Direct Data Placement Protocol (DDP) / Remote Direct Memory Access Protocol (RDMAP) Security
RFC 5042
Field | Value
---|---
Document type | RFC - Proposed Standard (October 2007; No errata)
Updated by | RFC 7146
Authors | James Pinkerton, Ellen Deleganes
Last updated | 2013-03-02
Stream | IETF
WG state | (None)
Document shepherd | No shepherd assigned
IESG state | RFC 5042 (Proposed Standard)
Consensus Boilerplate | Unknown
Responsible AD | Jon Peterson
Send notices to | ips-chairs@ietf.org
Network Working Group
Request for Comments: 5042
Category: Standards Track

J. Pinkerton, Microsoft Corporation
E. Deleganes, Self
October 2007

Direct Data Placement Protocol (DDP) / Remote Direct Memory Access Protocol (RDMAP) Security

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Abstract

This document analyzes security issues around implementation and use of the Direct Data Placement Protocol (DDP) and Remote Direct Memory Access Protocol (RDMAP). It first defines an architectural model for an RDMA Network Interface Card (RNIC), which can implement DDP or RDMAP and DDP. The document reviews various attacks against the resources defined in the architectural model and the countermeasures that can be used to protect the system. Attacks are grouped into those that can be mitigated by using secure communication channels across the network, attacks from Remote Peers, and attacks from Local Peers. Attack categories include spoofing, tampering, information disclosure, denial of service, and elevation of privilege.

Table of Contents

1. Introduction
2. Architectural Model
   2.1. Components
   2.2. Resources
      2.2.1. Stream Context Memory
      2.2.2. Data Buffers
      2.2.3. Page Translation Tables
      2.2.4. Protection Domain (PD)
      2.2.5. STag Namespace and Scope
      2.2.6. Completion Queues
      2.2.7. Asynchronous Event Queue
      2.2.8. RDMA Read Request Queue
   2.3. RNIC Interactions
      2.3.1. Privileged Control Interface Semantics
      2.3.2. Non-Privileged Data Interface Semantics
      2.3.3. Privileged Data Interface Semantics
      2.3.4. Initialization of RNIC Data Structures for Data Transfer
      2.3.5. RNIC Data Transfer Interactions
3. Trust and Resource Sharing
4. Attacker Capabilities
5. Attacks That Can Be Mitigated with End-to-End Security
   5.1. Spoofing
      5.1.1. Impersonation
      5.1.2. Stream Hijacking
      5.1.3. Man-in-the-Middle Attack
   5.2. Tampering - Network-Based Modification of Buffer Content
   5.3. Information Disclosure - Network-Based Eavesdropping
   5.4. Specific Requirements for Security Services
      5.4.1. Introduction to Security Options
      5.4.2. TLS Is Inappropriate for DDP/RDMAP Security
      5.4.3. DTLS and RDDP
      5.4.4. ULPs That Provide Security
      5.4.5. Requirements for IPsec Encapsulation of DDP
6. Attacks from Remote Peers
   6.1. Spoofing
      6.1.1. Using an STag on a Different Stream
   6.2. Tampering
      6.2.1. Buffer Overrun - RDMA Write or Read Response
      6.2.2. Modifying a Buffer after Indication
      6.2.3. Multiple STags to Access the Same Buffer
   6.3. Information Disclosure
      6.3.1. Probing Memory Outside of the Buffer Bounds
      6.3.2. Using RDMA Read to Access Stale Data