hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-6606) Optimize HDFS Encrypted Transport performance
Date Mon, 27 Oct 2014 22:46:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-6606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14185955#comment-14185955

Chris Nauroth commented on HDFS-6606:

Thanks for checking in with your final review, Aaron.

Yi, I reviewed the latest patch once again, and I found one more potential issue in {{SaslDataTransferServer}}:

      CipherOption cipherOption = null;
      if (sasl.isNegotiatedQopPrivacy()) {
        // Negotiate a cipher option
        cipherOption = negotiateCipherOption(dnConf.getConf(), cipherOptions);
        if (LOG.isDebugEnabled()) {
          LOG.debug("Server using cipher suite " + 

It's possible for {{negotiateCipherOption}} to return {{null}} when the connection comes from
an older client version that doesn't do cipher negotiation.  If debug logging is enabled,
then the log statement would cause a {{NullPointerException}}.

I'll be +1 after that's addressed, and I'm happy to volunteer for the commit.

> Optimize HDFS Encrypted Transport performance
> ---------------------------------------------
>                 Key: HDFS-6606
>                 URL: https://issues.apache.org/jira/browse/HDFS-6606
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: datanode, hdfs-client, security
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>         Attachments: HDFS-6606.001.patch, HDFS-6606.002.patch, HDFS-6606.003.patch, HDFS-6606.004.patch,
HDFS-6606.005.patch, HDFS-6606.006.patch, HDFS-6606.007.patch, HDFS-6606.008.patch, OptimizeHdfsEncryptedTransportperformance.pdf
> In HDFS-3637, [~atm] added support for encrypting the DataTransferProtocol, it was a
great work.
> It utilizes SASL {{Digest-MD5}} mechanism (use Qop: auth-conf),  it supports three security
> * high                      3des   or rc4 (128bits)
> * medium             des or rc4(56bits)
> * low                       rc4(40bits)
> 3des and rc4 are slow, only *tens of MB/s*, 
> http://www.javamex.com/tutorials/cryptography/ciphers.shtml
> http://www.cs.wustl.edu/~jain/cse567-06/ftp/encryption_perf/
> I will give more detailed performance data in future. Absolutely it’s bottleneck and
will vastly affect the end to end performance. 
> AES(Advanced Encryption Standard) is recommended as a replacement of DES, it’s more
secure; with AES-NI support, the throughput can reach nearly *2GB/s*, it won’t be the bottleneck
any more, AES and CryptoCodec work is supported in HADOOP-10150, HADOOP-10603 and HADOOP-10693
(We may need to add a new mode support for AES). 
> This JIRA will use AES with AES-NI support as encryption algorithm for DataTransferProtocol.

This message was sent by Atlassian JIRA

View raw message