SNIA Developer Conference September 15-17, 2025 | Santa Clara, CA
Navigating NVMe-oF Authentication: Best Practices for Key Management in Pre-AVE and Post-AVE Deployments
Winchester
Mon Sep 15 | 10:35am
Abstract
NVMe-over-Fabrics (NVMe-oF) offers DH-HMAC-CHAP as its in-band method for authenticating hosts and subsystems. To enhance authentication capabilities, the specification recently introduced the Authentication Verification Entity (AVE) – a logical entity designed to manage and verify the authentication process. AVE enables centralized or semi-centralized authentication, simplifying the management of authentication keys and improving security in large fabrics deployments.
However, the specification lacks comprehensive guidelines on implementing authentication mechanisms, particularly in determining when to use single versus multiple authentication keys. This ambiguity existed before AVE and still persists after its addition. The absence of clear recommendations poses challenges for implementers, especially in managing security risks, key isolation, and scalability.
In this talk, we address these gaps by discussing all the recommendations from the NVMe Workgroup that we identified in the NVMe specification and the open-source ecosystem during our product development.
Related Sessions
Navigating NVMe-oF Authentication: Best Practices for Key Management in Pre-AVE and Post-AVE Deployments
NVMe-over-Fabrics (NVMe-oF) offers DH-HMAC-CHAP as its in-band method for authenticating hosts and subsystems. To enhance authentication capabilities, the specification recently introduced the Authentication Verification Entity (AVE) – a logical entity designed to manage and verify the authentication process. AVE enables centralized or semi-centralized authentication, simplifying the management of authentication keys and improving security in large fabrics deployments.
However, the specification lacks comprehensive guidelines on implementing authentication mechanisms, particularly in determining when to use single versus multiple authentication keys. This ambiguity existed before AVE and still persists after its addition. The absence of clear recommendations poses challenges for implementers, especially in managing security risks, key isolation, and scalability.
In this talk, we address these gaps by discussing all the recommendations from the NVMe Workgroup that we identified in the NVMe specification and the open-source ecosystem during our product development.
Sprandom - A Fast Method to Reduce the Random Preconditioning Time of SSDs from Days to Hours
As SSD capacities increase beyond 16TB, the time to randomly precondition these drives has also increased from several hours to several days. Traditional methods involve a sequential write followed by multiple random writes to reach a steady state. We present Sprandom (SanDisk Pseudo Random) – a novel approach to random preconditioning that uses the Flexible I/O Tester (fio) to achieve near steady-state performance with just a single physical drive write. Our experiments show that using the Sprandom method, the random preconditioning time of large (> 64TB) drives can be reduced from days to hours.
Host Management of NVM Express™ Exported NVM Subsystems in PCIe™ SSDs
This presentation explains how an NVMe™ PCIe SSD supporting multiple NVMe controllers can be used to create and migrate virtual NVMe SSDs (i.e., Exported NVM Subsystems). The commands used by a host managing these virtual SSDs are fully illustrated using animation and demonstrates the interoperability between different SSD vendors during migration. Come and see how the virtual NVMe SSD is abstracted from the underlying NVMe SSD for the migrating Virtual Machine.
