***SPAM*** RE: [ofa-general] Is IBIS only for querying OpenSM?

Hal Rosenstock hrosenstock at xsigo.com
Fri Apr 18 12:12:18 PDT 2008


Terry,

On Fri, 2008-04-18 at 15:25 +0000, terry watson wrote:
> Thanks Hal. I appreciate using the SM is the correct means of controlling partitioning; however, the testing I am performing is assessing security vulnerabilities. In this case, the two clusters are separated by partitioning only and I am seeking to assess the ability of a user to obtain unauthorised access to one cluster from the other. The requirement for the vendor building the two clusters was that they were isolated from each other. They have chosen to use one switch and I have to assess if this provides adequate isolation, as per the client's security requirements.
> 
> At this stage of my investigation, I do not believe partitioning on a switch provides adequate separation / isolation to be used as a security control and two physical switches will need to be used to provide the complete isolation that is required. But my task is to prove this to justify the expense.... :) 
> 
> I value any comments or input on this topic.

One pertinent thing here is whether a MKey manager is supported in the
SM, and if so, what level of MKeying is used. Sufficient MKey protection
with a sophisticated manager could make the updates of such PKey tables
difficult but not impossible. Currently, OpenSM does not support an MKey
manager but one is being proposed for the next OFED cycle. Currently,
OpenSM supports a static configured MKey and MKey lease period which
could make things marginally better if you are concerned with rogue
updates like this. Not sure about the third party (vendor) SMs in this
regard. Contact your vendor if this is of interest.

-- Hal
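Hal's point that the SM, not the node, is supposed to own the PKey tables also gives a defender a check to run: read each node's PKey table from sysfs and compare it with the partition the SM is meant to place that node in. This is an added example, not code from the thread or from OpenSM/IBUtils; it assumes the Linux sysfs layout /sys/class/infiniband/<hca>/ports/<port>/pkeys/<slot> and uses a constructed tree in place of a live HCA.

```python
import tempfile
from pathlib import Path

# Default partition 0x7fff: every port is at least a limited member; 0xffff is its full-member form.
DEFAULT_PKEY_BASE = 0x7FFF


def decode_pkey(value):
    """Split a 16-bit PKey into (15-bit base, full_member). Bit 15 set = full member."""
    return value & 0x7FFF, bool(value & 0x8000)


def read_pkey_table(sysfs_root, hca, port):
    """Read the port's PKey table from <sysfs_root>/class/infiniband/<hca>/ports/<port>/pkeys/<slot>.
    Slots holding 0x0000 are unused and skipped."""
    pkeys_dir = Path(sysfs_root) / "class" / "infiniband" / hca / "ports" / str(port) / "pkeys"
    table = {}
    for entry in pkeys_dir.iterdir():
        value = int(entry.read_text().strip(), 16)
        if value != 0:
            table[int(entry.name)] = value
    return table


def audit_pkey_table(table, allowed_bases):
    """Flag PKeys on the port outside the node's expected partitions (the SM's view).
    Returns (slot, pkey, membership) tuples; the default partition is always accepted."""
    findings = []
    for slot, value in sorted(table.items()):
        base, full = decode_pkey(value)
        if base != DEFAULT_PKEY_BASE and base not in allowed_bases:
            findings.append((slot, f"0x{value:04x}", "full" if full else "limited"))
    return findings


def build_sample_sysfs(root):
    """Constructed sysfs tree (not from a real fabric): a node meant for partition 0x0001
    whose table also carries 0x8002, as if a second partition had been added locally."""
    pkeys_dir = Path(root) / "class" / "infiniband" / "mlx4_0" / "ports" / "1" / "pkeys"
    pkeys_dir.mkdir(parents=True)
    for slot, value in {0: 0xFFFF, 1: 0x8001, 2: 0x8002, 3: 0x0000}.items():
        (pkeys_dir / str(slot)).write_text(f"0x{value:04x}\n")


def demo_audit():
    """Audit the constructed node, whose only expected partition is 0x0001."""
    root = tempfile.mkdtemp()
    build_sample_sysfs(root)
    return audit_pkey_table(read_pkey_table(root, "mlx4_0", 1), {0x0001})
```

Run the same audit across every node and port, and a PKey that shows up on a node the SM's partition configuration does not place in that partition is the signal to investigate.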

> ----------------------------------------
> > Subject: Re: ***SPAM*** RE: [ofa-general] Is IBIS only for querying OpenSM?
> > From: hrosenstock at xsigo.com
> > To: terrywatson at live.com
> > CC: philippe.gregoire at cea.fr; general at lists.openfabrics.org
> > Date: Fri, 18 Apr 2008 07:37:51 -0700
> > 
> > Terry,
> > 
> > On Fri, 2008-04-18 at 09:38 +0000, terry watson wrote:
> >> Thanks for the response. The environment I am testing has two clusters and one switch, 
> >> with the subnet manager running from the switch. Half the nodes are in one partition and 
> >> half in the other (ignoring 0xffff), call them partitions A and B. I have access to one 
> >> node in partition A as root and would like to be able to reconfigure that node locally, 
> >> and with no access to the switch subnet manager configuration, to be able to access nodes 
> >> in partition B.
> > 
> > In general, this is not a good idea IMO. As Philippe wrote, the SM (is
> > supposed to) own the writing of those tables (rather than some low level
> > diag utility). Even if you modify the local PKey table, it is possible
> > for the SM to overwrite this. Also, there are several other
> > ramifications of this depending on how the SM deals with partitions.
> > Even if you change things locally, that may not be sufficient as the
> > peer switch port may do partition filtering so that may need to change
> > that too and possible more PKey tables in the network depending on what
> > your SM does. Also, there are SA responses that depend on the SM having
> > correct knowledge (like PathRecords and others) so the end node may not
> > get any response on that partition for certain things.
> > 
> >> After some reading I believe that IBIS from IBUtils should allow me to alter the 
> >> local p_key table and therefore allow me to access nodes on partition B.
> > 
> > Yes but it may take more than this for it to work depending on your SM.
> > 
> >>  I cannot test this until I am on-site and I am formulating a strategy before arrival. 
> >> If it does not work this way it would be useful to know in advance. MPI is used rather than IPoIB. 
> > 
> > Some MPIs use out of band mechanisms to create connections so the SA
> > issues may not apply there; but I think the partition ones might and are
> > SM dependent so your mileage may vary...
> > 
> >> If my approach is flawed I would appreciate it if someone could point this out.
> > 
> > The proper way to do this is by reconfiguring your SM.
> > 
> > -- Hal
> > 
> >> ________________________________
> >>> Date: Fri, 18 Apr 2008 09:35:42 +0200
> >>> From: philippe.gregoire at cea.fr
> >>> To: terrywatson at live.com
> >>> CC: general at lists.openfabrics.org
> >>> Subject: Re: [ofa-general] Is IBIS only for querying OpenSM?
> >>> 
> >>> terry watson wrote:
> >>> 
> >>> Hi all,
> >>> 
> >>> I will be performing some testing of partitioning used as a security control. Am I right in believing that IBIS will be able to set partition table values of the local compute node I am logged on to, even though they are not using OpenSM, but rather a SM on a switch? Could I then attempt to access a partition that I was originally excluded from accessing?
> >>> 
> >>> I am new to Infiniband technology and would also appreciate a response from an expert who has views on the strength of the security that partitioning provides in separating two clusters that should have no interaction whatsoever.
> >>> 
> >>> Thanks,
> >>> Dave
> >>> _______________________________________________
> >>> general mailing list
> >>> general at lists.openfabrics.org
> > 
> 