Re: TLS for localhost connections

2017-02-12 Thread Todd Lipcon
d? > > > > > > > > Same answer as above -- I don't think we're attempting to protect against > > local root in our threat model. > > > > -Todd > > > > > > > > > > On Thu, Feb 9, 2017 at 10:22 PM, Todd Lipcon <t...@cloudera

Re: TLS for localhost connections

2017-02-10 Thread Alexey Serbin
protect against > local root in our threat model. > > -Todd > > > > > > On Thu, Feb 9, 2017 at 10:22 PM, Todd Lipcon <t...@cloudera.com> wrote: > > > > > Hey folks, > > > > > > For those not following along, we're very close to the p

Re: TLS for localhost connections

2017-02-10 Thread Todd Lipcon
On Fri, Feb 10, 2017 at 10:29 AM, Dan Burkert wrote: > On Fri, Feb 10, 2017 at 10:02 AM, Todd Lipcon wrote: > > > > Yea, but still the best number here is 685MB/sec. Assuming 2ghz, that's > > around 3 cycles/byte (~25x slower than crc32). According to

Re: TLS for localhost connections

2017-02-10 Thread Dan Burkert
> > when security features are enabled). One thing we've decided is > important > > > is to preserve good performance for applications like Spark and Impala > > > which typically schedule tasks local to the data on the tablet servers, > > and > > > we think

Re: TLS for localhost connections

2017-02-10 Thread Alexey Serbin
one by a Kudu cluster (at least > when security features are enabled). One thing we've decided is important > is to preserve good performance for applications like Spark and Impala > which typically schedule tasks local to the data on the tablet servers, and > we think that enabling TL

Re: TLS for localhost connections

2017-02-10 Thread Todd Lipcon
we're very close to the point where we'll > be > > enabling TLS for all wire communication done by a Kudu cluster (at least > > when security features are enabled). One thing we've decided is important > > is to preserve good performance for applications like Spark and Impala > >

Re: TLS for localhost connections

2017-02-09 Thread Dan Burkert
cluster (at least > when security features are enabled). One thing we've decided is important > is to preserve good performance for applications like Spark and Impala > which typically schedule tasks local to the data on the tablet servers, and > we think that enabling TLS for these l

TLS for localhost connections

2017-02-09 Thread Todd Lipcon
and Impala which typically schedule tasks local to the data on the tablet servers, and we think that enabling TLS for these localhost connections will have an unacceptable performance hit. Our thinking was to continue to use TLS *authentication* to prevent MITM attacks (possible because we typically