RMCP support

Vernon Mauery vernon.mauery at linux.intel.com
Thu Sep 12 03:31:39 AEST 2019


On 11-Sep-2019 05:27 AM, Neeraj Ladkani wrote:
> Is there any plan to add RMCP support in IPMI LAN stack ?

There are no plans for adding RMCP support. RMCP is horribly insecure; 
even more insecure than the least secure RMCP+ cipher suites (not 
counting cipher suite 0, which should not even be a thing.)

Not implementing RMCP was an intentional choice. RMCP+ is insecure, 
especially with passwords shorter than 8 (as shown by Rick Altherr's 
OSFC 2019 presentation). It is recommended that RMCP+ is only used with 
cipher suite 17 and maximum length passwords (20 characters). Ideally, 
it would not be used at all, preferring Redfish, which uses modern 
crypto.

Every open source IPMI utility out there supports RMCP+. That should be 
used instead of RMCP.

--Vernon


More information about the openbmc mailing list