On 3/13/2012 12:35 PM, Jason Gunthorpe wrote:
> On Tue, Mar 13, 2012 at 08:31:50AM -0400, Hal Rosenstock wrote:
>> On 3/9/2012 1:04 PM, Jason Gunthorpe wrote:
>>> On Fri, Mar 09, 2012 at 07:59:58AM -0500, Hal Rosenstock wrote:
>>>
>>>> What mkey model is being proposed here? It looks to me like it is a
>>>> single mkey for all ports in the subnet which is the simplest but least
>>>> flexible model. If so, I think we need something more flexible as IBA
>>>> allows each port to have its own different mkey.
>>>
>>> I would like to see some general agreement on a generator for mkey,
>>> something like:
>>>
>>>   MKey = HMAC(Subnet_KEY,PortGUID)
>>>
>>> This blinds the mkey in case a port is compromised but still lets
>>> privileged entities compute it from a single key.
>>
>> As there is no standard for this and there are various different
>> requirements here, I'm not sure that one algorithm fits all so IMO it's
>> best to make this as flexible as possible and allow for various
>> algorithms/approaches to be open sourced.
> 
> That would be a disaster from a usability and security perspective. We
> need one really good standard, not tens of half baked ideas. MKey
> generation is such a minor point in the grand scheme of things, giving
> people lots of choice makes no sense.

I've already heard several ideas on what MKey generation should be and
not just the ones on the list so far. I doubt there will be agreement by
all parties on this and I think different schemes can be accommodated.
It's either that or the standard tools will support one scheme and there
will be several "proprietary" variants of the tools in those
environments which I think would not be good.

-- Hal

> Jason
> 
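
The generator quoted above, MKey = HMAC(Subnet_KEY,PortGUID), sketched as an added example that is not part of the original thread or of any InfiniBand tool. The hash (HMAC-SHA-256), the big-endian GUID encoding, the truncation to 64 bits, the retry counter and the function names are all assumptions made for illustration; the key and GUIDs are constructed sample values.

```python
import hashlib
import hmac
import struct


def derive_mkey(subnet_key: bytes, port_guid: int) -> int:
    """Per-port MKey = HMAC(Subnet_KEY, PortGUID), truncated to 64 bits.

    Assumed details (not from the thread): HMAC-SHA-256, GUID packed
    big-endian, leftmost 8 digest bytes kept, one counter byte appended.
    """
    if len(subnet_key) < 16:
        raise ValueError("subnet key should be at least 128 bits")
    if not 0 <= port_guid < 1 << 64:
        raise ValueError("port GUID must fit in 64 bits")
    for counter in range(256):
        msg = struct.pack(">QB", port_guid, counter)
        digest = hmac.new(subnet_key, msg, hashlib.sha256).digest()
        mkey = int.from_bytes(digest[:8], "big")
        if mkey != 0:  # an M_Key of 0 means no M_Key check, so never emit it
            return mkey
    raise RuntimeError("could not derive a non-zero M_Key")


def check_mkey(subnet_key: bytes, port_guid: int, presented: int) -> bool:
    """Recompute the port's key from the subnet key, compare in constant time."""
    if not 0 <= presented < 1 << 64:
        return False
    expected = derive_mkey(subnet_key, port_guid).to_bytes(8, "big")
    return hmac.compare_digest(expected, presented.to_bytes(8, "big"))


# Constructed sample values, for illustration only.
SAMPLE_SUBNET_KEY = bytes(range(32))
SAMPLE_PORT_GUIDS = [0x0002C90300000001, 0x0002C90300000002]

if __name__ == "__main__":
    for guid in SAMPLE_PORT_GUIDS:
        print(f"{guid:#018x} -> {derive_mkey(SAMPLE_SUBNET_KEY, guid):#018x}")
```

A privileged tool holding only the subnet key can recompute any port's key on demand, while a key read out of one port reveals neither the subnet key nor another port's key.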
