Re: [PATCH 00/24] InfiniBand Transport (IBTRS) and Network Block Device (IBNBD)
From: Roman Penyaev <hidden>
Date: 2018-02-07 17:18:47
Also in:
linux-rdma
On Wed, Feb 7, 2018 at 5:35 PM, Christopher Lameter [off-list ref] wrote:
On Mon, 5 Feb 2018, Bart Van Assche wrote:quoted
That approach may work well for your employer but sorry I don't think this is sufficient for an upstream driver. I think that most users who configure a network storage target expect full control over which storage devices are exported and also over which clients do have and do not have access.Well is that actually true for IPoIB? It seems that I can arbitrarily attach to any partition I want without access control. In many ways some of the RDMA layers and modules are loose with security since performance is what matters mostly and deployments occur in separate production environments. We have had security issues (that not fully resolved yet) with the RDMA RPC API for years.. So maybe lets relax on the security requirements a bit?
Frankly speaking I do not understand the "security" about this kind of block devices and RDMA in particular. I can admit that personally I do not see the whole picture, so can someone provide the real usecase/scenario? What we have in our datacenters is trusted environment (do others exist?). You need a volume, you create it. You need to map a volume remotely - you map it. Of course there are provisioning checks, rw/ro checks, etc. But in general any IP/key checks (is that client really a "good" guy or not?) are simply useless. So the question is: are there real life setups where some of the local IB network members can be untrusted? -- Roman