[rds-devel] RDS in OFED 1.5.2

Tang, Changqing changquing.tang at hp.com
Wed Aug 4 10:11:27 PDT 2010


Zach,
        Thanks for the clarification. How does Oracle solve this security issue? Do you use app-level authentication?

--CQ

-----Original Message-----
From: Zach Brown [mailto:zach.brown at oracle.com]
Sent: Wednesday, August 04, 2010 11:59 AM
To: Tang, Changqing
Cc: Andy Grover; RDS Devel
Subject: Re: [rds-devel] RDS in OFED 1.5.2

As Andy said, RDS behaves like TCP and UDP in this regard.  If you have connectivity to the port that a socket is bound to then you can communicate with the socket.  It's up to the broader system design -- network isolation, filtering, app-level authentication -- to address the problem you're describing.

We could talk about working RDS into the kernel's packet filtering layer, maybe, but I can't imagine that we'd ever put uids in the packet headers.

- z

On Aug 4, 2010, at 6:39 AM, Tang, Changqing wrote:

> Andy,
>        I see that the RDS extension header has 16 bytes, and currently only 8 bytes are used; can we attach the process euid (4 bytes) to
> an RDS message? And on the receiving side, after we find the destination RDS socket to deliver to, we also check whether the euids match;
> if not, we drop the message.
>        Do you think this is a possible solution?
>
> --CQ
>
> -----Original Message-----
> From: Andy Grover [mailto:andy.grover at oracle.com]
> Sent: Tuesday, August 03, 2010 7:11 PM
> To: Tang, Changqing
> Cc: RDS Devel
> Subject: Re: RDS in OFED 1.5.2
>
> On 08/03/2010 07:01 AM, Tang, Changqing wrote:
>> 1. In OFED 1.5.2, released last month, I don't see a newer
>> version of RDS included; it is still the version from OFED 1.5. I see
>> you have a lot of changes in recent months; what is the reason these
>> changes were not applied to OFED 1.5.2?
>
> OFED 1.5.2 is a bugfix release. Due to the scope of the changes, we will
> be pushing them to mainline first, and OFED 1.6 as soon as it opens.
>
>> 2. Suppose a system has both user A and user B. A has a lot of
>> processes that opened RDS sockets among all the nodes and communicate with each
>> other. If B happens to know the port number of one of B's processes (or just
>> randomly chooses one), then user B can open an RDS socket and send
>> messages to user A's process to interfere with A's communication. Is there
>> a way to prevent this from happening at the RDS level? Or do you prefer the RDS
>> application to implement something to avoid it?
>
> Hmm, interesting question.
>
> I don't believe there's anything to guard against this. You could add some
> kind of signature or something at the application level, I'd guess, but
> RDS doesn't do anything more (or less) than what is normal for, say, UDP
> sockets.
>
> Regards -- Andy
>
> _______________________________________________
> rds-devel mailing list
> rds-devel at oss.oracle.com
> http://oss.oracle.com/mailman/listinfo/rds-devel
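The application-level signature Andy and Zach point to, sketched here as an added illustration (not code from RDS, OFED, or anyone in this thread): a keyed tag over the source port, destination port, a per-peer sequence number and the payload, so that a process without user A's shared key, or one replaying an old message, is dropped on receipt. The framing, the port fields and the shared key are assumptions; the frames below are constructed.

```python
import hmac
import hashlib
import struct

# Assumed framing: a small header in front of the RDS payload, followed by an
# HMAC-SHA256 tag. RDS itself only tells the receiver which port a datagram
# came from; the tag is what proves it came from a holder of the key.
HDR = struct.Struct("!HHQ")  # src_port, dst_port, sequence number
TAG_LEN = hashlib.sha256().digest_size


def seal(key: bytes, src_port: int, dst_port: int, seq: int, payload: bytes) -> bytes:
    """Sender side: header + payload + tag over both."""
    hdr = HDR.pack(src_port, dst_port, seq)
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hdr + payload + tag


class Receiver:
    """Receiver side for one RDS socket bound to my_port."""

    def __init__(self, key: bytes, my_port: int):
        self.key = key
        self.my_port = my_port
        self.last_seq = {}  # src_port -> highest sequence number accepted

    def open(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None (drop)."""
        if len(frame) < HDR.size + TAG_LEN:
            return None  # too short to carry header and tag
        hdr, body, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # not sealed with our key, or modified in transit
        src_port, dst_port, seq = HDR.unpack(hdr)
        if dst_port != self.my_port:
            return None  # a genuine frame meant for another socket, redirected here
        if seq <= self.last_seq.get(src_port, -1):
            return None  # replay of an already-accepted message
        self.last_seq[src_port] = seq
        return body


if __name__ == "__main__":
    key = b"constructed-shared-secret-of-user-A"  # constructed sample key
    rx = Receiver(key, my_port=5000)
    print(rx.open(seal(key, 4000, 5000, 1, b"hello")))          # b'hello'
    print(rx.open(seal(b"guess-by-user-B", 4000, 5000, 2, b"x")))  # None
```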
