|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: iSCSI: Login ProposalHi Steve, I forgot to answer your latter two questions in my earlier email! Comments within:- Cheers Matthew -----Original Message----- From: Steve Senum [mailto:ssenum@cisco.com] Sent: Tuesday, August 21, 2001 9:14 PM To: ietf-ips Subject: Re: iSCSI: Login Proposal Matthew/Marjorie/Bob: Some questions on your login proposal: 1. Why the following restriction? SecurityContextComplete=yes MUST NOT be present in the login command. I don't see the benefit in not allowing something like: I: AuthMethod:none HeaderDigest:crc-32c,none DataDigest:crc-32c,none SecurityContextComplete=yes T: AuthMethod:none HeaderDigest:crc-32c DataDigest:crc-32c SecurityContextComlete=yes 2. In the following: If the login command does not contain security parameters the target MUST perform one of the two actions below: a) If the target requires security negotiation to be performed, then it MUST enter the security phase and MUST send a text response containing one or more security parameters and F=0. b) Is this really needed? Why not simply require the initiator to offer security parameters if it supports them? I would hope authentication would become the typical case for login. MATTHEW: So I was maintaining flexibility here. If an initiator prefers not to negotiate security then why force it? Also, the login is faster if neither side want to negotiate security. I think the majority of people would go for flexibility and provided that the procedure caters for all four scenarios of either side wanting/not wanting security then the flexibility should be present. In other words, as long as the flexibility does not cause interoperability problems and allows everyone to do what they want to do then the flexibility should be there. I agree that the typical case would be to include authentication but some people will always want to skip it. 3. Is there only one Login Reponse then (just asking)? MATTHEW: yes. In deriving the proposal we came to the conclusion that the partial login response is unnecessary so we removed it. Also, some implementers have said that this makes the implementation easier as they will always return a text response unless login is completed (successfully or otherwise). Regards, Steve Senum
Home Last updated: Tue Sep 04 01:03:57 2001 6315 messages in chronological order |