iSCSI: rejecting AuthMethod

Draft 19 Section 5.3.2 iSCSI Security Negotiation:

    The target MUST reply with the first option in the list it supports and is allowed to use for the specific initiator unless it does not support any in which case it MUST answer with "Reject" (see Section 5.2 Text Mode Negotiation).

Draft 19 Section 5.2.1 List Negotiations:

    If an acceptor does not support, does not understand, or is not allowed to use any of the proposed options with a specific originator, it may use the constant "Reject" or terminate the negotiation.

I am considering the case where the target is configured not to accept a connection without authentication, and the target does not support any of the authentication methods offered by the initiator. Since the initiator is not allowed to send the AuthMethod key a second time, the login attempt must fail. I assume that the target should return a Login Response with Authentication Failure status in this case.

The first quote above implies that the target's Login Response should in addition contain the "AuthMethod=Reject" key. Is this really the intended meaning? In the general case it is not necessary to return any keys with a Login Response that has a nonzero Status-Class, so I do not see why this case should be any different.

For consistency, I recommend changing the text to something like "...in which case it MUST answer with "Reject" (see Section 5.2 Text Mode Negotiation) or terminate the negotiation."

Incidentally, the names of the Login Response status codes in section 10.13.5 have inconsistent capitalization (e.g. "Target Moved Temporarily" vs. "Can't include in session").

Anthony J. Battersby
Cybernetics
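The two target behaviours the message contrasts, as an added example that is not part of the original post or of the draft: a target answers an AuthMethod offer, and when nothing matches it fails the login either with or without the "AuthMethod=Reject" key. The function names, the `send_reject_key` switch and the sample offers are assumptions made for illustration.

```python
# Added example: names below are illustrative assumptions, not from the draft.
SUCCESS = (0x00, 0x00)
# Status-Class 0x02 (Initiator Error), Status-Detail 0x01 (Authentication
# failure), as assigned in RFC 3720, the published form of the iSCSI draft.
AUTH_FAILURE = (0x02, 0x01)


def parse_text_keys(segment: bytes) -> dict:
    """Split a login data segment into its NUL-terminated key=value pairs."""
    keys = {}
    for item in segment.split(b"\x00"):
        if not item:
            continue
        key, sep, value = item.partition(b"=")
        if not sep:
            raise ValueError(f"malformed text key: {item!r}")
        keys[key.decode("ascii")] = value.decode("ascii")
    return keys


def answer_auth_method(segment, allowed, send_reject_key):
    """Return (status, response_keys) for the AuthMethod offer in segment.

    allowed: methods the target supports and may use with this initiator;
    leaving "None" out models a target that requires authentication.
    send_reject_key: True follows the Section 5.3.2 wording literally,
    False is the terminate-only behaviour the post recommends permitting.
    """
    offered = parse_text_keys(segment)["AuthMethod"].split(",")
    for method in offered:  # the initiator's order decides, not the target's
        if method in allowed:
            return SUCCESS, {"AuthMethod": method}
    # No acceptable method and the key cannot be re-sent: the login fails.
    keys = {"AuthMethod": "Reject"} if send_reject_key else {}
    return AUTH_FAILURE, keys


# Constructed sample offers (not captured traffic).
NO_OVERLAP = b"AuthMethod=KRB5,SRP\x00"
OVERLAP = b"AuthMethod=KRB5,CHAP,None\x00"
```

Either way the initiator sees the same nonzero Status-Class; the only difference between the two readings is whether the failed Login Response also carries a key.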
Last updated: Fri Nov 22 08:19:15 2002