Re: security model
Dave,
You suggest the following:
5. Data Privacy (new)
This mode protects against T3 types of threats. The initiator
encrypts/decrypts data. The target stores encrypted data.
This sort of idea has come up before in a number of other (non-iSCSI)
contexts. However, I've always felt that this was not an issue for either
the transport (iSCSI) or for the SCSI layer itself. If an initiator
wants to protect its data in this way (from unauthorized use at the storage
device), he needs only to encrypt it at the source. That is LONG before it
ever gets to the SCSI or iSCSI/FCP/SPI/SST.... layer. The point is that
none of these layers need participate in this process; the target (and any
of its protocol stack layers) need not participate as well. So no
specification in these layers is required; e.g., it need not be included in
the iSCSI spec (though a NOTE commenting on this point might be useful).
The application layer above all this SCSI stuff can do it autonomously.
However, you run into interesting design problems if the data needs to be
shared amongst different hosts or different applications. But that exists
so long as the data is stored in encrypted form at all, regardless of which
layer did the encrypting.
The more important issue, I think, is unauthorized access to the data while
it is stored. If the wrong guy can get to the data, whether it's encrypted
or not, that guy can DESTROY the data. This is the more fundamental threat
as it attacks the heart of a storage device's nature. I think the login
authentication should handle that role.
Jim Hafner
Last updated: Tue Sep 04 01:07:36 2001