1 / 20

RDMAP/DDP Security Draft

RDMAP/DDP Security Draft. draft-ietf-rddp-security-00.txt Jim Pinkerton, Ellen Deleganes, Allyn Romanow, Bernard Aboba. Agenda. Overview of the paper Define Functional Model, including Components Attack paths Identify threats Define counter measures What’s new in this version Issues

lali
Download Presentation

RDMAP/DDP Security Draft

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. RDMAP/DDP Security Draft draft-ietf-rddp-security-00.txt Jim Pinkerton, Ellen Deleganes, Allyn Romanow, Bernard Aboba

  2. Agenda • Overview of the paper • Define Functional Model, including • Components • Attack paths • Identify threats • Define counter measures • What’s new in this version • Issues • What’s still to be done 58th IETF - Minneapolis, MN USA

  3. Approach • Security analysis not constrained to any one implementation – examine the scope of implementations • The draft is relatively new – minimal review • Still sections left to be written 58th IETF - Minneapolis, MN USA

  4. Functional Component Model Request Proxy Interface Privileged Resource Manager Application Control Interface Admin Privileged Application Non-Privileged Application Privileged Control Interface Privileged Data Interface Non-Privileged Data Interface RNIC Interface (RI) RNIC Engine firmware Internet 58th IETF - Minneapolis, MN USA

  5. Functional Components • Privileged application • Assumed to not intentionally attack the system, but may be greedy for resources • Non-privileged application • Desire to provide benefits of RDMAP/DDP without introducing additional security risk • Not trusted, granted only a subset of the capabilities granted to a privileged application • Resource Manager • Controls allocation of “scarce” resources • Implements policies to detect and prevent DoS attacks 58th IETF - Minneapolis, MN USA

  6. An RI in More Detail Host RI Completion Queue Async Event Queue Send Queue Receive Queue RDMA Read Request Queue Resources: Page Translation Table, STag Table, Connection Context Memory Network 58th IETF - Minneapolis, MN USA

  7. Threats and Attack Classes • Spoofing • Connection hijacking • Unauthorized STag use • Tampering • Unauthorized modification of remote buffers • Information Disclosure • Unauthorized read access to remote buffers • Denial of Service • Consumption of “precious” resources • Elevation of Privilege • Loading FW onto the RNIC 58th IETF - Minneapolis, MN USA

  8. Tampering • Remote Peer attempts to tamper with buffers on a Local Peer • Attempt to write outside of the buffer bounds • Modify buffer contents after indicating buffer contents are ready for use • Using multiple STags to access the same buffer 58th IETF - Minneapolis, MN USA

  9. Information Disclosure • Remote peer attempts to improperly read information in buffers on a Local Peer • Use of RDMA Read to access stale data • Accessing buffer after transfer is over • Accessing unintended data through use of a valid STag • Using multiple STags to access the same buffer 58th IETF - Minneapolis, MN USA

  10. Denial of Service • Resource consumption • Receive data buffers when pool is shared • Completion Queue entries • RDMA Read Request Queue • Untagged receive buffers • Remote invalidation of an STag across multiple connections 58th IETF - Minneapolis, MN USA

  11. Tools for Counter Measures • Protection Domain • End-to-end authentication • Limiting scope of: • STag • Number of connections, amount of buffer advertised, time the buffer is advertised, randomly use the namespace • Buffer access rights • Write-only, Read-only, Write/Read • Completion Queue • One or more connections • Error generation/propagation • Resource manager 58th IETF - Minneapolis, MN USA

  12. Counter Measures • Protection Domain (PD) • Data buffers associated with an STag can be accessed only through connections in the same PD • Limit CQ access to connections in the same PD • Limit STag scope • Limit SdTag usage to a single connection, or connections in the same PD • Limit the time the STag is valid by invalidating STag when data transfer is over • Limit the memory the STag can access by setting base and bounds to just the intended buffers 58th IETF - Minneapolis, MN USA

  13. Counter Measures • Set appropriate buffer access rights • Enable only the rights needed (read only, write only or read/write) • Local peer only access for buffers that do not require remote access • Limit scope of error propagation/generation • Limit generation of error events to prevent event queue overflow • Resource Manager • Put allocation of scarce resource under control of a Resource Manager 58th IETF - Minneapolis, MN USA

  14. Attacks & Countermeasures 58th IETF - Minneapolis, MN USA

  15. What’s New • “Partial Trust” instead of “Trust” • Architecture model • Clarifications to existing components • RNIC data transfer initialization • RNIC data transfer (SQ, RQ) • RNIC Asynch Event Queue 58th IETF - Minneapolis, MN USA

  16. What’s New (cont) • Clarifications for implementation flexibility • Multiple PDs in a single app • Consideration of additional attacks • Controlling Page Trans. Table mapping to a buffer • Shared STag – remote invalidate • Shared STag – remote peer consumes too many buffers 58th IETF - Minneapolis, MN USA

  17. Combinations of Trust 58th IETF - Minneapolis, MN USA

  18. Dimensions of Partial Trust • Primarily a tool to educate the non-IETF RDMA community on the risks of traditional RDMA (local and remote trust) • Within IETF the assumption is generally no remote trust, no local trust • Thus dimensions of trust could be simplified to just a local resource sharing issue • i.e. Are local resources shared between streams? • Should we remove dimensions of trust? 58th IETF - Minneapolis, MN USA

  19. Outstanding Issues • Issues highlighted in the document • IPsec section • Summary table at the end • Clarify using PD as counter measure vs. PD resource limitation • Describe security issue with sharing resources for untagged receives before diving into evaluation of shared buffer pool vs. shared receive queue • Still open since Vienna • Resolve shared RQ security issues • Better document multiple client to single server with different trust model per client 58th IETF - Minneapolis, MN USA

  20. Outstanding Issues • Other emails • Non-privileged Application being able to disable/enable an STag mapping without using the Privileged Resource Manager 58th IETF - Minneapolis, MN USA

More Related