Hi everyone,
Hope you are doing well.
Few weeks ago now, I've been introduced to the concept of RDMA and their usage for low latency communications in distributed systems.
As far as I know, this technology has reach some success in the HPC ecosystem.
However, I've some concern regarding the security part. Do you know mechanisms on the software or hardware part to enforce secure communications (mainly through cryptography) ?
On the software part, as it bypass the kernel, i assume the only way to ensure some security is through libs ?
If you have any literature dealing with this issue, I would be very interested.
RDMA and security
-
- Member
- Posts: 5501
- Joined: Mon Mar 25, 2013 7:01 pm
Re: RDMA and security
There should be some RDMA-capable hardware out there that can encrypt/decrypt/authenticate traffic. Unfortunately it's all too expensive for me to have any experience with it.ArnaudLcm wrote:Do you know mechanisms on the software or hardware part to enforce secure communications (mainly through cryptography) ?
It's unrelated to cryptography, but you can use an IOMMU to enforce bounds checking.
If you do cryptography in hardware, you can ensure security even when you're bypassing the kernel. Without that, the only way is through software at the user level.ArnaudLcm wrote:On the software part, as it bypass the kernel, i assume the only way to ensure some security is through libs ?
Re: RDMA and security
I should have clarify that I was only focused on cryptography, and not on restricting the address space but you got the point !There should be some RDMA-capable hardware out there that can encrypt/decrypt/authenticate traffic. Unfortunately it's all too expensive for me to have any experience with it.
It's unrelated to cryptography, but you can use an IOMMU to enforce bounds checking.
I've come across an interesting white paper: https://www.usenix.org/system/files/atc20-taranov_0.pdf. Once I find the time to read it, I'll share my notes in a comment, in case someone else is interested in the topic. I would really like to dive in this topic and gain a better understanding of how it's implemented.
Nevertheless, thanks for you clarifications