iSCSI MIB-05 concerns

Last I looked, this was the latest draft. I have a few concerns with it:

1) The text for iscsiCtxMaxRecvDataSegLength (page 55) says:

    Note that the size is reported in bytes even though the negotiation is in 512k blocks.

I think that sentence should be deleted. :-)

2) I have a concern with iscsiSsnAuthIdentity (or with its descriptive text). The description reads:

    "This object contains a row in the IPS-AUTH MIB which identifies the authentication method being used on this session, as communicated during the login phase."

My concern is that the text implies that only one security method can be used for a session, while the iSCSI spec does not imply that. From my read of the spec, different connections within a session can use different authentication methods. All that is required is that both sides agree during security negotiations on the method, and then authenticate each other.

For long-lived sessions (say sessions in a data center) I can see a definite advantage to permitting different auth methods. Say we've had our systems up for a month, and we administratively decide we want to change auth methods (say a pointy-hair boss decides SPKM or SRP or CHAP or Kerberos is the way to go, even though it was not what we were doing when we fired the systems up a month ago). If we force only one auth method per session, then we have to tear down sessions if we ever want to add connections, which seems like a waste.

Also, the name doesn't really match the text. Identity seems a broader concept than auth method.

Fixes:

a) move this to iscsiCxnAuthMethod
b) make it the last authentication method used on a connection
c) change it to point to the identity in IPS-AUTH used for authorization, rather than the method used to authenticate. I can definitely see the identity needing to stay the same for all connections in a session.

Take care,

Bill
Last updated: Thu Aug 15 13:18:55 2002