* RMCP support
From: Neeraj Ladkani @ 2019-09-11  5:27 UTC (permalink / raw)
  To: openbmc

Is there any plan to add RMCP support in IPMI LAN stack?




* Re: RMCP support
From: vishwa @ 2019-09-11  7:08 UTC (permalink / raw)
  To: Neeraj Ladkani, openbmc

Are you asking for something beyond what's already in 
https://github.com/openbmc/phosphor-net-ipmid ?

!! Vishwa !!

On 9/11/19 10:57 AM, Neeraj Ladkani wrote:
> Is there any plan to add RMCP support in IPMI LAN stack?

* Re: RMCP support
From: Vernon Mauery @ 2019-09-11 17:31 UTC (permalink / raw)
  To: Neeraj Ladkani; +Cc: openbmc

On 11-Sep-2019 05:27 AM, Neeraj Ladkani wrote:
> Is there any plan to add RMCP support in IPMI LAN stack?

There are no plans for adding RMCP support. RMCP is horribly insecure; 
even more insecure than the least secure RMCP+ cipher suites (not 
counting cipher suite 0, which should not even be a thing.)

Not implementing RMCP was an intentional choice. RMCP+ is insecure, 
especially with passwords shorter than 8 (as shown by Rick Altherr's 
OSFC 2019 presentation). It is recommended that RMCP+ is only used with 
cipher suite 17 and maximum length passwords (20 characters). Ideally, 
it would not be used at all, preferring Redfish, which uses modern 
crypto.

Every open source IPMI utility out there supports RMCP+. That should be 
used instead of RMCP.

--Vernon


* Re: RMCP support
From: Alexander Amelkin @ 2019-09-13  7:50 UTC (permalink / raw)
  To: openbmc


11.09.2019 20:31, Vernon Mauery wrote:
> On 11-Sep-2019 05:27 AM, Neeraj Ladkani wrote:
>> Is there any plan to add RMCP support in IPMI LAN stack?
> There are no plans for adding RMCP support. RMCP is horribly insecure; 
> even more insecure than the least secure RMCP+ cipher suites (not 
> counting cipher suite 0, which should not even be a thing.)
>
> Not implementing RMCP was an intentional choice. RMCP+ is insecure, 
> especially with passwords shorter than 8 (as shown by Rick Altherr's 
> OSFC 2019 presentation). It is recommended that RMCP+ is only used with 
> cipher suite 17 and maximum length passwords (20 characters). Ideally, 
> it would not be used at all, preferring Redfish, which uses modern 
> crypto.
>
> Every open source IPMI utility out there supports RMCP+. That should be 
> used instead of RMCP.

What about RMCP pings used for device discovery as described in section 13.13 of
IPMI specification?

AFAIK, it's not supported in OpenBMC and so `ipmiutil discover` fails to
discover OpenBMC devices.

With best regards,
Alexander Amelkin,
BIOS/BMC Team Lead, YADRO
https://yadro.com




* Re: RMCP support
From: Vernon Mauery @ 2019-09-13 18:41 UTC (permalink / raw)
  To: Alexander Amelkin; +Cc: openbmc

On 13-Sep-2019 10:50 AM, Alexander Amelkin wrote:
> 11.09.2019 20:31, Vernon Mauery wrote:
> > On 11-Sep-2019 05:27 AM, Neeraj Ladkani wrote:
> >> Is there any plan to add RMCP support in IPMI LAN stack?
> > There are no plans for adding RMCP support. RMCP is horribly insecure; 
> > even more insecure than the least secure RMCP+ cipher suites (not 
> > counting cipher suite 0, which should not even be a thing.)
> >
> > Not implementing RMCP was an intentional choice. RMCP+ is insecure, 
> > especially with passwords shorter than 8 (as shown by Rick Altherr's 
> > OSFC 2019 presentation). It is recommended that RMCP+ is only used with 
> > cipher suite 17 and maximum length passwords (20 characters). Ideally, 
> > it would not be used at all, preferring Redfish, which uses modern 
> > crypto.
> >
> > Every open source IPMI utility out there supports RMCP+. That should be 
> > used instead of RMCP.
> 
> What about RMCP pings used for device discovery as described in section 13.13 of
> IPMI specification?

I don't have any problem in particular with RMCP Ping, but it is not 
implemented. It is not required by RMCP+ as far as I can tell. The spec 
calls out that it *is* required for RMCP, and can be implemented for 
RMCP+.

> AFAIK, it's not supported in OpenBMC and so `ipmiutil discover` fails to
> discover OpenBMC devices.

From what I can tell, the spec suggests that you send a Get Channel 
Authentication Capabilities request to discover RMCP+ devices.

--Vernon


* Re: RMCP support
From: Alexander Amelkin @ 2019-09-17  9:16 UTC (permalink / raw)
  To: Vernon Mauery; +Cc: openbmc


13.09.2019 21:41, Vernon Mauery wrote:
>> What about RMCP pings used for device discovery as described in section 13.13 of
>> IPMI specification?
> I don't have any problem in particular with RMCP Ping, but it is not 
> implemented. It is not required by RMCP+ as far as I can tell. The spec 
> calls out that it *is* required for RMCP, and can be implemented for 
> RMCP+.
>
>> AFAIK, it's not supported in OpenBMC and so `ipmiutil discover` fails to
>> discover OpenBMC devices.
> From what I can tell, the spec suggests that you send a Get Channel 
> Authentication Capabilities request to discover RMCP+ devices.

True, but you can't send a broadcast GetChAuthCap and just gather all the
answers like you can do with RMCP ping.

`idiscover` is much easier and faster to use than `idiscover -g -b 172.16.1.1 -e
172.16.1.254`. The latter takes like 15 minutes to complete versus like 2
seconds for plain `idiscover`.

Do you think implementing RMCP ping support in OpenBMC is feasible?

With best regards,
Alexander Amelkin,
BIOS/BMC Team Lead, YADRO
https://yadro.com




* Re: RMCP support
From: Vernon Mauery @ 2019-09-17 22:33 UTC (permalink / raw)
  To: Alexander Amelkin; +Cc: openbmc

On 17-Sep-2019 12:16 PM, Alexander Amelkin wrote:
> 13.09.2019 21:41, Vernon Mauery wrote:
> >> What about RMCP pings used for device discovery as described in section 13.13 of
> >> IPMI specification?
> > I don't have any problem in particular with RMCP Ping, but it is not 
> > implemented. It is not required by RMCP+ as far as I can tell. The spec 
> > calls out that it *is* required for RMCP, and can be implemented for 
> > RMCP+.
> >
> >> AFAIK, it's not supported in OpenBMC and so `ipmiutil discover` fails to
> >> discover OpenBMC devices.
> > From what I can tell, the spec suggests that you send a Get Channel 
> > Authentication Capabilities request to discover RMCP+ devices.
> 
> True, but you can't send a broadcast GetChAuthCap and just gather all the
> answers like you can do with RMCP ping.
> 
> `idiscover` is much easier and faster to use than `idiscover -g -b 172.16.1.1 -e
> 172.16.1.254`. The latter takes like 15 minutes to complete versus like 2
> seconds for plain `idiscover`.

This seems like it might be a case of poor implementation. Surely it is 
possible to send 254 GetChAuthCap requests in less than 15 minutes. They 
could all be sent in milliseconds, with the responses coming in out of 
order and compete performance-wise with a broadcast.

> Do you think implementing RMCP ping support in OpenBMC is feasible?

I would not block a patch that implemented it, especially if it was a 
configure option that could be enabled at build time.

I don't have any plans of implementing it unless my marketing/management 
teams require it. So far, everyone is fine without it.

--Vernon
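
The fan-out described in the message above, as an added example that is not part of the thread and is not ipmiutil or OpenBMC code: every Get Channel Authentication Capabilities request goes out before any reply is read, and replies are matched by source address as they arrive. The function names and the constructed `SAMPLE_REPLY` are assumptions made for the example; the packet layout is the sessionless IPMI v1.5 LAN framing.

```python
import ipaddress
import select
import socket
import time

RMCP_PORT = 623                              # UDP port for RMCP and RMCP+
RMCP_IPMI = bytes([0x06, 0x00, 0xFF, 0x07])  # RMCP v1.0, no ACK, message class IPMI

def checksum(data: bytes) -> int:
    """IPMI two's-complement checksum over the covered bytes."""
    return -sum(data) & 0xFF

def frame(head: bytes, body: bytes) -> bytes:
    """Checksum both message halves, then add RMCP and a sessionless v1.5 header."""
    msg = head + bytes([checksum(head)]) + body + bytes([checksum(body)])
    return RMCP_IPMI + bytes(9) + bytes([len(msg)]) + msg  # auth none, seq 0, session 0

def build_request(seq: int = 0) -> bytes:
    """Get Channel Authentication Capabilities: NetFn App (0x06), command 0x38."""
    return frame(bytes([0x20, 0x06 << 2]),           # rsAddr = BMC, NetFn / LUN 0
                 bytes([0x81, (seq & 0x3F) << 2, 0x38,  # rqAddr, rqSeq, command
                        0x8E, 0x04]))                  # this channel + v2.0 data, admin

# Constructed sample reply: channel 1, extended capabilities present, v1.5 and v2.0 bits set.
SAMPLE_REPLY = frame(bytes([0x81, 0x07 << 2]),
                     bytes([0x20, 0x00, 0x38, 0x00, 0x01, 0x84, 0x04, 0x03, 0, 0, 0, 0]))

def parse_reply(pkt: bytes):
    """Return (channel, rmcp_plus_supported) for a well-formed success reply, else None."""
    if len(pkt) < 30 or pkt[:4] != RMCP_IPMI:
        return None
    msg = pkt[14:14 + pkt[13]]
    if (len(msg) < 16 or msg[1] >> 2 != 0x07 or msg[5] != 0x38 or msg[6] != 0x00
            or checksum(msg[:2]) != msg[2] or checksum(msg[3:-1]) != msg[-1]):
        return None
    return msg[7] & 0x0F, bool(msg[8] & 0x80 and msg[10] & 0x02)

def sweep(network: str, wait: float = 2.0) -> dict:
    """Send every request up front, then collect replies in whatever order they arrive."""
    found, request = {}, build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for host in ipaddress.ip_network(network).hosts():
            sock.sendto(request, (str(host), RMCP_PORT))
        deadline = time.monotonic() + wait
        while (left := deadline - time.monotonic()) > 0:
            if select.select([sock], [], [], left)[0]:
                pkt, (addr, _port) = sock.recvfrom(1024)
                if (info := parse_reply(pkt)) is not None:
                    found[addr] = info
    return found
```

`sweep("172.16.1.0/24")` covers the address range quoted in the thread and returns within the `wait` window, since no request waits on another's reply.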
