
    iSCSI: Authentication MIB question



    
    We are planning to publish another draft of the IPS
    authentication MIB in the near future.  It currently
    supports authentication by:
    
       AuthMethods - none, CHAP, SRP, Kerberos, SPKM
    
       IP address ranges
    
       Fibre Channel address ranges (added in the upcoming version)
    
       iSCSI Initiator Names
    
    Cleanup of most of these items is pretty straightforward, with
    the exception of SPKM.  To configure SPKM public key certificates
    via the MIB, some certificates will exceed the size of a single
    UDP/IP packet on many networks.  There are some possible solutions
    to this, but they will require some effort to finish up.
    
    So here's the question:  In order to do the work to make SPKM
    configurable through the MIB, we need to know that we are not
    wasting our time.  I have not heard of anyone implementing SPKM
    as an iSCSI authmethod in the near future; most implementations
    seem to be supporting None, CHAP, and SRP.
    
    If you are planning to implement SPKM as an iSCSI authMethod
    (this is not the same thing as IPsec public keys), please speak
    up.  Otherwise, I will plan to publish the MIB without public
    keys, and add them later if necessary.
    
    Also, please respond if you are planning to implement Kerberos
    as well; I want to make sure that the Kerberos attributes are
    reviewed by anyone who may wish to use them.
    
    BTW, here's our to-do-list:
    
    > 1. Clean up SRP credential attributes
    > 
    > 2. Add Kerberos credential attributes
    > 
    > 3. Decide how to transport certificates in SNMP, or at least
    >    how to transport certificate identifiers
    > 
    > 4. Support DH-CHAP method if applicable
    > 
    > 5. Remove netmask from address range
    > 
    > 6. Re-write IP address section based on AF types
    > 
    > 7. Finish up security considerations
    > 
    > 8. Clean up IANA-AF reference
    > 
    > 9. Split references into normative and informative
    
    If you have comments on other things that should go in the IPS
    auth MIB, please let me know.
    
    -- 
    Mark A. Bakke
    Cisco Systems
    mbakke@cisco.com
    763.398.1054
    


Last updated: Wed Apr 24 20:18:22 2002