On 07. 05. 20 12:37, tom petch wrote:
> From: OPSAWG <[email protected]> on behalf of Wubo (lana)
> <[email protected]>
> Sent: 07 May 2020 09:08
>
> Hi Lada, Joe,
>
> Thanks for the guidance, please see inline.
>
> Thanks,
> Bo
>
> -----Original Message-----
> From: Ladislav Lhotka [mailto:[email protected]]
> Sent: 7 May 2020 14:38
>
> "Joe Clarke (jclarke)" <[email protected]> writes:
>
>>> - Is it correct that the server type may be either one of "authentication",
>>> "authorization" or "accounting", or all of them? Is it impossible for a
>>> server to be authentication & authorization but not accounting? Such a
>>> variant cannot be configured.
>>> [Bo] OK, will correct when the final guidance on this issue is received.
>>
>> Lada replied yesterday to say that the bit string is likely preferred
>> similar to access-operations in ietf-netconf-acm. I might personally
>> discourage the use of ‘*’ for this given that there are only three types,
>> but that’s just my individual thought.
>
> +1
>
> I think it is better to have all three types explicitly in the value. Perhaps
> this could also be the default?
>
> Lada
> [Bo] Please see if the definition below is correct:
> typedef tcsplus-server-type {
>   type bits {
>     bit authentication {
>       description
>         "When set, the server is an authentication server.";
>     }
>     bit authorization {
>       description
>         "When set, the server is an authorization server.";
>     }
>     bit accounting {
>       description
>         "When set, the server is an accounting server.";
>     }
>     bit all {
>       description
>         "When set, the server can be all types of TACACS+ servers.";
>     }
>
>   }
>   description
>     "server-type can be set to authentication/authorization/accounting
>      or any combination of the three types.
>      When all three types are supported, either \"all\" or the three bits
>      setting can be used";
> }
>
> <tp>
> I would drop the all. I know that I suggested it, or an asterisk, but I was
> thinking that this was a common case. Joe suggests that no accounting is
> the commoner - I do not have sufficient exposure to know - in which case I
> would not bother with 'all'. Whether or not to make auth/auth the default I
> have no particular view on - as I say, I lack the exposure to be confident
> about that.
>
> Having 'all' adds complexity, two ways to something, while making a small
> saving in message size - on balance, not worth it.

Agreed.

Lada

>
> Tom Petch
>
>>
>> Joe
>>
>
> --
> Ladislav Lhotka
> Head, CZ.NIC Labs
> PGP Key ID: 0xB8F92B08A9F76C67
> _______________________________________________
> OPSAWG mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsawg
>

--
Ladislav Lhotka
Head, CZ.NIC Labs
PGP Key ID: 0xB8F92B08A9F76C67
