Firewall Wizards mailing list archives

Re: Firewall performance testing (Was: Re: Evaluating Firewall)


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 07 May 2003 20:20:25 +0200


Carson Gaspar wrote:

> - TCP Packets / sec vs. packet size
>
> This will illuminate the packet rate limitations, as well as the bit rate
> limitations (which are frequently 2 different limits - firewalls rarely can
> keep up at their bit rate limit with 64 byte packets)

All too true for anything with PCI (and similar) buses.
The amount of time spent setting up a simple bus mastering 
operation, and the spillage on the buses themselves, is insane
per packet. They are built for transferring much larger bursts of 
data than runt ethernet packets and it shows.


> These numbers should be for 0% packet loss.

I've got to object here. Test for 0% packet loss if you need 
__zero__ loss. Sure, a unit running below spec shouldn't be
losing packets, but to find out what "peak performance" is,
you really should be testing with something like 0.1%..0.01%
loss, IMHO.  Take the intel e1000 series NICs for example.
You can get them to do 1GBps flat with 0% packet loss by cranking
their RX/TX rings to 1024..8192 buffers (I shit you not), but the
latency hit is... yuck.  Aim for 0.1%..0.01% loss and you'll get
a NIC that behaves __much__ better all-round.


> Most firewalls have to do a connection lookup for established sessions.
> Good ones will do so with some algorithm that is O(log n) (or so) instead
> of O(n).

s/O(log n)/O(1..2)/


> - Behavior on saturation
>
> How does the firewall behave once you've gone beyond its capacity? Does it
> gracefully degrade, or fall off a cliff? Do existing connections or old
> connections get priority?

Don't just try to flood the connection table; try overloading
it throughput-wise too.  If you find out that its throughput
limit is 0.5M packets/s, try throwing twice that at it and see
how much comes out the other end.  Something with working ring
management will come out forwarding near its limit (~80% perhaps?).
Others will vary from <50% throughput to...  basically dead.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
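As an added example (not part of Mikael's or Carson's posts, and not code from any firewall vendor), here is a Python model of the test methodology the two of them are arguing about: an RFC 2544-style binary search for the highest offered rate at a given loss tolerance, run per frame size so the packet-rate and bit-rate limits show up separately, plus an overload run at multiples of capacity to see whether the box degrades gracefully or falls off a cliff. The device under test is a synthetic model; its limits, its "ring overflow" loss band and its overload collapse factor are assumptions chosen to illustrate the thread, not measurements of any product. In a real test the `SimulatedDUT` would be replaced by a traffic generator driving the firewall and counting frames on the far side.

```python
# Added example: RFC 2544-style throughput search and saturation test
# against a SIMULATED firewall.  The DUT model and every number in it are
# assumptions made for illustration, not measurements of a real device.
from dataclasses import dataclass

# Standard RFC 2544 frame sizes for Ethernet.
RFC2544_FRAME_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)


def line_rate_pps(frame_bytes: int, link_bps: float = 1e9) -> float:
    """Max frames/s on an Ethernet link: frame + 8 B preamble + 12 B IFG."""
    return link_bps / ((frame_bytes + 20) * 8)


@dataclass(frozen=True)
class SimulatedDUT:
    """Toy forwarding model (an assumption, not a real firewall).

    Two independent limits: a packet rate (per-packet bus transaction /
    CPU bound) and a bit rate (bus or NIC bandwidth bound).  Below capacity,
    a shallow RX ring drops a small fraction of packets during microbursts
    once load passes `overflow_onset` of capacity.  Above capacity the
    forwarded rate decays linearly with `collapse` (0 = holds its limit,
    1 = forwards nothing at 2x load).
    """
    pps_limit: float
    bps_limit: float
    overflow_onset: float   # fraction of capacity where ring-overflow loss starts
    overflow_loss: float    # loss fraction inside that band (0.0005 = 0.05 %)
    collapse: float         # throughput lost per unit of overload past capacity

    def capacity_pps(self, frame_bytes: int) -> float:
        """Whichever of the two limits bites first at this frame size."""
        return min(self.pps_limit, self.bps_limit / (frame_bytes * 8))

    def forwarded_pps(self, offered_pps: float, frame_bytes: int) -> float:
        cap = self.capacity_pps(frame_bytes)
        if offered_pps <= cap:
            in_band = offered_pps > self.overflow_onset * cap
            return offered_pps * (1.0 - (self.overflow_loss if in_band else 0.0))
        overload = offered_pps / cap - 1.0
        efficiency = max(0.0, 1.0 - self.collapse * overload)
        return cap * efficiency * (1.0 - self.overflow_loss)

    def loss_fraction(self, offered_pps: float, frame_bytes: int) -> float:
        if offered_pps <= 0:
            return 0.0
        return 1.0 - self.forwarded_pps(offered_pps, frame_bytes) / offered_pps


def throughput_pps(dut: SimulatedDUT, frame_bytes: int, max_loss: float = 0.0,
                   link_bps: float = 1e9, iterations: int = 48) -> float:
    """Bisect for the highest offered rate whose loss fraction is <= max_loss.

    Loss is monotone in offered rate in the model (and should be on a sane
    DUT), which is what makes the RFC 2544 binary search valid.
    """
    lo, hi = 0.0, line_rate_pps(frame_bytes, link_bps)
    if dut.loss_fraction(hi, frame_bytes) <= max_loss:
        return hi                      # passes at line rate, nothing to search
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if dut.loss_fraction(mid, frame_bytes) <= max_loss:
            lo = mid
        else:
            hi = mid
    return lo


def throughput_table(dut: SimulatedDUT, max_loss: float = 0.0,
                     sizes=RFC2544_FRAME_SIZES) -> dict:
    """frame size -> (throughput in pps, throughput in Mbit/s of payload frames)."""
    out = {}
    for size in sizes:
        pps = throughput_pps(dut, size, max_loss)
        out[size] = (pps, pps * size * 8 / 1e6)
    return out


def saturation_profile(dut: SimulatedDUT, frame_bytes: int,
                       multiples=(1.0, 1.5, 2.0, 4.0)) -> dict:
    """Forwarded rate as a fraction of capacity when offered k x capacity."""
    cap = dut.capacity_pps(frame_bytes)
    return {k: dut.forwarded_pps(k * cap, frame_bytes) / cap for k in multiples}


# Three constructed DUTs with the same raw limits but different ring behaviour
# (assumed values): shallow rings, deep rings, and a box that collapses.
SHALLOW_RING = SimulatedDUT(pps_limit=500_000, bps_limit=900e6,
                            overflow_onset=0.90, overflow_loss=0.0005, collapse=0.2)
DEEP_RING = SimulatedDUT(pps_limit=500_000, bps_limit=900e6,
                         overflow_onset=1.0, overflow_loss=0.0, collapse=0.2)
CLIFF = SimulatedDUT(pps_limit=500_000, bps_limit=900e6,
                     overflow_onset=0.90, overflow_loss=0.0005, collapse=0.9)

if __name__ == "__main__":
    for tol in (0.0, 0.001):
        print(f"shallow-ring DUT, loss tolerance {tol:.2%}")
        for size, (pps, mbps) in throughput_table(SHALLOW_RING, tol).items():
            print(f"  {size:5d} B  {pps:12,.0f} pps  {mbps:8.1f} Mbit/s")
    for name, dut in (("shallow", SHALLOW_RING), ("cliff", CLIFF)):
        print(name, {k: round(v, 3) for k, v in saturation_profile(dut, 64).items()})
```

With these assumed parameters the 0%-loss search reports the shallow-ring box at 90% of its real forwarding limit for 64-byte frames, while a 0.1% tolerance finds the limit itself; at 1518 bytes the bit-rate limit takes over and the packet rate drops accordingly. Offering twice capacity leaves the well-behaved model forwarding about 80% of its limit and the cliff model about 10%.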
