On Tue, Mar 13, 2012 at 08:31:50AM -0400, Hal Rosenstock wrote:
> On 3/9/2012 1:04 PM, Jason Gunthorpe wrote:
> > On Fri, Mar 09, 2012 at 07:59:58AM -0500, Hal Rosenstock wrote:
> >
> >> What mkey model is being proposed here? It looks to me like it is a
> >> single mkey for all ports in the subnet which is the simplest but least
> >> flexible model. If so, I think we need something more flexible as IBA
> >> allows each port to have its own different mkey.
> >
> > I would like to see some general agreement on a generator for mkey,
> > something like:
> >
> >   MKey = HMAC(Subnet_KEY,PortGUID)
> >
> > This blinds the mkey in case a port is compromised but still lets
> > privileged entities compute it from a single key.
>
> As there is no standard for this and there are various different
> requirements here, I'm not sure that one algorithm fits all so IMO it's
> best to make this as flexible as possible and allow for various
> algorithms/approaches to be open sourced.

That would be a disaster from a usability and security perspective. We
need one really good standard, not tens of half-baked ideas. MKey
generation is such a minor point in the grand scheme of things, giving
people lots of choice makes no sense.

Jason
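
The generator quoted in this message, MKey = HMAC(Subnet_KEY, PortGUID), written out as an added example that is not part of the thread or of any posted patch. The hash (HMAC-SHA256), the 8-byte big-endian PortGUID encoding, the truncation to the 64-bit M_Key field, the retry counter that skips an all-zero result, and the sample key and GUIDs are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not real keys or GUIDs.
SUBNET_KEY = bytes(range(32))
PORT_GUIDS = [0x0002C90300A1B2C1, 0x0002C90300A1B2C2]


def derive_mkey(subnet_key: bytes, port_guid: int) -> int:
    """MKey = HMAC(Subnet_KEY, PortGUID), cut down to the 64-bit M_Key field.

    Assumed here: HMAC-SHA256, PortGUID as 8 big-endian bytes plus a
    one-byte retry counter, leftmost 8 bytes of the tag as the MKey.
    """
    if len(subnet_key) < 16:
        raise ValueError("subnet key shorter than 128 bits")
    if not 0 <= port_guid < 1 << 64:
        raise ValueError("PortGUID must fit in 64 bits")
    for counter in range(256):
        msg = struct.pack(">QB", port_guid, counter)
        tag = hmac.new(subnet_key, msg, hashlib.sha256).digest()
        mkey = int.from_bytes(tag[:8], "big")
        if mkey != 0:  # treat zero as "no M_Key set" and never hand it out
            return mkey
    raise RuntimeError("no non-zero MKey found")


def check_mkey(subnet_key: bytes, port_guid: int, presented: int) -> bool:
    """Recompute the port's MKey from the subnet key; constant-time compare."""
    if not 0 <= presented < 1 << 64:
        return False
    expected = derive_mkey(subnet_key, port_guid).to_bytes(8, "big")
    return hmac.compare_digest(expected, presented.to_bytes(8, "big"))


def provision(subnet_key: bytes, port_guids):
    """Per-port MKeys for a list of PortGUIDs, all from the one subnet key."""
    return {guid: derive_mkey(subnet_key, guid) for guid in port_guids}


if __name__ == "__main__":
    for guid, mkey in provision(SUBNET_KEY, PORT_GUIDS).items():
        print(f"PortGUID {guid:#018x} -> MKey {mkey:#018x}")
```

Each port ends up with a different MKey, a privileged entity holding only the subnet key can recompute any of them, and an MKey taken from one port does not validate for another.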