Posted to common-issues@hadoop.apache.org by "Dapeng Sun (JIRA)" <ji...@apache.org> on 2017/12/06 09:47:00 UTC

[jira] [Comment Edited] (HADOOP-10768) Optimize Hadoop RPC encryption performance

    [ https://issues.apache.org/jira/browse/HADOOP-10768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16279929#comment-16279929 ] 

Dapeng Sun edited comment on HADOOP-10768 at 12/6/17 9:46 AM:
--------------------------------------------------------------

Thanks [~daryn] for your comments!

JCE Cipher may not be a good choice from a performance aspect:
* From Java 7u40, Cipher uses native intrinsics, but the performance is not good for CTR mode; it has been fixed in JDK 9 (https://bugs.openjdk.java.net/browse/JDK-8143925). For performance reasons, we should use HadoopCryptoCodec or Apache Commons Crypto.
* About AES-GCM: JDK 8 and above would support it, but the performance of JCE was very bad (~half of OpenSSL). Apache Commons Crypto supports GCM via OpenSSL, but it hasn't been released yet, and the performance of AES-GCM (OpenSSL) ~= AES-CTR + MD5.

I will do more investigation on QOP and key exchange, and reply with the details tomorrow.



was (Author: dapengsun):
Thanks [~daryn] for your comments!

JCE Cipher may not be a good choice from a performance aspect:
* From Java 7u40, Cipher supposedly uses native intrinsics, but the performance is not good for CTR mode; it has been fixed in JDK 9 (https://bugs.openjdk.java.net/browse/JDK-8143925). For performance reasons, we should use HadoopCryptoCodec or Apache Commons Crypto.
* About AES-GCM: JDK 8 and above would support it, but the performance of JCE was very bad (~half of OpenSSL). Apache Commons Crypto supports GCM via OpenSSL, but it hasn't been released yet, and the performance of AES-GCM (OpenSSL) ~= AES-CTR + MD5.

I will do more investigation on QOP and key exchange, and reply with the details tomorrow.


> Optimize Hadoop RPC encryption performance
> ------------------------------------------
>
>                 Key: HADOOP-10768
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10768
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: performance, security
>    Affects Versions: 3.0.0-alpha1
>            Reporter: Yi Liu
>            Assignee: Dapeng Sun
>         Attachments: HADOOP-10768.001.patch, HADOOP-10768.002.patch, HADOOP-10768.003.patch, HADOOP-10768.004.patch, HADOOP-10768.005.patch, HADOOP-10768.006.patch, HADOOP-10768.007.patch, HADOOP-10768.008.patch, Optimize Hadoop RPC encryption performance.pdf
>
>
> Hadoop RPC encryption is enabled by setting {{hadoop.rpc.protection}} to "privacy". It utilizes the SASL {{GSSAPI}} and {{DIGEST-MD5}} mechanisms for secure authentication and data protection. Even though {{GSSAPI}} supports using AES, it is without AES-NI support by default, so the encryption is slow and will become a bottleneck.
> After discussing with [~atm], [~tucu00] and [~umamaheswararao], we can do the same optimization as in HDFS-6606. Use AES-NI with more than *20x* speedup.
> On the other hand, RPC messages are small, but RPC is frequent and there may be lots of RPC calls in one connection, so we need to set up a benchmark to see the real improvement and then make a trade-off.


