Re: [bmwg] Rx Window question - Benchmarking Methodology for Network Security Device Performance
Tim Chown <Tim.Chown@jisc.ac.uk> Wed, 13 February 2019 15:07 UTC
Return-Path: <tim.chown@jisc.ac.uk>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3239712D826 for <bmwg@ietfa.amsl.com>; Wed, 13 Feb 2019 07:07:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.31
X-Spam-Level:
X-Spam-Status: No, score=-2.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jisc.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sh3IsspvJYxj for <bmwg@ietfa.amsl.com>; Wed, 13 Feb 2019 07:07:01 -0800 (PST)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [146.101.78.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E93C12867A for <bmwg@ietf.org>; Wed, 13 Feb 2019 07:07:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc.ac.uk; s=mimecast20170213; t=1550070418; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Y6qLju1sYAzhSW+2M0ofIemPDiFY3/k6dsjlJ9Noegc=; b=UxNYZsNTcjgloZComWgZq8wppSqkZ8H+NtY1f1juPAefDPgNOcx08gc69k5q/hNT1M1DwG8GqkNDYbZRSMWj36cg2jkpWLK5G65M/4bE0YBOPvJo9cuJ0KQaK8Iy0M0sf1bnxBG14NDujXvUgCmrRqUBUTZUbxrj/MxTyJupk10=
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01lp2055.outbound.protection.outlook.com [104.47.2.55]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-7-D5W_x_HfOrWZPNi1d9hwxw-1; Wed, 13 Feb 2019 15:06:48 +0000
Received: from VI1PR07MB4192.eurprd07.prod.outlook.com (20.176.6.29) by VI1PR07MB4463.eurprd07.prod.outlook.com (20.177.57.31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1622.14; Wed, 13 Feb 2019 15:06:46 +0000
Received: from VI1PR07MB4192.eurprd07.prod.outlook.com ([fe80::7da3:84f3:b433:3c9c]) by VI1PR07MB4192.eurprd07.prod.outlook.com ([fe80::7da3:84f3:b433:3c9c%4]) with mapi id 15.20.1622.016; Wed, 13 Feb 2019 15:06:46 +0000
From: Tim Chown <Tim.Chown@jisc.ac.uk>
To: "MORTON, ALFRED C (AL)" <acm@research.att.com>
CC: Brian Monkman <bmonkman@netsecopen.org>, "bmwg@ietf.org" <bmwg@ietf.org>, Bala Balarajah <bala@netsecopen.org>
Thread-Topic: [bmwg] Rx Window question - Benchmarking Methodology for Network Security Device Performance
Thread-Index: AdTDf38UOflNzvrRTMiXqndXPnlNnwAIcf5gAAMdEQA=
Date: Wed, 13 Feb 2019 15:06:46 +0000
Message-ID: <68D13203-BE56-42E3-922C-8171E68D102F@jisc.ac.uk>
References: <00ce01d4c380$a2684680$e738d380$@netsecopen.org> <4D7F4AD313D3FC43A053B309F97543CF6BFD72DD@njmtexg5.research.att.com>
In-Reply-To: <4D7F4AD313D3FC43A053B309F97543CF6BFD72DD@njmtexg5.research.att.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3445.102.3)
x-originating-ip: [217.111.25.45]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 672ad925-66f2-4096-82fe-08d691c4df2e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(7168020)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(2017052603328)(7153060)(49563074)(7193020); SRVR:VI1PR07MB4463;
x-ms-traffictypediagnostic: VI1PR07MB4463:
x-ms-exchange-purlcount: 5
x-microsoft-exchange-diagnostics: 1; VI1PR07MB4463; 20:7CHIR2+cNf4hGNKoICcxlpey/1E/P9ssB/3iJDUu/NZMz2FxOWi89y5LQiKJhiMKyH0XZipot/8OyqaOR0gzN5/ck1PcwWt+ZFdT/DqPwCZG3BlJCLUp6Z00fPOpZwOrONBJ6+OuP3/2EoYjYipMB6sqYhAgk6HWJXV0uS1hKOw=
x-microsoft-antispam-prvs: <VI1PR07MB4463732002EAAF346C256EC4D6660@VI1PR07MB4463.eurprd07.prod.outlook.com>
x-forefront-prvs: 094700CA91
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(346002)(39850400004)(136003)(396003)(199004)(504964003)(189003)(15404003)(54906003)(76176011)(54896002)(86362001)(6436002)(106356001)(6306002)(71190400001)(6246003)(33656002)(105586002)(53936002)(71200400001)(236005)(14454004)(6512007)(733005)(4326008)(6116002)(99286004)(478600001)(966005)(99936001)(72206003)(54556002)(25786009)(83716004)(6486002)(15650500001)(3846002)(57306001)(446003)(11346002)(476003)(2616005)(74482002)(486006)(6916009)(66066001)(36756003)(97736004)(55236004)(2906002)(82746002)(786003)(68736007)(256004)(14444005)(606006)(8936002)(229853002)(316002)(50226002)(186003)(81166006)(8676002)(102836004)(26005)(7736002)(53546011)(6506007)(81156014); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB4463; H:VI1PR07MB4192.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: z5loeKe4idUqh2cMEXnwv37D3OZAjeEnf886Whmu9ooN9v0iMX0QV9dXcSVS+/y5p2u7yln5nYWgFyOX07V2t1wtO1qDNjTXhRnNjsCRhsstn4kyuA/E28RgLJ1rMSgaew3A4s6VlVr6+JubpEHRWwTD6EQbUtTwOFPw4DDJoO+L5z3uB10FDrS1Rjrr2cR1z3OS97PpcPvXabwkLdPnMhldh5h5EBp4AQBMMw6gJsCRMawNWHN7NyGoNEBjOIHSDSwRw3cCWrIL0puxVHPG3T+TrramxDvma+AMsvA1AGtBtOGJUMV2V90aEQH0lQk3ixhQokvxsttrEHKutxAPn4nnPewbsL2dE3KaXnmLwX4TIwwmLCfuYa3dOHdVKqgP9jutjFWFUPmgeWUTekml3Up2kARrDu86c5x62Ly/nsY=
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 672ad925-66f2-4096-82fe-08d691c4df2e
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Feb 2019 15:06:46.2458 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB4463
X-MC-Unique: D5W_x_HfOrWZPNi1d9hwxw-1
X-Mimecast-Spam-Score: 0
Content-Type: multipart/related; boundary="_004_68D13203BE5642E3922C8171E68D102Fjiscacuk_"; type="multipart/alternative"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/m4xZquLmdmWZEKUfHl3UBSY-ktU>
Subject: Re: [bmwg] Rx Window question - Benchmarking Methodology for Network Security Device Performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 15:07:05 -0000
Hi, For our end-to-end performance work, we commonly cite the ESnet guidance on tuning: https://fasterdata.es.net/host-tuning/ It's interesting that firewall buffering is mentioned below; in general the higher volume research data transfers over R&E networks recommend routing around the campus "business" firewall and applying security policy more appropriately to the science/research traffic. Generally following the "Science DMZ" approach, as per https://fasterdata.es.net/science-dmz/. I'm not sure what the benchmarking document in this WG considers in scope, but it would be interesting to be able to test a commercial firewall's ability to pass a small number of high throughput, high pps flows while also performing more detailed inspection on tens of thousands of "business" traffic flows (web, email, ...). The inability for many commercial firewalls to do that well is exactly why ESnet published their Science DMZ model. Tim On 13 Feb 2019, at 13:47, MORTON, ALFRED C (AL) <acm@research.att.com<mailto:acm@research.att.com>> wrote: Hi Brian, Thanks for following up on this point. 64k is likely to be a “safer” answer than 32k. It’s important to consider that you are setting the Max Receive Window size limit in octets. I think we simply want to ensure that none of the TCP connections are operating in a Rcv Window-limited state. The (max)buffering in the Firewall and the link speeds are critical factors you need to determine if a Max Rcv Window size is sufficient to avoid limiting the connections. Then calculate the Bandwidth-Delay Product: https://www.slashroot.in/linux-network-tcp-performance-tuning-sysctl (scroll down a bit). The Bottom Line: you don’t want the TCP streams to operate in a “receive window-limited” mode. It’s probably best to give connections more window than they need, and also not try to tune to a specific window size exactly. The congestion control algorithm, etc., also matters. All the relevant TCP options need to be specified in the report. hope this helps, Al From: bmwg [mailto:bmwg-bounces@ietf.org] On Behalf Of Brian Monkman Sent: Wednesday, February 13, 2019 4:44 AM To: bmwg@ietf.org<mailto:bmwg@ietf.org> Cc: 'Bala Balarajah' <bala@netsecopen.org> Subject: [bmwg] Rx Window question - Benchmarking Methodology for Network Security Device Performance Folks, We are making some changes to the draft before we submit it for review. These changes have resulted from our proof of concept testing. One question is the Receive Window size. Currently in the draft it is 32k. This appears to be too small for the real world. While researching what we should use, we determined that there does not appear to be anything approaching a defacto standard or even a good solid reference. We have determined that the default receive window size for Windows operating system is 64k. While many Linux variants use 128k. So, my question to use is this…. What do you think should be used? The way I see it our choices are: 1. 64k 2. 128k 3. 64k or 128k (choice made by the tester and documented if the results are made public) Thoughts or alternate suggestions anyone? Thank you in advance. Brian --------- Brian Monkman Executive Director, NetSecOPEN Office: +1-717-610-0808 Fax: +1-717-506-0460 Mobile: +1-717-462-5422 [cid:image001.png@01D2EC14.5F737970] https://www.netsecopen.org<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.netsecopen.org&d=DwQFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=OfsSu8kTIltVyD1oL72cBw&m=MUT1uFtEFACP5dPictqITC0x73ATrx-6JiMM27LUEec&s=psg1BM6BBwPGSBmCvxknTKCUncFWebs8hJVUHuc42mA&e=> _______________________________________________ bmwg mailing list bmwg@ietf.org<mailto:bmwg@ietf.org> https://www.ietf.org/mailman/listinfo/bmwg
- [bmwg] Rx Window question - Benchmarking Methodol… Brian Monkman
- Re: [bmwg] Rx Window question - Benchmarking Meth… MORTON, ALFRED C (AL)
- Re: [bmwg] Rx Window question - Benchmarking Meth… Tim Chown
- Re: [bmwg] Rx Window question - Benchmarking Meth… MORTON, ALFRED C (AL)