EvotecIT / Testimo

Testimo is a PowerShell module for running health checks for Active Directory against a bunch of different tests

Systems with RDMA NICs shouldn't have encryption or signing enabled #53

Open PrzemyslawKlys opened 5 years ago

PrzemyslawKlys commented 5 years ago

Title: Systems with RDMA NICs shouldn't have encryption or signing enabled

Severity: Warning

Date: 31.05.2018 22:33:35

Category: Configuration

Problem: Either signing or encryption is used on this server, which has RDMA NIC(s).

Impact: Having signing or encryption enabled may significantly degrade RDMA performance.

Resolution: Turn off signing and encryption to get the best performance from SMB Direct.

http://go.microsoft.com/fwlink/?LinkId=248016

rafalfitt commented 4 years ago

https://support.microsoft.com/en-us/help/4458042/reduced-performance-after-smb-encryption-or-smb-signing-is-enabled

PrzemyslawKlys commented 4 years ago

Yes, but it shouldn't matter for DCs.

rafalfitt commented 4 years ago

From my experience I cannot agree with you.

PrzemyslawKlys commented 4 years ago

Can you explain? The issue clearly describes:

Several features such as Storage Spaces Direct (S2D) or Cluster Shared Volumes (CSV) use SMB as a protocol transport for intra-cluster communication. Therefore, the performance of S2D may be significantly affected by enabling SMB Signing or SMB Encryption that uses the RDMA network adapter.

This means mostly S2D and CSV should be affected. However, surely there is some performance impact on standard SMB. What is the recommendation then?

rafalfitt commented 4 years ago

"mostly S2D and CSV should be affected" - nope: "Storage Spaces Direct (S2D) or Cluster Shared Volumes (CSV)" - it is OR, not AND.

You drew a wrong conclusion with "it shouldn't matter for DCs": a DC can use S2D or CSV. Perhaps not widely used, but still it might be a problem.

PrzemyslawKlys commented 4 years ago

To be honest, I don't know how to approach it. Security-wise you should enable encryption and signing. That's my goal here. Disabling this means less security.

1n5aN1aC commented 4 years ago

On DCs, obviously SMB encryption should be enabled.

Shouldn't RDMA be disabled on the network controllers for performance then, since they don't play nicely together?

rafalfitt commented 4 years ago

Security vs performance: on DCs you should choose security ;-)

IMHO you could change the description and suggestion from "Systems with RDMA NICs shouldn't have encryption or signing enabled" to "Systems with SMB encryption or signing enabled might experience reduced networking performance on RDMA NICs".

Perhaps you could use the guidance from Microsoft: "For optimal SMB Direct performance, you can disable SMB Signing. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control. For optimal SMB Direct performance, you can disable SMB Encryption on the server for shares accessed by this client. This configuration is less secure and you should only consider this configuration on trustworthy private networks with strict access control. When requiring SMB Encryption, SMB Signing is not used, regardless of settings. SMB Encryption implicitly provides the same integrity guarantees as SMB Signing."

PrzemyslawKlys commented 4 years ago

Perhaps you could help out with PRs for descriptions and other things? You seem to know a lot and I would appreciate some help :-)
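As an added example that is not part of this thread or of the Testimo code base: a PowerShell check built on the Windows SmbShare and NetAdapter cmdlets that reports the server's SMB signing/encryption posture and lists RDMA-enabled adapters as a performance caveat, using the reworded finding rafalfitt suggests above. It assumes a Windows Server host with those modules, run locally with administrator rights; the `Test-SmbSecurityVsRdma` function name and the finding texts are constructed here.

```powershell
# Added example, not Testimo code. Reports SMB integrity/encryption posture and
# treats RDMA NICs as a performance note rather than a reason to weaken security.
function Test-SmbSecurityVsRdma {
    [CmdletBinding()]
    param(
        # Treat signing or encryption as mandatory (what you want on a domain controller).
        [switch] $RequireSecurity
    )
    $server  = Get-SmbServerConfiguration
    $rdmaNic = @(Get-NetAdapterRdma | Where-Object { $_.Enabled })

    $signingRequired  = [bool] $server.RequireSecuritySignature
    $encryptionGlobal = [bool] $server.EncryptData
    $encryptedShares  = @(Get-SmbShare | Where-Object { $_.EncryptData }).Name
    # Per the Microsoft guidance quoted in the thread, SMB encryption gives the same
    # integrity guarantees as signing, so either one satisfies the integrity requirement.
    $integrityProtected = $signingRequired -or $encryptionGlobal

    $findings = @()
    if ($RequireSecurity -and -not $integrityProtected) {
        $findings += [PSCustomObject]@{
            Severity   = 'Error'
            Category   = 'Security'
            Problem    = 'Neither SMB signing nor SMB encryption is required on this server.'
            Resolution = 'Set-SmbServerConfiguration -RequireSecuritySignature $true (or -EncryptData $true).'
        }
    }
    if ($rdmaNic.Count -gt 0 -and $integrityProtected) {
        $findings += [PSCustomObject]@{
            Severity   = 'Warning'
            Category   = 'Configuration'
            Problem    = "Systems with SMB encryption or signing enabled might experience reduced networking performance on RDMA NICs ($($rdmaNic.Name -join ', '))."
            Resolution = 'Keep signing/encryption on DCs; relax it only on trustworthy private networks with strict access control.'
        }
    }
    [PSCustomObject]@{
        SigningRequired  = $signingRequired
        EncryptionGlobal = $encryptionGlobal
        EncryptedShares  = $encryptedShares
        RdmaAdapters     = @($rdmaNic.Name)
        Findings         = $findings
    }
}

# Usage on a domain controller: security is mandatory, RDMA is reported as a caveat.
Test-SmbSecurityVsRdma -RequireSecurity | Format-List
```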