RE: [RFC] Direct Sockets Support??

From: Jesse Pollard (pollard@tomcat.admin.navo.hpc.mil)
Date: Thu May 03 2001 - 15:23:37 EST


--------- Received message begins Here ---------

>
>
> > Doesn't this bypass all of the network security controls? Granted
> - it is
> > completely reasonable in a dedicated environment, but I would
> think the
> > security loss would prevent it from being used for most usage.
>
> Direct Sockets makes sense only in clustering (server farms) to
> reduce intra-farm communication. It is *not* supposed to be used for regular
> internet. Direct Sockets over subnets is also tough to implement it across
> different topology subnets. Fabrics like Infiniband provide security on
> hardware, so there is no need to worry about it. The simple point is that
> hw supports TCP/IP, then why do we need a software TCP/IP over it?

Because the hardware doesn't have the users security context. All it can
see are addresses, socket numbers and protocol. Neither can it be extended
with that information (IPSec). Authentication of the connections are not
possible.

Now... If the server farm only runs one job at a time, it is irrelevent...

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Mon May 07 2001 - 21:00:18 EST