Rdmap Security
Presented by Shinto T. Jose, CUSAT, Kerala

  1. A Seminar by Shinto T. Jose
  2. INTRODUCTION: RDMA
     • Directly moves data
     • High throughput
     • Low latency
     • Zero-copy networking
     (Section agenda: RDMA, Layering, Data flow, Applications)
  3. INTRODUCTION: LAYERING
     [Figure: protocol layering. ULP, RDMA, TCP, IP, data link layer]
  4. INTRODUCTION: DATA FLOW
     [Figure: data flow; no slide text recovered]
  5. INTRODUCTION: APPLICATIONS
     • Virtual Interface Architecture
     • InfiniBand
     • iWARP
     • Future versions of Microsoft Windows
  6. ARCHITECTURE
     [Figure: components and their interfaces. Privileged Resource Manager, Privileged ULP, Non-privileged ULP, RNIC Engine, Internet; RNIC interface, ULP interface]
     (Section agenda: Components, RNIC interactions)
  7. ARCHITECTURE: COMPONENTS
     • RNIC
     • Privileged Resource Manager
     • Privileged ULP
     • Non-privileged ULP
  8. ARCHITECTURE: RNIC INTERACTIONS
     • Privileged control interface
     • Privileged data interface
     • Non-privileged data interface
  9. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY: IMPERSONATION
     • Blind attack, or establishing a stream
     • Guessing valid parameters
     • Mitigation: end-to-end authentication
     (Section agenda: Impersonation, Stream hijacking, Man-in-the-middle attack, Spoofing, Tampering, Security options)
  10. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY: STREAM HIJACKING
     • Hijack in the stream establishment phase
     • IP address spoofing
     • Mitigation: end-to-end integrity protection and authentication
  11. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY: MAN-IN-THE-MIDDLE ATTACK
     • Ability to delete or modify
     • Invalidate STag
     • Mitigation: end-to-end integrity protection and authentication
  12. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY (continued)
     • Man-in-the-middle attack
     • Modification of buffer content
     • Mitigation: end-to-end integrity protection and authentication
     • Physical protection
  13. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY: SECURITY OPTIONS
     • Session confidentiality
     • Per-packet data source authentication
     • Per-packet integrity
     • Packet sequencing
  14. ATTACKS FROM LOCAL PEERS: LOCAL ULP ATTACKING A SHARED CQ
     • Generates more completions than its fair share
     • Causes starving of other ULPs
     • The RNIC must not enable sharing a CQ across untrusted ULPs
     (Section agenda: Local ULP attacking a shared CQ, Local peer attacking the RDMA Read Request Queue)
  15. ATTACKS FROM LOCAL PEERS: LOCAL PEER ATTACKING THE RDMA READ REQUEST QUEUE
     • Unfairly allocates RDMA Read Request Queue resources for its streams
     • Allocation of RDMA Read Request Queue entries must be restricted to a trusted local peer (the Privileged Resource Manager)
  16. ATTACKS FROM REMOTE PEERS: SPOOFING
     • Using an unauthorized STag
     • When an STag for one stream is enabled, the attacker will use it for another stream
     • STag values should be randomly selected
     • End-to-end security is used
     (Section agenda: Spoofing, Tampering, Elevation of privilege)
  17. ATTACKS FROM REMOTE PEERS: TAMPERING
     • Local buffer enabled with remote write
     • Buffer overrun
     • Base and bound check
  18. ATTACKS FROM REMOTE PEERS: ELEVATION OF PRIVILEGE
     • A non-privileged ULP makes itself a privileged one
     • A privileged ULP makes itself the Privileged Resource Manager
     • Security is based on the local implementation
  19. CONCLUSION
     • High throughput, low latency
     • Maximum care is given to security, but it still remains a concern.
  20. REFERENCES
     • [RDMAP] Recio, R., Culley, P., Garcia, D., and J. Hilland, "A Remote Direct Memory Access Protocol Specification", RFC 5040, October 2007.
     • [RDMAP SECURITY] Pinkerton, J., "RDMAP Security", RFC 5042, October 2007.
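The two local-peer rules from slides 14 and 15 (a CQ must not be shared across untrusted ULPs, and RDMA Read Request Queue entries are handed out only by the Privileged Resource Manager) as a small C model. This is an added example, not part of the seminar deck or of any RNIC implementation; the ULP kinds, the trust-domain field, the pool size and the per-stream cap are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model of the local-peer rules from slides 14 and 15.
 * Not an RNIC driver: ULP kinds, trust domains and pool sizes are assumptions. */

enum ulp_kind { ULP_NON_PRIVILEGED, ULP_PRIVILEGED, PRIVILEGED_RESOURCE_MANAGER };

struct ulp {
    int id;
    enum ulp_kind kind;
    int trust_domain;   /* ULPs that trust each other share a domain id */
};

/* Completion Queue: completions from every attached ULP land here, so one
 * ULP posting far more work than its fair share can starve the others. */
struct cq {
    int id;
    int owner_trust_domain;
    int users;
};

/* Slide 14: the RNIC must not let a CQ be shared across untrusted ULPs.
 * The first ULP to attach fixes the CQ's trust domain; a ULP from another
 * domain is refused, so a misbehaving ULP can only starve its own domain. */
bool cq_attach(struct cq *q, const struct ulp *u)
{
    if (q->users == 0) {
        q->owner_trust_domain = u->trust_domain;
        q->users = 1;
        return true;
    }
    if (u->trust_domain != q->owner_trust_domain)
        return false;
    q->users++;
    return true;
}

/* RDMA Read Request Queue entries are a finite per-RNIC resource. */
#define IRD_POOL_SIZE      16
#define IRD_MAX_PER_STREAM  4
#define MAX_STREAMS         8

struct ird_pool {
    int free_entries;
    int per_stream[MAX_STREAMS];
};

/* Slide 15: only the Privileged Resource Manager may allocate RDMA Read
 * Request Queue entries, and it caps each stream so no local peer can take
 * the whole pool for its own streams. Returns entries granted, -1 if refused. */
int ird_allocate(struct ird_pool *p, const struct ulp *requester,
                 int stream_id, int wanted)
{
    if (requester->kind != PRIVILEGED_RESOURCE_MANAGER)
        return -1;                          /* untrusted caller: refuse outright */
    if (stream_id < 0 || stream_id >= MAX_STREAMS || wanted <= 0)
        return -1;
    int room = IRD_MAX_PER_STREAM - p->per_stream[stream_id];
    int granted = wanted < room ? wanted : room;
    if (granted > p->free_entries)
        granted = p->free_entries;
    if (granted < 0)
        granted = 0;
    p->free_entries -= granted;
    p->per_stream[stream_id] += granted;
    return granted;
}

int main(void)
{
    struct ulp prm   = { 0, PRIVILEGED_RESOURCE_MANAGER, 0 };
    struct ulp app_a = { 1, ULP_NON_PRIVILEGED, 1 };
    struct ulp app_b = { 2, ULP_NON_PRIVILEGED, 2 };   /* different trust domain */
    struct cq q = { 7, 0, 0 };
    struct ird_pool pool = { IRD_POOL_SIZE, { 0 } };

    printf("app_a attaches CQ %d: %s\n", q.id, cq_attach(&q, &app_a) ? "ok" : "refused");
    printf("app_b attaches CQ %d: %s\n", q.id, cq_attach(&q, &app_b) ? "ok" : "refused");
    printf("app_a asks for 8 IRD entries directly: %d\n", ird_allocate(&pool, &app_a, 0, 8));
    printf("PRM asks for 8 IRD entries on stream 0: %d granted\n", ird_allocate(&pool, &prm, 0, 8));
    int more = ird_allocate(&pool, &prm, 0, 8);
    printf("PRM asks for 8 more on stream 0: %d granted, %d left in pool\n", more, pool.free_entries);
    return 0;
}
```

The two checks sit in different places on purpose: the CQ rule is enforced at attach time, before any completion can be posted, while the Read Request Queue rule is enforced on every allocation, because the pool is shared by all streams for the lifetime of the RNIC.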
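The remote-peer checks from slides 16 and 17 (an STag is valid only on the stream it was advertised on, and every RDMA Write is checked against the region's base and bounds before any data is placed) as added C example code. It is not from the deck or from any RNIC; the region table, the stream binding, the access-right bits and the constructed STag, offsets and payload are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the RNIC-side checks from slides 16 and 17.
 * Not real RNIC code: region table, stream binding and limits are assumptions. */

#define MAX_REGIONS          8
#define ACCESS_REMOTE_WRITE  0x1u
#define ACCESS_REMOTE_READ   0x2u

struct memory_region {
    bool     valid;       /* cleared when the STag is invalidated */
    uint32_t stag;        /* Steering Tag advertised to the remote peer */
    uint32_t stream_id;   /* stream the STag was advertised on (slide 16) */
    uint64_t base;        /* tagged offset of the first byte */
    uint64_t length;      /* bytes covered */
    uint32_t access;      /* remote access rights granted */
    uint8_t *backing;     /* local memory the region maps to */
};

struct rnic {
    struct memory_region regions[MAX_REGIONS];
    size_t count;
};

enum verdict {
    ACCESS_OK = 0,
    ERR_UNKNOWN_STAG,     /* no valid region carries this STag */
    ERR_WRONG_STREAM,     /* STag advertised on a different stream */
    ERR_NO_PERMISSION,    /* region not enabled for the requested access */
    ERR_OUT_OF_BOUNDS     /* base and bound check failed (slide 17) */
};

/* Register a local buffer. A real RNIC draws the STag from a CSPRNG so it
 * cannot be guessed (slide 16); here the caller supplies a constructed value. */
bool register_region(struct rnic *r, uint32_t stag, uint32_t stream_id,
                     uint64_t base, uint64_t length, uint32_t access, uint8_t *backing)
{
    if (r->count >= MAX_REGIONS || length == 0 || base > UINT64_MAX - length)
        return false;
    for (size_t i = 0; i < r->count; i++)
        if (r->regions[i].valid && r->regions[i].stag == stag)
            return false;                       /* STag already in use */
    r->regions[r->count++] = (struct memory_region){
        true, stag, stream_id, base, length, access, backing };
    return true;
}

static const struct memory_region *find_region(const struct rnic *r, uint32_t stag)
{
    for (size_t i = 0; i < r->count; i++)
        if (r->regions[i].valid && r->regions[i].stag == stag)
            return &r->regions[i];
    return NULL;
}

/* Every incoming tagged access runs through this before any data is placed. */
enum verdict check_remote_access(const struct rnic *r, uint32_t stream_id, uint32_t stag,
                                 uint64_t offset, uint64_t len, uint32_t needed)
{
    const struct memory_region *mr = find_region(r, stag);
    if (mr == NULL)
        return ERR_UNKNOWN_STAG;
    if (mr->stream_id != stream_id)
        return ERR_WRONG_STREAM;                /* STag reused on another stream */
    if ((mr->access & needed) != needed)
        return ERR_NO_PERMISSION;
    /* Base and bound check, written so that offset + len cannot wrap around. */
    if (offset < mr->base || len > mr->length || offset - mr->base > mr->length - len)
        return ERR_OUT_OF_BOUNDS;
    return ACCESS_OK;
}

/* Place an RDMA Write payload only after the checks above pass. */
enum verdict handle_rdma_write(struct rnic *r, uint32_t stream_id, uint32_t stag,
                               uint64_t offset, const uint8_t *payload, uint64_t len)
{
    enum verdict v = check_remote_access(r, stream_id, stag, offset, len, ACCESS_REMOTE_WRITE);
    if (v != ACCESS_OK)
        return v;
    const struct memory_region *mr = find_region(r, stag);
    memcpy(mr->backing + (offset - mr->base), payload, (size_t)len);
    return ACCESS_OK;
}

/* Invalidating the STag closes the window in which a remote peer could keep using it. */
bool invalidate_stag(struct rnic *r, uint32_t stag)
{
    for (size_t i = 0; i < r->count; i++)
        if (r->regions[i].valid && r->regions[i].stag == stag) {
            r->regions[i].valid = false;
            return true;
        }
    return false;
}

int main(void)
{
    struct rnic r;
    uint8_t buf[64];
    const uint8_t payload[4] = { 1, 2, 3, 4 };   /* constructed sample payload */
    memset(&r, 0, sizeof r);
    memset(buf, 0, sizeof buf);
    /* Constructed region: STag 0xA1B2C3D4 on stream 1 covers 64 bytes at offset 0x1000. */
    register_region(&r, 0xA1B2C3D4u, 1, 0x1000, sizeof buf, ACCESS_REMOTE_WRITE, buf);
    printf("in-bounds write from stream 1: %d\n",
           handle_rdma_write(&r, 1, 0xA1B2C3D4u, 0x1010, payload, sizeof payload));
    printf("overrun past the region end:   %d\n",
           handle_rdma_write(&r, 1, 0xA1B2C3D4u, 0x1000 + 62, payload, sizeof payload));
    printf("same STag used from stream 2:  %d\n",
           handle_rdma_write(&r, 2, 0xA1B2C3D4u, 0x1000, payload, sizeof payload));
    return 0;
}
```

The bound check is deliberately written as three comparisons on unsigned values rather than `offset + len <= base + length`, because a remote peer controls both `offset` and `len` and a sum of two 64-bit values can wrap; the order of the checks (STag, stream, permission, bounds) also means a request is refused at the cheapest failing test before any memory is touched.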