Direct Data Placement Protocol (DDP) / Remote Direct Memory Access Protocol (RDMAP) Security
RFC 5042
Document Type RFC - Proposed Standard (October 2007; No errata)
Updated by RFC 7146
Authors James Pinkerton  , Ellen Deleganes 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Reviews
SECDIR Early Review
SECDIR Early Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5042 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Jon Peterson
Send notices to ips-chairs@ietf.org
Email authors Email WG IPR 1 References Referenced by Nits 
Network Working Group                                       J. Pinkerton
Request for Comments: 5042                         Microsoft Corporation
Category: Standards Track                                   E. Deleganes
                                                                    Self
                                                            October 2007

                Direct Data Placement Protocol (DDP) /
         Remote Direct Memory Access Protocol (RDMAP) Security

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document analyzes security issues around implementation and use
   of the Direct Data Placement Protocol (DDP) and Remote Direct Memory
   Access Protocol (RDMAP).  It first defines an architectural model for
   an RDMA Network Interface Card (RNIC), which can implement DDP or
   RDMAP and DDP.  The document reviews various attacks against the
   resources defined in the architectural model and the countermeasures
   that can be used to protect the system.  Attacks are grouped into
   those that can be mitigated by using secure communication channels
   across the network, attacks from Remote Peers, and attacks from Local
   Peers.  Attack categories include spoofing, tampering, information
   disclosure, denial of service, and elevation of privilege.

Pinkerton & Deleganes       Standards Track                     [Page 1]
RFC 5042                   DDP/RDMAP Security               October 2007

Table of Contents

   1. Introduction ....................................................4
   2. Architectural Model .............................................6
      2.1. Components .................................................7
      2.2. Resources ..................................................9
           2.2.1. Stream Context Memory ...............................9
           2.2.2. Data Buffers .......................................10
           2.2.3. Page Translation Tables ............................10
           2.2.4. Protection Domain (PD) .............................11
           2.2.5. STag Namespace and Scope ...........................11
           2.2.6. Completion Queues ..................................12
           2.2.7. Asynchronous Event Queue ...........................12
           2.2.8. RDMA Read Request Queue ............................13
      2.3. RNIC Interactions .........................................13
           2.3.1. Privileged Control Interface Semantics .............13
           2.3.2. Non-Privileged Data Interface Semantics ............13
           2.3.3. Privileged Data Interface Semantics ................14
           2.3.4. Initialization of RNIC Data Structures for
                  Data Transfer ......................................14
           2.3.5. RNIC Data Transfer Interactions ....................16
   3. Trust and Resource Sharing .....................................17
   4. Attacker Capabilities ..........................................18
   5. Attacks That Can Be Mitigated with End-to-End Security .........18
      5.1. Spoofing ..................................................19
           5.1.1. Impersonation ......................................19
           5.1.2. Stream Hijacking ...................................20
           5.1.3. Man-in-the-Middle Attack ...........................20
      5.2. Tampering - Network-Based Modification of Buffer Content ..21
      5.3. Information Disclosure - Network-Based Eavesdropping ......21
      5.4. Specific Requirements for Security Services ...............21
           5.4.1. Introduction to Security Options ...................21
           5.4.2. TLS Is Inappropriate for DDP/RDMAP Security ........22
           5.4.3. DTLS and RDDP ......................................23
           5.4.4. ULPs That Provide Security .........................23
           5.4.5. Requirements for IPsec Encapsulation of DDP ........23
   6. Attacks from Remote Peers ......................................24
      6.1. Spoofing ..................................................25
           6.1.1. Using an STag on a Different Stream ................25
      6.2. Tampering .................................................26
           6.2.1. Buffer Overrun - RDMA Write or Read Response .......26
           6.2.2. Modifying a Buffer after Indication ................27
           6.2.3. Multiple STags to Access the Same Buffer ...........27
      6.3. Information Disclosure ....................................28
           6.3.1. Probing Memory Outside of the Buffer Bounds ........28
           6.3.2. Using RDMA Read to Access Stale Data ...............28
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools