[openib-general] Re: IP addressing on InfiniBand networks
Caitlin Bestler
caitlin.bestler at gmail.com
Tue Jun 28 14:25:35 PDT 2005
On 6/28/05, Michael S. Tsirkin <mst at mellanox.co.il> wrote:
> Hi, James!
>
> I dont know much about dapl, so forgive me if the question is naive:
>
> Quoting r. James Lentini <jlentini at netapp.com>:
> >
> > + CM Private Data
> >
> > The active side of an IB connection could place its source IP
> > address in the CM's private data. The passive side would retrieve
> > the source IP from this location.
> >
> > ...
> >
> > The security of this is very week. An end node could easily present
> > a false IP address.
>
> Once you have the IP from CM private data, what prevents you from resolving it
> back to hardware address (by sending an ARP request with the IP address that
> you got)?
>
> You get back the IPoIB hardware address: GID+QPN, and can verify that
> the GID matches the GID that you got from CM.
>
> The security of this seems to be at least as good as the one you get on
> regular IP networks.
>
> Does this make sense at all?
>
The CM private data is private. It is not supposed to be interpreted
by the Provider, only by the application.
The essential issue here is how you validate an L3 network address.
DAT defines it as having been done, however, before it is delivered
to the applicaition.
I haven't seen an argument yet as to why this goal is not achievable
without changing the API -- which works perfectly well over IP networks.
More information about the general
mailing list