Issue No. 10 - October (2007 vol. 18)
The InfiniBand™ Architecture (IBA) is a promising communication standard for building clusters and system area networks. However, the IBA specification has left out security aspects, resulting in potential security vulnerabilities which could be exploited with moderate effort. In this paper, we view these vulnerabilities from three classical security aspects: confidentiality, authentication, and availability and investigate the following security issues. First, as groundwork for secure services in IBA, we present partition-level and queue pair-level key management schemes, both of which can be easily integrated into IBA. Second, for confidentiality and authentication, we present a method to incorporate a scalable encryption and authentication algorithm into IBA with little performance overhead. Third, for better availability, we propose a stateful ingress filtering mechanism to block denial of service (DoS) attacks. Finally, to further improve the availability, we provide a scalable packet marking method tracing back DoS attacks. Simulation results of an IBA network show that the security performance overhead due to encryption/authentication on network latency ranges from 0.7% to 12.4%. Since the stateful ingress filtering is enabled only when a DoS attack is active, there is no performance overhead in a normal situation.
Cluster Security, InfiniBand Architecture, Galois/Counter Mode, Authentication, Encryption, Availability DoS
M. Lee and E. J. Kim, "A Comprehensive Framework for Enhancing Security in InfiniBand Architecture," in IEEE Transactions on Parallel & Distributed Systems, vol. 18, no. , pp. 1393-1406, 2007.