[openib-general] Re: RDMA connection and address translation API

Michael S. Tsirkin mst at mellanox.co.il
Thu Aug 25 01:48:09 PDT 2005


Quoting r. Roland Dreier <rolandd at cisco.com>:
> It would make perfect sense to take a couple of the reserved bits in
> the CM REQ format and turn them into an "IP address present" field (a
> couple of bits so we can distinguish between v4 and v6).  When this
> field is set, then the first (or last, or whatever) 32 bytes of the
> private data would hold the source and destination IP address.

Wouldn't it be better to use some bits in the service ID field for this?

> Having this standardized also gives us the ability to deal with the
> concerns around connections initiated in userspace.  The kernel proxy
> for the user CM can make sure that any REQs sent with the "IP address
> present" field set actually has an IP assigned to the local system.
> Remote systems would still need to treat CM messages from QPs other
> than QP 1 as untrusted.

Actually, it might already make sense to implement something like this
for ucm: anything with service ID 0x0000 0000 0001 XXXX
is SDP and should be kernel only.
Does this make sense?

> Of course for real security some stronger authentication is needed in
> any case (even in the iWARP case the source IP can't be trusted; an
> attacker could DOS the real owner of the IP, flood the switch's MAC
> tables so it becomes a hub, and then take over any IP it wants).
> 
> The only unfortunate thing about all this is that the SDP Hello
> message format is already frozen, and it seems a little too
> specialized for generic use (e.g. we don't want a "Max Zcopy
> Advertisements" field).

It's somewhat ugly, but still possible to leave the IP address
where it is in the SDP Hello message, in the middle of the private
data field.
Alternatively, special-casing SDP for the sake of backward compatibility
would not be too bad.

-- 
MST
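As an added example (not code from this thread, from OpenIB or from the Linux IB CM), here is what the two checks discussed above could look like in a kernel proxy for the user CM, in C: reject a user-submitted REQ whose service ID falls in the SDP range 0x0000 0000 0001 XXXX that MST quotes (SDP is kernel-only), and, when the proposed "IP address present" field is set, reject a REQ whose claimed source IP is not assigned to the local host. The private-data layout (addresses in the first 32 bytes, in 16-byte slots), the two-bit field values and the local address table are assumptions made for the example; the 92-byte REQ private-data size is from the IBA CM REQ format.

```c
/* Added example, not from the thread: policy checks a kernel proxy for the
 * user CM could apply to an outgoing REQ before forwarding it on QP1. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_PRIVATE_DATA_LEN 92  /* IBA CM REQ carries 92 bytes of private data */
#define ADDR_SLOT 16             /* hypothetical: src at offset 0, dst at 16, each padded to 16 bytes */

/* Hypothetical 2-bit "IP address present" field values. */
enum ip_present { IP_NONE = 0, IP_V4 = 1, IP_V6 = 2 };

struct cm_req {
    uint64_t service_id;
    enum ip_present ip_present;
    uint8_t private_data[REQ_PRIVATE_DATA_LEN];
};

/* SDP service IDs are 0x0000 0000 0001 XXXX: the upper 48 bits equal 1. */
static int is_sdp_service_id(uint64_t sid)
{
    return (sid >> 16) == 0x1;
}

/* Constructed stand-in for the host's configured addresses (192.0.2.10, 2001:db8::10). */
struct local_ip { int af; uint8_t addr[16]; };
static const struct local_ip local_ips[] = {
    { AF_INET,  { 192, 0, 2, 10 } },
    { AF_INET6, { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10 } },
};

static int ip_is_local(int af, const uint8_t *addr)
{
    size_t len = (af == AF_INET) ? 4 : 16;
    for (size_t i = 0; i < sizeof local_ips / sizeof local_ips[0]; i++)
        if (local_ips[i].af == af && memcmp(local_ips[i].addr, addr, len) == 0)
            return 1;
    return 0;
}

enum verdict { REQ_OK = 0, REQ_REJECT_SDP_FROM_USER, REQ_REJECT_SPOOFED_IP };

/* Check a REQ submitted through the user CM. IP_NONE carries no address claim,
 * so there is nothing to verify and the REQ passes (it is still untrusted remotely). */
static enum verdict ucm_check_req(const struct cm_req *req)
{
    if (is_sdp_service_id(req->service_id))
        return REQ_REJECT_SDP_FROM_USER;
    if (req->ip_present == IP_V4 && !ip_is_local(AF_INET, req->private_data))
        return REQ_REJECT_SPOOFED_IP;
    if (req->ip_present == IP_V6 && !ip_is_local(AF_INET6, req->private_data))
        return REQ_REJECT_SPOOFED_IP;
    return REQ_OK;
}

/* Builds the hypothetical address slots in a REQ from textual addresses. */
static void req_set_addrs(struct cm_req *req, int af, const char *src, const char *dst)
{
    memset(req->private_data, 0, sizeof req->private_data);
    req->ip_present = (af == AF_INET) ? IP_V4 : IP_V6;
    inet_pton(af, src, req->private_data);
    inet_pton(af, dst, req->private_data + ADDR_SLOT);
}

int main(void)
{
    struct cm_req req = { .service_id = 0x1000000000000001ULL };

    req_set_addrs(&req, AF_INET, "192.0.2.10", "192.0.2.20");
    printf("local v4 source: %d\n", ucm_check_req(&req));      /* 0 = REQ_OK */
    req_set_addrs(&req, AF_INET, "192.0.2.99", "192.0.2.20");
    printf("foreign v4 source: %d\n", ucm_check_req(&req));    /* 2 = REQ_REJECT_SPOOFED_IP */
    req.service_id = 0x0000000000010050ULL;                     /* SDP, TCP port 80 */
    printf("SDP from userspace: %d\n", ucm_check_req(&req));   /* 1 = REQ_REJECT_SDP_FROM_USER */
    return 0;
}
```

Note the limit Roland states: this only stops a local process from claiming an address the host does not own. The receiving side still has to treat REQs from any QP other than QP 1 as untrusted, and even a correct local check does not protect against a peer that has taken over an IP on the fabric.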


