Re: Security Use Requirements

[David Robinson <David.Robinson@EBay.Sun.COM>]

Bernard Aboba wrote:
> >I haven't heard anyone strongly request this. Hopefully
> >another body will handle this within the SCSI layer.  If
> >there is demand I would suggest looking at how the NFSv4 WG
> >handled this using GSSAPI.  But I personally think that is
> >overkill for iSCSI.
> 
> Are you saying that we *don't* need to worry about multiple
> SCSI authentications to the same target IP address and port?
> That would certainly simplify things.

I can easily see a design that has multiple authentications
on the same connection.  But I am going to argue that we
resist it strongly. Unlike NFS where there are multiple
principals on a node muxed over a single connection,
SCSI tends to have just one principal (the node) over
a connection. While I think that the SCSI community would
like to move towards the more complex model, they will have to
come up with a common model that will map to all the various
transports which I hope will be above the transport layer.
iSCSI can then just focus on securing the connection between
two nodes and let SCSI deal with multiple authentications.

I am curious if anyone else thinks we should try and tackle
the much harder problem at the iSCSI layer?

	-David