I have read rev -11 of this draft, and I have some feedback as a contributor.
But first (as chair), I thank the authors and shepherd for addressing the feedback that has come in so far. I encourage the WG to read this new revision and see if it fully addresses the concerns raised.

Now on to my review.

Section 2.4 was a bit awkward to read. What about:

NEW:
A TACACS+ server, as defined in Section 3.2 of [RFC8907], responds to TACACS+ traffic and is bound to a specific port number on a particular IP address or hostname. This definition is critical because it helps inform the configuration of TACACS+ clients so that they direct their traffic to the appropriate TACACS+ servers.

In Section 3.5, you have normative statements:

   Where PSK Authentication is implemented, PSK lengths of at least 64 octets or more MUST be supported.

AND

   Implementations MUST support PSK identities of 128 octets or more.

The "or more" is odd to me. In the latter case, it seems that not all TLS implementations support 128-byte identity lengths. If an implementation is based on mbedTLS, it seems it may not be able to support 128 bytes, and this might be a valid library to use for a device's TACACS+ implementation. Why not just say that at least 16 octet lengths MUST be supported (and drop the "or more" as it is redundant)?

Joe
_______________________________________________
OPSAWG mailing list -- opsawg@ietf.org
To unsubscribe send an email to opsawg-le...@ietf.org