[jira] [Commented] (HADOOP-10768) Optimize Hadoop RPC encryption performance

Tue, 01 Jul 2014 09:57:14 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-10768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14049067#comment-14049067
 ] 

Andrew Purtell commented on HADOOP-10768:
-----------------------------------------

bq. Even GSSAPI supports using AES, but without AES-NI support by default, so 
the encryption is slow and will become bottleneck.

Java's GSSAPI uses JCE ciphers for crypto support. Would it be possible to 
simply swap in an accelerated provider like Diceros? 

On the other hand, whether to wrap payloads using the SASL client or server or 
not is an application decision. One could wrap the initial payloads with 
whatever encryption was negotiated during connection initiation until 
completing additional key exchange and negotiation steps, then switch to an 
alternate means of applying a symmetric cipher to RPC payloads.

bq. On the other hand, RPC message is small

This is a similar issue we had/have with HBase write ahead log encryption, 
because we need to encrypt on a per-entry boundary for avoiding data loss 
during recovery, and each entry is small. You might think that small payloads 
mean we won't be able to increase throughput with accelerated crypto, and you 
would be right, but the accelerated crypto still reduces on CPU time 
substantially, with proportional reduction in latency introduced by 
cryptographic operations. I think for both the HBase WAL and Hadoop RPC, 
latency is a critical consideration.

> Optimize Hadoop RPC encryption performance
> ------------------------------------------
>
>                 Key: HADOOP-10768
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10768
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: performance, security
>    Affects Versions: 3.0.0
>            Reporter: Yi Liu
>            Assignee: Yi Liu
>             Fix For: 3.0.0
>
>
> Hadoop RPC encryption is enabled by setting {{hadoop.rpc.protection}} to 
> "privacy". It utilized SASL {{GSSAPI}} and {{DIGEST-MD5}} mechanisms for 
> secure authentication and data protection. Even {{GSSAPI}} supports using 
> AES, but without AES-NI support by default, so the encryption is slow and 
> will become bottleneck.
> After discuss with [~atm], [~tucu00] and [~umamaheswararao], we can do the 
> same optimization as in HDFS-6606. Use AES-NI with more than *20x* speedup.
> On the other hand, RPC message is small, but RPC is frequent and there may be 
> lots of RPC calls in one connection, we needs to setup benchmark to see real 
> improvement and then make a trade-off. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to