Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/85175

Full metadata record

DC Field | Value | Language
dc.contributor.advisor | 洪士灝(Shih-Hao Hung) |
dc.contributor.author | Liang-Jie Lee | en
dc.contributor.author | 李亮節 | zh_TW
dc.date.accessioned | 2023-03-19T22:48:16Z | -
dc.date.copyright | 2022-08-10 |
dc.date.issued | 2022 |
dc.date.submitted | 2022-08-08 |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/85175 | -
dc.description.abstract | Remote Direct Memory Access (RDMA) is widely used in datacenters to build efficient resource disaggregation systems. RDMA allows computers to exchange data with ultra-low latency and high bandwidth with little or no CPU involvement, which enables many state-of-the-art cloud services to achieve both high performance and effective resource utilization. However, in mainstream implementations of traditional RDMA protocols such as Infiniband and RDMA over Converged Ethernet (RoCE), the main design consideration is how to use hardware acceleration to improve performance, and security is often not taken into account. This creates a serious obstacle to extending RDMA to scenarios other than high-performance applications. To address this, we propose the Secure SoftRoCE (SSR) framework, which aims to solve RDMA's security problems in software through SoftRoCE. This thesis discusses how SSR overcomes the security vulnerabilities in the RDMA protocols and presents several mitigation methods to demonstrate the feasibility of the framework, including packet encryption, source authentication, virtual QPN, fine-grained resource management, and a general transmission monitoring mechanism. This thesis also evaluates the potential performance impact of these mitigations and discusses the feasibility of applying SSR in real-world scenarios. | zh_TW
dc.description.abstract | Remote Direct Memory Access (RDMA) is popularly used for building highly efficient resource disaggregation systems in datacenters. RDMA allows computers to exchange data with ultra-low latency and high bandwidth with no or little CPU resources, which enables numerous state-of-the-art cloud services to achieve high performance and effective resource utilization. Unfortunately, traditional RDMA protocols in mainstream implementations such as Infiniband and RDMA over Converged Ethernet (RoCE) are usually designed with hardware accelerators in mind, which focus mainly on performance instead of security and have become serious concerns today for extending the usage of RDMA beyond high-performance computing applications. As a remedy, we propose a framework called Secure SoftRoCE (SSR), which invokes SoftRoCE to address the security concerns with software methods. In this thesis, we discuss how SSR may overcome security vulnerabilities in the RDMA protocols and present several mitigation techniques to demonstrate the effectiveness of the proposed framework, including payload encryption, source authentication, virtual QPN, fine-grained resource management, and a general transmission monitoring mechanism. Meanwhile, we evaluate the potential performance impact of those mitigation techniques to discuss the practicality of applying SSR to real workloads. | en
dc.description.provenance | Made available in DSpace on 2023-03-19T22:48:16Z (GMT). No. of bitstreams: 1. U0001-0208202223201600.pdf: 2598599 bytes, checksum: 8c09b95f2e65d5347b04bd6d2b32b8fb (MD5). Previous issue date: 2022 | en
dc.description.tableofcontents |
    Verification Letter from the Oral Examination Committee
    Acknowledgements
    Abstract (Chinese)
    Abstract
    Contents
    List of Figures
    List of Tables
    Chapter 1 Introduction
    Chapter 2 Background and Related Works
      2.1 RDMA Overview
      2.2 RDMA Packet Format and Processing
      2.3 Known Security Issues of RDMA
      2.4 RDMA-over-IPsec
    Chapter 3 Methodology
      3.1 RDMA Ecosystem and SoftRoCE
      3.2 Design of SSR
      3.3 Payload Encryption
      3.4 Authentication and Extended PSN
      3.5 Virtual Queue Pair Number
      3.6 Resource Control
      3.7 Transmission Monitor
    Chapter 4 Evaluation
      4.1 Evaluation Setup
      4.2 Microbenchmark of Each Security Feature
      4.3 Performance of SSR
        4.3.1 Single QP with Various Message Sizes
        4.3.2 Scalability with Number of QPs
        4.3.3 Latency
      4.4 SSR Performance with RocksDB
        4.4.1 Single Thread with Various Value Size
        4.4.2 Scalability with Number of Threads
        4.4.3 Latency
      4.5 Comparison to Other Approaches
    Chapter 5 Conclusion and Future Works
    References
    Appendix A — SSR Utilities
      A.1 QPfs: Pseudo file system that presents information about QP
      A.2 RTOP: top for RDMA
dc.language.iso | en |
dc.subject | Datacenter | zh_TW
dc.subject | SoftRoCE | zh_TW
dc.subject | Network protocol | zh_TW
dc.subject | Remote direct memory access | zh_TW
dc.subject | Security | zh_TW
dc.subject | Datacenter | en
dc.subject | RDMA | en
dc.subject | SoftRoCE | en
dc.subject | Network Protocol | en
dc.subject | Security | en
dc.title | SSR: Strengthening the Security of RDMA Data Exchange in Datacenters Based on SoftRoCE | zh_TW
dc.title | Secure SoftRoCE (SSR): a Method based on SoftRoCE for Enhancing the Security of RDMA Data Transfers in Datacenters | en
dc.type | Thesis |
dc.date.schoolyear | 110-2 |
dc.description.degree | Master's |
dc.contributor.oralexamcommittee | 郭大維(Tei-Wei Kuo), 施吉昇(Chi-Sheng Shih), 劉邦鋒(Pangfeng Liu), 周志遠(Jerry Chou) |
dc.subject.keyword | Remote direct memory access, Datacenter, Security, Network protocol, SoftRoCE | zh_TW
dc.subject.keyword | RDMA, Datacenter, Security, Network Protocol, SoftRoCE | en
dc.relation.page | 50 |
dc.identifier.doi | 10.6342/NTU202201992 |
dc.rights.note | Authorization granted (open access on campus only) |
dc.date.accepted | 2022-08-08 |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW
dc.contributor.author-dept | Graduate Institute of Networking and Multimedia | zh_TW
dc.date.embargo-lift | 2027-08-05 | -
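Appears in collections: Graduate Institute of Networking and Multimedia

Files in this item:
File | Size | Format
U0001-0208202223201600.pdf (not authorized for public access) | 2.54 MB | Adobe PDF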