IPMI & ipmitool — Trivia & Interesting Facts
Surprising, historical, and little-known facts about IPMI and ipmitool.
IPMI was created by Intel in 1998 and hasn't been updated since 2015
The Intelligent Platform Management Interface (IPMI) specification was first published by Intel in 1998, with contributions from Dell, HP, and NEC. IPMI 2.0, released in 2004, is the last major version. The specification was declared "finished" by the IPMI Forum in 2015 with no further revisions planned. The industry moved to Redfish as the successor, but IPMI is still running on millions of servers worldwide.
ipmitool was written by one person and became the universal BMC CLI
ipmitool was created by Sun Microsystems engineer Duncan Laurie around 2003 as an open-source command-line interface for IPMI. Despite being a relatively small C program written primarily by one developer, it became the de facto standard tool for interacting with BMCs on every major server platform. It's installed by default on virtually every Linux distribution used in datacenter environments.
IPMI's security model was designed for a world that no longer exists
IPMI was designed assuming the BMC network was physically isolated and trusted. The default IPMI 2.0 cipher suite 0 provides authentication with no encryption — passwords are sent in cleartext. The RAKP authentication protocol in IPMI 2.0 has a design flaw that allows offline password hash retrieval (CVE-2013-4786), meaning anyone who can reach the BMC port can extract password hashes. This vulnerability is unfixable without changing the protocol specification.
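A defender's check for the cipher suite 0 exposure described above, as an added example that is not part of the original page: it parses `ipmitool lan print` output and reports whether suite 0 is enabled and at what privilege. The sample output is constructed, and the helper names `field` and `audit_cipher_suites` are hypothetical.

```python
import re

# Constructed, trimmed sample of `ipmitool lan print 1` output; not from a real BMC.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.10
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

PRIV_NAMES = {"X": "unused", "c": "callback", "u": "user",
              "o": "operator", "a": "admin", "O": "oem"}


def field(text, name):
    """Return the value of the first 'name : value' line, or '' if absent."""
    m = re.search(rf"^{re.escape(name)}[ \t]*:[ \t]*(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else ""


def audit_cipher_suites(lan_print_text):
    """Return ({suite: max privilege}, [findings]) for one LAN channel."""
    suites = [int(s) for s in field(lan_print_text, "RMCP+ Cipher Suites").split(",")
              if s.strip().isdigit()]
    privs = field(lan_print_text, "Cipher Suite Priv Max")
    # ipmitool man page: character position N holds the limit for cipher suite N.
    table = {s: PRIV_NAMES.get(privs[s:s + 1], "unknown") for s in suites}
    findings = []
    if table.get(0, "unused") != "unused":
        # Remediation on the BMC: ipmitool lan set <channel> cipher_privs Xaaaaaaaaaaaaaa
        findings.append(f"cipher suite 0 is enabled with max privilege {table[0]}")
    return table, findings


if __name__ == "__main__":
    print(audit_cipher_suites(SAMPLE_LAN_PRINT))
```

Run it against the saved `lan print` output of each BMC channel; an empty findings list means suite 0 is either not advertised or marked unused.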
Dan Farmer's 2013 IPMI security research terrified the industry
Security researcher Dan Farmer (co-creator of SATAN, one of the first network vulnerability scanners) published a devastating 2013 research paper on IPMI security. He found that over 230,000 BMCs were directly exposed to the internet, most with default credentials. His research showed that IPMI's security flaws were fundamental to the protocol design, not implementation bugs. The paper directly influenced the push toward Redfish.
The BMC runs independently of the main CPU and has its own dedicated power
The Baseboard Management Controller that implements IPMI has its own ARM processor, RAM, flash storage, and network interface. It draws power from the 5V standby rail, meaning it's operational even when the server is "off" — as long as the power supply is connected. This is by design: the whole point is to manage servers that are powered down, crashed, or have a dead OS.
IPMI's Serial over LAN (SOL) was a game-changer for remote management
Before IPMI SOL, the only way to see a server's console output remotely (BIOS POST, bootloader, kernel panics) was through a dedicated serial port connected to a terminal server. SOL tunneled serial console traffic through the BMC's network interface, eliminating the need for separate serial infrastructure. For many datacenter operators, SOL alone justified the complexity of IPMI.
The "ipmitool chassis bootdev pxe" command has saved more servers than any other
The ability to remotely set a server's next boot device to PXE via "ipmitool chassis bootdev pxe" followed by "ipmitool chassis power cycle" has rescued countless unresponsive servers. Before IPMI, re-provisioning a hung server in a remote datacenter required a phone call to a technician who would physically press buttons. This single command sequence is arguably IPMI's highest-value feature.
IPMI sensor readings can predict hardware failures before they happen
IPMI's Sensor Data Record (SDR) repository contains thresholds for temperature, voltage, and fan speed sensors. Monitoring trends in these sensor readings can predict impending hardware failures — a gradually increasing CPU temperature often indicates a failing fan or dust buildup. Many fleet management tools poll IPMI sensors every 60 seconds and alert on threshold crossing trends, not just absolute values.
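Trend-based alerting as described above, as an added example that is not part of the original page: it fits a least-squares slope to polled readings from `ipmitool sensor` rows and projects when the upper-critical threshold would be reached. The sample rows are constructed, and the one-hour `horizon_s` and the function names are assumptions.

```python
# Constructed 60-second polls of one `ipmitool sensor` row; values are illustrative.
# Columns: name | reading | unit | status | lnr | lcr | lnc | unc | ucr | unr
ROW = "CPU1 Temp | {:.3f} | degrees C | ok | na | na | na | 85.000 | 90.000 | 95.000"
RISING = [(i * 60, ROW.format(62.0 + 0.5 * i)) for i in range(10)]
STEADY = [(i * 60, ROW.format(62.0 + 0.5 * (i % 2))) for i in range(10)]


def parse_row(line):
    """Return (reading, upper_critical) or None when either column is 'na'."""
    cols = [c.strip() for c in line.split("|")]
    try:
        return float(cols[1]), float(cols[8])
    except (IndexError, ValueError):
        return None


def slope_per_second(points):
    """Least-squares slope of reading over time."""
    n = len(points)
    mean_t = sum(t for t, _ in points) / n
    mean_v = sum(v for _, v in points) / n
    den = sum((t - mean_t) ** 2 for t, _ in points)
    return sum((t - mean_t) * (v - mean_v) for t, v in points) / den if den else 0.0


def assess(polls, horizon_s=3600):
    """Return (state, seconds until upper-critical is projected to be reached)."""
    rows = [(t, parse_row(line)) for t, line in polls]
    rows = [(t, r) for t, r in rows if r is not None]
    if len(rows) < 2:
        return "insufficient-data", None
    reading, ucr = rows[-1][1]
    if reading >= ucr:
        return "critical", 0.0
    k = slope_per_second([(t, r[0]) for t, r in rows])
    if k <= 0:
        return "ok", None
    eta = (ucr - reading) / k
    return ("trending" if eta <= horizon_s else "ok"), eta


if __name__ == "__main__":
    print(assess(RISING), assess(STEADY))
```

In the rising series every row still reports status "ok" and sits below the upper non-critical threshold, so a check on absolute values alone would stay silent.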
The IPMI "watchdog timer" can automatically reboot hung servers
IPMI includes a hardware watchdog timer that, if not periodically reset by the OS, will automatically power cycle the server. This provides a last-resort recovery mechanism for completely hung systems where even the kernel is unresponsive. Setting up the IPMI watchdog (ipmitool mc watchdog set) is one of the most underused reliability features available on commodity servers.
Supermicro's IPMI implementation has been a repeated source of security vulnerabilities
Supermicro's BMC firmware has been the subject of numerous security advisories, including hardcoded credentials, buffer overflows in the web interface, and plaintext password storage. In 2018, Bloomberg reported (controversially) that tiny spy chips had been found on Supermicro motherboards — a claim Supermicro and Apple denied. Regardless of that specific claim, Supermicro's IPMI security track record drove many organizations to enforce strict BMC network isolation.
You can flash BMC firmware via IPMI, which means a compromised BMC can persist across OS reinstalls
Because the BMC firmware lives on dedicated flash storage independent of the server's main storage, a compromised BMC persists even if you completely reinstall the operating system and replace all drives. This makes BMC-level compromises particularly dangerous and difficult to detect. The only remediation is reflashing the BMC firmware from a known-good image — a process that itself requires trusting the BMC enough to accept the update.