Last Call Review of draft-ietf-opsawg-tacacs-yang-03
review-ietf-opsawg-tacacs-yang-03-secdir-lc-sheffer-2020-05-08-00

Request Review of draft-ietf-opsawg-tacacs-yang
Requested revision No specific revision (document currently at 12)
Type IETF Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-05-03
Requested 2020-04-20
Requested by Joe Clarke
Authors Bo Wu , Guangying Zheng , Zitao Wang
I-D last updated 2021-08-05 (Latest revision 2021-05-14)
Completed reviews Secdir IETF Last Call review of -03 by Yaron Sheffer (diff)
Yangdoctors IETF Last Call review of -03 by Ladislav Lhotka (diff)
Secdir IETF Last Call review of -09 by Yaron Sheffer (diff)
Genart IETF Last Call review of -09 by Mohit Sethi (diff)
Assignment Reviewer Yaron Sheffer
State Completed
Request IETF Last Call review on draft-ietf-opsawg-tacacs-yang by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/6eIkdrZSypBCVeSwsX6Urq7KzZ8
Reviewed revision 03 (document currently at 12)
Result Has nits
Completed 2020-05-08
review-ietf-opsawg-tacacs-yang-03-secdir-lc-sheffer-2020-05-08-00
This document defines a YANG module for the configuration of TACACS+ clients.

The document is short and straightforward, and I only have one significant
comment.

* I am not familiar with common security practices for the devices covered by
this protocol. But I am wondering, should the "shared-secret" field be made
optional, so that it can be entered "out of band" in applications that prefer
not to keep it stored in the YANG configuration store and available to network
management tools?

* Not a security comment: the YANG module includes a reference to
draft-ietf-opsawg-tacacs-18, but I assume that you'll want to replace it with
the RFC number for that draft once it is published. Yet I don't see an RFC
Editor note mentioning that.

* It is confusing that "messages-received" is for messages received by the
server, and "errors-received" is for errors received *from* the server.