Date: Wed, 6 Dec 2017 09:47:00 +0000 (UTC)
From: "Dapeng Sun (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Comment Edited] (HADOOP-10768) Optimize Hadoop RPC encryption performance

    [ https://issues.apache.org/jira/browse/HADOOP-10768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16279929#comment-16279929 ]

Dapeng Sun edited comment on HADOOP-10768 at 12/6/17 9:46 AM:
--------------------------------------------------------------

Thanks [~daryn] for your comments!

JCE Cipher may not be a good choice from a performance aspect:
* From Java 7u40, Cipher uses native intrinsics. But the performance is not good for CTR mode: it has been fixed in JDK 9 https://bugs.openjdk.java.net/browse/JDK-8143925. For performance reasons, we should use HadoopCryptoCodec or Apache Commons Crypto.
* About AES-GCM, JDK 8 and above would support it, but the performance of JCE was very bad (~half of OpenSSL). Apache Commons Crypto supports GCM via OpenSSL, but it hasn't been released yet, and the performance of AES-GCM (OpenSSL) ~= AES-CTR + MD5.

I would do more investigation on QOP and key exchange, and reply with the details tomorrow.


was (Author: dapengsun):
Thanks [~daryn] for your comments!

JCE Cipher may not be a good choice from a performance aspect:
* From Java 7u40, Cipher supposedly uses native intrinsics. But the performance is not good for CTR mode: it has been fixed in JDK 9 https://bugs.openjdk.java.net/browse/JDK-8143925. For performance reasons, we should use HadoopCryptoCodec or Apache Commons Crypto.
* About AES-GCM, JDK 8 and above would support it, but the performance of JCE was very bad (~half of OpenSSL). Apache Commons Crypto supports GCM via OpenSSL, but it hasn't been released yet, and the performance of AES-GCM (OpenSSL) ~= AES-CTR + MD5.

I would do more investigation on QOP and key exchange, and reply with the details tomorrow.

> Optimize Hadoop RPC encryption performance
> ------------------------------------------
>
> Key: HADOOP-10768
> URL: https://issues.apache.org/jira/browse/HADOOP-10768
> Project: Hadoop Common
> Issue Type: Improvement
> Components: performance, security
> Affects Versions: 3.0.0-alpha1
> Reporter: Yi Liu
> Assignee: Dapeng Sun
> Attachments: HADOOP-10768.001.patch, HADOOP-10768.002.patch, HADOOP-10768.003.patch, HADOOP-10768.004.patch, HADOOP-10768.005.patch, HADOOP-10768.006.patch, HADOOP-10768.007.patch, HADOOP-10768.008.patch, Optimize Hadoop RPC encryption performance.pdf
>
>
> Hadoop RPC encryption is enabled by setting {{hadoop.rpc.protection}} to "privacy". It utilizes SASL {{GSSAPI}} and {{DIGEST-MD5}} mechanisms for secure authentication and data protection. Even though {{GSSAPI}} supports using AES, it is without AES-NI support by default, so the encryption is slow and will become a bottleneck.
> After discussing with [~atm], [~tucu00] and [~umamaheswararao], we can do the same optimization as in HDFS-6606. Use AES-NI with more than *20x* speedup.
> On the other hand, an RPC message is small, but RPC is frequent and there may be lots of RPC calls in one connection, so we need to set up a benchmark to see the real improvement and then make a trade-off.
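As an added example (not from the JIRA thread or the Hadoop code base), a rough micro-benchmark of the JCE Cipher in AES/CTR and AES/GCM modes on RPC-sized messages, the comparison the comment above refers to. The class name, the 1 KiB message size and the round count are assumptions; each message gets its own IV or nonce, and the figures depend on the JDK version and CPU.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;

/** Added example: rough JCE throughput for AES-CTR vs AES-GCM on small messages. */
public class JceRpcCipherBench {
    static final int MSG_LEN = 1024;    // assumed RPC payload size in bytes
    static final int ROUNDS = 200_000;  // messages encrypted per measurement

    // Encrypts ROUNDS messages under a fresh throwaway key and returns MiB/s.
    // The per-message init() is timed on purpose: an RPC layer pays it per call.
    static double run(String transformation, boolean gcm) throws Exception {
        byte[] keyBytes = new byte[16];
        new SecureRandom().nextBytes(keyBytes);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        Cipher cipher = Cipher.getInstance(transformation);
        byte[] msg = new byte[MSG_LEN];
        byte[] out = new byte[MSG_LEN + 16];  // room for the 16-byte GCM tag
        long start = System.nanoTime();
        for (long seq = 0; seq < ROUNDS; seq++) {
            if (gcm) {
                // 96-bit nonce built from the sequence number: unique under this key.
                // The JCE refuses a GCM encryption that repeats the previous key and IV.
                byte[] nonce = ByteBuffer.allocate(12).putInt(0).putLong(seq).array();
                cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
            } else {
                // Counter block: sequence number in the high 64 bits, block counter from 0.
                // CTR has no such check in the JCE, so uniqueness is the caller's job.
                byte[] iv = ByteBuffer.allocate(16).putLong(seq).putLong(0).array();
                cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
            }
            cipher.doFinal(msg, 0, MSG_LEN, out, 0);
        }
        double seconds = (System.nanoTime() - start) / 1e9;
        return (double) ROUNDS * MSG_LEN / (1024 * 1024) / seconds;
    }

    public static void main(String[] args) throws Exception {
        for (int pass = 0; pass < 3; pass++) {  // early passes warm up the JIT
            System.out.printf("pass %d: AES/CTR %.1f MiB/s, AES/GCM %.1f MiB/s%n", pass,
                    run("AES/CTR/NoPadding", false), run("AES/GCM/NoPadding", true));
        }
    }
}
```

AES-CTR alone provides no integrity, which is why the comment compares AES-GCM against AES-CTR plus a separate digest rather than against CTR by itself.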