On 6/28/05, Michael S. Tsirkin <[EMAIL PROTECTED]> wrote: > Hi, James! > > I dont know much about dapl, so forgive me if the question is naive: > > Quoting r. James Lentini <[EMAIL PROTECTED]>: > > > > + CM Private Data > > > > The active side of an IB connection could place its source IP > > address in the CM's private data. The passive side would retrieve > > the source IP from this location. > > > > ... > > > > The security of this is very week. An end node could easily present > > a false IP address. > > Once you have the IP from CM private data, what prevents you from resolving it > back to hardware address (by sending an ARP request with the IP address that > you got)? > > You get back the IPoIB hardware address: GID+QPN, and can verify that > the GID matches the GID that you got from CM. > > The security of this seems to be at least as good as the one you get on > regular IP networks. > > Does this make sense at all? >
The CM private data is private. It is not supposed to be interpreted by the Provider, only by the application. The essential issue here is how you validate an L3 network address. DAT defines it as having been done, however, before it is delivered to the applicaition. I haven't seen an argument yet as to why this goal is not achievable without changing the API -- which works perfectly well over IP networks. _______________________________________________ openib-general mailing list openib-general@openib.org http://openib.org/mailman/listinfo/openib-general To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
