Protecting Netflix Viewing Privacy at Scale (2024)

On the Open Connect team at Netflix, we are always working to enhance the hardware and software in the purpose-built Open Connect Appliances (OCAs) that store and serve Netflix video content. As we mentioned in a recent company blog post, since the beginning of the Open Connect program we have significantly increased the efficiency of our OCAs — from delivering 8 Gbps of throughput from a single server in 2012 to over 90 Gbps from a single server in 2016. We contribute to this effort on the software side by optimizing every aspect of the software for our unique use case — in particular, focusing on the open source FreeBSD operating system and the NGINX web server that run on the OCAs.

Members of the team will be presenting a technical session on this topic at the Intel Developer Forum (IDF16) in San Francisco this month. This blog introduces some of the work we’ve done.

In the modern internet world, we have to focus not only on efficiency, but also on security. There are many state-of-the-art security mechanisms in place at Netflix, including Transport Layer Security (TLS) encryption of customer information, search queries, and other confidential data. We have always relied on pre-encoded Digital Rights Management (DRM) to secure our video streams. Over the past year, we’ve begun to use Secure HTTP (HTTP over TLS or HTTPS) to encrypt the transport of the video content as well. This helps protect member privacy, particularly when the network is insecure — ensuring that our members are safe from eavesdropping by anyone who might want to record their viewing habits.

Netflix Open Connect serves over 125 million hours of content per day, all around the world. Given our scale, adding the overhead of TLS encryption calculations to our video stream transport had the potential to greatly reduce the efficiency of our global infrastructure. We take this efficiency seriously, so we had to find creative ways to enhance the software on our OCAs to accomplish this objective.

We will describe our work in these three main areas:

  • Determining the ideal cipher for bulk encryption
  • Finding the best implementation of the chosen cipher
  • Exploring ways to improve the data path to and from the cipher implementation

We evaluated available and applicable ciphers and decided to primarily use the Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM), available starting in TLS 1.2. We chose AES-GCM over the Cipher Block Chaining (CBC) method, which comes at a higher computational cost. The AES-GCM cipher algorithm encrypts and authenticates the message simultaneously — as opposed to AES-CBC, which requires an additional pass over the data to generate a keyed-hash message authentication code (HMAC). CBC can still be used as a fallback for clients that cannot support the preferred method.
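The preference described above (AES-GCM first, AES-CBC with HMAC only as a fallback) can be checked on any OpenSSL-backed server configuration. The following is an added example, not code from the original post or from Netflix: the cipher strings `POLICY` and `MISORDERED` and the function `audit` are illustrative assumptions, and the check uses only Python's standard `ssl` module.

```python
import ssl

# Assumed policy in OpenSSL cipher-list syntax (illustrative, not Netflix's
# configuration): AES-GCM suites first, AES-CBC + HMAC suites as the fallback.
POLICY = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"
)
# Constructed counter-example: a CBC suite listed ahead of a GCM suite.
MISORDERED = "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256"


def audit(policy):
    """Report how a server context built from `policy` ranks its TLS 1.2 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(policy)  # raises ssl.SSLError if nothing matches
    # get_ciphers() is in priority order. TLS 1.3 suites are AEAD-only and
    # are not governed by set_ciphers(), so leave them out of the ranking.
    suites = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    flags = [c["aead"] for c in suites]
    split = flags.index(False) if False in flags else len(flags)
    return {
        "preferred": [c["name"] for c in suites[:split]],  # leading AEAD run
        "fallback": [c["name"] for c in suites[split:]],   # everything after
        # True only if no AEAD suite is ranked below a MAC-then-encrypt one
        "aead_first": not any(flags[split:]),
        # Without this option the client's ordering wins, not the server's
        "server_order_enforced": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
    }


if __name__ == "__main__":
    for label, policy in (("policy", POLICY), ("misordered", MISORDERED)):
        print(label, audit(policy))
```

A suite named in the policy but absent from the local OpenSSL build is silently dropped, so compare `preferred` and `fallback` against the intended list as well as checking `aead_first`.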

All revisions of Open Connect Appliances also have Intel CPUs that support AES-NI, the extension to the x86 instruction set designed to improve encryption and decryption performance.

We needed to determine the best implementation of AES-GCM with the AES-NI instruction set, so we investigated alternatives to OpenSSL, including BoringSSL and the Intel Intelligent Storage Acceleration Library (ISA-L).

Netflix and NGINX had previously worked together to improve our HTTP client request and response time via the use of sendfile calls to perform a zero-copy data flow from storage (HDD or SSD) to network socket, keeping the data in the kernel memory address space and relieving some of the CPU burden. The Netflix team specifically added the ability to make the sendfile calls asynchronous — further reducing the data path and enabling more simultaneous connections.

However, TLS functionality, which requires the data to be passed to the application layer, was incompatible with the sendfile approach.

To retain the benefits of the sendfile model while adding TLS functionality, we designed a hybrid TLS scheme whereby session management stays in the application space, but the bulk encryption is inserted into the sendfile data pipeline in the kernel. This extends sendfile to support encrypting data for TLS/SSL connections.

We also made some important fixes to our earlier data path implementation, including eliminating the need to repeatedly traverse mbuf linked lists to gain addresses for encryption.

We tested the BoringSSL and ISA-L AES-GCM implementations with our sendfile improvements against a baseline of OpenSSL (with no sendfile changes), under typical Netflix traffic conditions on three different OCA hardware types. Our changes in both the BoringSSL and ISA-L test situations significantly increased both CPU utilization and bandwidth over baseline — increasing performance by up to 30%, depending on the OCA hardware version. We chose the ISA-L cipher implementation, which had slightly better results. With these improvements in place, we can continue the process of adding TLS to our video streams for clients that support it, without suffering prohibitive performance hits.

Read more details in this paper and the follow-up paper. We continue to investigate new and novel approaches to making both security and performance a reality. If this kind of ground-breaking work is up your alley, check out our latest job openings!

— by Randall Stewart, Scott Long, Drew Gallatin, Alex Gutarin, and Ellen Livengood

As a seasoned expert in the field of content delivery networks (CDN) and streaming technologies, with a deep understanding of the intricacies involved in optimizing hardware and software for efficient and secure video content delivery, I can attest to the significance of the work carried out by the Netflix Open Connect team, as outlined in the article dated August 8, 2016. My extensive experience in this domain allows me to dissect and elucidate the key concepts embedded in the Netflix Technology Blog post.

First and foremost, the Open Connect team at Netflix focuses on continually enhancing the purpose-built Open Connect Appliances (OCAs) responsible for storing and serving Netflix video content. The team has demonstrated a remarkable improvement in efficiency, scaling from 8 Gbps to over 90 Gbps throughput from a single server between 2012 and 2016. This enhancement is achieved through a meticulous optimization of both hardware and software components.

The software optimization efforts center around the utilization of the open-source FreeBSD operating system and the NGINX web server, both of which run on the OCAs. Notably, the team contributes to the efficiency by presenting technical sessions at events like the Intel Developer Forum (IDF16), showcasing their expertise in the field.

In addressing the contemporary challenges of the internet landscape, the article emphasizes the critical importance of security alongside efficiency. Netflix employs state-of-the-art security mechanisms, including Transport Layer Security (TLS) encryption, to safeguard customer information and maintain confidentiality. The adoption of Secure HTTP (HTTPS) further ensures the encryption of video content transport, enhancing member privacy, especially in insecure network environments.

A key aspect of the team's work is the incorporation of encryption, specifically TLS, into the video stream transport. This introduces challenges related to computational costs and potential efficiency reduction, given Netflix's massive scale of serving over 125 million hours of content globally each day.

The team addresses these challenges by delving into three main areas of work:

  1. Determining the ideal cipher for bulk encryption: The team opts for the Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM) over Cipher Block Chaining (CBC) due to its simultaneous encryption and authentication capabilities.
  2. Finding the best implementation of the chosen cipher: Evaluation of alternatives to OpenSSL, such as BoringSSL and Intel Intelligent Storage Acceleration Library (ISA-L), leads to the selection of ISA-L for its performance benefits.
  3. Improving the data path to and from the cipher implementation: The team introduces a hybrid TLS scheme, combining the benefits of the sendfile model with TLS functionality, resulting in a more efficient data pipeline.

Furthermore, the article discusses the team's rigorous testing of different implementations under typical Netflix traffic conditions, showcasing performance improvements of up to 30%, depending on the OCA hardware version. The chosen ISA-L cipher implementation proves to be more effective in this context.

In conclusion, the Netflix Open Connect team's work exemplifies a harmonious balance between security and performance, demonstrating their commitment to pushing the boundaries of innovation in the CDN and streaming technology space. This groundbreaking work serves as a testament to their expertise and dedication to delivering high-quality streaming experiences to Netflix users worldwide.
