Thread (79 messages) 79 messages, 9 authors, 2018-06-04

Re: [PATCH 00/24] InfiniBand Transport (IBTRS) and Network Block Device (IBNBD)

From: Roman Penyaev <hidden>
Date: 2018-02-07 17:18:47
Also in: linux-rdma

On Wed, Feb 7, 2018 at 5:35 PM, Christopher Lameter [off-list ref] wrote:
On Mon, 5 Feb 2018, Bart Van Assche wrote:
quoted
That approach may work well for your employer but sorry I don't think this is
sufficient for an upstream driver. I think that most users who configure a
network storage target expect full control over which storage devices are exported
and also over which clients do have and do not have access.
Well is that actually true for IPoIB? It seems that I can arbitrarily
attach to any partition I want without access control. In many ways some
of the RDMA layers and modules are loose with security since performance
is what matters mostly and deployments occur in separate production
environments.

We have had security issues (that not fully resolved yet) with the RDMA
RPC API for years.. So maybe lets relax on the security requirements a
bit?
Frankly speaking I do not understand the "security" about this kind of
block devices and RDMA in particular.  I can admit that personally I do
not see the whole picture, so can someone provide the real usecase/scenario?
What we have in our datacenters is trusted environment (do others exist?).
You need a volume, you create it.  You need to map a volume remotely -
you map it.  Of course there are provisioning checks, rw/ro checks, etc.
But in general any IP/key checks (is that client really a "good" guy or not?)
are simply useless.  So the question is: are there real life setups where
some of the local IB network members can be untrusted?

--
Roman
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help