IETF Logo Mail Archive

Re: [bmwg] Sequential vs. random -- Re: FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance

bmonkman@netsecopen.org Thu, 20 May 2021 14:49 UTC

Return-Path: <bmonkman@netsecopen.org>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED4C73A1960 for <bmwg@ietfa.amsl.com>; Thu, 20 May 2021 07:49:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netsecopen-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oq0On4l5At0X for <bmwg@ietfa.amsl.com>; Thu, 20 May 2021 07:49:43 -0700 (PDT)
Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DE383A195E for <bmwg@ietf.org>; Thu, 20 May 2021 07:49:43 -0700 (PDT)
Received: by mail-qk1-x731.google.com with SMTP id k4so5295016qkd.0 for <bmwg@ietf.org>; Thu, 20 May 2021 07:49:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netsecopen-org.20150623.gappssmtp.com; s=20150623; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=bX/1M9kb9CB8Fnp44yOJYLIj0wCWBF46uijnbdKXEa4=; b=rWlqWFB/jguzr9kDBAHzS0dxuwxILoNF0K2Kp5OSTwkveh4LGDvCkpINSO9wbmHCOD x9MUavfrZlDlX0gFVkrArPmBWxDLF8wHcS1JixESogW0LsoUjCGs8DcYXPQAZ7MHngSy 5gFIkhQTJmqK9JcVvkcCBQrpiNv8+LZTuV7JwKKWmvb6oLOiquJXc4S2zulr/HER2Fl9 TZy2j/LBwDkbh/6eWGbhXD1zOXnjnzssKD7k2J6xJu7+jumqea7Rr10Qa0fBDC0R7dhW ad2p1suhs3+Vn6qYl4hxCz9Vjzh698uu0xa6ib+WDIjH+r2+W3y07Ja08+oWhrc0Hjuz hc/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=bX/1M9kb9CB8Fnp44yOJYLIj0wCWBF46uijnbdKXEa4=; b=ATLuNxKOQ6Yq756TSs/Ki+J8Qy8M2EyUcfEM9IEePvqTsXMhJB2lbPI1C+g9ZgSMmq Df1NiPw1rrmVsLEBF/I4P03/tLhejvtq3TVBZ9BUn1DPDz+YFibd0gE1TTOiso4L0q+F Kl8/iheAKFxhUVsUCC9Tt6EmBiqd1OmJq3PvwmPpZYLt7Y8vhdspqA5Lu2TrT6XZs5/T w+w5SGTfGh3Dgxu8xiJjiYZJuHdoAvDFuKzezvBb4cxQsvzoqeM1uBMuGWf9qoWJuHsy +pReOUDzbKjkH2BzRNXAbMaBZ1h+Zn6jJB+qpmmxdlw0wJ2ghvZs9swdqD3M1lpveLdx Yd8Q==
X-Gm-Message-State: AOAM53396HgSDiAV4LnSJWXUC4VUi2h2fuBUwhj7sDl+sFfTmWIyV47M 3Bejddjecu3Tub/o2tClVzBlIQ==
X-Google-Smtp-Source: ABdhPJwb4FuyThPGqnpeoxKWL/ondWnmS95zDYd1mgn6gxka0m0du6R3U1Gx3Pp3q/vp1k2u/+Obrw==
X-Received: by 2002:a05:620a:12c6:: with SMTP id e6mr5260555qkl.59.1621522181507; Thu, 20 May 2021 07:49:41 -0700 (PDT)
Received: from DESKTOP42TMNEU (c-98-235-212-118.hsd1.pa.comcast.net. [98.235.212.118]) by smtp.gmail.com with ESMTPSA id u186sm2234121qkd.30.2021.05.20.07.49.40 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 May 2021 07:49:41 -0700 (PDT)
From: bmonkman@netsecopen.org
To: 'Gábor LENCSE' <lencse@hit.bme.hu>, "'MORTON JR., AL'" <acmorton@att.com>
Cc: 'Bala Balarajah' <bala@netsecopen.org>, 'Bala Balarajah' <bm.balarajah@gmail.com>, bmwg@ietf.org, "'MORTON, ALFRED C (AL)'" <acm@research.att.com>, 'Sarah Banks' <sbanks@encrypted.net>, "'Dr. Lencse Gábor'" <lencse@sze.hu>
References: <413e779fd7eb4dd4b3aa8473c171e282@att.com> <f1a2b5c5-ebf2-12ab-b053-b9b2538342ad@hit.bme.hu> <047501d745bb$e22f4ab0$a68de010$@netsecopen.org> <7dc6b282-7f41-bf7c-f09c-65e7ce94b674@hit.bme.hu> <048801d745be$31424b50$93c6e1f0$@netsecopen.org> <84196d5ce7474f9196ab000be64c49fd@att.com> <c9a5ff54-29db-bcc0-2c50-8f2287f99b3a@hit.bme.hu> <035701d74c24$6a5c3380$3f149a80$@netsecopen.org> <50d79594-cb01-8d3b-f5d7-52e3c339ee13@hit.bme.hu>
In-Reply-To: <50d79594-cb01-8d3b-f5d7-52e3c339ee13@hit.bme.hu>
Date: Thu, 20 May 2021 10:49:40 -0400
Message-ID: <04cc01d74d87$5d168680$17439380$@netsecopen.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_04CD_01D74D65.D60582C0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFRbj6fJkgW8izlvCwqrrFMnkxIIgCInYIRAuwPM28Ba7bQAAJP8T6gAZobdVoCjOStYAMhZZ/iAfPWnPGrdMzhEA==
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/EnW_0PZd4a6MstNfoVmNI4gvdlA>
Subject: Re: [bmwg] Sequential vs. random -- Re: FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2021 14:49:49 -0000

HI Gabor,

 

We will update page 16 of the draft to allow for either sequential or
pseudorandom port numbers. 

 

Thanks for your detailed explanation.

 

Brian 

 

From: Gábor LENCSE <lencse@hit.bme.hu> 
Sent: Wednesday, May 19, 2021 3:49 AM
To: bmonkman@netsecopen.org; 'MORTON JR., AL' <acmorton@att.com>
Cc: 'Bala Balarajah' <bala@netsecopen.org>; 'Bala Balarajah'
<bm.balarajah@gmail.com>; bmwg@ietf.org; 'MORTON, ALFRED C (AL)'
<acm@research.att.com>; 'Sarah Banks' <sbanks@encrypted.net>; Dr. Lencse
Gábor <lencse@sze.hu>
Subject: Sequential vs. random -- Re: [bmwg] FW: WGLC on New version of
draft-ietf-bmwg-ngfw-performance

 

Dear Brian,

I think that you know firewall testing better then me, thus you can make a
better decision than me, and I will accept your decision anything it will
be.

However, I would like to support you decision by sharing my experience and
results with you. Full disclosure: I find the question of sequential vs.
random very interesting and important regarding my own research. I hope that
our discussion may be beneficial for both of us. 


STATELESS TESTING

1. DNS64 and authoritative DNS server benchmarking

I used sequential source port numbers in dns64perf++ (implemented by my BSc
student Dániel Bakai) only to support RSS (Receive-Side Scaling). It made me
possible to perform authoritative DNS server performance measurements over 3
million queries per second rate. (The details were published in my open
access paper: G. Lencse, "Benchmarking Authoritative DNS Servers", IEEE
Access, vol. 8. pp. 130224-130238, July 2020. DOI:
10.1109/ACCESS.2020.3009141) 

2. SIIT (also called stateless NAT64) benchmarking

In the original version of my DPDK-based RFC 8219 compliant SIIT tester
called siitperf, I implemented the possibility of using random destination
networks to comply with the requirement of RFC 2544. But I used fixed source
and destination port numbers by literally following the Test Frame Format
supplied in the appendix of RFC 2544. Then Al Morton has called my attention
to RFC 4814. Then I added the feature of pseudorandom port numbers to comply
with RFC 4814. Besides pseudorandom port numbers, I also added the
possibility of increasing (or decreasing) port numbers. (I have seen this
feature also in commercial RFC 2544 testers.)

I have very interesting measurement results with using pseudorandom vs.
sequential port numbers in IPv4 router benchmarking. (IPv4 routers were
chosen to be able to achieve high throughput.) Please see Table I. in my
open access paper: G. Lencse, "Adding RFC 4814 Random Port Feature to
Siitperf: Design, Implementation and Performance Estimation", International
Journal of Advances in Telecommunications, Electrotechnics, Signals and
Systems, vol 9, no 3, pp. 18-26, 2020, DOI: 10.11601/ijates.v9i3.291
available also from:
http://www.hit.bme.hu/~lencse/publications/291-1113-1-PB.pdf
If you consider the median throughput rates using:
- random source ports (and fixed destination port): 3,469,891 fps
- increasing source ports (and fixed destination port): 3,485,627 fps
- random destination ports (and fixed source port): 3,400,966 fps
- increasing destination ports (and fixed source port): 3,447,165 fps
Then you can see that there is not much difference, but increasing port
numbers result in somewhat higher throughput than random ones. (It is also
interesting that varying source port numbers cause higher throughput than
varying destination port numbers. I attribute this difference to an
asymmetry in the hash function: varying source port numbers can distribute
the interrupts more evenly among the CPU cores.)

The fact that all the above result were close to the 3,402,271 fps
throughput measured using pseudorandom source and destination port numbers
to comply with RFC 4814, is very important for me: using sequential source
(or destination, but not both) port numbers can be a computationally cheaper
alternative to using pseudorandom source and destination port numbers.


STATEFUL TESTING

This is my very recent research area, and my surprising results made me
recommending you to consider pseudorandom port numbers. 

When I designed the stateful extension of siitperf, my original idea was to
use sequential sweep in the port number range, which I called as "port
number enumeration", in the preliminary phase of the stateful testing to
load the (source IP, source port, destination IP, destination port) four
tuples into both the connection tracking table of the DUT and the state
table of the "Responder" subsystem of the Tester.
However, my test results showed huge difference in the maximum connection
establishment rate of iptables! 
Parameters of the tests:
source port range: 10,000 - 49,999 
destination port range: 80 - 179
(Number of all possible combinations: 40,000*100=4,000,000)
nf_conntrack_max: 4,194,304
hashsize: 524,288
Number of preliminary frames: 4,000,000
Maximum connection establishment rate was determined by binary search. The
results were shocking:
- with enumerated port numbers: 669,587 fps
- with random port numbers: 1,406,320

I was aware that random port numbers did not fully exhaust the possible port
number combinations (some combinations appeared twice or even more times).
Therefore, I have repeated the measurement with 40,000,000 preliminary
frames using random port numbers. The result was 1,271,023fps, which still
about the double of the result with enumerated port numbers.

You can find all the details in my paper currently under review:
http://www.hit.bme.hu/~lencse/publications/SFNAT64-tester-for-review.pdf

Regarding the possible root cause of the phenomenon, I have my own
explanation, but I do not want influence you. 

What do you think of it?

This experience was the reason, why we wrote in our I-D that:

   Important warning: in normal router testing, the port number
   selection algorithm (whether it is pseudo-random or enumerated) does
   not affect final results.  However, our experience with iptables
   shows that if the connection tracking table is filled using port
   number enumeration in increasing order, then the maximum connection
   establishment rate of iptables degrades significantly compared to its
   performance using pseudorandom port numbers [LEN2021
<https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-statef
ul#ref-LEN2021> ].

Source:
https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-statefu
l


APPLICATION TO FIREWALL TESTING

Of course, I am aware that your case may be different in several aspects
than yours. 

For example, I willfully increased the size of the connection tracking table
of iptables from its default value to a value recommended for a high-loaded
NAT server: https://ixnfo.com/en/tuning-nf_conntrack.html
In addition to that, I have nearly fully filled the connection tracking
table of the DUT!

These parameters likely do not apply to firewalls preforming deep packet
inspection. :-)

My aim was to test the abilities of my stateful Tester in a demanding
situation. I used NAT44 instead of NAT64 to be able to achieve higher rates.
NAT44 is much-much simpler than the tasks performed by your firewalls, thus
the lookup of the connections may dominate the execution time in my case,
but it may be marginal in your case.

And there may be several other differences, which I do not even think of.
This is why wrote that you need to decide, what is suitable for you. The
most I can do is to give ideas to consider. :-)

Best regards,

Gábor




18/05/2021 22:28 keltezéssel, bmonkman@netsecopen.org
<mailto:bmonkman@netsecopen.org>  írta:

Hi Gabor,

 

Apologies for the tardy reply. All of the comments/suggestions/nits you
submitted look fine, with one exception. In your original e-mail you said:

 

“page 16

   [...]  The behavior of the
   client is to sweep through the given server IP space, sequentially
   generating a recognizable service by the DUT.  

“I am not sure if sequential sweep is the right choice for two reasons:
- I feel that the spirit of RFC 4814 would rather suggest pseudorandom. To
surely include all of them, I recommend random permutation.
- According to my experience, iptables has shown significantly different
maximum connection establishment rate, when I used pseudorandom port numbers
or when I enumerated the port numbers in increasing order. (Details
available upon request.)”

 

We feel that in order to meet the goal of reproducible results that
introducing randomness is not something we want to do.  While we do
understand your position, we hope you can support our desire to no make this
change.

 

Brian

v2.23.0 | Report a Bug | By Email