[ https://issues.apache.org/jira/browse/HADOOP-10768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16279929#comment-16279929 ]
Dapeng Sun commented on HADOOP-10768:
-------------------------------------
Thanks [~daryn] for your comments!
JCE Cipher may not be a good choice from a performance aspect:
* From Java 7u40, Cipher supposedly uses native intrinsics. But the performance
is not good for CTR mode: it has been fixed in JDK 9
(https://bugs.openjdk.java.net/browse/JDK-8143925). For performance reasons, we
should use HadoopCryptoCodec or Apache Commons Crypto.
* About AES-GCM: JDK 8 and above would support it, but the performance of JCE
was very bad (~half of OpenSSL). Apache Commons Crypto supports GCM via
OpenSSL, but it hasn't been released yet, and the performance of AES-GCM (OpenSSL) ~=
AES-CTR + MD5.
I will do more investigation on QOP and key exchange, and reply with the details
tomorrow.
> Optimize Hadoop RPC encryption performance
> ------------------------------------------
>
> Key: HADOOP-10768
> URL: https://issues.apache.org/jira/browse/HADOOP-10768
> Project: Hadoop Common
> Issue Type: Improvement
> Components: performance, security
> Affects Versions: 3.0.0-alpha1
> Reporter: Yi Liu
> Assignee: Dapeng Sun
> Attachments: HADOOP-10768.001.patch, HADOOP-10768.002.patch,
> HADOOP-10768.003.patch, HADOOP-10768.004.patch, HADOOP-10768.005.patch,
> HADOOP-10768.006.patch, HADOOP-10768.007.patch, HADOOP-10768.008.patch,
> Optimize Hadoop RPC encryption performance.pdf
>
>
> Hadoop RPC encryption is enabled by setting {{hadoop.rpc.protection}} to
> "privacy". It utilizes the SASL {{GSSAPI}} and {{DIGEST-MD5}} mechanisms for
> secure authentication and data protection. Although {{GSSAPI}} supports using
> AES, it is without AES-NI support by default, so the encryption is slow and
> will become a bottleneck.
> After discussing with [~atm], [~tucu00] and [~umamaheswararao], we can do the
> same optimization as in HDFS-6606. Use AES-NI with more than *20x* speedup.
> On the other hand, RPC messages are small, but RPC is frequent and there may be
> lots of RPC calls in one connection; we need to set up a benchmark to see the real
> improvement and then make a trade-off.