iSCSI: U=<user> in Authentication

Folks,

I think we should indicate in the Security section of the document how the security Authentication process might validate that the iSCSI Initiator Name sent in the Initial Login has something appropriate to do with the "user" being authenticated. (Otherwise, you could authenticate a user and that user could claim/use any iSCSI Initiator Name in the InitiatorName key=value pair.)

It is kind of obvious how to relate the U=<user> to the appropriate iSCSI Initiator Name (in the case of SRP), and a little less obvious with CHAP, though I think it would be the N=<N> parameter. However, it is really not obvious when using Kerberos and SPKM.

It also should be possible for the initiator not to send another UserID, if the Security Data Base the customer uses can support the iSCSI Initiator Name as a UserID. That is, it should be possible for the U=<user> parameter not to be sent, and have that imply the value of <user> is the iSCSI Initiator Node Name entered previously as a value in the InitiatorName key=value pair. Same way with the N=<N> in CHAP. However, it is not clear how you do similar things with Kerberos and SPKM.

What do you folks think about this, and how should we document it?

.
.
.
John L. Hufferd
Senior Technical Staff Member (STSM)
IBM/SSG San Jose Ca
Main Office (408) 256-0403, Tie: 276-0403, eFax: (408) 904-4688
Home Office (408) 997-6136
Internet address: hufferd@us.ibm.com
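The binding asked about above, sketched as a target-side check; this is an added example, not part of the original message or of any iSCSI draft. The authorization table, function names and initiator names are hypothetical and constructed; only the `U`, `N` and `InitiatorName` keys come from the message.

```python
# Constructed sample table: authenticated user -> InitiatorName values that
# user may claim. The layout and every entry are hypothetical.
ALLOWED_INITIATORS = {
    "alice": {"iqn.2001-09.com.example:host1"},
    # The security database uses the initiator name itself as the user ID.
    "iqn.2001-09.com.example:host2": {"iqn.2001-09.com.example:host2"},
}

# Login key that carries the user identity, per method, as named in the message.
IDENTITY_KEY = {"SRP": "U", "CHAP": "N"}


class LoginRejected(Exception):
    """Raised when the login keys cannot be bound to an authorized initiator."""


def effective_user(method, login_keys):
    """Identity to authenticate; falls back to InitiatorName when U/N is absent."""
    initiator = login_keys.get("InitiatorName")
    if not initiator:
        raise LoginRejected("InitiatorName missing")
    key = IDENTITY_KEY.get(method)
    if key is None:
        # Kerberos and SPKM: the message leaves the mapping open, so fail closed.
        raise LoginRejected(f"no identity mapping defined for {method}")
    return login_keys.get(key) or initiator


def check_login(method, login_keys, table=ALLOWED_INITIATORS):
    """Return (user, initiator) if the user may claim that InitiatorName.

    Assumption: the caller then runs the method's own exchange to
    authenticate `user`; this function only enforces the name binding.
    """
    user = effective_user(method, login_keys)
    initiator = login_keys["InitiatorName"]
    if initiator not in table.get(user, set()):
        raise LoginRejected(f"{user!r} may not use InitiatorName {initiator!r}")
    return user, initiator
```
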
Last updated: Wed Sep 19 14:17:35 2001