From: Achim Patzner
Subject: Re: Securing baseboard managers
Date: Sun, 6 Apr 2014 16:55:12 +0200
To: Jordan Hubbard
Cc: Kamil Choudhury, freebsd-hackers@freebsd.org
Message-Id: <793A8C91-A1FB-4A83-A9D7-F8BFDF87EB1B@bnc.net>
List: freebsd-hackers@freebsd.org (Technical Discussions relating to FreeBSD)

On 05.04.2014 at 17:54, Jordan Hubbard wrote:

> On Apr 5, 2014, at 8:00 PM, Kamil Choudhury wrote:
>
>> I spend my days doing application development, so I am probably missing a lot of perspective that more systems-oriented people have. If my questions are ridiculous, feel free to tell me so and send me on my way!
>
> All IPMI implementations suck.

You missed the point – he was probably talking about the rest of the package, not about the IPMI part. And looking at the latest incarnation of the Intel RMM (RMM4) I can't even share that feeling. Besides: In emergencies even IPMI is quite a good tool to deal with a machine hanging some 1000 km away without having to send a trained monkey (who won't even find the reset button) there. But you don't have to use it as most serious hardware is offering this via web pages.

We had (PDP11-based) Console Processors on the first VAX systems so people should maybe consider getting used to this concept. In regards to security they are at least as trustworthy as most of the operating systems people are using every day.

> To remotely render an interactive console in someone's browser, where said browser could be any one of 6 different flavors, you have to lean pretty heavily on the client side - especially if you want to offer tricks like virtual CD-to-local-ISO mapping (which is pretty handy).

Now _these_ are the parts which are not difficult at all. At least in those implementations I know the hardware doesn't even have to capture a video signal off a VGA connector (like some KVM switches) as it is directly connected to the video hardware (i. e. this is more like streaming a movie). Doing the "block device over IP" is even simpler (on the server side – but who cares how the RMM is doing its job?).

> From the security side, most reasonable motherboards don't feature NIC sharing as the only option.

Some boards do (but those will offer you VLAN support, setting static IP addresses and similar goodies); some engineers have a weird fetish to build complete servers on nanoATX boards, running out of room for connectors.

Achim
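A defensive check along the lines of the thread's last point (VLAN support and static addresses on a BMC that shares a NIC with the host), added here as an example that is not part of the original mail or of any FreeBSD code: it parses the key/value output of `ipmitool lan print` and flags a BMC that sits untagged on the host's LAN with a DHCP address. The sample output and its values are constructed, and the field names are assumed to match the ones ipmitool prints.

```python
"""Audit the network settings a BMC reports through `ipmitool lan print`.

Added example for the mailing-list thread above (not the author's code).
It checks the two settings the thread names as the way to live with a
shared NIC: an 802.1q VLAN tag and a static address. The output below is
constructed in ipmitool's "field : value" layout, not captured from hardware.
"""
import re

# Constructed sample of `ipmitool lan print` output (values are made up).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 192.0.2.45
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.0.2.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
"""

def parse_lan_print(text):
    """Turn `ipmitool lan print` output into a dict of field -> value."""
    fields = {}
    for line in text.splitlines():
        # Non-greedy key so the first colon splits key from value; this keeps
        # colon-containing values such as MAC addresses intact.
        m = re.match(r"^(.*?\S)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_bmc_lan(fields):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    source = fields.get("IP Address Source", "")
    if "Static" not in source:
        findings.append("address source is '%s': BMC depends on the host LAN's DHCP" % source)
    vlan = fields.get("802.1q VLAN ID", "Disabled")
    if vlan == "Disabled":
        findings.append("no 802.1q VLAN tag: BMC traffic shares the untagged production segment")
    if fields.get("IP Address", "0.0.0.0") == "0.0.0.0":
        findings.append("no IP address configured on the BMC channel")
    return findings

if __name__ == "__main__":
    for finding in audit_bmc_lan(parse_lan_print(SAMPLE_LAN_PRINT)):
        print("WARN:", finding)
```

Feeding it real output is a matter of piping `ipmitool lan print <channel>` into `parse_lan_print`; the sample triggers the DHCP and missing-VLAN findings.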