Authors: LIU Yumeng (刘雨蒙); TANG Zhengliang (唐正梁); LU Songfeng (路松峰) [1,2]; ZHU Jianxin (朱建新) [1]; LIU Yunqu (刘运渠)
Affiliations: [1] Laboratory of Industrial Internet Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, Hubei, China; [2] Research Institute of Huazhong University of Science and Technology, Shenzhen 518057, Guangdong, China; [3] Jiangsu Viscore Technologies Company Limited, Suzhou 215000, Jiangsu, China
Source: Chinese Journal of Network and Information Security (《网络与信息安全学报》), 2024, No. 2, pp. 22-46 (25 pages)
Funding: 2023 Hubei Provincial Major Research Project (No.2023BAA027); Hubei Provincial Key Research and Development Program (No.2021BAA038); Shenzhen Science and Technology Program, Basic Research Project (No.JCYJ20210324120002006); Shenzhen Science and Technology Program, Technology Research Project (No.JSGG20210802153009028).
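Abstract (translated from the Chinese): Remote direct memory access (RDMA) is a communication method that effectively raises data transfer rates and lowers CPU utilization, and it plays an important role in transfers between cross-regional data centers, high-performance computing, fast data reads and writes, and similar fields. However, as an emerging technology, RDMA lacks a security scheme that is widely accepted by industry. As large numbers of RDMA applications expand from dedicated network environments to general Ethernet, it is necessary to attend to its security risks and to give it a set of protective measures that ensure security without affecting transmission efficiency. In addition, because of its special low-level implementation and protocol design, RDMA is not only incompatible with existing mature security schemes but also faces other, RDMA-specific security risks. To trace the development of RDMA attack and defense techniques and to provide security assurance for the coming large-scale deployment of RDMA, the paper introduces RDMA and its implementation principles, using the InfiniBand protocol and version 2 of the RDMA over Converged Ethernet protocol as examples; investigates the security risks that RDMA applications face in the relevant scenarios; summarizes recent attack and defense research in RDMA security; compiles effective security schemes that can address these risks; compares the strengths and weaknesses of these schemes, after demonstrating their defensive effectiveness, by combining theoretical analysis with experimental data; and proposes follow-up improvements and prospects for technical optimization in the RDMA attack and defense field.

Abstract (English, as published): The remote direct memory access (RDMA) technology, which has been effectively utilized to enhance data transfer rates and reduce CPU utilization, has played a significant role in various domains such as cross-regional data center transfers, high-performance computing, and rapid data read/write operations. However, despite its emerging status, RDMA has been lacking in widely recognized security solutions. With the expansion of RDMA applications from dedicated network environments to general Ethernet networks, the need to address the security risks faced by these applications has become imperative. A set of protective measures were established to ensure security without compromising transmission efficiency. Furthermore, the unique underlying implementation and protocol design of RDMA technology have resulted in incompatibility with existing mature security solutions and have led to the confrontation with specific security risks. The development of RDMA attack and defense technologies and the provision of security guarantees for the forthcoming widespread application of RDMA technology were elucidated. The principles of RDMA technology and its implementation were proposed, with examples drawn from the InfiniBand (IB) and the RDMA over converged Ethernet (RoCE) second edition protocols. The security risks faced by RDMA applications in relevant scenarios were investigated, and a summary of the research progress in the RDMA security field over recent years was provided. Effective security solutions addressing these risks were compiled and, after their defensive capabilities were proven, a comparison of their advantages and disadvantages was conducted through theoretical analysis and experimental data. Finally, improvement plans and prospects for technological optimization in the RDMA attack and defense field were proposed.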
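Keywords: remote direct memory access; InfiniBand protocol; RDMA over Converged Ethernet protocol; protocol vulnerability; protocol protection
Classification number: TP393 [Automation and Computer Technology: Computer Application Technology]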