iSCSI MIB-05 concerns

[Bill Studenmund <wrstuden@wasabisystems.com>]

Last I looked, this was the latest draft. I have a few concerns with it:

1) The text for iscsiCtxMaxRecvDataSegLength (page 55) says:

Note that the size is reported in bytes even though the negotiation is in
512k blocks.

I think that sentance should be deleted. :-)

2) I have a concern with iscsiSsnAuthIdentity (or with its descriptive
text). The description reads:

"This object contains a row in the IPS-AUTH MIB which identifies the
authentication method being used on this session, as communicated during
the login phase."

My concern is that the text implies that only one security method can be
used for a session, while the iSCSI spec does not imply that. From my read
of the spec, different connections within a session can use different
authentication methods. All that is required is that both sides agree
during security negotiations on the method, and then authenticate each
other.

For long-lived sessions (say sessions in a data center) I can see a
definite advantage to permitting different auth methods. Say we've had our
systems up for a month, and we administratively decide we want to change
auth methods (say a pointy-hair boss decides SPKM or SRP or CHAP or
Kerberos is the way to go, even though it was not what we were doing when
we fired the systems up a month ago). If we force only one auth method per
session, then we have to tear down sessions if we ever want to add
connections, which seems like a waste.

Also, the name doesn't really match the text. Identity seems a broader
concept that auth method.

Fixes:

a) move this to iscsiCxnAuthMethod

b) make it the last authentication method used on a connection

c) change it to point to the identity in IPS-AUTH used for authorization,
rather than the method used to authenticate. I can definitely see the
identity needing to stay the same for all connections in a session.

Take care,

Bill