
Rdmap Security

presented by Shinto T.Jose ,CUSAT,Kerala

Published in: Technology, Business

  1. A Seminar by Shinto. T. Jose
  2. INTRODUCTION
       • DIRECTLY MOVES DATA
       • HIGH THROUGHPUT
       • LOW LATENCY
       • ZERO COPY NETWORKING
       • RDMA
       • LAYERING
       • DATA FLOW
       • APPLICATIONS
  3. INTRODUCTION
       • RDMA
       • LAYERING
       • DATA FLOW
       • APPLICATIONS
       (layering diagram labels: ULP, TCP, IP, DATA LINK LAYER, RDMA)
  4. INTRODUCTION
       • RDMA
       • LAYERING
       • DATA FLOW
       • APPLICATIONS
  5. INTRODUCTION
       • Virtual Interface Architecture
       • InfiniBand
       • iWARP
       • Future versions of Microsoft Windows
       • RDMA
       • LAYERING
       • DATA FLOW
       • APPLICATIONS
  6. ARCHITECTURE
       • COMPONENTS
       • RNIC INTERACTIONS
       (architecture diagram labels: Privileged Resource Manager, Privileged ULP, Non-privileged ULP, RNIC Engine, internet, RNIC interface, ULP interface)
  7. ARCHITECTURE
       • RNIC
       • Privileged resource manager
       • Privileged ULP
       • Non-privileged ULP
       • COMPONENTS
       • RNIC INTERACTIONS
  8. ARCHITECTURE
       • Privileged control interface
       • Privileged data interface
       • Non-privileged data interface
       • COMPONENTS
       • RNIC INTERACTIONS
  9. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY
       • IMPERSONATION
           • BLIND ATTACK OR ESTABLISHING STREAM
           • GUESSING VALID PARAMETERS
           • END-TO-END AUTHENTICATION
       • STREAM HIJACKING
       • MAN-IN-THE-MIDDLE ATTACK
       • SPOOFING
       • TAMPERING
       • SECURITY OPTIONS
  10. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY
       • IMPERSONATION
       • STREAM HIJACKING
           • HIJACK IN THE STREAM ESTABLISHMENT PHASE
           • IP ADDRESS SPOOFING
           • END-TO-END INTEGRITY PROTECTION AND AUTHENTICATION
       • MAN-IN-THE-MIDDLE ATTACK
       • SPOOFING
       • TAMPERING
       • SECURITY OPTIONS
  11. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY
       • IMPERSONATION
       • STREAM HIJACKING
       • MAN-IN-THE-MIDDLE ATTACK
           • ABILITY TO DELETE OR MODIFY
           • INVALIDATE STag
           • END-TO-END INTEGRITY PROTECTION AND AUTHENTICATION
       • SPOOFING
       • TAMPERING
       • SECURITY OPTIONS
  12. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY
       • MAN-IN-THE-MIDDLE ATTACK
       • MODIFICATION OF BUFFER CONTENT
       • END-TO-END INTEGRITY PROTECTION AND AUTHENTICATION
       • PHYSICAL PROTECTION
       • SPOOFING
       • TAMPERING
       • SECURITY OPTIONS
  13. ATTACKS THAT CAN BE MITIGATED WITH END-TO-END SECURITY
       • SESSION CONFIDENTIALITY
       • PER-PACKET DATA SOURCE AUTHENTICATION
       • PER-PACKET INTEGRITY
       • PACKET SEQUENCING
       • SPOOFING
       • TAMPERING
       • SECURITY OPTIONS
  14. ATTACKS FROM LOCAL PEERS
       • MORE COMPLETIONS THAN ITS FAIR SHARE
       • CAUSES STARVING OF OTHER ULPs
       • RNIC MUST NOT ENABLE SHARING A CQ ACROSS UNTRUSTED ULPs
       • LOCAL ULP ATTACKING A SHARED CQ
       • LOCAL PEER ATTACKING THE RDMA READ REQUEST QUEUE
  15. ATTACKS FROM LOCAL PEERS
       • UNFAIRLY ALLOCATE RDMA READ REQUEST QUEUE RESOURCES FOR ITS STREAMS
       • RDMA READ REQUEST QUEUE ENTRIES MUST BE RESTRICTED TO A TRUSTED LOCAL PEER (PRIVILEGED RESOURCE MANAGER)
       • LOCAL ULP ATTACKING A SHARED CQ
       • LOCAL PEER ATTACKING THE RDMA READ REQUEST QUEUE
  16. ATTACKS FROM REMOTE PEERS
       • USING UNAUTHORIZED STag
       • WHEN A STag FOR ONE STREAM IS ENABLED, THE ATTACKER WILL USE IT FOR ANOTHER STREAM
       • STag VALUES SHOULD BE RANDOMLY SELECTED
       • END-TO-END SECURITY IS USED
       • SPOOFING
       • TAMPERING
       • ELEVATION OF PRIVILEGE
  17. ATTACKS FROM REMOTE PEERS
       • LOCAL BUFFER ENABLED WITH REMOTE WRITE
       • BUFFER OVERRUN
       • BASE AND BOUND CHECK
       • END-TO-END SECURITY IS USED
       • SPOOFING
       • TAMPERING
       • ELEVATION OF PRIVILEGE
  18. ATTACKS FROM REMOTE PEERS
       • NON-PRIVILEGED ULP WILL MAKE ITSELF A PRIVILEGED ONE
       • PRIVILEGED ULP WILL MAKE ITSELF THE PRIVILEGED RESOURCE MANAGER
       • SECURITY BASED ON LOCAL IMPLEMENTATION
       • END-TO-END SECURITY IS USED
       • SPOOFING
       • TAMPERING
       • ELEVATION OF PRIVILEGE
  19. CONCLUSION
       • High throughput, low latency
       • Maximum care is given to security, but it still remains a concern.
  20. REFERENCES
       • [RDMAP] Recio, R., Culley, P., Garcia, D., and J. Hilland, "A Remote Direct Memory Access Protocol Specification", RFC 5040, October 2007.
       • [RDMAP SECURITY] Pinkerton, J., "RDMAP Security", RFC 5042, October 2007.
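The base and bound check that slide 17 names, worked as an added example in C (this is not code from the presentation or from RFC 5040/5042; the region structure, its field names and the STag values are constructed for illustration). A start-only test is shown beside a check that validates the whole write range, so the overrun the slide warns about is rejected rather than accepted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of a registered buffer as an RNIC might track it.
 * Field names are assumptions for illustration, not RFC 5040 wire fields. */
typedef struct {
    uint32_t stag;          /* Steering Tag advertised to the remote peer */
    uint64_t base;          /* first valid tagged offset of the buffer */
    uint64_t length;        /* buffer size in bytes */
    bool     remote_write;  /* buffer enabled for RDMA Write by the remote peer */
    bool     valid;         /* cleared once the STag has been invalidated */
} mem_region;
/* Incomplete check that only tests where the write starts: a write that begins
 * inside the buffer but runs past its end is accepted. Shown for contrast only. */
bool start_only_check(const mem_region *r, uint32_t stag, uint64_t offset)
{
    return r->valid && r->stag == stag && r->remote_write &&
           offset >= r->base && offset < r->base + r->length;
}
/* Base-and-bound check: the whole range [offset, offset + len) must lie inside
 * the region, the STag must match a valid registration and the region must be
 * enabled for remote write. Subtractions are ordered so nothing can wrap. */
bool rdma_write_allowed(const mem_region *r, uint32_t stag,
                        uint64_t offset, uint64_t len)
{
    if (!r->valid || r->stag != stag) return false;  /* wrong or stale STag */
    if (!r->remote_write) return false;              /* not enabled for remote write */
    if (offset < r->base) return false;              /* starts before the buffer */
    uint64_t rel = offset - r->base;                 /* cannot underflow: offset >= base */
    if (rel > r->length) return false;               /* starts past the end */
    return len <= r->length - rel;                   /* fits in the remaining bytes */
}
/* Find the registration owning a STag in a constructed table and apply the full
 * check; a STag with no registration is rejected outright. */
bool check_incoming_write(const mem_region *table, size_t n, uint32_t stag,
                          uint64_t offset, uint64_t len)
{
    for (size_t i = 0; i < n; i++)
        if (table[i].stag == stag)
            return rdma_write_allowed(&table[i], stag, offset, len);
    return false;
}
/* Constructed table: one writable region, one read-only, one already invalidated. */
static const mem_region g_regions[] = {
    { 0x1A2B3C4D, 0x10000, 4096, true,  true  },
    { 0x5E6F7081, 0x20000, 8192, false, true  },
    { 0x9293A4B5, 0x30000, 1024, true,  false },
};
static const size_t g_nregions = sizeof g_regions / sizeof g_regions[0];
```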
