Re: [bmwg] Sequential vs. random -- Re: FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance
bmonkman@netsecopen.org Thu, 20 May 2021 14:49 UTC
Return-Path: <bmonkman@netsecopen.org>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED4C73A1960 for <bmwg@ietfa.amsl.com>; Thu, 20 May 2021 07:49:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netsecopen-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oq0On4l5At0X for <bmwg@ietfa.amsl.com>; Thu, 20 May 2021 07:49:43 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DE383A195E for <bmwg@ietf.org>; Thu, 20 May 2021 07:49:43 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id k4so5295016qkd.0 for <bmwg@ietf.org>; Thu, 20 May 2021 07:49:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netsecopen-org.20150623.gappssmtp.com; s=20150623; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=bX/1M9kb9CB8Fnp44yOJYLIj0wCWBF46uijnbdKXEa4=; b=rWlqWFB/jguzr9kDBAHzS0dxuwxILoNF0K2Kp5OSTwkveh4LGDvCkpINSO9wbmHCOD x9MUavfrZlDlX0gFVkrArPmBWxDLF8wHcS1JixESogW0LsoUjCGs8DcYXPQAZ7MHngSy 5gFIkhQTJmqK9JcVvkcCBQrpiNv8+LZTuV7JwKKWmvb6oLOiquJXc4S2zulr/HER2Fl9 TZy2j/LBwDkbh/6eWGbhXD1zOXnjnzssKD7k2J6xJu7+jumqea7Rr10Qa0fBDC0R7dhW ad2p1suhs3+Vn6qYl4hxCz9Vjzh698uu0xa6ib+WDIjH+r2+W3y07Ja08+oWhrc0Hjuz hc/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=bX/1M9kb9CB8Fnp44yOJYLIj0wCWBF46uijnbdKXEa4=; b=ATLuNxKOQ6Yq756TSs/Ki+J8Qy8M2EyUcfEM9IEePvqTsXMhJB2lbPI1C+g9ZgSMmq Df1NiPw1rrmVsLEBF/I4P03/tLhejvtq3TVBZ9BUn1DPDz+YFibd0gE1TTOiso4L0q+F Kl8/iheAKFxhUVsUCC9Tt6EmBiqd1OmJq3PvwmPpZYLt7Y8vhdspqA5Lu2TrT6XZs5/T w+w5SGTfGh3Dgxu8xiJjiYZJuHdoAvDFuKzezvBb4cxQsvzoqeM1uBMuGWf9qoWJuHsy +pReOUDzbKjkH2BzRNXAbMaBZ1h+Zn6jJB+qpmmxdlw0wJ2ghvZs9swdqD3M1lpveLdx Yd8Q==
X-Gm-Message-State: AOAM53396HgSDiAV4LnSJWXUC4VUi2h2fuBUwhj7sDl+sFfTmWIyV47M 3Bejddjecu3Tub/o2tClVzBlIQ==
X-Google-Smtp-Source: ABdhPJwb4FuyThPGqnpeoxKWL/ondWnmS95zDYd1mgn6gxka0m0du6R3U1Gx3Pp3q/vp1k2u/+Obrw==
X-Received: by 2002:a05:620a:12c6:: with SMTP id e6mr5260555qkl.59.1621522181507; Thu, 20 May 2021 07:49:41 -0700 (PDT)
Received: from DESKTOP42TMNEU (c-98-235-212-118.hsd1.pa.comcast.net. [98.235.212.118]) by smtp.gmail.com with ESMTPSA id u186sm2234121qkd.30.2021.05.20.07.49.40 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 May 2021 07:49:41 -0700 (PDT)
From: bmonkman@netsecopen.org
To: 'Gábor LENCSE' <lencse@hit.bme.hu>, "'MORTON JR., AL'" <acmorton@att.com>
Cc: 'Bala Balarajah' <bala@netsecopen.org>, 'Bala Balarajah' <bm.balarajah@gmail.com>, bmwg@ietf.org, "'MORTON, ALFRED C (AL)'" <acm@research.att.com>, 'Sarah Banks' <sbanks@encrypted.net>, "'Dr. Lencse Gábor'" <lencse@sze.hu>
References: <413e779fd7eb4dd4b3aa8473c171e282@att.com> <f1a2b5c5-ebf2-12ab-b053-b9b2538342ad@hit.bme.hu> <047501d745bb$e22f4ab0$a68de010$@netsecopen.org> <7dc6b282-7f41-bf7c-f09c-65e7ce94b674@hit.bme.hu> <048801d745be$31424b50$93c6e1f0$@netsecopen.org> <84196d5ce7474f9196ab000be64c49fd@att.com> <c9a5ff54-29db-bcc0-2c50-8f2287f99b3a@hit.bme.hu> <035701d74c24$6a5c3380$3f149a80$@netsecopen.org> <50d79594-cb01-8d3b-f5d7-52e3c339ee13@hit.bme.hu>
In-Reply-To: <50d79594-cb01-8d3b-f5d7-52e3c339ee13@hit.bme.hu>
Date: Thu, 20 May 2021 10:49:40 -0400
Message-ID: <04cc01d74d87$5d168680$17439380$@netsecopen.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_04CD_01D74D65.D60582C0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFRbj6fJkgW8izlvCwqrrFMnkxIIgCInYIRAuwPM28Ba7bQAAJP8T6gAZobdVoCjOStYAMhZZ/iAfPWnPGrdMzhEA==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/EnW_0PZd4a6MstNfoVmNI4gvdlA>
Subject: Re: [bmwg] Sequential vs. random -- Re: FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2021 14:49:49 -0000
HI Gabor, We will update page 16 of the draft to allow for either sequential or pseudorandom port numbers. Thanks for your detailed explanation. Brian From: Gábor LENCSE <lencse@hit.bme.hu> Sent: Wednesday, May 19, 2021 3:49 AM To: bmonkman@netsecopen.org; 'MORTON JR., AL' <acmorton@att.com> Cc: 'Bala Balarajah' <bala@netsecopen.org>; 'Bala Balarajah' <bm.balarajah@gmail.com>; bmwg@ietf.org; 'MORTON, ALFRED C (AL)' <acm@research.att.com>; 'Sarah Banks' <sbanks@encrypted.net>; Dr. Lencse Gábor <lencse@sze.hu> Subject: Sequential vs. random -- Re: [bmwg] FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance Dear Brian, I think that you know firewall testing better then me, thus you can make a better decision than me, and I will accept your decision anything it will be. However, I would like to support you decision by sharing my experience and results with you. Full disclosure: I find the question of sequential vs. random very interesting and important regarding my own research. I hope that our discussion may be beneficial for both of us. STATELESS TESTING 1. DNS64 and authoritative DNS server benchmarking I used sequential source port numbers in dns64perf++ (implemented by my BSc student Dániel Bakai) only to support RSS (Receive-Side Scaling). It made me possible to perform authoritative DNS server performance measurements over 3 million queries per second rate. (The details were published in my open access paper: G. Lencse, "Benchmarking Authoritative DNS Servers", IEEE Access, vol. 8. pp. 130224-130238, July 2020. DOI: 10.1109/ACCESS.2020.3009141) 2. SIIT (also called stateless NAT64) benchmarking In the original version of my DPDK-based RFC 8219 compliant SIIT tester called siitperf, I implemented the possibility of using random destination networks to comply with the requirement of RFC 2544. But I used fixed source and destination port numbers by literally following the Test Frame Format supplied in the appendix of RFC 2544. Then Al Morton has called my attention to RFC 4814. Then I added the feature of pseudorandom port numbers to comply with RFC 4814. Besides pseudorandom port numbers, I also added the possibility of increasing (or decreasing) port numbers. (I have seen this feature also in commercial RFC 2544 testers.) I have very interesting measurement results with using pseudorandom vs. sequential port numbers in IPv4 router benchmarking. (IPv4 routers were chosen to be able to achieve high throughput.) Please see Table I. in my open access paper: G. Lencse, "Adding RFC 4814 Random Port Feature to Siitperf: Design, Implementation and Performance Estimation", International Journal of Advances in Telecommunications, Electrotechnics, Signals and Systems, vol 9, no 3, pp. 18-26, 2020, DOI: 10.11601/ijates.v9i3.291 available also from: http://www.hit.bme.hu/~lencse/publications/291-1113-1-PB.pdf If you consider the median throughput rates using: - random source ports (and fixed destination port): 3,469,891 fps - increasing source ports (and fixed destination port): 3,485,627 fps - random destination ports (and fixed source port): 3,400,966 fps - increasing destination ports (and fixed source port): 3,447,165 fps Then you can see that there is not much difference, but increasing port numbers result in somewhat higher throughput than random ones. (It is also interesting that varying source port numbers cause higher throughput than varying destination port numbers. I attribute this difference to an asymmetry in the hash function: varying source port numbers can distribute the interrupts more evenly among the CPU cores.) The fact that all the above result were close to the 3,402,271 fps throughput measured using pseudorandom source and destination port numbers to comply with RFC 4814, is very important for me: using sequential source (or destination, but not both) port numbers can be a computationally cheaper alternative to using pseudorandom source and destination port numbers. STATEFUL TESTING This is my very recent research area, and my surprising results made me recommending you to consider pseudorandom port numbers. When I designed the stateful extension of siitperf, my original idea was to use sequential sweep in the port number range, which I called as "port number enumeration", in the preliminary phase of the stateful testing to load the (source IP, source port, destination IP, destination port) four tuples into both the connection tracking table of the DUT and the state table of the "Responder" subsystem of the Tester. However, my test results showed huge difference in the maximum connection establishment rate of iptables! Parameters of the tests: source port range: 10,000 - 49,999 destination port range: 80 - 179 (Number of all possible combinations: 40,000*100=4,000,000) nf_conntrack_max: 4,194,304 hashsize: 524,288 Number of preliminary frames: 4,000,000 Maximum connection establishment rate was determined by binary search. The results were shocking: - with enumerated port numbers: 669,587 fps - with random port numbers: 1,406,320 I was aware that random port numbers did not fully exhaust the possible port number combinations (some combinations appeared twice or even more times). Therefore, I have repeated the measurement with 40,000,000 preliminary frames using random port numbers. The result was 1,271,023fps, which still about the double of the result with enumerated port numbers. You can find all the details in my paper currently under review: http://www.hit.bme.hu/~lencse/publications/SFNAT64-tester-for-review.pdf Regarding the possible root cause of the phenomenon, I have my own explanation, but I do not want influence you. What do you think of it? This experience was the reason, why we wrote in our I-D that: Important warning: in normal router testing, the port number selection algorithm (whether it is pseudo-random or enumerated) does not affect final results. However, our experience with iptables shows that if the connection tracking table is filled using port number enumeration in increasing order, then the maximum connection establishment rate of iptables degrades significantly compared to its performance using pseudorandom port numbers [LEN2021 <https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-statef ul#ref-LEN2021> ]. Source: https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-statefu l APPLICATION TO FIREWALL TESTING Of course, I am aware that your case may be different in several aspects than yours. For example, I willfully increased the size of the connection tracking table of iptables from its default value to a value recommended for a high-loaded NAT server: https://ixnfo.com/en/tuning-nf_conntrack.html In addition to that, I have nearly fully filled the connection tracking table of the DUT! These parameters likely do not apply to firewalls preforming deep packet inspection. :-) My aim was to test the abilities of my stateful Tester in a demanding situation. I used NAT44 instead of NAT64 to be able to achieve higher rates. NAT44 is much-much simpler than the tasks performed by your firewalls, thus the lookup of the connections may dominate the execution time in my case, but it may be marginal in your case. And there may be several other differences, which I do not even think of. This is why wrote that you need to decide, what is suitable for you. The most I can do is to give ideas to consider. :-) Best regards, Gábor 18/05/2021 22:28 keltezéssel, bmonkman@netsecopen.org <mailto:bmonkman@netsecopen.org> írta: Hi Gabor, Apologies for the tardy reply. All of the comments/suggestions/nits you submitted look fine, with one exception. In your original e-mail you said: page 16 [...] The behavior of the client is to sweep through the given server IP space, sequentially generating a recognizable service by the DUT. I am not sure if sequential sweep is the right choice for two reasons: - I feel that the spirit of RFC 4814 would rather suggest pseudorandom. To surely include all of them, I recommend random permutation. - According to my experience, iptables has shown significantly different maximum connection establishment rate, when I used pseudorandom port numbers or when I enumerated the port numbers in increasing order. (Details available upon request.) We feel that in order to meet the goal of reproducible results that introducing randomness is not something we want to do. While we do understand your position, we hope you can support our desire to no make this change. Brian
- [bmwg] FW: WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… Gabor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… Gabor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… MORTON JR., AL
- [bmwg] Second part -- Re: FW: WGLC on New version… Gabor LENCSE
- Re: [bmwg] Second part -- Re: FW: WGLC on New ver… bmonkman
- [bmwg] Sequential vs. random -- Re: FW: WGLC on N… Gábor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… MORTON JR., AL
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] Sequential vs. random -- Re: FW: WGLC … bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Gábor LENCSE
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Gábor LENCSE