the YANG module, and we need to give them SIDs to be more efficient.

These are the identities in ietf-system.sid:

   1701,identity,authentication-method,
   1702,identity,local-users,
   1703,identity,radius,
   1704,identity,radius-authentication-type,
   1705,identity,radius-chap,
   1706,identity,radius-pap,

These are actually in a derivation hierarchy (see YANG excerpt below), but we don’t see that in the SID allocation.

> If the latter were the
> intent, then I'd have significant privacy concerns and this review would have
> reached a "not ready" conclusion.

Indeed, but luckily these are not user identities.

Regards, Carsten


YANG excerpt:

     identity authentication-method {
       description
         "Base identity for user authentication methods.";
     }

     identity radius {
       base authentication-method;
       description
         "Indicates user authentication using RADIUS.";
       reference
         "RFC 2865: Remote Authentication Dial In User Service (RADIUS)
          RFC 5607: Remote Authentication Dial-In User Service (RADIUS)
                    Authorization for Network Access Server (NAS)
                    Management";
     }

     identity local-users {
       base authentication-method;
       description
         "Indicates password-based authentication of locally
          configured users.";
     }

     identity radius-authentication-type {
       description
         "Base identity for RADIUS authentication types.";
     }

     identity radius-pap {
       base radius-authentication-type;
       description
         "The device requests Password Authentication Protocol (PAP)
          authentication from the RADIUS server.";
       reference
         "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
     }

     identity radius-chap {
       base radius-authentication-type;
       description
         "The device requests Challenge Handshake Authentication
          Protocol (CHAP) authentication from the RADIUS server.";
       reference
         "RFC 2865: Remote Authentication Dial In User Service (RADIUS)";
     }

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call