This diff looks good to me.

And while not in my track changes comments, I have a question.  In your 
appendix B, you have examples with SNI enabled where each of the four specified 
servers uses the same domain name.  Is that an approach that is typically done?
In my TACACS+ deployments, I generally have primary and secondary servers, but 
each have their own FQDN.  And I imagine when I deploy TACACS+ TLS, I would 
have the same server certificates.  That is, each server would have its own 
FQDN/SNI.  Though I admit v4 and v6 would be two sides of the same server.
[Med] The rationale we are following is the last part of your comment. More 
importantly, this example is to illustrate the use of *-reference but with 
multiple IPv4/IPv6 locators:

CURRENT:
Figure 5 <https://boucadair.github.io/secure-tacacs-yang/draft-ietf-opsawg-secure-tacacs-yang.html#ex-ref>
shows a configuration example with credential references for multiple service 
instances:

Like any other example, these should not be considered as deployment 
recommendations.

[JMC] Fair, though every so often I get pedantic.  As you say, the reference 
does what it says on the cred reference.

Joe
_______________________________________________
OPSAWG mailing list -- opsawg@ietf.org
To unsubscribe send an email to opsawg-le...@ietf.org
