[openib-general] RE: [dat-discussions] round 2 - proposal for socket based connection model

Caitlin Bestler caitlinb at broadcom.com
Tue Oct 25 09:45:17 PDT 2005


I believe it requires a CM protocol version change, or an "IP Address Header present" bit.

Basically, userspace consumers can supply *any* 72 bytes of private data currently. To maintain backwards compatibility you need an authenticator that says "this IP header data is vouched for by privileged components on this end", and that authenticator cannot be within the private data.

The equivalent guarantee is provided on IP networks by the fact that raw sockets are not accessible by non-privileged applications.
 


________________________________

From: Kanevsky, Arkady [mailto:Arkady.Kanevsky at netapp.com]
Sent: Tuesday, October 25, 2005 9:39 AM
To: Caitlin Bestler; dat-discussions at yahoogroups.com; openib-general at openib.org; swg at infinibandta.org
Subject: RE: [openib-general] RE: [dat-discussions] round 2 - proposal for socket based connection model

Caitlin,
how does it change the proposed protocol?
Arkady

Arkady Kanevsky                       email: arkady at netapp.com
Network Appliance                     phone: 781-768-5395
375 Totten Pond Rd.                   Fax: 781-895-1195
Waltham, MA 02451-2010                central phone: 781-768-5300

-----Original Message-----
From: Caitlin Bestler [mailto:caitlinb at broadcom.com]
Sent: Tuesday, October 25, 2005 12:36 PM
To: dat-discussions at yahoogroups.com; openib-general at openib.org; swg at infinibandta.org
Subject: [openib-general] RE: [dat-discussions] round 2 - proposal for socket based connection model

On an IP network, a non-privileged user is generally not capable of forging a source IP address and is typically prevented from using certain source ports.

I would propose that the CM [MAY|SHOULD|MUST] enforce that a non-privileged user can only use a Source IP Address and Port that they would have been able to use following the normal stack path (or what it would have been in the case that there is no conventional IP stack associated with this path).

So if IPoIB is installed, you would not be able to use any address that you would have been blocked from using over IPoIB. Or at least you would not be guaranteed that you could.

I think that MUST is the correct level of enforcement, but it needs to be clear that the CM and OS *MAY* do this checking and that a userspace IB application cannot use the IB stack to perform IP spoofing.


________________________________

From: dat-discussions at yahoogroups.com [mailto:dat-discussions at yahoogroups.com] On Behalf Of Kanevsky, Arkady
Sent: Tuesday, October 25, 2005 9:00 AM
To: openib-general at openib.org; dat-discussions at yahoogroups.com; swg at infinibandta.org
Subject: [dat-discussions] round 2 - proposal for socket based connection model

Dear OpenIB, SWG and DAT members,
enclosed is the second version of the proposal.
There are really 2 proposals that are related.
The first one is encoding the IP 5-tuple into REQ private data with small additional info for versioning and IB capabilities.
The second is just a couple of ideas, not a real proposal, on mapping of IP ports to IB Service IDs.

Thanks everybody for tons of feedback and deep discussions.
I apologize if I have missed something.

Happy reading,
Arkady

Arkady Kanevsky                       email: arkady at netapp.com
Network Appliance                     phone: 781-768-5395
375 Totten Pond Rd.                   Fax: 781-895-1195
Waltham, MA 02451-2010                central phone: 781-768-5300

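The check Caitlin proposes in the thread above, a privileged CM refusing to let a non-privileged consumer claim a source IP or port it could not have bound through the normal stack, as an added C example written for this page (not code from the thread, OpenIB, or any CM implementation). The private data header layout, the single local address 10.0.0.5 and the bind()-style port policy are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed layout of an IP-addressing header at the start of the 72-byte REQ
 * private data (constructed for this example, not from the proposal or any spec). */
#define CM_PRIVATE_DATA_LEN 72
#define IP_HDR_VERSION 1
struct cm_ip_hdr {
    uint8_t  hdr_version, ip_version;      /* ip_version is 4 or 6 */
    uint16_t src_port, dst_port;           /* network byte order */
    uint8_t  src_addr[16], dst_addr[16];   /* IPv4 uses the first 4 bytes */
};
/* Addresses configured on this host's interfaces (constructed sample). */
struct local_addrs { uint8_t addrs[4][16]; size_t n; };
enum cm_verdict { CM_OK = 0, CM_ERR_VERSION, CM_ERR_SRC_ADDR, CM_ERR_SRC_PORT };

/* The privileged CM applies the policy the IP stack applies to bind(): a
 * non-privileged consumer may only claim a locally configured source address and
 * a non-privileged source port, since it controls every byte of the private data. */
enum cm_verdict cm_check_req_source(const uint8_t *priv, bool privileged,
                                    const struct local_addrs *local)
{
    struct cm_ip_hdr h;
    memcpy(&h, priv, sizeof h);
    if (h.hdr_version != IP_HDR_VERSION || (h.ip_version != 4 && h.ip_version != 6))
        return CM_ERR_VERSION;
    if (privileged) return CM_OK;           /* same trust as a raw socket */
    size_t alen = h.ip_version == 4 ? 4 : 16;
    bool owned = false;
    for (size_t i = 0; i < local->n && !owned; i++)
        owned = memcmp(local->addrs[i], h.src_addr, alen) == 0;
    if (!owned) return CM_ERR_SRC_ADDR;
    return ntohs(h.src_port) < 1024 ? CM_ERR_SRC_PORT : CM_OK;
}

/* Build a userspace-style REQ private data blob claiming an IPv4 source and
 * check it against one constructed local address, 10.0.0.5. */
enum cm_verdict verdict_for(const char *src_ipv4, uint16_t src_port, bool privileged)
{
    struct local_addrs local = { .addrs = { {10, 0, 0, 5} }, .n = 1 };
    uint8_t priv[CM_PRIVATE_DATA_LEN] = {0};
    struct cm_ip_hdr h = { .hdr_version = IP_HDR_VERSION, .ip_version = 4,
                           .src_port = htons(src_port), .dst_port = htons(5001) };
    inet_pton(AF_INET, src_ipv4, h.src_addr);
    inet_pton(AF_INET, "10.0.0.1", h.dst_addr);
    memcpy(priv, &h, sizeof h);
    return cm_check_req_source(priv, privileged, &local);
}
```

The version byte is what makes the header detectable at all; an authenticator that the consumer cannot forge, as Caitlin notes, would have to live outside these 72 bytes.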