Thanks Hal. I appreciate using the SM is the correct means of controlling 
partitioning; however, the testing I am performing is assessing security 
vulnerabilities. In this case, the two clusters are separated by partitioning 
only and I am seeking to assess the ability of a user to obtain unauthorised 
access to one cluster from the other. The requirement for the vendor building 
the two clusters was that they were isolated from each other. They have chosen 
to use one switch and I have to assess if this provides adequate isolation, as 
per the client's security requirements.

At this stage of my investigation, I do not believe partitioning on a switch 
provides adequate separation / isolation to be used as a security control and 
two physical switches will need to be used to provide the complete isolation 
that is required. But my task is to prove this to justify the expense.... :) 

I value any comments or input on this topic.


----------------------------------------
> Subject: Re: ***SPAM*** RE: [ofa-general] Is IBIS only for querying OpenSM?
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]; [email protected]
> Date: Fri, 18 Apr 2008 07:37:51 -0700
> 
> Terry,
> 
> On Fri, 2008-04-18 at 09:38 +0000, terry watson wrote:
>> Thanks for the response. The environment I am testing has two clusters and one switch,
>> with the subnet manager running from the switch. Half the nodes are in one partition and
>> half in the other (ignoring 0xffff), call them partitions A and B. I have access to one
>> node in partition A as root and would like to be able to reconfigure that node locally,
>> and with no access to the switch subnet manager configuration, to be able to access nodes
>> in partition B.
> 
> In general, this is not a good idea IMO. As Philippe wrote, the SM (is
> supposed to) own the writing of those tables (rather than some low level
> diag utility). Even if you modify the local PKey table, it is possible
> for the SM to overwrite this. Also, there are several other
> ramifications of this depending on how the SM deals with partitions.
> Even if you change things locally, that may not be sufficient as the
> peer switch port may do partition filtering so you may need to change
> that too and possibly more PKey tables in the network depending on what
> your SM does. Also, there are SA responses that depend on the SM having
> correct knowledge (like PathRecords and others) so the end node may not
> get any response on that partition for certain things.
> 
>> After some reading I believe that IBIS from IBUtils should allow me to alter the
>> local p_key table and therefore allow me to access nodes on partition B.
> 
> Yes but it may take more than this for it to work depending on your SM.
> 
>> I cannot test this until I am on-site and I am formulating a strategy before arrival.
>> If it does not work this way it would be useful to know in advance. MPI is used rather than IPoIB.
> 
> Some MPIs use out of band mechanisms to create connections so the SA
> issues may not apply there; but I think the partition ones might and are
> SM dependent so your mileage may vary...
> 
>> If my approach is flawed I would appreciate it if someone could point this out.
> 
> The proper way to do this is by reconfiguring your SM.
> 
> -- Hal
> 
>> ________________________________
>>> Date: Fri, 18 Apr 2008 09:35:42 +0200
>>> From: [EMAIL PROTECTED]
>>> To: [EMAIL PROTECTED]
>>> CC: [email protected]
>>> Subject: Re: [ofa-general] Is IBIS only for querying OpenSM?
>>> 
>>> terry watson wrote:
>>> 
>>> Hi all,
>>> 
>>> I will be performing some testing of partitioning used as a security 
>>> control. Am I right in believing that IBIS will be able to set partition 
>>> table values of the local compute node I am logged on to, even though they 
>>> are not using OpenSM, but rather a SM on a switch? Could I then attempt to 
>>> access a partition that I was originally excluded from accessing?
>>> 
>>> I am new to Infiniband technology and would also appreciate a response from 
>>> an expert who has views on the strength of the security that partitioning 
>>> provides in separating two clusters that should have no interaction 
>>> whatsoever.
>>> 
>>> Thanks,
>>> Dave
> 

general mailing list
[email protected]
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general

To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
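
An added example, not part of the original thread or of IBUtils/OpenSM: a defender-side check that compares a node port's P_Key table with the partition membership the SM is configured to assign, so that a locally altered table of the kind discussed above shows up as a deviation. The partition keys 0x0001 and 0x0002 and the sample table are constructed for illustration; the sysfs layout is the one the Linux InfiniBand stack exposes under /sys/class/infiniband.

```python
from pathlib import Path

FULL_MEMBER = 0x8000   # top bit of a 16-bit P_Key: 1 = full member, 0 = limited
BASE_MASK = 0x7FFF     # low 15 bits identify the partition


def read_pkey_table(dev, port, root="/sys/class/infiniband"):
    """Return a port's P_Key table as ints, ordered by table index."""
    d = Path(root) / dev / "ports" / str(port) / "pkeys"
    entries = sorted(d.iterdir(), key=lambda p: int(p.name))
    return [int(p.read_text().strip(), 16) for p in entries]


def audit_pkeys(table, expected):
    """Compare a P_Key table with the intended partition membership.

    expected maps partition base key -> True (full member) or False (limited).
    Returns (index, pkey, reason) for every entry that deviates.
    """
    findings, seen = [], set()
    for idx, pkey in enumerate(table):
        if pkey == 0:                       # 0x0000 is an unused slot
            continue
        base = pkey & BASE_MASK
        seen.add(base)
        if base not in expected:
            findings.append((idx, pkey, "unexpected partition"))
        elif (pkey & FULL_MEMBER) and not expected[base]:
            findings.append((idx, pkey, "full membership where limited expected"))
    for base in sorted(set(expected) - seen):
        findings.append((None, base, "expected partition missing"))
    return findings


# Constructed sample: a node meant to be in the default partition and in
# partition A (0x0001, assumed), whose table also carries partition B (0x0002).
EXPECTED = {0x7FFF: True, 0x0001: True}
SAMPLE_TABLE = [0xFFFF, 0x8001, 0x8002, 0x0000]

if __name__ == "__main__":
    for idx, pkey, reason in audit_pkeys(SAMPLE_TABLE, EXPECTED):
        print(f"index={idx} pkey={pkey:#06x} {reason}")
```

Because the scenario in the thread assumes root on the node, the comparison is better run from a management host over collected tables, alongside the switch-port partition filtering Hal mentions, than trusted from the node's own report.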