[openib-general] RE: [dat-discussions] round 2 - proposal for socket based connection model

[Caitlin Bestler]

> 
> I believe that the assurances you are talking about are 
> peculiar to an implementation, not to the network.
> 

I disagree. Anytime you send an IP datagram on an IP network
you are expected to provide an authentic source address. Any
intermediate network device MAY enforce that rule and drop 
packets with invalid source addresses.

IP Addresses stored in private data, by contrast, are guaranteed
to pass all middleboxes unmolested without review of validation.
This is not a spoofer taking advantage of a lazy network admin,
this is a spoofer being given a "get out of jail free" card that
says the network admin is not even allowed to do spot checks.

> The CMA is what is preparing the private data header, not the 
> app. WRT a IB CM app, it could very easily pretend to be a 
> "CMA App" and build it's own private data that spoofed the 
> address. How would the local CM know that it is supposed to 
> verify this? Where is the service id/private data format 
> mapping database?
> 
> In short, I think we are mixing many different things together here. 
> 
>

For the very same reasons that a userspace consumer is not allowed
to pretend to be the CM itself, it should not be allowed to just
make up Source IP Addresses. If it's going to lie it needs to be
a privileged liar.

Preserving the existing CM infrastructure is fine, but not if it
forces us to take something that should be authenticated by privileged
software and simply trust that userspace code will fill it in correctly.