|
From: | Marcel Apfelbaum |
Subject: | Re: [Qemu-devel] RFC: Universal encryption on QEMU I/O channels |
Date: | Wed, 04 Feb 2015 16:48:44 +0200 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 |
On 02/04/2015 04:28 PM, Paolo Bonzini wrote:
On 04/02/2015 15:02, Daniel P. Berrange wrote:I'm not sure if it makes sense for RDMA; it already has a couple of hooks that go around the back of QEMUFile in migration, and it's transferring the data via DMA so the page data doesn't go through the same path.Could you ever anticipate any need for authentication or encryption in the RDMA based channel ? I don't know enough about RDMA myself to know if it makes sense or not, other than the fact that any channel between two separate hosts needs security at some level in the stack.Authentication, possibly; but I don't think encryption makes sense. Marcel?
I personally think that the protocol is safe enough, but as always there are holes and I am not a security expert: "RDMA mechanisms can create a potential security vulnerability. A node may access another nodes memory region that was supposed to be banned. In order to protect remote memory access to unauthorized memory areas, InfiniBand defines memory protection mechanisms, where a remote memory access requires a special key (R_Key). The R_Key is negotiated between the peers and is validated at the target’s system HCA card. In case of illegal key the packet is dropped. The R_Key requirement is built into silicon and driver code and cannot be disabled even when attacker compromises root/admin/superuser account on one or multiple servers." More on Layer 2 attacks and how Infiniband handle those: http://www.mellanox.com/related-docs/whitepapers/WP_Secuirty_In_InfiniBand_Fabrics_Final.pdf I hope I helped, Marcel
Paolo
[Prev in Thread] | Current Thread | [Next in Thread] |