A Comprehensive Framework for Enhancing Security in InfiniBand Architecture
October 2007 (vol. 18 no. 10)
pp. 1393-1406
The InfiniBand™ Architecture (IBA) is a promising communication standard for building clusters and system area networks. However, the IBA specification has left out security aspects, resulting in potential security vulnerabilities that could be exploited with moderate effort. In this paper, we view these vulnerabilities from three classical security aspects, confidentiality, authentication, and availability, and investigate the following security issues. First, as groundwork for secure services in IBA, we present partition-level and queue pair-level key management schemes, both of which can be easily integrated into IBA. Second, for confidentiality and authentication, we present a method to incorporate a scalable encryption and authentication algorithm into IBA with little performance overhead. Third, for better availability, we propose a stateful ingress filtering mechanism to block denial of service (DoS) attacks. Finally, to further improve availability, we provide a scalable packet marking method for tracing back DoS attacks. Simulation results of an IBA network show that the security performance overhead of encryption/authentication on network latency ranges from 0.7% to 12.4%. Since stateful ingress filtering is enabled only when a DoS attack is active, there is no performance overhead in the normal situation.


Index Terms:
Cluster Security, InfiniBand Architecture, Galois/Counter Mode, Authentication, Encryption, Availability, DoS
Manhee Lee, Eun Jung Kim, "A Comprehensive Framework for Enhancing Security in InfiniBand Architecture," IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 10, pp. 1393-1406, Oct. 2007, doi:10.1109/TPDS.2007.1079