[rddp] RDDP WG Seoul minutes
Black_David@emc.com Wed, 24 March 2004 15:40 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01587 for <rddp-archive@odin.ietf.org>; Wed, 24 Mar 2004 10:40:45 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B6AUL-0005a8-Vl for rddp-archive@odin.ietf.org; Wed, 24 Mar 2004 10:40:18 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i2OFeHZQ021452 for rddp-archive@odin.ietf.org; Wed, 24 Mar 2004 10:40:17 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B6AUL-0005Zv-OM for rddp-web-archive@optimus.ietf.org; Wed, 24 Mar 2004 10:40:17 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01563 for <rddp-web-archive@ietf.org>; Wed, 24 Mar 2004 10:40:14 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B6AUJ-0004Oa-00 for rddp-web-archive@ietf.org; Wed, 24 Mar 2004 10:40:15 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B6ASp-00047J-00 for rddp-web-archive@ietf.org; Wed, 24 Mar 2004 10:38:46 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1B6ARE-0003m6-00 for rddp-web-archive@ietf.org; Wed, 24 Mar 2004 10:37:04 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B6ARB-0004tX-IX; Wed, 24 Mar 2004 10:37:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1B6AR6-0004s9-4J for rddp@optimus.ietf.org; Wed, 24 Mar 2004 10:36:56 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01171 for <rddp@ietf.org>; Wed, 24 Mar 2004 10:36:52 -0500 (EST)
From: Black_David@emc.com
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1B6AR3-0003jq-00 for rddp@ietf.org; Wed, 24 Mar 2004 10:36:53 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1B6AOH-00031h-00 for rddp@ietf.org; Wed, 24 Mar 2004 10:34:08 -0500
Received: from mxic2.corp.emc.com ([128.221.12.9]) by ietf-mx with esmtp (Exim 4.12) id 1B6AHD-0000uJ-00; Wed, 24 Mar 2004 10:26:43 -0500
Received: by mxic2.corp.emc.com with Internet Mail Service (5.5.2653.19) id <HSHHQQ7G>; Wed, 24 Mar 2004 10:26:07 -0500
Message-ID: <B459CE1AFFC52D4688B2A5B842CA35EA7A5795@corpmx14.us.dg.com>
To: rddp@ietf.org, minutes@ietf.org
Date: Wed, 24 Mar 2004 10:26:05 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Subject: [rddp] RDDP WG Seoul minutes
Sender: rddp-admin@ietf.org
Errors-To: rddp-admin@ietf.org
X-BeenThere: rddp@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rddp>, <mailto:rddp-request@ietf.org?subject=unsubscribe>
List-Id: IETF Remote Direct Data Placement (rddp) WG <rddp.ietf.org>
List-Post: <mailto:rddp@ietf.org>
List-Help: <mailto:rddp-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rddp>, <mailto:rddp-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.3 required=5.0 tests=AWL, NO_REAL_NAME autolearn=no version=2.60
RDDP WG meeting minutes IETF-59, Seoul March 3, 15:30-17:30 ----------------------- Many thanks to Tom Talpey for taking these minutes. The agenda was: - Agenda Bashing and Administrivia (5 min) - Blue Sheets - NOTE WELL - Status of drafts (5 min) - Applicability Statement (5 min) (draft-ietf-rddp-applicability-01.txt) Mostly a status update. - DDP and RDMAP drafts (10 min) (draft-ietf-rddp-ddp-02.txt, draft-ietf-rddp-rdmap-01.txt) Mostly a status update. - SCTP Mapping (5 min) (draft-ietf-rddp-sctp-00.txt) Despite the -00 version number, this is the fourth version of this draft, and it is relatively mature. - TCP mapping (30 min) (draft-ietf-rddp-mpa-00.txt, draft-culley-mpa-issueresponses-00.txt) The mpa-issueresponses draft is a separate draft from the MPA authors describing issues raised in MPA and proposed approaches. - Security (60 min) (draft-ietf-rddp-security-01.txt) Time allocated reflects the importance of progress on this draft. ----- Agenda bashed - no changes Blue sheets, Note Wells, etc. - Status of drafts (David Black, WG chair): Problem Statement, architecture documents are in IESG discussion. Feedback from IESG is in-progress and docs will be revised. Main protocols (DDP, RDMAP): No open issues. Changes are expected in the Security Considerations, however. Applicability Statement: Probably in good shape, but please take a new look in light of current progress. SCTP mapping: One open issue - need for active/active startup? The plan is to discuss this in context of MPA, and provide the same functionality via TCP and SCTP for consistency. This document will be a Proposed Standard RFC. MPA (TCP mapping): Open issues revolve completely around startup, not operation. To be discussed today. This document will be an Informational RFC. Security mapping: WG chair has consulted with Area Director - this will be a Proposed Standard RFC. Because it covers endpoint behavior, it's appropriate for a standards draft. Also, the IPsec mapping is applicable to multiple transport protocols, so its text can and should be shared in a single RFC. - TCP Mapping (MPA) discussion. (David Black presenting for Paul Culley) (see presentation C-MPA update040225.ppt) (1) Fast FPDU return (responder need not wait for first pdu). Tentative proposal: leave as-is (responder must wait). No dissension in room. This is not needed for client/server, as the server expects to wait for the client. Need to take proposal to the list. (2) Active/Active startup. Tentative proposal: leave as-is (no support for active/active). No dissension in room. Note, no known applications require it. Need to take proposal to the list. (3) Rejected Connection bit. Dissension expressed, this leads to interoperability issues because it forces a ULP to interpret private data to figure out that the connection setup failed, and requires MPA to handle TCP close specially (more detail in mail to list). Further discussion: Q: If MPA does not do "teardown", why is the bit needed to free resources at MPA layer? A: Practically speaking, implementations will allocate and free resources in MPA (e.g. connection model in kernel), this enables layering and better control. A: The bit will prevent some timed-wait resource consumption issues, if used properly (this is about cooperating systems, not malicious resource consumption attacks). Rough consensus in room to include the bit. Take to list. See presentation for other nits in-progress (will be taken care of in next revision of draft). NOTE: separate list consensus call emails will be sent to start and focus discussion on issues (1) thru (3). Please wait for them! - Security discussion (Ellen Deleganes): (see presentation D-RDDP Security presentation 040302.ppt) New author, Sara Bitan, joins Jim Pinkerton and Ellen. Main change, the document has been reorganized. This is in response to comments, and all feedback is welcomed. The term "Partial Trust" was changed - needed a crisper meaning. Now called "Partial Mutual Trust". Defines a cooperative set of streams. Discussion: what does this mean? Concept seems better but the name is still problematic. Basically, it seems to define a set of assumptions that can allow simplification (efficiency) for cooperative streams. Trusting that they will not attack one another - but still protecting the server. "Queue"-level granularity is new (and useful) text. But, the word "queue" may have to go, because the doc will be normative. We can't assume a queue in normative text. Or, add text such as "the use of the word 'queue' does not imply that this implementation actually contains a queue"... New section - "security services for RDDP" - has a list of attacks listed - good progress. One issue in Security section - now mentions SSL. This will require more text because of ordering issues. SSL is a bad match because of its stream orientation. Section 9 - Should we require IPsec, and therefore implement this section, or make it optional? Suggestion that it be made "mandatory-to-implement, optional-to-use." It was observed that IPS had a similar section because it needed it. Also, now that there is the IKEv2 specification to refer to, the problem is no longer so difficult to document. Look at IKEv2 and new "Cryptographic Algorithms for IKEv2" draft. If these are used this section in the RDDP security draft may not be necessary, as an IKEv2 reference will be adequate. (4) Core question: Should we say that IPsec is mandatory for RDDP? Secondary question: What parts do we actually require? (IKEv2?) Take to list! Also, take to NFSv4 WG the next day. (NFS has no such requirement currently, and has its own RPCSEC_GSS security support). The mandatory security item generated significant discussion but was highly inconclusive. It was observed that mandatory-to-implement would be a significant enhancement to the review approval process. Appendix A - remove or keep? No conclusion, but possibly best to remove? May want to keep some of it - taxonomy, etc., which contains useful raw material for a revised Summary section. Summary section: perhaps have a summarized list of MUST and SHOULD requirements, etc. Partial placement text additions are an open issue. (e.g. place code, via RDMA into a buffer, then attack the server in some other fashion to run that code) Draft should note these as a risk and state that buffer overflow protection is actually stronger with RDMA, and why (byte-level protection with bounds). (5) Need to address "protection for shared RQ" problem. The security draft makes a "valiant" attempt to make it a ULP issue - but can't. Exhaustion of receive buffers is a key attack. Is this the job of each and every ULP, or RDDP's? Probably the latter. OTOH, there is general discomfort with specifying this in a fashion that would require checking it in the fast receive path (e.g., in hardware in a hardware-optimized implementation). Scenario - server mis-implements resource management, bug in one handler drags down others. E.g., a multiprotocol server with busted filesystem component kills HTTP, etc. "Unsafe by design", i.e. RDDP should not impose non-uniform controls. The goal is to specify a functionality that is guaranteed to exist, though possibly overridable given sufficient trust. Absence of any required control here doesn't line up with the Partial Mutual Trust concept discussed earlier. Proposed approach: Require a default implementation of this protection, as part of the Privileged Resource Manager. Privileged protocols can override it, but the base function is always provided. Does a similar situation exist for CQs? (Response: yes, with suppressed completions, underprovision is desirable!) NOTE: separate list consensus call emails will be sent to start and focus discussion on issues (4) and (5). Please wait for them! ---- At the end of the session, the Area Director commented he was glad to see significant work being done in meeting, and was pleased with the progress. <adjourns 17:05> _______________________________________________ rddp mailing list rddp@ietf.org https://www1.ietf.org/mailman/listinfo/rddp
- [rddp] RDDP WG Seoul minutes Black_David
- Re: [rddp] RDDP WG Seoul minutes John Hufferd
- RE: [rddp] RDDP WG Seoul minutes Black_David