Re: [PATCH fixed] libibmad: Add MKey support to SMP requests via smp_mkey_get/set()

[Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>]

On Tue, Mar 13, 2012 at 08:31:50AM -0400, Hal Rosenstock wrote:
> On 3/9/2012 1:04 PM, Jason Gunthorpe wrote:
> > On Fri, Mar 09, 2012 at 07:59:58AM -0500, Hal Rosenstock wrote:
> > 
> >> What mkey model is being proposed here ? It looks to me like it is a
> >> single mkey for all ports in the subnet which is the simplest but least
> >> flexible model. If so, I think we need something more flexible as IBA
> >> allows each port to have it's own different mkey.
> > 
> > I would like to see some general agreement on a generator for mkey,
> > something like:
> > 
> >   MKey = HMAC(Subnet_KEY,PortGUID)
> > 
> > This blinds the mkey incase a port is compromised but still lets
> > privileged entities compute it from a single key.
> 
> As there is no standard for this and there are various different
> requirements here, I'm not sure that one algorithm fits all so IMO it's
> best to make this as flexible as possible and allow for various
> algorithms/approaches to be open sourced.

That would be a disaster from a usability and security perspective. We
need one really good standard, not tens of half baked ideas. MKey
generation is such a minor point in the grand scheme of things, giving
people lots of choice makes no sense.

Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html