On Wed, Oct 17, 2007 at 10:44:27AM -0500, Nicolas Williams wrote:
> On Wed, Oct 17, 2007 at 11:24:26AM -0400, Bill Sommerfeld wrote:
> > On Wed, 2007-10-17 at 16:07 +0100, Paul Jakma wrote:
> > > Firmware 'near' the NIC (I've never seen an explanation of the exact 
> > > mechanism) interposes itself between hardware and OS and 'hijacks' 
> > > traffic to that port. It never makes it to the OS.
> > 
> > one implication of this is that, when this is in use, the NIC cannot be
> > part of a L2 aggregation (because the upstream switch will load-spread
> > some of the management traffic flows to other ports in the aggregation).
> > 
> > And using it with other L2/L3 redundancy technologies (such as IPMP and
> > OSPF-MP) is going to be tricky (the shared management IP address must
> > not be seen as reachable via other NICs).  
> 
> My impression was that the AMT chip gets its own IPv4 address.

OK, looking at the deployment guide[0], pg. 7-8, there are two options:

 - static addressing

   The AMT gets its own IP address (it's implied that this is IPv4 only)
   and hostname, and the host OS must have a separate one.

   It's unclear from the deployment docs whether the host OS can use
   DHCP while the AMT address is statically configured.


 - dynamic addressing

   The AMT shares an address obtained via DHCP with the host OS.

   It's unclear from the deployment docs whether the host OS can
   virtualize the NIC.

It is clear, however, that there's at least one configuration where the
AMT and the host OS share an IP address, and another where they do not.

Perhaps one of the white papers will answer some of the things that are
not clear in the deployment guide.

Features available through the AMT (deployment guide[0] pg. 9-10):

 - Asset information
 - Wake-up
 - Remote control operations (?)
    - apparently including firmware updates
    - and other things (including TLS trust anchors, server cert mgmt,
      etc...)
 - Serial over LAN and IDE redirection[1] (yes, as in disk I/O)

 - AMT user accounts and ACL management

Authentication options apparently include DIGEST-MD5, Kerberos V, and
TLS client certificates (that is, the management console can have a
private key and a certificate that it uses to authenticate to the AMTs).
I did not find details of how Kerberos V is used (it can be used badly).
TLS PSK is apparently supported using a one-time key burned into the
AMT.

[0]  http://download.intel.com/business/vpro/pdfs/deployment_guide.pdf
[1]  http://softwareblogs.intel.com/2007/03/06/experimenting-with-ide-redirect-over-the-internet/

Nico