<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" id="owaParaStyle"></style>
</head>
<body fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">
<div>Thanks Madhav. I am aware of that, and find myself with a need for krb5p - and a disappointed user. I am hoping for some rough quantification of the expected impact of turning on end-to-ed encryption so I know whether what I get is all there is or whether
I need to keep digging.</div>
<div>I know that Spectrum Scale uses the AES-NI instructions (if available) for its own end-to-end encryption. I am less clear on whether AES-NI is used by ganesha for krb5p. Both ends have cpus that indicate support of AES-NI to the OS. I can, and with apologies
for it being a pdf, point you at a paper on AES-NI performance:</div>
<div><br>
</div>
<div><a href="http://www.sce.carleton.ca/faculty/huang/iccae-2020.pdf" target="_blank">http://www.sce.carleton.ca/faculty/huang/iccae-2020.pdf</a></div>
<div><br>
</div>
<div>which shows that their Intel i5-8250U test platform (which is probably disappointingly close in single-thread performance to my 6212U-based servers) will happily push around 900MB/s using AES-NI accelaration, but only around 110MB/s without. The higher
number wouldn't be the bottleneck in my setup. The lower number is pretty close to what I am seeing. Unfortunately I can't tell whether AES-NI is actually being used, or find any options that might control its use.<br>
</div>
<div>Do you have any numbers to indicate what throughput I might expect to get for krb5p, and what hit that might be over krb5? Or any suggestions for checking whether AES-NI is actually in use?</div>
<div>Thanks,</div>
<div>Jon</div>
<div><br>
<div style="font-size:13px; font-family:Tahoma">-- <br>
Dr. Jonathan Diprose <<a href="mailto:jon@well.ox.ac.uk">jon@well.ox.ac.uk</a>> Tel: 01865 287873<br>
Research Computing Manager<br>
Henry Wellcome Building for Genomic Medicine<br>
Roosevelt Drive, Headington, Oxford OX3 7BN</div>
</div>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF743282" style="direction: ltr;"><font size="2" face="Tahoma" color="#000000"><b>From:</b> gpfsug-discuss-bounces@spectrumscale.org [gpfsug-discuss-bounces@spectrumscale.org] on behalf of Madhav Ponamgi1 [mzp@us.ibm.com]<br>
<b>Sent:</b> 20 September 2021 13:44<br>
<b>To:</b> gpfsug-discuss@spectrumscale.org<br>
<b>Subject:</b> Re: [gpfsug-discuss] gpfsug-discuss Digest, Vol 116, Issue 6<br>
</font><br>
</div>
<div></div>
<div><span style="font-size:10pt; font-family:sans-serif">There are 3 flavors of NFS Kerberos (I'm only going to address NFS 4.x):</span><br>
<span style="font-size:10pt; font-family:sans-serif">Krb5 - encrypts authentication</span><br>
<span style="font-size:10pt; font-family:sans-serif">Krtbi - encrypts authentication and provides checksums (reducing man-in-the-middle attacks)</span><br>
<span style="font-size:10pt; font-family:sans-serif">Krb5p - End-to-end encryption with integrity checking</span><br>
<br>
<span style="font-size:10pt; font-family:sans-serif">The Krb5p protocol provides ultimate security but comes at a cost where all NFS packets will be encrypted (mount authenticated) and with checksums. This</span><br>
<span style="font-size:10pt; font-family:sans-serif">can add considerable overhead (for example, using AES-256 is similar to SMB3 signing and sealing). There are AES-NI off-loading engines to reduce this</span><br>
<span style="font-size:10pt; font-family:sans-serif">overhead. So it is not surprising to see significant performance drop when using Krb5p versus Krb5.</span><br>
<br>
<span style="font-size:10pt; font-family:sans-serif">---</span><br>
<span style="font-size:10pt; font-family:sans-serif">Madhav Ponamgi</span><br>
<span style="font-size:10pt; font-family:sans-serif">mzp@us.ibm.com</span><br>
<span style="font-size:10pt; font-family:sans-serif">(215) 794-6987</span><br>
<a href="http://www.ibm.biz/FOSDesignEngine" target="_blank" rel="noopener noreferrer"><span style="font-size:10pt; color:blue; font-family:sans-serif"><u>http://www.ibm.biz/FOSDesignEngine</u></span></a><br>
<a href="https://fileobjectsolutiondesignstudio.ibm.com/" target="_blank" rel="noopener noreferrer"><span style="font-size:10pt; color:blue; font-family:sans-serif">https://fileobjectsolutiondesignstudio.ibm.com/</span></a><br>
<span style="font-size:10pt; font-family:sans-serif">Tech Sales Website: w3.ibm.com/w3publisher/ww_storage_tech_sales</span><br>
<br>
<br>
<br>
<span style="font-size:9pt; color:#5f5f5f; font-family:sans-serif">From: </span><span style="font-size:9pt; font-family:sans-serif">gpfsug-discuss-request@spectrumscale.org</span><br>
<span style="font-size:9pt; color:#5f5f5f; font-family:sans-serif">To: </span><span style="font-size:9pt; font-family:sans-serif">gpfsug-discuss@spectrumscale.org</span><br>
<span style="font-size:9pt; color:#5f5f5f; font-family:sans-serif">Date: </span><span style="font-size:9pt; font-family:sans-serif">09/20/2021 07:00 AM</span><br>
<span style="font-size:9pt; color:#5f5f5f; font-family:sans-serif">Subject: </span><span style="font-size:9pt; font-family:sans-serif">[EXTERNAL] gpfsug-discuss Digest, Vol 116, Issue 6</span><br>
<span style="font-size:9pt; color:#5f5f5f; font-family:sans-serif">Sent by: </span><span style="font-size:9pt; font-family:sans-serif">gpfsug-discuss-bounces@spectrumscale.org</span><br>
<hr noshade="">
<br>
<br>
<br>
<tt><span style="font-size:10pt">Send gpfsug-discuss mailing list submissions to<br>
gpfsug-discuss@spectrumscale.org<br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
</span></tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank" rel="noopener noreferrer"><tt><span style="font-size:10pt">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</span></tt></a><tt><span style="font-size:10pt"><br>
or, via email, send a message with subject or body 'help' to<br>
gpfsug-discuss-request@spectrumscale.org<br>
<br>
You can reach the person managing the list at<br>
gpfsug-discuss-owner@spectrumscale.org<br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of gpfsug-discuss digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. nfs krb5p performance (Jon Diprose)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 20 Sep 2021 09:58:02 +0000<br>
From: Jon Diprose <jon@well.ox.ac.uk><br>
To: "gpfsug-discuss@spectrumscale.org"<br>
<gpfsug-discuss@spectrumscale.org><br>
Subject: [gpfsug-discuss] nfs krb5p performance<br>
Message-ID:<br>
<CF41F7F23121954A8E819732615C61257AAE3DDB@exchange01.well.ox.ac.uk><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hello,<br>
We have just started using the nfs protocol with SECTYPE=krb5p and are a little surprised by the performance impact - looks like down to a third of that of SECTYPE=krb5. Would any of you using krb5p be kind enough to share your estimates of impact? Not sure
if we have a misconfiguration of setup or expectation.<br>
Thanks,<br>
Jon<br>
<br>
--<br>
Dr. Jonathan Diprose <jon@well.ox.ac.uk> Tel: 01865 287873<br>
Research Computing Manager<br>
Henry Wellcome Building for Genomic Medicine<br>
Roosevelt Drive, Headington, Oxford OX3 7BN<br>
<br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at spectrumscale.org<br>
</span></tt><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank" rel="noopener noreferrer"><tt><span style="font-size:10pt">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</span></tt></a><tt><span style="font-size:10pt"><br>
<br>
<br>
End of gpfsug-discuss Digest, Vol 116, Issue 6<br>
**********************************************<br>
</span></tt><br>
<br>
<br>
<br>
</div>
</div>
</div>
</body>
</html>