
On the Performance of Middleboxes


  1. On the Performance of Middleboxes
     Mark Allman, ICSI Center for Internet Research, mallman@icir.org
     (Work done while with BBN Technologies)
     Internet Measurement Conference, October 2003
     "Holly came from Miami, FLA; Hitch-hiked her way across the USA"

  2. Middleboxes
     - "Middleboxes" have cropped up all over the Internet for a variety of reasons:
       - security (firewalls, normalizers, etc.)
       - performance (PEPs, TCP snoopers, etc.)
       - address translation (NATs)
     - Many have espoused the virtues and evilness of these entities.
     - But, little quantitative information about their impact in real networks.
     - We conducted a preliminary evaluation of one middlebox setup.

     Allman IMC-2003 2

  3. Experimental Setup
     - Application measurements
     - Packet tracing and matching is future work
     - Measurement period: 10/14/2002 - 1/27/2003
     - Conducted in a production setting
     - A network serving thousands of users

  4. Experimental Setup (cont.)
     - Measured:
       - Transaction delay
       - Feedback time (aka "RTT")
       - Bulk transfer
       - FTP performance (see the paper)
     - Also, failures.

  5. Experimental Setup (cont.)
     - [Diagram: network topology with the elements Dest, Internet, Router, FW1, FW2, LB1, LB2, LAN, MeasBox1 and MeasBox2]
     - Firewalls + Load Balancers = MBI

  6. Transaction Delay
     - How long does it take to start from nothing and run a transaction between a client and the server?
     - Procedure:
       - A finger transaction between the client and server
       - Time the entire transaction at the application layer
       - Conduct a transaction from each client roughly every 2 minutes.
     - Over 75,000 transactions from each client.

  7. Transaction Delay (cont.)
     - [Figure: CDF of response time (sec) for the Outside and Inside clients]
     - 42 failures inside the MBI; 12 failures outside the MBI

  8. Feedback Time
     - Once established, how long does it take to send a message across a TCP connection?
     - Procedure:
       - Open a TCP connection between the client and server
       - Send "pings" from the client; echoed by the server
       - Every (roughly) N seconds
       - We only consider N = 30 seconds -- others are similar
       - Until one of the pings does not come back in 20 seconds
       - Then, start a new TCP connection and start over
     - Over 303,000 pings from each client.

  9. Feedback Time (cont.)
     - [Figure: CDF of RTT (sec) for the Outside and Inside clients, panel title "R = 30"]
     - Failed to set up connection: 51 from inside; 46 from outside

  10. Feedback Time (cont.)
     - Connection lengths are roughly twice as long from the outside as from the inside client
     - On mean and median

  11. Bulk Transfer
     - Open a TCP connection
     - Send 1 MB
     - Last 4 bytes are a random number
     - The server echoes the random number back to the client
     - Measurement stops when the "ACK" arrives
     - Conduct a transfer from each client roughly every 10 minutes.
     - 15,000 transfers from each client

  12. Bulk Transfer (cont.)
     - [Figure: CDF of throughput (bytes/sec) for the Outside and Inside clients]

  13. Bulk Transfer (cont.)
     - Why the bimodal distribution?
     - Routing or provisioning changes
     - [Figure: throughput (bytes/sec) plotted against transfer number]

  14. Bulk Transfer (cont.)
     - Why the difference in performance?
     - Possibility #1: Concatenated TCP connections
       - shorter control loop
       - isolate drops
     - Possibility #2: Maybe a difference in TCP's congestion control algorithms inside and outside the MBI.

  15. Conclusions
     - Performance comparison is a muddle of contradictions
       - Bulk transfer performance is enhanced by the middleboxes
       - Transaction times increase roughly 5 times when going through the middleboxes
       - Failures increase when going through the middleboxes
     - But, failures are very low in all the cases (over 99.9% across all measurements).

  16. Future Work
     - Tons
     - Lots of questions can be better answered if we had packet traces from various points throughout the middlebox infrastructure.
     - Requires lots of analysis and correlation that may be non-trivial
     - We can pin down why the performance is different
       - E.g., are the MBI elements getting out of sync?
       - E.g., are the firewalls dropping state?
       - Etc.
     - Gather data from more locations and different kinds of middleboxes
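
The feedback-time procedure from slide 8, written out as an added example (not code from the talk or the paper). The function names, the 8-byte sequence-number payload and the loopback echo server are assumptions made so that it runs offline; in the study the server sat on the far side of the middleboxes.

```python
import socket
import threading
import time

def start_echo_server(host="127.0.0.1"):
    """Loopback stand-in for the measurement server: echoes bytes back."""
    srv = socket.create_server((host, 0))  # port 0: the OS picks a free port
    def echo(conn):
        with conn:
            while (data := conn.recv(64)):
                conn.sendall(data)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=echo, args=(conn,), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv

def feedback_probe(addr, interval=30.0, timeout=20.0, max_pings=None):
    """Ping over one TCP connection every `interval` s until an echo is late.

    Returns (rtts, lifetime): per-ping RTTs in seconds, and how long the
    connection lasted before a ping failed or max_pings was reached.
    A failure to set up the connection propagates as OSError.
    """
    rtts, opened, seq = [], time.monotonic(), 0
    with socket.create_connection(addr, timeout=timeout) as sock:
        while max_pings is None or seq < max_pings:
            payload = seq.to_bytes(8, "big")
            sent = time.monotonic()
            try:
                sock.sendall(payload)
                got = b""
                while len(got) < len(payload):  # timeout applies per recv()
                    chunk = sock.recv(len(payload) - len(got))
                    if not chunk:
                        raise ConnectionError("peer closed the connection")
                    got += chunk
            except OSError:
                break  # late or reset: the caller opens a new connection
            rtts.append(time.monotonic() - sent)
            seq += 1
            time.sleep(interval)
    return rtts, time.monotonic() - opened
```

Calling `feedback_probe` in a loop from a client inside and a client outside the middleboxes gives the two quantities the slides compare: the RTT distribution and the connection lifetime. A lifetime that clusters around a fixed value is what idle-state expiry in a firewall or load balancer would look like.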
