Presentation is loading. Please wait.

Presentation is loading. Please wait.

RDMAP/DDP Security Draft draft-pinkerton-rddp-security-00.txt Jim Pinkerton, Ellen Deleganes, Allyn Romanow, Bernard Aboba.

Published byShanna Hill Modified over 8 years ago

Similar presentations

Presentation on theme: "RDMAP/DDP Security Draft draft-pinkerton-rddp-security-00.txt Jim Pinkerton, Ellen Deleganes, Allyn Romanow, Bernard Aboba."— Presentation transcript:

1 RDMAP/DDP Security Draft draft-pinkerton-rddp-security-00.txt Jim Pinkerton, Ellen Deleganes, Allyn Romanow, Bernard Aboba

2 Approach Focus on wire visible issues Do not constrain the security analysis to any one implementation – examine the scope of implementations The draft is new – much of the thought has not been presented/reviewed before

3 Security Model Privileged Resource Manager Privileged Application Non-Privileged Application RNIC Engine firmware Admin Privileged Control Interface Privileged Data Interface Non-Privileged Data Interface Application Control Interface Request Proxy Interface RNIC Interface (RI) Internet

4 Resources RDMAP/DDP Resources –Connection context memory –Data Buffers –Page translation tables –STag namespace –Completion Queues RDMAP Specific Resources –RDMA Read Request Queue

5 Dimensions of Trust Local Resource Sharing – are local resources shared between streams? Local Trust – are local applications trusted to not try to circumvent the protocol (either accidentally or on purpose) Remote Trust – are remote applications trusted to try to not circumvent the protocol

6 Combinations of Trust Local Resource Sharing Local Trust? Remote Trust? NameExample Application NNNNS- NT RDDP/DDP client/server Networking NNYNS- RT Authenticated Remote Peer NYNKernel client NYYSimilar to S-T YNNS-NTTypical Networking YNY?? YYNS-LTStorage target YYYS-TMPI

7 Tools for Counter Measures Protection Domain Limiting STag scope –Number of connections, amount of buffer advertised, time the buffer is advertised, randomly use the namespace Buffer access rights –Write-only, Read-only, Write/Read Limiting Completion Queue Scope –One or more connections Limiting the scope of an error

8 Questions Is using “Dimensions of Trust” the right way to characterize the security models? Are the 4 security models the sufficient? Are there other countermeasures?

9 Outstanding Issues In the document –IPsec section –Summary table at the end From David’s email –Change definition of “Trust” to “Partial Trust” –Least common denominator for trust model –Trust model for multiple clients to a single server?

10 Outstanding Issues Other emails –Clarify that an application may choose to use multiple Protections Domains –Possibly explicitly limit STag scope to just PD or just Stream? –Other Resources Asynch Event Queue? –Errors –Shared data buffers Protection Domain as a resource? –Non-privileged Application being able to disable/enable an STag mapping without using the Privileged Resource Manager

Download ppt "RDMAP/DDP Security Draft draft-pinkerton-rddp-security-00.txt Jim Pinkerton, Ellen Deleganes, Allyn Romanow, Bernard Aboba."

Similar presentations

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
August 02, 2004Mallikarjun Chadalapaka, HP1 iSCSI/RDMA: Overview of DA and iSER Mallikarjun Chadalapaka HP.

August 02, 2004Mallikarjun Chadalapaka, HP1 iSCSI/RDMA: Overview of DA and iSER Mallikarjun Chadalapaka HP.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
WNT Client/Server SDK Tony Vaccaro CS699 Project Presentation.

WNT Client/Server SDK Tony Vaccaro CS699 Project Presentation.
Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.

Chapter 8: Network Operating Systems and Windows Server 2003-Based Networking Network+ Guide to Networks Third Edition.
Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.

Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.
1 Chapter Overview Introduction to Windows XP Professional Printing Setting Up Network Printers Connecting to Network Printers Configuring Network Printers.

1 Chapter Overview Introduction to Windows XP Professional Printing Setting Up Network Printers Connecting to Network Printers Configuring Network Printers.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
© N. Ganesan, Ph.D., All rights reserved. Active Directory Nanda Ganesan, Ph.D.

© N. Ganesan, Ph.D., All rights reserved. Active Directory Nanda Ganesan, Ph.D.
Client/Server Computing. Information processing is distributed among several workstations and servers on a network, with each function being assigned.

Client/Server Computing. Information processing is distributed among several workstations and servers on a network, with each function being assigned.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
What is FORENSICS? Why do we need Network Forensics?

What is FORENSICS? Why do we need Network Forensics?
1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.

1 Chapter 6: Proxy Server in Internet and Intranet Designs Designs That Include Proxy Server Essential Proxy Server Design Concepts Data Protection in.
1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.
RDMAP/DDP Security Draft draft-ietf-rddp-security-01.txt Jim Pinkerton, Ellen Deleganes, Sara Bitan.

RDMAP/DDP Security Draft draft-ietf-rddp-security-01.txt Jim Pinkerton, Ellen Deleganes, Sara Bitan.

Similar presentations

Ads by Google