iSCSI: Authentication MIB question

[Mark Bakke <mbakke@cisco.com>]

We are planning to publish another draft of the IPS
authentication MIB in the near future.  It currently
supports authentication by:

   AuthMethods - none, CHAP, SRP, Kerberos, SPKM

   IP address ranges

   Fibre Channel address ranges (added in the upcoming version)

   iSCSI Initiator Names

Cleanup of most of these items is pretty straightforward, with
the exception of SPKM.  To configure SPKM public key certificates
via the MIB, some certificates will exceed the size of a single
UDP/IP packet on many networks.  There are some possible solutions
to this, but they will require some effort to finish up.

So here's the question:  In order to do the work to make SPKM
configurable through the MIB, we need to know that we are not
wasting our time.  I have not heard of anyone implementing SPKM
as an iSCSI authmethod in the near future; most implementations
seem to be supporting None, CHAP, and SRP.

If you are planning to implement SPKM as an iSCSI authMethod
(this is not the same thing as IPsec public keys), please speak
up.  Otherwise, I will plan to publish the MIB without public
keys, and add them later if necessary.

Also, please respond if you are planning to implement Kerberos
as well; I want to make sure that the Kerberos attributes are
reviewed by anyone who may wish to use them.

BTW, here's our to-do-list:

> 1. Clean up SRP credential attributes
> 
> 2. Add Kerberos credential attributes
> 
> 3. Decide how to transport certificates in SNMP, or at least
>    how to transport certificate identifiers
> 
> 4. Support DH-CHAP method if applicable
> 
> 5. Remove netmask from address range
> 
> 6. Re-write IP address section based on AF types
> 
> 7. Finish up security considerations
> 
> 8. Clean up IANA-AF reference
> 
> 9. Split references into normative and informative

If you have comments on other things that should go in the IPS
auth MIB, please let me know.

-- 
Mark A. Bakke
Cisco Systems
mbakke@cisco.com
763.398.1054