Subject: Re: NetBSD iSCSI HOWTOs
To: Alistair Crooks <>
From: Steven M. Bellovin <>
List: current-users
Date: 02/28/2006 08:32:08
I'd like more details on what you would have wanted.  As Security AD at 
the time, it was a fight to get in the security mechanisms they have -- 
there was strong sentiment that "this is only used within data centers; 
why do we need crypto?"

Everyone would like finer-grained authentication; IPsec doesn't work 
well that way.  But iSCSI is a disk abstract, not a file system, and 
granting access to hosts was the issue.  

I glanced at the talk you pointed to.  It looked to me much more like 
complaints about Microsoft's implementation.  While I don't remember 
the details of 3270, I'd be *astonished* if the IESG -- including me -- 
would have approved a protocol where authentication was optional and 
not turned on by default.

Some of that talk was dishonest.  It spoke of eavesdropping and MITM 
attacks.  Of course, until the very end it omitted mention of IPsec.  
That attack is, of course, why IPsec is in the spec.

Do you have a pointer to OSD?  I'm not familiar with it?  (I wasn't an 
iSCSI proponent; I was the guy who forced them to add IPsec to the 

		--Steven M. Bellovin,