On 10/20/2011 08:56 AM, Justin Clift wrote:
>> (1) The SSL feature is implemented as part of the socket transport, so is not
>> applicable to RDMA. This also precludes using both transports at once, because
>> it would be bad to have asymmetric authentication.
>
> Thanks Jeff. Kind of thinking this SSL-not-available-for-that is probably a
> non-issue. Haven't ever heard of people sniffing Infiniband RDMA before, though
> it's probably possible with some even more exotic gear. (switch level port
> mirroring maybe?)

As you point out, being able to see the traffic might not be a problem. The
bigger problem is at the endpoints, because we rely on SSL for authentication
as well as encryption. As a result, there would be little point to using SSL
on the socket transport if an attacker could trivially spoof an identity by
using RDMA (including RoCE) instead.