svRDMA: Securing an RDMA Network in Virtualization Environments
摘要
Due to the kernel-bypass feature, the data transmission process in RDMA is hard to monitor for security concerns. Although numerous research efforts have been made on this issue, the results are still far from satisfactory given the diversity of threat models. In this paper we analyze the RDMA protocol and identify security holes in its data transmission and resource utilization. Then, based on the analytical results and inspired by the network routing capacity in the virtualized middle layer, we design a virtual security gateway, named svRDMA, as a middle-layer component to enforce network security control while maintaining flexibility at low cost. To prove the concept of svRDMA, we also implement a prototype based on an open-source virtualization framework and conduct empirical studies to evaluate its functionality and performance. Our results show that svRDMA can not only achieve second-level security protection but also maintain its high performance with a loss of less than 3%, compared to the default case in the absence of svRDMA, which implies that svRDMA is practical in reality and beneficial to a wide range of applications.