Firewall Wizards mailing list archives
Re: Firewall performance testing (Was: Re: Evaluating Firewall)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 07 May 2003 20:20:25 +0200
Carson Gaspar wrote:
> - TCP Packets / sec vs. packet size
> This will illuminate the packet rate limitations, as well as the bit rate limitations (which are frequently 2 different limits - firewalls rarely can keep up at their bit rate limit with 64 byte packets)
All too true for anything with PCI (and similar) buses. The amount of time spent setting up a simple bus mastering operation, and the spillage on the buses themselves, is insane per packet. They are built for transferring much larger bursts of data than runt ethernet packets and it shows.
> These numbers should be for 0% packet loss.
I've got to object here. Test for 0% packet loss if you need __zero__ loss. Sure, a unit running below spec shouldn't be losing packets, but to find out what "peak performance" is, you really should be testing with something like 0.1%..0.01% loss, IMHO. Take the intel e1000 series NICs for example. You can get them to do 1GBps flat with 0% packet loss by cranking their RX/TX rings to 1024..8192 buffers (I shit you not), but the latency hit is... yuck. Aim for 0.1%..0.01% loss and you'll get a NIC that behaves __much__ better all-round.
> Most firewalls have to do a connection lookup for established sessions. Good ones will do so with some algorithm that is O(log n) (or so) instead of O(n).
s/O(log n)/O(1..2)/
> - Behavior on saturation
> How does the firewall behave once you've gone beyond its capacity? Does it gracefully degrade, or fall off a cliff? Do existing connections or old connections get priority?
Don't just try to flood the connection table; try overloading it throughput-wise too. If you find out that its throughput limit is 0.5M packets/s, try throwing twice that at it and see how much comes out the other end. Something with working ring management will come out forwarding near its limit (~80% perhaps?). Others will vary from <50% throughput to... basically dead.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
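One way to reduce a throughput sweep into the numbers this exchange talks about (peak rate at 0% versus 0.01%/0.1% loss, the packet-rate versus bit-rate comparison from Carson's list, and how much still gets forwarded at twice the limit) is the Python below. It is an added example, not code from the thread or from Clavister, and the sweep values are constructed for a hypothetical device.

```python
"""Analyse a firewall throughput sweep: peak rate at a loss threshold,
wire bit rate, and behaviour past saturation (added example, constructed data)."""
from dataclasses import dataclass

ETH_OVERHEAD_BYTES = 20  # preamble/SFD (8) + inter-frame gap (12)

@dataclass(frozen=True)
class Sample:
    frame_bytes: int    # Ethernet frame size used for this run
    offered_pps: int    # packets/s the generator pushed in
    forwarded_pps: int  # packets/s counted on the far side

def loss_fraction(s: Sample) -> float:
    """Fraction of offered packets the firewall dropped (0.0 .. 1.0)."""
    return 1.0 - s.forwarded_pps / s.offered_pps

def peak_pps(samples: list[Sample], max_loss: float) -> int:
    """Highest offered rate whose loss stays within max_loss: 0.0 is the strict
    zero-loss figure, 0.0001 (0.01%) or 0.001 (0.1%) the 'peak' the post argues for."""
    within = [s.offered_pps for s in samples if loss_fraction(s) <= max_loss]
    return max(within, default=0)

def wire_bps(pps: int, frame_bytes: int) -> int:
    """Bits/s on the wire at this packet rate, overhead included, so a pps
    limit can be compared against the link's bit-rate limit."""
    return pps * (frame_bytes + ETH_OVERHEAD_BYTES) * 8

def saturation_ratio(samples: list[Sample], limit_pps: int) -> float:
    """Forwarded/limit for the run closest to 2x the limit: ~0.8 means the
    rings are managed and the box degrades gracefully, <0.5 is a cliff."""
    overload = min(samples, key=lambda s: abs(s.offered_pps - 2 * limit_pps))
    return overload.forwarded_pps / limit_pps

# Constructed 64-byte sweep for a hypothetical device, not measured data.
SWEEP_64 = [
    Sample(64, 300_000, 300_000),    # clean
    Sample(64, 400_000, 399_980),    # 0.005% loss
    Sample(64, 500_000, 499_600),    # 0.08% loss
    Sample(64, 600_000, 540_000),    # past the limit
    Sample(64, 1_000_000, 420_000),  # 2x the ~0.5 Mpps limit
]

if __name__ == "__main__":
    for loss in (0.0, 0.0001, 0.001):
        p = peak_pps(SWEEP_64, loss)
        print(f"loss <= {loss:.2%}: {p} pps = {wire_bps(p, 64) / 1e6:.0f} Mbit/s")
    print(f"forwarded at 2x limit: {saturation_ratio(SWEEP_64, 500_000):.0%}")
```

With the constructed sweep the strict 0% figure is 300 kpps while the 0.01% and 0.1% thresholds give 400 and 500 kpps, and the 2x-limit run still forwards 84% of the limit, the "working ring management" case.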