The Architecture of Direct Data Placement (DDP) and Remote Direct Memory Access (RDMA) on Internet Protocols
draft-ietf-rddp-arch-07
Discuss
Yes
(Allison Mankin)
(Jon Peterson)
No Objection
(Bert Wijnen)
(Margaret Cullen)
(Ned Freed)
(Ted Hardie)
Abstain
Note: This ballot was opened for revision 07 and is now closed.
Steven Bellovin Former IESG member
Discuss
Discuss
[Treat as non-blocking comment]
(2004-02-04)
Unknown
I"m not convinced the security considerations is adequate. I see several threat issues. The first is the tension between direct copy and packet authentication. In many cases, it is not possible to authenticate a packet until the entire thing has been read. But here, the data is being copied to a receiving buffer directly from the wire, before authentication takes place. This is especially a challenge to a multi-threaded interface --- ATM where the cells for some packet are not consecutive, perhaps -- where you might get interleaving. More generally, authorization for access to storage has to be dependent on the connection as well as the steering tag. Otherwise, you introduce new vulnerabilities. This is especially problematic given that receive buffers may (according to the document) be used for data from a different socket. Aside: I think that many of these issues, as well as the multiple receiver problem (and I do not accept the argument that requiring many different clients to use the same address is in any way comparable to any existing problem in that space), would go away if the steering tag sent over the wire to the receiver were not just opaque, but by intent a random 64- or 128-bit tag to a local buffer descriptor. That permits easy local revocation of capabilities, as well as a defense against remote contamination attempts if the value were communicated previously over an encrypted channel.
Allison Mankin Former IESG member
Yes
Yes
()
Unknown
Jon Peterson Former IESG member
Yes
Yes
()
Unknown
Bert Wijnen Former IESG member
No Objection
No Objection
()
Unknown
Margaret Cullen Former IESG member
No Objection
No Objection
()
Unknown
Ned Freed Former IESG member
No Objection
No Objection
()
Unknown
Russ Housley Former IESG member
No Objection
No Objection
(2004-02-04)
Unknown
The use of TLS (as discussed briefly in the security considerations) or any other protocol that provides authentication will not fit well into the proposed architecture. The integrity check cannot be performed until the entire packet (or record in the case of TLS) is available in memory. So, the data must be copied from the I/O interface to memory, which may involve some reassembly, before the integrity check can be performed. This issue should be discussed in the security considerations.
Ted Hardie Former IESG member
(was Discuss)
No Objection
No Objection
()
Unknown
Sam Hartman Former IESG member
Abstain
Abstain
(2005-05-05)
Unknown
I did not find this document clear at all. I was unable to easily tell whether Steve Bellovin's discuss text had been addressed because I found the document too confusing. I suspect that at some technical level the text has been address in that you could find changes in the document and understand how they address Steve's comments. However I'm not convinced that anyone who read the document without Steve's comments would be aware of the issues.