hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10768) Optimize Hadoop RPC encryption performance
Date Tue, 01 Jul 2014 16:56:25 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14049067#comment-14049067
] 

Andrew Purtell commented on HADOOP-10768:
-----------------------------------------

bq. Even GSSAPI supports using AES, but without AES-NI support by default, so the encryption
is slow and will become bottleneck.

Java's GSSAPI uses JCE ciphers for crypto support. Would it be possible to simply swap in
an accelerated provider like Diceros? 

On the other hand, whether to wrap payloads using the SASL client or server or not is an application
decision. One could wrap the initial payloads with whatever encryption was negotiated during
connection initiation until completing additional key exchange and negotiation steps, then
switch to an alternate means of applying a symmetric cipher to RPC payloads.

bq. On the other hand, RPC message is small

This is a similar issue we had/have with HBase write ahead log encryption, because we need
to encrypt on a per-entry boundary for avoiding data loss during recovery, and each entry
is small. You might think that small payloads mean we won't be able to increase throughput
with accelerated crypto, and you would be right, but the accelerated crypto still reduces
on CPU time substantially, with proportional reduction in latency introduced by cryptographic
operations. I think for both the HBase WAL and Hadoop RPC, latency is a critical consideration.

> Optimize Hadoop RPC encryption performance
> ------------------------------------------
>
>                 Key: HADOOP-10768
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10768
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: performance, security
>    Affects Versions: 3.0.0
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>             Fix For: 3.0.0
>
>
> Hadoop RPC encryption is enabled by setting {{hadoop.rpc.protection}} to "privacy". It
utilized SASL {{GSSAPI}} and {{DIGEST-MD5}} mechanisms for secure authentication and data
protection. Even {{GSSAPI}} supports using AES, but without AES-NI support by default, so
the encryption is slow and will become bottleneck.
> After discuss with [~atm], [~tucu00] and [~umamaheswararao], we can do the same optimization
as in HDFS-6606. Use AES-NI with more than *20x* speedup.
> On the other hand, RPC message is small, but RPC is frequent and there may be lots of
RPC calls in one connection, we needs to setup benchmark to see real improvement and then
make a trade-off. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message