RDMAP/DDP Security Draft - PowerPoint PPT Presentation

Title: RDMAP/DDP Security Draft

Presented at the 58th IETF, Minneapolis, MN USA, 11/11/2003 (21 slides).
Learn more at: https://www.ietf.org

1
RDMAP/DDP Security Draft
  • draft-ietf-rddp-security-00.txt
  • Jim Pinkerton, Ellen Deleganes, Allyn Romanow,
    Bernard Aboba

2
Agenda
  • Overview of the paper
  • Define Functional Model, including
    • Components
    • Attack paths
  • Identify threats
  • Define counter measures
  • What's new in this version
  • Issues
  • What's still to be done

3
Approach
  • Security analysis is not constrained to any one
    implementation; it examines the scope of possible
    implementations
  • The draft is relatively new, with minimal review
  • Still sections left to be written

4
Functional Component Model (diagram; component labels as shown on the slide)
  • Admin, Privileged Application, Non-Privileged Application,
    Privileged Resource Manager
  • Interfaces: Request Proxy Interface, Application Control Interface,
    Privileged Control Interface, Privileged Data Interface,
    Non-Privileged Data Interface
  • RNIC Interface (RI), RNIC Engine, firmware, Internet
5
Functional Components
  • Privileged application
    • Assumed to not intentionally attack the system,
      but may be greedy for resources
  • Non-privileged application
    • Desire to provide benefits of RDMAP/DDP without
      introducing additional security risk
    • Not trusted, granted only a subset of the
      capabilities granted to a privileged application
  • Resource Manager
    • Controls allocation of scarce resources
    • Implements policies to detect and prevent DoS
      attacks

6
An RI in More Detail (diagram of the Host, the RI and the Network)
  • Queues: Completion Queue, Async Event Queue, Send Queue,
    Receive Queue, RDMA Read Request Queue
  • Resources: Page Translation Table, STag Table,
    Connection Context Memory
7
Threats and Attack Classes
  • Spoofing
    • Connection hijacking
    • Unauthorized STag use
  • Tampering
    • Unauthorized modification of remote buffers
  • Information Disclosure
    • Unauthorized read access to remote buffers
  • Denial of Service
    • Consumption of precious resources
  • Elevation of Privilege
    • Loading FW onto the RNIC

8
Tampering
  • Remote Peer attempts to tamper with buffers on a
    Local Peer
    • Attempt to write outside of the buffer bounds
    • Modify buffer contents after indicating buffer
      contents are ready for use
    • Using multiple STags to access the same buffer

9
Information Disclosure
  • Remote peer attempts to improperly read
    information in buffers on a Local Peer
    • Use of RDMA Read to access stale data
    • Accessing buffer after transfer is over
    • Accessing unintended data through use of a valid
      STag
    • Using multiple STags to access the same buffer

10
Denial of Service
  • Resource consumption
    • Receive data buffers when pool is shared
    • Completion Queue entries
    • RDMA Read Request Queue
    • Untagged receive buffers
  • Remote invalidation of an STag across multiple
    connections

11
Tools for Counter Measures
  • Protection Domain
  • End-to-end authentication
  • Limiting scope of
    • STag
      • Number of connections, amount of buffer
        advertised, time the buffer is advertised,
        randomly use the namespace
    • Buffer access rights
      • Write-only, Read-only, Write/Read
    • Completion Queue
      • One or more connections
    • Error generation/propagation
  • Resource manager

12
Counter Measures
  • Protection Domain (PD)
    • Data buffers associated with an STag can be
      accessed only through connections in the same PD
    • Limit CQ access to connections in the same PD
  • Limit STag scope
    • Limit STag usage to a single connection, or
      connections in the same PD
    • Limit the time the STag is valid by invalidating
      the STag when data transfer is over
    • Limit the memory the STag can access by setting
      base and bounds to just the intended buffers
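
The STag checks on this slide (same PD, single-connection scope, invalidation when the transfer is over, base and bounds) plus the buffer access rights from the tools slide, modelled together as one admission check. This is an added example written for this transcript, not code from the draft or from any RNIC; the class and field names (`STag`, `Connection`, `RNICModel`, `check_access`) and the `READ`/`WRITE` bit values are assumptions, and the scenario data is constructed. It is a model of the policy, not of the wire protocol.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Access-right bits. The draft names read-only, write-only and read/write;
# the bit values are an assumption of this example.
READ = 0x1
WRITE = 0x2


@dataclass
class STag:
    """A registered buffer advertised to remote peers (field names assumed)."""
    key: int                    # the STag value a remote peer names in a request
    pd: int                     # Protection Domain the buffer belongs to
    base: int                   # lowest addressable offset
    length: int                 # bounds: bytes reachable from base
    rights: int                 # READ and/or WRITE
    connection: Optional[int]   # restrict to one connection; None = any connection in the PD
    valid: bool = True          # cleared when the transfer is over (invalidation)


@dataclass
class Connection:
    conn_id: int
    pd: int                     # the PD the connection was created in


class RNICModel:
    """Toy model of the checks the RI applies before an RDMA operation touches memory."""

    def __init__(self) -> None:
        self.stags: Dict[int, STag] = {}

    def register(self, stag: STag) -> None:
        self.stags[stag.key] = stag

    def invalidate(self, key: int) -> None:
        # Limit the time the STag is valid: once the transfer is over the
        # tag no longer maps to anything, so stale data cannot be read back.
        self.stags[key].valid = False

    def check_access(self, conn: Connection, key: int, offset: int,
                     size: int, op: int) -> Optional[str]:
        """Return None when the access is allowed, else the reason it is refused."""
        stag = self.stags.get(key)
        if stag is None or not stag.valid:
            return "invalid STag"
        if stag.pd != conn.pd:
            return "PD mismatch"
        if stag.connection is not None and stag.connection != conn.conn_id:
            return "STag not scoped to this connection"
        if (stag.rights & op) != op:
            return "access right not granted"
        if size <= 0 or offset < stag.base or offset + size > stag.base + stag.length:
            return "outside buffer bounds"
        return None


def run_scenario() -> List[Optional[str]]:
    """Constructed scenario: one 4 KiB write-only buffer advertised on connection 1."""
    rnic = RNICModel()
    conn_a = Connection(conn_id=1, pd=10)
    conn_b = Connection(conn_id=2, pd=20)   # a peer whose connection is in a different PD
    conn_c = Connection(conn_id=3, pd=10)   # same PD, but not the advertised connection
    rnic.register(STag(key=0x1234, pd=10, base=0x1000, length=4096,
                       rights=WRITE, connection=1))
    results = [
        rnic.check_access(conn_a, 0x1234, 0x1000, 512, WRITE),               # legitimate write
        rnic.check_access(conn_a, 0x1234, 0x1000 + 4096 - 100, 512, WRITE),  # runs past bounds
        rnic.check_access(conn_b, 0x1234, 0x1000, 512, WRITE),               # wrong PD
        rnic.check_access(conn_c, 0x1234, 0x1000, 512, WRITE),               # wrong connection
        rnic.check_access(conn_a, 0x1234, 0x1000, 512, READ),                # read on write-only buffer
    ]
    rnic.invalidate(0x1234)                                                  # transfer is over
    results.append(rnic.check_access(conn_a, 0x1234, 0x1000, 512, WRITE))    # stale STag
    return results


if __name__ == "__main__":
    for outcome in run_scenario():
        print("allowed" if outcome is None else f"refused: {outcome}")
```

The order of the checks matters only for which reason is reported; every refusal path leaves the buffer untouched. The bounds check is written as `offset + size > base + length` rather than comparing `offset` alone, which is the difference between catching a write that starts inside the buffer and runs off its end and missing it.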

13
Counter Measures
  • Set appropriate buffer access rights
    • Enable only the rights needed (read only, write
      only or read/write)
    • Local peer only access for buffers that do not
      require remote access
  • Limit scope of error propagation/generation
    • Limit generation of error events to prevent event
      queue overflow
  • Resource Manager
    • Put allocation of scarce resource under control
      of a Resource Manager
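
The Resource Manager countermeasure, applied to the shared resources the Denial of Service slide lists (shared receive buffer pool, Completion Queue entries, RDMA Read Request Queue). This is an added example for this transcript, not code from the draft or from any RNIC; the `ResourceManager` class, its method names and the quota numbers are assumptions, and the scenario is constructed. It contrasts a shared pool with no per-connection limit against the same pool with a quota, so the effect of one greedy remote peer on other connections can be measured.

```python
from typing import Dict, Optional


class ResourceManager:
    """Toy Resource Manager: every scarce resource a remote peer can make the
    RNIC consume is handed out against a per-connection quota (names assumed)."""

    def __init__(self, rx_pool_size: int, rx_quota: Optional[int],
                 cq_quota: int, rrq_quota: int) -> None:
        self.rx_free = rx_pool_size      # shared pool of untagged receive buffers
        self.rx_quota = rx_quota         # None models a pool with no per-connection limit
        self.cq_quota = cq_quota         # Completion Queue entries a connection may hold
        self.rrq_quota = rrq_quota       # outstanding RDMA Read Requests per connection
        self.rx_held: Dict[int, int] = {}
        self.cq_held: Dict[int, int] = {}
        self.rrq_held: Dict[int, int] = {}

    @staticmethod
    def _take(table: Dict[int, int], conn: int, quota: Optional[int]) -> bool:
        held = table.get(conn, 0)
        if quota is not None and held >= quota:
            return False                 # this connection already holds its share
        table[conn] = held + 1
        return True

    def consume_rx_buffer(self, conn: int) -> bool:
        """A remote peer's untagged send lands in a buffer taken from the shared pool."""
        if self.rx_free == 0:
            return False                 # pool exhausted: the send cannot be placed
        if not self._take(self.rx_held, conn, self.rx_quota):
            return False
        self.rx_free -= 1
        return True

    def release_rx_buffer(self, conn: int) -> None:
        """The local application consumed the message and returns the buffer."""
        if self.rx_held.get(conn, 0) > 0:
            self.rx_held[conn] -= 1
            self.rx_free += 1

    def post_cq_entry(self, conn: int) -> bool:
        return self._take(self.cq_held, conn, self.cq_quota)

    def post_rdma_read_request(self, conn: int) -> bool:
        return self._take(self.rrq_held, conn, self.rrq_quota)


def simulate(rx_quota: Optional[int]) -> Dict[str, int]:
    """Constructed scenario: an 8-buffer shared pool, three connections, and a
    greedy remote peer on connection 1 that sends six messages before the other
    two peers send two each. Returns how many receives each peer was granted."""
    rm = ResourceManager(rx_pool_size=8, rx_quota=rx_quota, cq_quota=16, rrq_quota=4)
    granted = {"greedy": 0, "peer_b": 0, "peer_c": 0}
    for _ in range(6):
        if rm.consume_rx_buffer(1):
            granted["greedy"] += 1
    for _ in range(2):
        if rm.consume_rx_buffer(2):
            granted["peer_b"] += 1
        if rm.consume_rx_buffer(3):
            granted["peer_c"] += 1
    granted["pool_free"] = rm.rx_free
    return granted


if __name__ == "__main__":
    print("no per-connection limit:", simulate(None))
    print("quota of 3 per connection:", simulate(3))
```

With no limit the greedy peer takes six of the eight buffers and the other two peers get one each; with a quota of three the greedy peer is cut off at its share and both other peers receive everything they send. The same `_take` accounting caps Completion Queue entries and RDMA Read Requests, which is what keeps one connection from filling a CQ or read-request queue that other connections depend on.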

14
Attacks vs. Countermeasures (summary table; only the row and column labels
survive in this transcript)
Countermeasure columns: PD | E2E auth | Limit scope: STag | Limit scope:
Buffer Access | Limit scope: CQ | Limit scope: Error | Resource Manager
Rows (Threat/Attack Class):
  • Spoofing: Connection hijacking; Unauthorized STag use
  • Tampering: Unauthorized data modification
  • Information Disclosure: Unauthorized data access
  • Denial of Service: Consumption of resources
  • Elevation of Privilege: Load FW on RNIC (or not allow this feature)
15
What's New
  • Partial Trust instead of Trust
  • Architecture model
  • Clarifications to existing components
  • RNIC data transfer initialization
  • RNIC data transfer (SQ, RQ)
  • RNIC Async Event Queue

16
What's New (cont)
  • Clarifications for implementation flexibility
    • Multiple PDs in a single app
  • Consideration of additional attacks
    • Controlling Page Trans. Table mapping to a buffer
    • Shared STag remote invalidate
    • Shared STag remote peer consumes too many
      buffers

17
Combinations of Trust

Local Resource  Local   Remote  Name    Example Application
Sharing         Trust?  Trust?
N               N       N       NS-NT   RDDP/DDP client/server networking
N               N       Y       NS-RT   Authenticated remote peer
N               Y       N       -       Kernel client
N               Y       Y       -       Similar to S-T
Y               N       N       S-NT    Typical networking
Y               N       Y       ??      -
Y               Y       N       S-LT    Storage target
Y               Y       Y       S-T     MPI
18
Dimensions of Partial Trust
  • Primarily a tool to educate the non-IETF RDMA
    community on the risks of traditional RDMA (local
    and remote trust)
  • Within IETF the assumption is generally no remote
    trust, no local trust
  • Thus dimensions of trust could be simplified to
    just a local resource sharing issue
    • i.e. Are local resources shared between streams?
  • Should we remove dimensions of trust?

19
Outstanding Issues
  • Issues highlighted in the document
    • IPsec section
    • Summary table at the end
    • Clarify using PD as counter measure vs. PD
      resource limitation
    • Describe security issue with sharing resources
      for untagged receives before diving into
      evaluation of shared buffer pool vs. shared
      receive queue
  • Still open since Vienna
    • Resolve shared RQ security issues
    • Better document multiple client to single server
      with different trust model per client

20
Outstanding Issues
  • Other emails
    • Non-privileged Application being able to
      disable/enable an STag mapping without using the
      Privileged Resource Manager