RE: Security Use Requirements

[Black_David@emc.com]

> I think it might help to explicitly define what you mean by "correct".
> For example, it might be possible for the iSCSI target to control
> access to LUNs based on characteristics of the certs negotiated
> in IKE, and characteristics of the IPSEC SA. However, I wouldn't
> suggest that something like this (which requires more advanced
> APIs than are generally available) is required or even
> generally useful.

The more important problem is one level closer to the network.
iSCSI envisions and allows multiple targets behind a single IP
address and TCP port.  The targets are named (via WWUIs) in a
fashion that neither IPsec nor TLS can be expected to understand
natively (and I strongly agree with the comment about not
changing IKE being the preferred course).  Bernard's comments
about linking iSCSI identity or proof of identity to IPSec are
along the lines of what needs to be done here.

We should stay away from individual LUN access issues, for
two reasons:
(1) They're in T10's domain and T10 is working on them.
(2) There really aren't any standard ways to do this sort of thing
	currently deployed in the Fibre Channel world, yet.
Some words on how to accomplish this by using a (virtual) target per
initiator or group of initiators whose access privileges need to be
distinguished would be worth including as an example, but such
an approach probably should not be required.

--David
---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------