hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dapeng Sun (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-10768) Optimize Hadoop RPC encryption performance
Date Wed, 06 Dec 2017 09:47:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16279929#comment-16279929
] 

Dapeng Sun edited comment on HADOOP-10768 at 12/6/17 9:46 AM:
--------------------------------------------------------------

Thank [~daryn] for your comments!

JCE Cipher may not a good choice from performance aspect:
* From java 7u40, Cipher uses native intrinsics. But the performance is not good for CTR mode:
it have been fixed at JDK 9 https://bugs.openjdk.java.net/browse/JDK-8143925, For performance
reason, we should use HadoopCryptoCodec or Apache Commons Crypto.
* About AES-GCM, JDK 8 and above would support it, but the performance of JCE was very bad
(~Half of Openssl),  Apache Commons Crypto support GCM via openssl, but it haven't release
now, and the performance of AES-GCM(openssl) ~= AES-CTR + MD5

 I would do more investigation on QOP and key exchange, and reply the detail tomorrow.



was (Author: dapengsun):
Thank [~daryn] for your comments!

JCE Cipher may not a good choice from performance aspect:
* From java 7u40, Cipher supposedly uses native intrinsics. But the performance is not good
for CTR mode: it have been fixed at JDK 9 https://bugs.openjdk.java.net/browse/JDK-8143925,
For performance reason, we should use HadoopCryptoCodec or Apache Commons Crypto.
* About AES-GCM, JDK 8 and above would support it, but the performance of JCE was very bad
(~Half of Openssl),  Apache Commons Crypto support GCM via openssl, but it haven't release
now, and the performance of AES-GCM(openssl) ~= AES-CTR + MD5

 I would do more investigation on QOP and key exchange, and reply the detail tomorrow.


> Optimize Hadoop RPC encryption performance
> ------------------------------------------
>
>                 Key: HADOOP-10768
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10768
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: performance, security
>    Affects Versions: 3.0.0-alpha1
>            Reporter: Yi Liu
>            Assignee: Dapeng Sun
>         Attachments: HADOOP-10768.001.patch, HADOOP-10768.002.patch, HADOOP-10768.003.patch,
HADOOP-10768.004.patch, HADOOP-10768.005.patch, HADOOP-10768.006.patch, HADOOP-10768.007.patch,
HADOOP-10768.008.patch, Optimize Hadoop RPC encryption performance.pdf
>
>
> Hadoop RPC encryption is enabled by setting {{hadoop.rpc.protection}} to "privacy". It
utilized SASL {{GSSAPI}} and {{DIGEST-MD5}} mechanisms for secure authentication and data
protection. Even {{GSSAPI}} supports using AES, but without AES-NI support by default, so
the encryption is slow and will become bottleneck.
> After discuss with [~atm], [~tucu00] and [~umamaheswararao], we can do the same optimization
as in HDFS-6606. Use AES-NI with more than *20x* speedup.
> On the other hand, RPC message is small, but RPC is frequent and there may be lots of
RPC calls in one connection, we needs to setup benchmark to see real improvement and then
make a trade-off. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message