Trusted Fabric Profile

This document defines a non-default deployment profile for fabricBIOS on physically isolated networks. It expands the explicit trusted-fabric exception described in docs/spec/fabricBIOS-design-document.md §8.5, specifying which security properties may be relaxed, which remain mandatory, the expected benefits, the accepted risks, and the operational requirements.

This profile is not the normative default. The normative default is the full secure profile with TLS, signed discovery, and all protections enabled. Operators must explicitly opt in to trusted-fabric relaxations.


1. What May Be Relaxed

On a physically isolated L2 segment where all hosts are under the operator’s control:

  • TLS on control plane. QUIC transport encryption may be disabled when the physical network provides equivalent confidentiality and integrity (e.g., dedicated switch, no untrusted taps).
  • ANNOUNCE/SOLICIT signature verification. Ed25519 signatures on discovery frames may be omitted. Nodes accept unsigned ANNOUNCE and SOLICIT frames.
  • SIGNED flag enforcement for discovery. The relay and receiving nodes do not reject discovery frames lacking the SIGNED flag.
  • Firewall rules on the internal trusted segment. Port-level firewalling between fabric nodes may be relaxed when L2 isolation is sufficient.

No other relaxations are implied by this profile.


2. What Remains Mandatory

These properties are never disabled, regardless of network trust level. They correspond to the five mandatory invariants defined in Section 7.1 of docs/spec/premium-dataplane-methodology.md and Section 5 of the same document.

  • Capability token validation. Tokens are still validated (audience, expiry, signature) before granting leases.
  • Lease expiry enforcement. Background tick_leases runs unconditionally. Leases still expire on schedule. There is no infinite-lease mode.
  • Fail-closed teardown. Teardown executes on expiry or revocation. The same transport-specific teardown sequence (QP destroy, configfs removal, VF release, session invalidation) runs whether the network is trusted or not.
  • Fencing on teardown failure. A resource that cannot be cleanly torn down enters FENCED state. Trusted network status does not waive fencing.
  • Anti-replay on data-plane ops. Nonce-based replay caches are enforced on FBMU and FBBU operations even on trusted networks.
  • Audit logging. Bind, renew, revoke, expire, and fence events are logged with timestamps, node identities, and lease identifiers.
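
The following model, added here as example code and not fabricBIOS's own implementation, shows how the invariants in this section stay active when the profile is enabled: the expiry tick runs unconditionally, a teardown failure always produces FENCED, the nonce cache rejects replays, and every bind, expire, revoke and fence event is logged. The class and function names, the constructed teardown failure and the audit record format are assumptions for the example; only the invariants themselves come from the text.

```python
"""Model of the always-mandatory lease invariants (example code, not fabricBIOS)."""
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class LeaseState(Enum):
    ACTIVE = "active"
    EXPIRED = "expired"
    FENCED = "fenced"


@dataclass
class Lease:
    lease_id: str
    node_id: str
    expires_at: float
    state: LeaseState = LeaseState.ACTIVE


@dataclass
class LeaseTable:
    # trusted_fabric is recorded only to show it is never consulted below:
    # none of the invariants branch on it.
    trusted_fabric: bool
    teardown: Callable[[Lease], None]   # transport-specific teardown; raises on failure
    leases: Dict[str, Lease] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)
    seen_nonces: Set[Tuple[str, bytes]] = field(default_factory=set)

    def _log(self, event: str, lease: Lease) -> None:
        # Audit logging is mandatory in both profiles (constructed record layout).
        self.audit.append({"ts": time.time(), "event": event,
                           "node": lease.node_id, "lease": lease.lease_id})

    def bind(self, lease_id: str, node_id: str, ttl_s: float, now: float) -> Lease:
        lease = Lease(lease_id, node_id, now + ttl_s)
        self.leases[lease_id] = lease
        self._log("bind", lease)
        return lease

    def tick_leases(self, now: float) -> None:
        """Runs every tick regardless of trusted_fabric: there is no infinite-lease mode."""
        for lease in self.leases.values():
            if lease.state is LeaseState.ACTIVE and now >= lease.expires_at:
                self._teardown(lease, "expire")

    def revoke(self, lease_id: str) -> None:
        self._teardown(self.leases[lease_id], "revoke")

    def _teardown(self, lease: Lease, reason: str) -> None:
        # Fail-closed: the same teardown sequence runs whether or not the fabric is trusted.
        try:
            self.teardown(lease)
            lease.state = LeaseState.EXPIRED
            self._log(reason, lease)
        except Exception:
            # A resource that cannot be cleanly torn down is fenced; trust level never waives this.
            lease.state = LeaseState.FENCED
            self._log("fence", lease)

    def accept_dataplane_op(self, lease_id: str, nonce: bytes) -> bool:
        """Anti-replay: each nonce is accepted at most once per active lease."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.state is not LeaseState.ACTIVE:
            return False
        key = (lease_id, nonce)
        if key in self.seen_nonces:
            return False
        self.seen_nonces.add(key)
        return True


def demo() -> dict:
    """Walk two leases through bind, a replayed op and expiry on a trusted fabric."""
    def flaky_teardown(lease: Lease) -> None:
        if lease.node_id == "node-b":        # constructed failure to exercise fencing
            raise RuntimeError("QP destroy failed")

    table = LeaseTable(trusted_fabric=True, teardown=flaky_teardown)
    table.bind("L1", "node-a", ttl_s=10, now=0)
    table.bind("L2", "node-b", ttl_s=10, now=0)
    first_op_ok = table.accept_dataplane_op("L1", nonce=b"\x01")
    replay_rejected = not table.accept_dataplane_op("L1", nonce=b"\x01")
    table.tick_leases(now=11)               # still runs on the trusted profile
    return {"table": table,
            "L1": table.leases["L1"].state, "L2": table.leases["L2"].state,
            "first_op_ok": first_op_ok, "replay_rejected": replay_rejected,
            "events": [e["event"] for e in table.audit]}


if __name__ == "__main__":
    print(demo())
```

Because `trusted_fabric` is never read by `tick_leases`, `_teardown` or `accept_dataplane_op`, flipping the profile cannot create an infinite lease, skip fencing or disable the replay cache; that is the property this section requires.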

3. Expected Benefits

  • Simpler certificate management. No TLS certificates to provision, rotate, or distribute across fabric nodes.
  • Lower bind latency. No TLS handshake overhead on LEASE_ALLOC. The QUIC connection setup cost is reduced.
  • Reduced operational complexity. Fewer moving parts for isolated fabrics where the threat model does not include network-level attackers.

These benefits affect setup and management. They do not increase steady-state dataplane throughput, and enabling this profile does not by itself satisfy any premium-dataplane performance proof requirement. The data path is transport-native regardless of control-plane security posture (see Section 7 of docs/spec/premium-dataplane-methodology.md).


4. Accepted Risks

Operators enabling this profile accept the following risks:

  • No protection against insider threats. A compromised or malicious host on the trusted segment can forge discovery messages, intercept control-plane traffic, and impersonate nodes.
  • No protection against configuration errors. A misconfigured switch or VLAN that admits untrusted traffic silently degrades the trust boundary.
  • No protection against credential leakage. Leaked binding material (rkeys, NQNs, VF assignments) on the trusted segment cannot be detected by fabricBIOS without TLS and signed discovery.
  • No protection against lateral movement. If the trusted boundary is breached (e.g., a host on the segment is compromised), the attacker has unimpeded access to the control plane.

5. Operational Requirements

The trusted-fabric profile is only appropriate when all of the following are satisfied:

  • L2 isolation. The fabric segment is a dedicated VLAN or a physically separate switch. No untrusted hosts share the L2 domain.
  • No untrusted hosts on fabric segment. Every host on the segment is under the operator’s administrative control and runs trusted software.
  • ARP security. Static ARP entries or DHCP snooping with dynamic ARP inspection. Prevents ARP spoofing on the trusted segment.
  • Switch port security. MAC address filtering or 802.1X on switch ports. Prevents unauthorized hosts from joining the segment.

6. Configuration Knobs

| Knob | Type | Default | Effect |
|------|------|---------|--------|
| signed_announce_required | bool | true | When false, unsigned ANNOUNCE frames are accepted. |
| signed_solicit_required | bool | true | When false, unsigned SOLICIT frames are accepted. |
| tls_required | bool | true | When false, QUIC connections without TLS are accepted. |

All defaults are true (normative secure default). Changing any of these to false opts into the trusted-fabric profile with the risks described in Section 4.
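
The example below, written for this page and not taken from fabricBIOS's configuration loader, applies the three knobs of this section and shows their effect on the discovery-frame acceptance described in Section 1. It treats the knob set as closed (an attempt to set anything else, such as a lease-expiry knob, is rejected, since no other relaxations are implied), and it still rejects a frame that carries the SIGNED flag but fails verification even when unsigned frames are allowed. The `FLAG_SIGNED` bit value, the `accept_discovery_frame` signature and the closed-set check are assumptions made for the example.

```python
"""Trusted-fabric knobs and discovery-frame gating (example code, not fabricBIOS)."""
from dataclasses import asdict, dataclass
from typing import List, Mapping

# The only three knobs this profile defines; every default is true (secure default).
KNOB_DEFAULTS = {
    "signed_announce_required": True,
    "signed_solicit_required": True,
    "tls_required": True,
}

FLAG_SIGNED = 0x01   # constructed flag bit; the real wire encoding is not on this page


@dataclass(frozen=True)
class FabricConfig:
    signed_announce_required: bool = True
    signed_solicit_required: bool = True
    tls_required: bool = True

    @classmethod
    def from_mapping(cls, raw: Mapping[str, object]) -> "FabricConfig":
        """Apply defaults; reject unknown knobs and non-boolean values.

        Only the three documented knobs exist. Anything else (for instance an
        attempt to switch off lease expiry) is an error, not a relaxation.
        """
        unknown = set(raw) - set(KNOB_DEFAULTS)
        if unknown:
            raise ValueError(f"unknown knob(s): {sorted(unknown)}")
        values = dict(KNOB_DEFAULTS)
        for name, value in raw.items():
            if not isinstance(value, bool):
                raise TypeError(f"{name} must be bool, got {type(value).__name__}")
            values[name] = value
        return cls(**values)

    def trusted_fabric_profile(self) -> bool:
        """True as soon as any knob has been set to false."""
        return not (self.signed_announce_required
                    and self.signed_solicit_required
                    and self.tls_required)

    def relaxations(self) -> List[str]:
        """Names of the protections the operator has opted out of."""
        return sorted(name for name, on in asdict(self).items() if not on)


def accept_discovery_frame(cfg: FabricConfig, kind: str, flags: int,
                           signature_valid: bool) -> bool:
    """Decide whether an ANNOUNCE or SOLICIT frame is accepted under cfg.

    Secure default: the frame must carry SIGNED and its Ed25519 signature must
    verify. With the matching knob false, a frame without SIGNED is accepted;
    a frame that does carry SIGNED is still held to its signature.
    """
    required = {"ANNOUNCE": cfg.signed_announce_required,
                "SOLICIT": cfg.signed_solicit_required}[kind]
    if flags & FLAG_SIGNED:
        return signature_valid        # never accept a bad signature
    return not required


if __name__ == "__main__":
    relaxed = FabricConfig.from_mapping({"signed_announce_required": False})
    print(relaxed.trusted_fabric_profile(), relaxed.relaxations())
    print(accept_discovery_frame(relaxed, "ANNOUNCE", 0, False),
          accept_discovery_frame(relaxed, "SOLICIT", 0, False))
```

Relaxing `signed_announce_required` alone leaves SOLICIT frames under the secure rule, which is why each knob is checked per frame kind rather than through a single profile switch.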