Direct Data Placement Protocol (DDP) / Remote Direct Memory Access Protocol (RDMAP) Security
RFC 5042

Document type: RFC - Proposed Standard (October 2007; No errata)
Updated by RFC 7146
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5042 (Proposed Standard)
Responsible AD: Jon Peterson
Send notices to: ips-chairs@ietf.org

Network Working Group                                       J. Pinkerton
Request for Comments: 5042                         Microsoft Corporation
Category: Standards Track                                   E. Deleganes
                                                                    Self
                                                            October 2007

                Direct Data Placement Protocol (DDP) /
         Remote Direct Memory Access Protocol (RDMAP) Security

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document analyzes security issues around implementation and use
   of the Direct Data Placement Protocol (DDP) and Remote Direct Memory
   Access Protocol (RDMAP).  It first defines an architectural model for
   an RDMA Network Interface Card (RNIC), which can implement DDP or
   RDMAP and DDP.  The document reviews various attacks against the
   resources defined in the architectural model and the countermeasures
   that can be used to protect the system.  Attacks are grouped into
   those that can be mitigated by using secure communication channels
   across the network, attacks from Remote Peers, and attacks from Local
   Peers.  Attack categories include spoofing, tampering, information
   disclosure, denial of service, and elevation of privilege.

Pinkerton & Deleganes       Standards Track                     [Page 1]
RFC 5042                   DDP/RDMAP Security               October 2007

Table of Contents

   1. Introduction ....................................................4
   2. Architectural Model .............................................6
      2.1. Components .................................................7
      2.2. Resources ..................................................9
           2.2.1. Stream Context Memory ...............................9
           2.2.2. Data Buffers .......................................10
           2.2.3. Page Translation Tables ............................10
           2.2.4. Protection Domain (PD) .............................11
           2.2.5. STag Namespace and Scope ...........................11
           2.2.6. Completion Queues ..................................12
           2.2.7. Asynchronous Event Queue ...........................12
           2.2.8. RDMA Read Request Queue ............................13
      2.3. RNIC Interactions .........................................13
           2.3.1. Privileged Control Interface Semantics .............13
           2.3.2. Non-Privileged Data Interface Semantics ............13
           2.3.3. Privileged Data Interface Semantics ................14
           2.3.4. Initialization of RNIC Data Structures for
                  Data Transfer ......................................14
           2.3.5. RNIC Data Transfer Interactions ....................16
   3. Trust and Resource Sharing .....................................17
   4. Attacker Capabilities ..........................................18
   5. Attacks That Can Be Mitigated with End-to-End Security .........18
      5.1. Spoofing ..................................................19
           5.1.1. Impersonation ......................................19
           5.1.2. Stream Hijacking ...................................20
           5.1.3. Man-in-the-Middle Attack ...........................20
      5.2. Tampering - Network-Based Modification of Buffer Content ..21
      5.3. Information Disclosure - Network-Based Eavesdropping ......21
      5.4. Specific Requirements for Security Services ...............21
           5.4.1. Introduction to Security Options ...................21
           5.4.2. TLS Is Inappropriate for DDP/RDMAP Security ........22
           5.4.3. DTLS and RDDP ......................................23
           5.4.4. ULPs That Provide Security .........................23
           5.4.5. Requirements for IPsec Encapsulation of DDP ........23
   6. Attacks from Remote Peers ......................................24
      6.1. Spoofing ..................................................25
           6.1.1. Using an STag on a Different Stream ................25
      6.2. Tampering .................................................26
           6.2.1. Buffer Overrun - RDMA Write or Read Response .......26
           6.2.2. Modifying a Buffer after Indication ................27
           6.2.3. Multiple STags to Access the Same Buffer ...........27
      6.3. Information Disclosure ....................................28