
Systems with RDMA NICs shouldn't have encryption or signing enabled

Open: PrzemyslawKlys opened this issue 6 years ago (9 comments)

Title: Systems with RDMA NICs shouldn't have encryption or signing enabled

Severity: Warning

Date: 31.05.2018 22:33:35

Category: Configuration

Problem: Either signing or encryption is used on this server, which has RDMA NIC(s).

Impact: Having signing or encryption enabled may significantly degrade RDMA performance.

Resolution: Turn off signing and encryption to get the best performance from SMB Direct.

http://go.microsoft.com/fwlink/?LinkId=248016

PrzemyslawKlys, Sep 14 '19 06:09

https://support.microsoft.com/en-us/help/4458042/reduced-performance-after-smb-encryption-or-smb-signing-is-enabled

rafalfitt, Nov 07 '19 21:11

Yes, but it shouldn't matter for DCs.

PrzemyslawKlys, Nov 07 '19 21:11

From my experience I cannot agree with you.

rafalfitt, Nov 08 '19 07:11

Can you explain? The issue clearly describes

Several features such as Storage Spaces Direct (S2D) or Cluster Shared Volumes (CSV) use SMB as a protocol transport for intra-cluster communication. Therefore, the performance of S2D may be significantly affected by enabling SMB Signing or SMB Encryption that uses the RDMA network adapter.

This means mostly S2D and CSV should be affected. However, surely there is some performance impact on standard SMB too; what is the recommendation then?

PrzemyslawKlys, Nov 08 '19 08:11

"mostly S2D and CSV should be affected" nope: "Storage Spaces Direct (S2D) or Cluster Shared Volumes (CSV)" - it is OR, not AND.

You drew a wrong conclusion ("it shouldn't matter for DCs"): a DC can use S2D or CSV. Perhaps not widely used, but it still might be a problem.

rafalfitt, Nov 10 '19 11:11

To be honest, I don't know how to approach it. Security-wise you should enable encryption and signing. That's my goal here. Disabling this means less security.

PrzemyslawKlys, Nov 10 '19 12:11

On DCs, obviously SMB encryption should be enabled.

Shouldn't RDMA be disabled on the network controllers for performance then, since they don't play nicely together?

1n5aN1aC, Dec 11 '19 00:12

Security vs. performance: on DCs you should choose security ;-)

IMHO you could change the description and suggestion from "Systems with RDMA NICs shouldn't have encryption or signing enabled" to "Systems with SMB encryption or signing enabled might experience reduced networking performance on RDMA NICs".

Perhaps you could use the guidance from Microsoft: "For optimal SMB Direct performance, you can disable SMB Signing. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control. For optimal SMB Direct performance, you can disable SMB Encryption on the server for shares accessed by this client. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control. When requiring SMB Encryption, SMB Signing is not used, regardless of settings. SMB Encryption implicitly provides the same integrity guarantees as SMB Signing."

rafalfitt, Jan 03 '20 09:01
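A check for the situation this thread is about, written here as an added example and not Testimo's own test code: it lists the NICs with RDMA enabled next to the SMB server/client signing and encryption settings, then applies the conclusion reached above (on a domain controller keep signing and encryption; elsewhere disabling them is only acceptable on a trustworthy private network). The function names, the Pass/Warning/Info/Fail labels and the DomainRole-based DC detection are this example's own assumptions; the cmdlets are the standard NetAdapter, SmbShare and CIM ones and need an elevated session on Windows Server 2012 R2 or later.

```powershell
# Added example (not Testimo's code). Reports RDMA NICs alongside the SMB
# signing/encryption settings and classifies the combination, preferring
# security on domain controllers. Status labels are this example's own.
function Test-SmbDirectSecurityTradeoff {
    [CmdletBinding()]
    param()

    # NICs that are RDMA-capable and have RDMA enabled (what SMB Direct uses).
    $rdmaNics = @(Get-NetAdapterRdma -ErrorAction SilentlyContinue |
                  Where-Object { $_.Enabled })

    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    # Per-share EncryptData forces SMB Encryption for that share only.
    $encryptedShares = @(Get-SmbShare | Where-Object { $_.EncryptData })

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -in @(4, 5)

    $signingRequired = ($server.RequireSecuritySignature) -or ($client.RequireSecuritySignature)
    $signingEnabled  = $signingRequired -or ($server.EnableSecuritySignature) -or ($client.EnableSecuritySignature)
    # Encryption carries its own integrity protection; signing is not used on
    # encrypted sessions, so either setting triggers the RDMA performance cost.
    $encryptionEnabled = ($server.EncryptData) -or ($encryptedShares.Count -gt 0)

    $status = 'Pass'
    $reason = 'No NIC with RDMA enabled; SMB Direct is not in use.'
    if ($rdmaNics.Count -gt 0 -and ($signingEnabled -or $encryptionEnabled)) {
        if ($isDC) {
            $status = 'Info'
            $reason = 'Domain controller: keep signing/encryption; accept the SMB Direct cost or disable RDMA on the NIC.'
        } else {
            $status = 'Warning'
            $reason = 'Signing/encryption with RDMA NIC(s) reduces SMB Direct performance; disable only on trustworthy private networks with strict access control.'
        }
    } elseif ($rdmaNics.Count -gt 0) {
        if ($isDC) {
            $status = 'Fail'
            $reason = 'Domain controller with neither SMB signing nor encryption enabled.'
        } else {
            $reason = 'SMB Direct in use without signing/encryption (fast, not protected).'
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDC
        RdmaNics           = ($rdmaNics.Name -join ', ')
        SigningRequired    = [bool]$signingRequired
        SigningEnabled     = [bool]$signingEnabled
        EncryptionEnabled  = [bool]$encryptionEnabled
        EncryptedShares    = ($encryptedShares.Name -join ', ')
        Status             = $status
        Reason             = $reason
    }
}

# Hardening for the DC case the thread settles on: require signing and encrypt
# all server-side SMB traffic. Supports -WhatIf so it can be previewed first.
function Set-SmbServerSecurity {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require SMB signing and enable SMB encryption')) {
        Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -Force
    }
}

Test-SmbDirectSecurityTradeoff | Format-List
# Preview the hardening without applying it:
Set-SmbServerSecurity -WhatIf
```

The check deliberately treats per-share encryption as "encryption enabled", since a share with EncryptData set makes every session to it encrypted regardless of the server-wide EncryptData flag; on a DC the SYSVOL and NETLOGON shares are served by the same SMB server, so the server-wide setting is the one that matters there.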

Perhaps you could help out with PRs for descriptions and other things? You seem to know a lot and I would appreciate some help :-)

PrzemyslawKlys, Jan 03 '20 10:01