Re: [Qemu-devel] RFC: Universal encryption on QEMU I/O channels

[Marcel Apfelbaum <marcel@redhat.com>]

On 02/04/2015 04:28 PM, Paolo Bonzini wrote:
>
>
> On 04/02/2015 15:02, Daniel P. Berrange wrote:
>>> I'm not sure if it makes sense for RDMA; it already has a couple of hooks
>>> that go around the back of QEMUFile in migration, and it's transferring the
>>> data via DMA so the page data doesn't go through the same path.
>>
>> Could you ever anticipate any need for authentication or encryption in
>> the RDMA based channel ? I don't know enough about RDMA myself to know
>> if it makes sense or not, other than the fact that any channel between
>> two separate hosts needs security at some level in the stack.
>
> Authentication, possibly; but I don't think encryption makes sense.  Marcel?
I personally think that the protocol is safe enough, but as always there are holes
and I am not a security expert:

     "RDMA mechanisms can create a potential security vulnerability. A node may access another nodes
      memory region that was supposed to be banned.
      In order to protect remote memory access to unauthorized memory areas, InfiniBand defines memory
      protection mechanisms, where a remote memory access requires a special key (R_Key). The R_Key is
      negotiated between the peers and is validated at the target’s system HCA card. In case of illegal key the
      packet is dropped. The R_Key requirement is built into silicon and driver code and cannot be disabled
      even when attacker compromises root/admin/superuser account on one or multiple servers."

More on Layer 2 attacks and how Infiniband handle those:
     http://www.mellanox.com/related-docs/whitepapers/WP_Secuirty_In_InfiniBand_Fabrics_Final.pdf

I hope I helped,
Marcel

>
> Paolo
>