[bmwg] Sequential vs. random -- Re: FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance
Gábor LENCSE <lencse@hit.bme.hu> Wed, 19 May 2021 07:49 UTC
Return-Path: <lencse@hit.bme.hu>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00BD3A21BB for <bmwg@ietfa.amsl.com>; Wed, 19 May 2021 00:49:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kh9j7obeB-tU for <bmwg@ietfa.amsl.com>; Wed, 19 May 2021 00:49:46 -0700 (PDT)
Received: from frogstar.hit.bme.hu (frogstar.hit.bme.hu [IPv6:2001:738:2001:4020::2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2336C3A21BA for <bmwg@ietf.org>; Wed, 19 May 2021 00:49:45 -0700 (PDT)
Received: from [192.168.1.146] (host-79-121-40-143.kabelnet.hu [79.121.40.143]) (authenticated bits=0) by frogstar.hit.bme.hu (8.15.2/8.15.2) with ESMTPSA id 14J7nO2Z081899 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 19 May 2021 09:49:29 +0200 (CEST) (envelope-from lencse@hit.bme.hu)
X-Authentication-Warning: frogstar.hit.bme.hu: Host host-79-121-40-143.kabelnet.hu [79.121.40.143] claimed to be [192.168.1.146]
To: bmonkman@netsecopen.org, "'MORTON JR., AL'" <acmorton@att.com>
Cc: 'Bala Balarajah' <bala@netsecopen.org>, 'Bala Balarajah' <bm.balarajah@gmail.com>, bmwg@ietf.org, "'MORTON, ALFRED C (AL)'" <acm@research.att.com>, 'Sarah Banks' <sbanks@encrypted.net>, "Dr. Lencse Gábor" <lencse@sze.hu>
References: <413e779fd7eb4dd4b3aa8473c171e282@att.com> <f1a2b5c5-ebf2-12ab-b053-b9b2538342ad@hit.bme.hu> <047501d745bb$e22f4ab0$a68de010$@netsecopen.org> <7dc6b282-7f41-bf7c-f09c-65e7ce94b674@hit.bme.hu> <048801d745be$31424b50$93c6e1f0$@netsecopen.org> <84196d5ce7474f9196ab000be64c49fd@att.com> <c9a5ff54-29db-bcc0-2c50-8f2287f99b3a@hit.bme.hu> <035701d74c24$6a5c3380$3f149a80$@netsecopen.org>
From: Gábor LENCSE <lencse@hit.bme.hu>
Message-ID: <50d79594-cb01-8d3b-f5d7-52e3c339ee13@hit.bme.hu>
Date: Wed, 19 May 2021 09:49:20 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <035701d74c24$6a5c3380$3f149a80$@netsecopen.org>
Content-Type: multipart/alternative; boundary="------------1A2DA06AED55FC06938B5F0A"
Content-Language: en-US
X-Virus-Scanned: clamav-milter 0.102.4 at frogstar.hit.bme.hu
X-Virus-Status: Clean
Received-SPF: pass (frogstar.hit.bme.hu: authenticated connection) receiver=frogstar.hit.bme.hu; client-ip=79.121.40.143; helo=[192.168.1.146]; envelope-from=lencse@hit.bme.hu; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.10;
X-DCC--Metrics: frogstar.hit.bme.hu; whitelist
X-Scanned-By: MIMEDefang 2.79 on 152.66.248.44
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/udyLeh0RdQIEu2pkl5qx87rgh0s>
Subject: [bmwg] Sequential vs. random -- Re: FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 07:49:52 -0000
Dear Brian, I think that you know firewall testing better then me, thus you can make a better decision than me, and I will accept your decision anything it will be. However, I would like to support you decision by sharing my experience and results with you. Full disclosure: I find the question of sequential vs. random very interesting and important regarding my own research. I hope that our discussion may be beneficial for both of us. STATELESS TESTING 1. DNS64 and authoritative DNS server benchmarking I used sequential source port numbers in dns64perf++ (implemented by my BSc student Dániel Bakai) only to support RSS (Receive-Side Scaling). It made me possible to perform authoritative DNS server performance measurements over 3 million queries per second rate. (The details were published in my open access paper: G. Lencse, "Benchmarking Authoritative DNS Servers", /IEEE Access/, vol. 8. pp. 130224-130238, July 2020. DOI: 10.1109/ACCESS.2020.3009141) 2. SIIT (also called stateless NAT64) benchmarking In the original version of my DPDK-based RFC 8219 compliant SIIT tester called siitperf, I implemented the possibility of using random destination networks to comply with the requirement of RFC 2544. But I used fixed source and destination port numbers by literally following the Test Frame Format supplied in the appendix of RFC 2544. Then Al Morton has called my attention to RFC 4814. Then I added the feature of pseudorandom port numbers to comply with RFC 4814. Besides pseudorandom port numbers, I also added the possibility of increasing (or decreasing) port numbers. (I have seen this feature also in commercial RFC 2544 testers.) I have very interesting measurement results with using pseudorandom vs. sequential port numbers in IPv4 router benchmarking. (IPv4 routers were chosen to be able to achieve high throughput.) Please see Table I. in my open access paper: G. Lencse, "Adding RFC 4814 Random Port Feature to Siitperf: Design, Implementation and Performance Estimation", /International Journal of Advances in Telecommunications, Electrotechnics, Signals and Systems/, vol 9, no 3, pp. 18-26, 2020, DOI: 10.11601/ijates.v9i3.291 available also from: http://www.hit.bme.hu/~lencse/publications/291-1113-1-PB.pdf If you consider the median throughput rates using: - random source ports (and fixed destination port): 3,469,891 fps - increasing source ports (and fixed destination port): 3,485,627 fps - random destination ports (and fixed source port): 3,400,966 fps - increasing destination ports (and fixed source port): 3,447,165 fps Then you can see that there is not much difference, but increasing port numbers result in somewhat higher throughput than random ones. (It is also interesting that varying source port numbers cause higher throughput than varying destination port numbers. I attribute this difference to an asymmetry in the hash function: varying source port numbers can distribute the interrupts more evenly among the CPU cores.) The fact that all the above result were close to the 3,402,271 fps throughput measured using pseudorandom source and destination port numbers to comply with RFC 4814, is very important for me: using sequential source (or destination, but not both) port numbers can be a computationally cheaper alternative to using pseudorandom source and destination port numbers. STATEFUL TESTING This is my very recent research area, and my surprising results made me recommending you to consider pseudorandom port numbers. When I designed the stateful extension of siitperf, my original idea was to use sequential sweep in the port number range, which I called as "port number enumeration", in the preliminary phase of the stateful testing to load the (source IP, source port, destination IP, destination port) four tuples into both the connection tracking table of the DUT and the state table of the "Responder" subsystem of the Tester. However, my test results showed huge difference in the maximum connection establishment rate of iptables! Parameters of the tests: source port range: 10,000 - 49,999 destination port range: 80 - 179 (Number of all possible combinations: 40,000*100=4,000,000) nf_conntrack_max: 4,194,304 hashsize: 524,288 Number of preliminary frames: 4,000,000 Maximum connection establishment rate was determined by binary search. The results were shocking: - with enumerated port numbers: 669,587 fps - with random port numbers: 1,406,320 I was aware that random port numbers did not fully exhaust the possible port number combinations (some combinations appeared twice or even more times). Therefore, I have repeated the measurement with 40,000,000 preliminary frames using random port numbers. The result was 1,271,023fps, which still about the double of the result with enumerated port numbers. You can find all the details in my paper currently under review: http://www.hit.bme.hu/~lencse/publications/SFNAT64-tester-for-review.pdf Regarding the possible root cause of the phenomenon, I have my own explanation, but I do not want influence you. What do you think of it? This experience was the reason, why we wrote in our I-D that: Important warning: in normal router testing, the port number selection algorithm (whether it is pseudo-random or enumerated) does not affect final results. However, our experience with iptables shows that if the connection tracking table is filled using port number enumeration in increasing order, then the maximum connection establishment rate of iptables degrades significantly compared to its performance using pseudorandom port numbers [LEN2021 <https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-stateful#ref-LEN2021>]. Source: https://datatracker.ietf.org/doc/html/draft-lencse-bmwg-benchmarking-stateful APPLICATION TO FIREWALL TESTING Of course, I am aware that your case may be different in several aspects than yours. For example, I willfully increased the size of the connection tracking table of iptables from its default value to a value recommended for a high-loaded NAT server: https://ixnfo.com/en/tuning-nf_conntrack.html In addition to that, I have nearly fully filled the connection tracking table of the DUT! These parameters likely do not apply to firewalls preforming deep packet inspection. :-) My aim was to test the abilities of my stateful Tester in a demanding situation. I used NAT44 instead of NAT64 to be able to achieve higher rates. NAT44 is much-much simpler than the tasks performed by your firewalls, thus the lookup of the connections may dominate the execution time in my case, but it may be marginal in your case. And there may be several other differences, which I do not even think of. This is why wrote that you need to decide, what is suitable for you. The most I can do is to give ideas to consider. :-) Best regards, Gábor 18/05/2021 22:28 keltezéssel, bmonkman@netsecopen.org írta: > > Hi Gabor, > > Apologies for the tardy reply. All of the comments/suggestions/nits > you submitted look fine, with one exception. In your original e-mail > you said: > > “page 16 > > [...] The behavior of the > client is to sweep through the given server IP space, sequentially > generating a recognizable service by the DUT. > > “I am not sure if sequential sweep is the right choice for two reasons: > - I feel that the spirit of RFC 4814 would rather suggest > pseudorandom. To surely include all of them, I recommend random > permutation. > - According to my experience, iptables has shown significantly > different maximum connection establishment rate, when I used > pseudorandom port numbers or when I enumerated the port numbers in > increasing order. (Details available upon request.)” > > We feel that in order to meet the goal of reproducible results that > introducing randomness is not something we want to do. While we do > understand your position, we hope you can support our desire to no > make this change. > > Brian >
- [bmwg] FW: WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… Gabor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… Gabor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… MORTON JR., AL
- [bmwg] Second part -- Re: FW: WGLC on New version… Gabor LENCSE
- Re: [bmwg] Second part -- Re: FW: WGLC on New ver… bmonkman
- [bmwg] Sequential vs. random -- Re: FW: WGLC on N… Gábor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… MORTON JR., AL
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] Sequential vs. random -- Re: FW: WGLC … bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Gábor LENCSE
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Gábor LENCSE