
    iSCSI MIB-05 concerns



    Last I looked, this was the latest draft. I have a few concerns with it:
    
    1) The text for iscsiCtxMaxRecvDataSegLength (page 55) says:
    
    Note that the size is reported in bytes even though the negotiation is in
    512k blocks.
    
    I think that sentence should be deleted. :-)
    
    2) I have a concern with iscsiSsnAuthIdentity (or with its descriptive
    text). The description reads:
    
    "This object contains a row in the IPS-AUTH MIB which identifies the
    authentication method being used on this session, as communicated during
    the login phase."
    
    My concern is that the text implies that only one security method can be
    used for a session, while the iSCSI spec does not imply that. From my read
    of the spec, different connections within a session can use different
    authentication methods. All that is required is that both sides agree
    during security negotiations on the method, and then authenticate each
    other.
    
    For long-lived sessions (say sessions in a data center) I can see a
    definite advantage to permitting different auth methods. Say we've had our
    systems up for a month, and we administratively decide we want to change
    auth methods (say a pointy-hair boss decides SPKM or SRP or CHAP or
    Kerberos is the way to go, even though it was not what we were doing when
    we fired the systems up a month ago). If we force only one auth method per
    session, then we have to tear down sessions if we ever want to add
    connections, which seems like a waste.
    
    Also, the name doesn't really match the text. Identity seems a broader
    concept than auth method.
    
    Fixes:
    
    a) move this to iscsiCxnAuthMethod
    
    b) make it the last authentication method used on a connection
    
    c) change it to point to the identity in IPS-AUTH used for authorization,
    rather than the method used to authenticate. I can definitely see the
    identity needing to stay the same for all connections in a session.
    
    Take care,
    
    Bill
    
    


Last updated: Thu Aug 15 13:18:55 2002