Open PrzemyslawKlys opened 5 years ago
Yes, but it shouldn't matter for DCs.
From my experience I cannot agree with you.
Can you explain? The issue clearly describes:
"Several features such as Storage Spaces Direct (S2D) or Cluster Shared Volumes (CSV) use SMB as a protocol transport for intra-cluster communication. Therefore, the performance of S2D may be significantly affected by enabling SMB Signing or SMB Encryption that uses the RDMA network adapter."
This means mostly S2D and CSV should be affected. However, surely there is some performance impact on the standard SMB - what is the recommendation then?
"mostly S2D and CSV should be affected" nope: "Storage Spaces Direct (S2D) or Cluster Shared Volumes (CSV)" - it is OR, not AND.
You drew a wrong conclusion "it shouldn't matter for DC": a DC can use S2D or CSV. Perhaps not widely used, but still it might be a problem.
To be honest, I don't know how to approach it. Security-wise you should enable encryption and signing. That's my goal here. Disabling this means less security.
On DCs, obviously SMB encryption should be enabled.
Shouldn't RDMA be disabled on the network controllers for performance then, since they don't play nicely together?
security vs performance: on DCs you should choose security ;-)
IMHO you could change the description+suggestion from "Systems with RDMA NICs shouldn't have encryption or signing enabled" to "Systems with SMB encryption or signing enabled might experience reduced networking performance on RDMA NICs".
Perhaps you could use guidance from Microsoft: "For optimal SMB Direct performance, you can disable SMB Signing. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control. For optimal SMB Direct performance, you can disable SMB Encryption on the server for shares accessed by this client. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control. When requiring SMB Encryption, SMB Signing is not used, regardless of settings. SMB Encryption implicitly provides the same integrity guarantees as SMB Signing."
Perhaps you could help out with PR’s for descriptions and other things? You seem to know a lot and I would appreciate some help :-)
Title: Systems with RDMA NICs shouldn't have encryption or signing enabled
Severity Warning
Date: 31.05.2018 22:33:35
Category: Configuration
Problem: Either signing or Encryption is used in this server which has RDMA NIC(s).
Impact: Having signing or encryption enabled may significantly degrade RDMA performance.
Resolution Turn off signing and encryption to get best performance from SmbDirect.
http://go.microsoft.com/fwlink/?LinkId=248016
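
The check discussed in this thread, as an added example that is not part of the issue or the project's own code: a read-only PowerShell report that puts the server's SMB signing and encryption settings next to its RDMA adapter state and words the finding as a performance note, as suggested above, rather than as an instruction to turn security off. The function name `Get-SmbRdmaFinding` and the output property names are hypothetical; the cmdlets are the standard SmbShare and NetAdapter ones.

```powershell
# Added example: read-only report, changes no setting.
# Get-SmbRdmaFinding is a hypothetical helper name used only for this illustration.
function Get-SmbRdmaFinding {
    param(
        [bool]$RdmaEnabled,     # at least one adapter has RDMA enabled
        [bool]$RequireSigning,  # server requires SMB signing
        [bool]$EncryptData      # server-wide or per-share SMB encryption is on
    )
    if (-not $RdmaEnabled) {
        return 'No RDMA-enabled adapter: the RDMA rule does not apply.'
    }
    if ($EncryptData) {
        # Per the Microsoft guidance quoted in the thread, signing is not used
        # when encryption is required, so encryption is evaluated first.
        return 'SMB encryption is enabled: reduced networking performance on RDMA NICs is possible.'
    }
    if ($RequireSigning) {
        return 'SMB signing is required: reduced networking performance on RDMA NICs is possible.'
    }
    return 'RDMA NICs present; neither SMB signing nor SMB encryption is required on this server.'
}

# Collect the live state from the local server.
$rdma            = @(Get-NetAdapterRdma -ErrorAction SilentlyContinue | Where-Object Enabled)
$smb             = Get-SmbServerConfiguration
$encryptedShares = @(Get-SmbShare | Where-Object EncryptData)

$findingArgs = @{
    RdmaEnabled    = ($rdma.Count -gt 0)
    RequireSigning = [bool]$smb.RequireSecuritySignature
    EncryptData    = ([bool]$smb.EncryptData -or $encryptedShares.Count -gt 0)
}

[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    RdmaAdapters             = ($rdma.Name -join ', ')
    RequireSecuritySignature = $smb.RequireSecuritySignature
    EncryptData              = $smb.EncryptData
    EncryptedShares          = ($encryptedShares.Name -join ', ')
    Finding                  = Get-SmbRdmaFinding @findingArgs
}
```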