Re: [nfsv4] WG last call for draft-ietf-nfsv4-rpcrdma-cm-pvt-data-02.txt (Ends May 31st)

[Tom Talpey <tom@talpey.com>]

On 6/12/2019 3:07 PM, Chuck Lever wrote:
> [ Already "good" replacements have been snipped ]
> 
>> On Jun 11, 2019, at 4:35 PM, Tom Talpey <tom@talpey.com> wrote:
>>
>> On 6/11/2019 3:20 PM, Chuck Lever wrote:
>>
>>>> In section 3.2 third paragraph two comments. First, it describes an
>>>> advantage of avoiding a context switch. This is a local implementation
>>>> matter, and not really something the protocol can or cannot proscribe.
>>>> It would be state the benefit in protocol terms, such as "avoids
>>>> processing of the invalidate completion", then go on to say which may
>>>> enable avoiding interrupt(s) and context switch(es). Second, a nit - the
>>>> word "upshot" is slang. Suggest "benefit".
>>> I plan to replace the third paragraph of Section 3.2:
>>> OLD TEXT:
>>> An RPC-over-RDMA responder can use remote invalidation
>>> when replying to an RPC request that provided Read or
>>> Write chunks. The requester thus avoids dispatching an
>>> extra Work Request, the resulting context switch, and
>>> the invalidation completion interrupt as part of
>>> completing an RPC transaction that uses chunks. The
>>> upshot is faster completion of RPC transactions that
>>> involve RDMA data transfer.
>>> REPLACEMENT TEXT:
>>> An RPC-over-RDMA responder can use remote invalidation
>>> when replying to an RPC request that provided chunks.
>>> The requester thus avoids processing an invalidation
>>> completion for that chunk. The benefit is faster
>>> completion of RPC transactions that involve RDMA data
>>> transfer.
>>
>> The words "The requester thus avoids processing..." don't quite
>> capture the benefit, I feel. In particular, "processing" is a
>> rather passive term and doesn't capture the full benefit.
>>
>> Here's a swag:
>>
>> "This extensions provides a means for the RPC-over-RDMA requester
>> to signal the responder to optionally use this remote invalidation
>> when replying to an RPC request that provided chunks. In this way,
>> the RDMA provider performs the invalidation in the process of
>> delivering the response, which allows the requester to avoid
>> required additional, and possibly expensive, invalidation prior
>> to finalizing the results of the RPC."
>>
>> I admit, it's tricky language to get right. Maybe it can be stated
>> more simply.
> 
> The preceding paragraphs already provide the same context
> that you suggested above. I've updated the third paragraph
> again. Here is how Section 3.2 starts now:

Sorry, I thought I had gone back to look at the document and didn't see
this in the section. I guess my comment is a nit, in that case:

> After an RDMA data transfer operation completes, an RDMA peer can use
> remote invalidation to request that the remote peer RNIC invalidate
> an STag associated with the data transfer [RFC5042].

The phrase "can use" might seem to imply that rpcrdmav1 allows it. In
fact, these introductory paragraphs are describing generic RDMA
capabilities. So, perhaps stating this as "an RDMA consumer can use
RDMA remote invalidation...", instead of the ambiguous "peer".
Using the term consumer matches the next paragraph, which continues
the thought.

> An RDMA consumer requests remote invalidation by posting an RDMA Send
> With Invalidate Work Request in place of an RDMA Send Work Request.
> Each RDMA Send With Invalidate carries one STag to invalidate.  The
> receiver of an RDMA Send With Invalidate performs the requested
> invalidation and then reports that invalidation as part of the
> completion of a waiting Receive Work Request.
> 
> An RPC-over-RDMA responder uses remote invalidation when replying to
> an RPC request that provided chunks.  Because one of the chunks has
> already been invalidated, finalizing the results of the RPC is made
> simpler and faster.

But, this final paragraph jumps the gun. It's only when this extension
is in place that this can happen. So perhaps "With the extension defined
in this document, an RPC-over-RDMA responder can use remote
invalidation..."

>>>> At the end of section 3.2, the final paragraph is quite mysterious. It
>>>> refers to "a simple signaling mechanism" and "some NFS/RDMA client".
>>>> Really, something more needs to be said here. If this signaling
>>>> mechanism involves a protocol payload, then definitely so. Can you
>>>> elaborate? I admit I don't fully understand what is meant here.
>>> I plan to replace the final paragraph of Section 3.2:
>>> OLD TEXT:
>>> However, it is possible to provide a simple signaling mechanism
>>> for a requester to indicate it can deal with remote invalidation
>>> of any STag it has presented to a responder.
>>> There are some NFS/RDMA client implementations that
>>> can successfully make use of such a signaling mechanism.
>>> REPLACEMENT TEXT:
>>> There are some NFS/RDMA client implementations whose STags
>>> are always safe to invalidate remotely.
>>> For such clients, indicating to the responder that remote
>>> invalidation is always safe can allow such invalidation
>>> without the need for more complex communication between the
>>> requester and responder.
>>
>> "...without the need for additional protocol to be defined for
>> management of STags between requester and responder."
>>
>> Maybe?
> 
> This works for me:
> 
> There are some NFS/RDMA client implementations whose STags are always
> safe to invalidate remotely.  For such clients, indicating to the
> responder that remote invalidation is always safe can allow such
> invalidation without the need for additional protocol to be
> defined.

Ok.

>>>> In section 7, the vulnerability is in the RDMA-CM protocol, not this
>>>> protocol. And, private data is carried differently by different lower
>>>> layers - for example in the IETF iWARP family, it's part of MPA.
>>>> Honestly, I'm not sure this is relevant to this document. It basically
>>>> inherits all the considerations of the protocols it extends.
>>> I've replaced the entirety of the Security Considerations
>>> section as follows:
>>> OLD TEXT:
>>> RDMA-CM Private Data typically traverses the link layer in
>>> the clear. A man-in-the-middle attack could alter the
>>> settings exchanged at connect time such that one or both
>>> peers might perform operations that result in premature
>>> termination of the connection.
>>> REPLACEMENT TEXT:
>>> The private data extension specified in this document
>>> inherits the security considerations of the link layer
>>> protocols it extends (e.g., the RDMA-CM protocol).
>>
>> Hmm, this will trigger the next logical question "where is this protocol
>> defined?", and the answer ("outside the IETF") will cause trouble.
>>
>> Also, it's not strictly the link layer. All the IETF RDMA protocols
>> operate above transport.
>>
>> I'd suggest keeping the example to the IETF-owned MPA protocol, which
>> is the one governing RDMA connection establishment and which carries
>> private data. I.e, RFC 5044 (MPA) and RFC6581 (MPA extensions). MPA, in turn, makes its own security considerations and refers to RFC5042 (the
>> original RDMA Security analysis), which may be a useful reference but
>> is not specifically about connection establishment.
> 
> In it's entirety, the Security Considerations section now reads:
> 
> The private data extension specified in this document inherits the
> security considerations of the link layer protocols it extends; e.g.,
> the MPA protocol, as specified in [RFC5044] and extended in
> [RFC6581].  Additional relevant analysis of RDMA security appears in
> the Security Considerations section of [RFC5042] but it is not
> specifically about connection establishment.

The paragraph still refers to "link layer protocols". The simplest
solution is to simply drop "link layer".

I added that last bit "but it is not specifically..." for discussion.
In the document, just drop it if you're satisfied with the open-ended
reference. Since a similar open-ended RFC5042 one is made earlier,
I guess it's ok to do so again.

Tom.