Re: [nfsv4] Kathleen Moriarty's No Objection on draft-ietf-nfsv4-scsi-layout-08: (with COMMENT)

Christoph Hellwig <> Wed, 16 November 2016 17:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DF581129469; Wed, 16 Nov 2016 09:04:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JHMnR2KHmLGm; Wed, 16 Nov 2016 09:04:49 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0D728127076; Wed, 16 Nov 2016 09:04:48 -0800 (PST)
Received: by (Postfix, from userid 2407) id D5A4368CEB; Wed, 16 Nov 2016 18:04:46 +0100 (CET)
Date: Wed, 16 Nov 2016 18:04:46 +0100
From: Christoph Hellwig <>
To: Kathleen Moriarty <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.17 (2007-11-01)
Archived-At: <>
Cc:, The IESG <>,,
Subject: Re: [nfsv4] Kathleen Moriarty's No Objection on draft-ietf-nfsv4-scsi-layout-08: (with COMMENT)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: NFSv4 Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Nov 2016 17:04:51 -0000

Hi Kathleen,

sorry for the delay, somehow this comments slipped through the cracks
and Spencer had to remind me of it.

On Mon, Aug 29, 2016 at 11:57:14AM -0700, Kathleen Moriarty wrote:
> For the security considerations, it would be good to include a few
> examples of the security provided by iSCSI, like encryption via IPsec
> (tunnel and transport mode - IMO opinion this RFC makes it difficult to
> set this up in an interoperable way, but that's not the responsibility of
> this draft), authentication, etc.  RFC7143 is such a large document, just
> a pointer isn't as helpful here in comparison to the no security example.
>  This is just at the comment level since the pointer is technically
> sufficient, but sets one up for a lot of reading.

I don't think it makes much sense to address the iSCSI security
issues in this document, and here is why:

As far as the pNFS SCSI layout is concerned setting up the actual
SCSI transport is completely out of scope, and that's intentional because
there are so many different SCSI transports and implementations, and
I don't want to get into details for any of them except mentioning a few.

But maybe as a compromise I can add references to RFC3723 and RFC7146
which seems to be the IETF canonical answer on how to secure iSCSI?