[ofa-general] Allowing end-users to query for fabric information
Jason Gunthorpe
jgunthorpe at obsidianresearch.com
Wed Oct 8 13:44:36 PDT 2008
On Wed, Oct 08, 2008 at 01:07:14PM -0700, Roland Dreier wrote:
> > It's comparable to saying that a single machine on the company net can
> > subvert DNS.
>
> Just think about all the things a malicious host can do on an IB fabric.
> For example, a malicious SMA could send an unending stream of traps to
> the SM, or consume huge SM resources by faking an ever-changing virtual
> topology, or just report a GID that collides with another port on the
> fabric. And I'm sure there are other things you can think of if you try
> to get really nasty.
Right, it is quite similar to the problems with the Ethernet spanning tree
protocol; Linux prevents unprivileged processes from sending spanning
tree packets too.
I expect as IB matures we will get the same kinds of protections we
see in ethernet, namely switch ports marked as untrusted have many
restrictions placed on them, like single CA only, no outgoing SMPs
except to the SM, etc.
GMPs face a similar problem, except a little worse: any process can
create a UD QP and send a GMP to QP1 on another node. You can mess
with performance management, multicast registrations, service
registrations, etc. like this.
Jason
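The untrusted-port restrictions proposed in this message (single CA only, no outgoing SMPs except to the SM), modelled as a switch-ingress policy check. This is an added example, not code from the thread or from any OpenFabrics project. The management class values (0x01 LID-routed SMP, 0x81 directed-route SMP, 0x04 PerfMgt) and the QP0/QP1 split are the real IBTA assignments; the `PortPolicy` and `Mad` structures, the rule that a directed-route SMP from an untrusted port is dropped outright, and the sample datagrams are all constructed for illustration. The third sample datagram shows the caveat from the last paragraph: a GMP to QP1 on another node passes both rules, so SMP filtering alone does not cover performance management or registrations.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Real IBTA values: management classes 0x01 (LID-routed SMP) and 0x81
# (directed-route SMP) are carried on QP0; every other class, e.g. 0x03
# (Subnet Administration) or 0x04 (Performance Management), is a GMP on QP1.
SMP_LID_ROUTED = 0x01
SMP_DIRECTED_ROUTE = 0x81
SMP_CLASSES = frozenset({SMP_LID_ROUTED, SMP_DIRECTED_ROUTE})


@dataclass(frozen=True)
class Mad:
    """One management datagram as seen at switch ingress (constructed model)."""
    src_guid: int    # port GUID of the node that sent it
    dest_lid: int    # destination LID (ignored for directed-route SMPs)
    dest_qp: int     # 0 = SMP, 1 = GMP
    mgmt_class: int  # IBTA management class


@dataclass
class PortPolicy:
    """Hypothetical per-switch-port trust state (not a real switch API)."""
    trusted: bool
    sm_lid: int                       # LID of the subnet manager
    bound_guid: Optional[int] = None  # first CA GUID seen on an untrusted port


def check_ingress(policy: PortPolicy, mad: Mad) -> tuple[bool, str]:
    """Apply the untrusted-port rules; returns (allowed, reason)."""
    if policy.trusted:
        return True, "trusted port: no restrictions"

    # Rule 1: single CA only. Lock the port to the first GUID seen; any other
    # GUID behind the same port (a second CA, or a faked topology) is dropped.
    if policy.bound_guid is None:
        policy.bound_guid = mad.src_guid
    elif mad.src_guid != policy.bound_guid:
        return False, "single-CA rule: unexpected source GUID"

    # Rule 2: no outgoing SMPs except to the SM. A directed-route SMP carries
    # a hop path rather than a LID, so (assumption) it is dropped outright;
    # a LID-routed SMP must be addressed to the SM's LID.
    if mad.mgmt_class == SMP_DIRECTED_ROUTE:
        return False, "SMP rule: directed-route SMP from untrusted port"
    if mad.mgmt_class in SMP_CLASSES or mad.dest_qp == 0:
        if mad.dest_lid != policy.sm_lid:
            return False, "SMP rule: SMP not addressed to the SM"

    # GMPs (QP1) are not covered by these two rules; see the usage note.
    return True, "ok"


def filter_batch(policy: PortPolicy, mads: list[Mad]) -> list[tuple[bool, str]]:
    """Run every datagram through the policy in order (state carries over)."""
    return [check_ingress(policy, m) for m in mads]


# Constructed sample: SM at LID 1, one host with GUID 0xA behind an untrusted port.
SAMPLE = [
    Mad(src_guid=0xA, dest_lid=1, dest_qp=0, mgmt_class=SMP_LID_ROUTED),     # SMP to SM: allowed
    Mad(src_guid=0xA, dest_lid=7, dest_qp=0, mgmt_class=SMP_DIRECTED_ROUTE), # DR SMP: dropped
    Mad(src_guid=0xA, dest_lid=7, dest_qp=1, mgmt_class=0x04),               # PerfMgt GMP: allowed
    Mad(src_guid=0xB, dest_lid=1, dest_qp=0, mgmt_class=SMP_LID_ROUTED),     # second GUID: dropped
]

if __name__ == "__main__":
    port = PortPolicy(trusted=False, sm_lid=1)
    for mad, (allowed, reason) in zip(SAMPLE, filter_batch(port, SAMPLE)):
        print(f"{'ALLOW' if allowed else 'DROP '} class=0x{mad.mgmt_class:02x} "
              f"qp={mad.dest_qp} guid=0x{mad.src_guid:x}: {reason}")
```

Running the sample shows the two SMP-side threats (probing with directed-route SMPs, a second or spoofed CA behind one port) being blocked while the PerfMgt GMP to QP1 goes through untouched, which is exactly the gap the message points at for GMPs.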