Abstract
InfiniBand is employed in applications outside of high performance computing, including in critical infrastructure assets. This requires efforts at securing InfiniBand networks with encryption and packet inspection. Unfortunately, the performance benefits realized via the use of remote direct memory access by InfiniBand are at odds with many kernel-stack-based IP datagram encryption and network monitoring technologies. As a result, it is necessary to offload these tasks to other hardware. A promising candidate is the NVIDIA Mellanox Bluefield-2 data processing unit, which combines high-performance processors, network interfaces and flexible hardware accelerators, and runs a tailored version of Linux that provides several network management applications.
This chapter characterizes the ability of Bluefield-2 data processing units to encrypt and monitor remote direct memory access traffic. The results demonstrate that the hardware accelerators of Bluefield-2 data processing units can support throughputs of nearly 86 Gbps when encrypting remote direct memory access over Converged Ethernet Version 2 traffic with Internet Protocol security (IPsec) encryption. Offloading IPsec encryption to the hardware accelerators on Bluefield-2 data processing units is a promising method for achieving confidentiality, integrity and authentication in InfiniBand networks with minimal interaction from host processors.
Copyright information
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
Diamond, N., Graham, S., Clark, G. (2022). SECURING INFINIBAND TRAFFIC WITH BLUEFIELD-2 DATA PROCESSING UNITS. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XVI. ICCIP 2022. IFIP Advances in Information and Communication Technology, vol 666. Springer, Cham. https://doi.org/10.1007/978-3-031-20137-0_11
DOI: https://doi.org/10.1007/978-3-031-20137-0_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-20136-3
Online ISBN: 978-3-031-20137-0
eBook Packages: Computer Science, Computer Science (R0)