iSCSI: security questions

["Lee Xing" <lxing@Crossroads.com>]

Hi,

I got a few questions on iSCSI security.  I would appreciate it if
someone could help.  Thank you.

================
Q1: iSCSI v.08, page 142 "The authentication method cannot assume an
underlying IPSec protection, since IPSec is optional to use."  IPSec is
an option for IPv4, but it's mandatory for IPv6 (if I remember right).
Should we make it more specific?

Q2: iSCSI v.08 Chapter 10 (Security Consideration) mentions a few times
of "...MUST implement...".  Should we add something like "security is
mandatory to implement, but not mandatory to use" in this chapter?  This
is stated explicitly in SEC-IPS v.04 draft, and also implied in Chapter
5 (Login Phase) of iSCSI v.08.

Q3:
SEC-IPS v.04, page 11 "Negotiation between Initiator and Target is used
to determine which authentication algorithm to use (or whether to use
one at all); the connection closes if either side requires
authentication and no mutually acceptable algorithm can be agreed upon"

The question is whether "none" is considered as an "acceptable
algorithm".  In other words, if initiator asks
"AuthMethod=KRB5,SRP,none" during login, and target answers
"AuthMethod=none", should the connection be closed, or should the
initiator continue with LoginOperationalNegotiation stage?  If latter is
acceptable, should we reword the last sentence like "...and no mutually
acceptable algorithm or "none" can be agreed upon"?

Q4:
SEC-IPS v.04, page32 "If IPsec protection is removed on a connection, it
MUST be reinstated before iSCSI, iFCP or FCIP packets are sent."  The
question is do we have to check security every time before sending out
iSCSI packets?



Lee