[ https://issues.apache.org/jira/browse/HADOOP-10768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16057643#comment-16057643 ]
Daryn Sharp commented on HADOOP-10768: -------------------------------------- Ok. The patch does appear to encrypt at the packet level, this is good. Preliminary comments: # The cipher options appears to be present in every packet. If so, it should only be in the negotiate/initiate messages. # Should use a custom sasl client/server that delegates to the actual sasl instance. The ipc layer changes would be minimal and easier to maintain. # Why not use javax cipher libraries? Any number of ciphers could be used now and in the future w/o code change. The aes ciphers are supposed to use aes-ni intrinsics when available. > Optimize Hadoop RPC encryption performance > ------------------------------------------ > > Key: HADOOP-10768 > URL: https://issues.apache.org/jira/browse/HADOOP-10768 > Project: Hadoop Common > Issue Type: Improvement > Components: performance, security > Affects Versions: 3.0.0-alpha1 > Reporter: Yi Liu > Assignee: Dian Fu > Attachments: HADOOP-10768.001.patch, HADOOP-10768.002.patch, Optimize > Hadoop RPC encryption performance.pdf > > > Hadoop RPC encryption is enabled by setting {{hadoop.rpc.protection}} to > "privacy". It utilized SASL {{GSSAPI}} and {{DIGEST-MD5}} mechanisms for > secure authentication and data protection. Even {{GSSAPI}} supports using > AES, but without AES-NI support by default, so the encryption is slow and > will become bottleneck. > After discuss with [~atm], [~tucu00] and [~umamaheswararao], we can do the > same optimization as in HDFS-6606. Use AES-NI with more than *20x* speedup. > On the other hand, RPC message is small, but RPC is frequent and there may be > lots of RPC calls in one connection, we needs to setup benchmark to see real > improvement and then make a trade-off. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org