Shield: node-to-node communication performance

Hi,

Can anyone shed some light on the impact of Shield on performance, assuming
that secured communication is enabled for node to node communication?

When the Elasticsearch team says that node-to-node encryption is enabled, does
it mean that every bit of data transported on port 9300 is encrypted? Since
the whole cluster could transfer a huge amount of data across different
nodes constantly, would this encryption step severely lower the performance
of the cluster?

Does the Elasticsearch team have some ready-made benchmark data to share?

Can someone elaborate on the architecture?

Thanks,
Jin

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/8af7a106-0365-49a1-a0be-38eb1a7c0514%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Shay tweeted this about this matter: https://twitter.com/kimchy/status/560124652472008704

Shay Banon (@kimchy), 6:18 PM - 27 Jan 2015:
@m_hughes yes, it affects performance, though less now with newer JVMs @dadoonet @elasticsearch

No specific numbers here though.

--
David Pilato | Technical Advocate | Elasticsearch.com
@dadoonet https://twitter.com/dadoonet | @elasticsearchfr https://twitter.com/elasticsearchfr | @scrutmydocs https://twitter.com/scrutmydocs


Well... this is hardly a satisfactory answer. Of course I expect a slowdown
because encryption takes down. But how much, and what data does Shield
encrypt (e.g. only the initial authentication step or every bit of
communication)? For example, I would not be surprised if Shield does the
simplest thing and naively encrypts every communication between nodes as
they happen, i.e. an SSL wrap on top of the transport layer. In that case,
it would be super easy to estimate the type of slowdown that one could
expect, and similarly back out how much slowdown under a specific cluster
setup and data pattern.

My inquiry is really to ask for more detailed information.

  1. Could you outline how the node-to-node communication is encrypted?
  2. Using 1, could you explain, via an example, when the slowdown is
    minimum, and also via a different example, when the slowdown is significant?

Best,
Jin


Shield uses TLS to encrypt all node to node communication as described in
the docs [1].

As Shay and David mentioned, newer JVMs (Oracle and OpenJDK 7u40+ [2])
combined with processors with AES-NI can greatly reduce the overhead of TLS
when using a cipher suite that uses AES. There are a lot of cipher suites
[3] that can be used for SSL/TLS with differing characteristics (performance
vs security), so there can be a lot of variation in performance with
different AES key sizes and/or RSA key sizes used in certificates. Shield
does allow for configuration of the cipher suites [4].

[1] http://www.elasticsearch.org/guide/en/shield/current/securing-nodes.html
[2] https://bugs.openjdk.java.net/browse/JDK-7184394
[3] http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
[4] http://www.elasticsearch.org/guide/en/shield/current/reference.html#ref-ssl-tls-settings
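
One way to measure the bulk-cipher part of the overhead discussed in the reply above on your own JVM and CPU (an added example, not code from this thread or from Shield). It times only AES-CBC encryption of 16 KiB, TLS-record-sized buffers; the class name, buffer contents and round counts are assumptions, and the handshake cost tied to RSA key size is not measured.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;
import java.security.SecureRandom;

public class TlsBulkCipherCost {
    static final int RECORD = 16 * 1024; // largest TLS record payload, in bytes

    // Encrypt `rounds` record-sized buffers with AES-CBC; return throughput in MB/s.
    static double mbPerSecond(int keyBits, int rounds) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[keyBits / 8], iv = new byte[16];
        byte[] in = new byte[RECORD], out = new byte[RECORD];
        rnd.nextBytes(key); rnd.nextBytes(iv); rnd.nextBytes(in); // constructed sample data
        Cipher aes = Cipher.getInstance("AES/CBC/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        long start = System.nanoTime();
        for (int i = 0; i < rounds; i++) {
            aes.update(in, 0, RECORD, out, 0); // RECORD is a multiple of the 16-byte block
        }
        double seconds = (System.nanoTime() - start) / 1e9;
        return rounds * (RECORD / 1e6) / seconds;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM " + System.getProperty("java.version"));
        // AES-based suites this JVM enables by default for SSL/TLS.
        for (String suite : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (suite.contains("_AES_")) System.out.println("  enabled: " + suite);
        }
        int maxBits = Cipher.getMaxAllowedKeyLength("AES"); // 128 under a restricted JCE policy
        for (int keyBits : new int[] {128, 256}) {
            if (keyBits > maxBits) {
                System.out.println("AES-" + keyBits + ": not permitted by installed JCE policy");
                continue;
            }
            mbPerSecond(keyBits, 10000); // warm-up so the JIT compiles the hot loop
            System.out.printf("AES-%d CBC: %.0f MB/s%n", keyBits, mbPerSecond(keyBits, 20000));
        }
    }
}
```

Comparing the reported MB/s against the volume of traffic a node actually moves on port 9300 gives a rough upper bound on how much CPU time the bulk encryption can consume; running it on each JVM version under consideration shows the difference the reply attributes to newer JVMs.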
