
[redhat-lspp] NetLabel performance numbers



While I have been doing some casual performance testing of the NetLabel
patch I have never posted anything to the list, so for the first time
here are some NetLabel/CIPSO numbers ...

Test Background:
 * Both the netperf client and server were HP DL385 machines with two
   AMD Opteron 275 processors
 * The machines were using the base install of FC5 for x86_64 using
   the targeted policy in permissive mode
 * The lspp.44 kernel was used as the kernel source
 * The two machines were tested over a crossover gigabit link
 * During testing only the loopback and test interfaces were "up"
 * All kernels were recompiled using the base FC5 environment
 * When CIPSO was used it was configured to do a one to one mapping
   between levels 0-16 and categories 0-256 using the "std" map

Test Comments:
 * Testing the MLS label without categories, i.e. "s0", required the
   least amount of processing
 * Testing the MLS label with every category between 0 and 239,
   i.e. "s0:c0.c239", requires the most amount of processing
 * Clearing the "net.ipv4.cipso_rbm_strictvalid" sysctl variable does
   not decrease the safety of the CIPSO checks but does not follow
   a strict interpretation of the CIPSO draft (see cipso_v4_validate()
   for details)
 * The UDP stream test message size had to be adjusted due to the extra
   IP header length brought about by the CIPSO IP option

Test Description:
 NoPatch - NetLabel not patched into the kernel (Venkat's patch also
           removed due to patch dependencies)
 Disable - NetLabel patched into the kernel but disabled at compile
 Unlabel - NetLabel patched into the kernel and enabled at compile
           but not explicitly configured (i.e. the default lspp.44
           behavior)
 C_NoCat - NetLabel patched into the kernel and enabled at compile
           with CIPSO configured and using the "s0" context
 C_FlCat - NetLabel patched into the kernel and enabled at compile
           with CIPSO configured and using the "s0:c0.c239" context
 C_F_LxV - NetLabel patched into the kernel and enabled at compile
           with CIPSO configured and using the "s0:c0.c239" context
           with "sysctl -w net.ipv4.cipso_rbm_strictvalid=0"
 C_F_NoC - NetLabel patched into the kernel and enabled at compile
           with CIPSO configured and using the "s0:c0.c239" context
           with "sysctl -w net.ipv4.cipso_cache_enable=0"

                 (in 10^6 bits/sec)           (rate / sec)
  TEST      tcp_stream      udp_stream     tcp_rr       udp_rr
 =================================================================
  NoPatch    941.52          961.61         10778.58     10901.03
  Disable    941.53          961.60         10814.46     11129.77
  Unlabel    941.51          961.61         10769.00     10896.26
  C_NoCat    932.30          954.04          9904.58     10106.00
  C_FlCat    625.46          935.52          9110.29      9262.92
  C_F_LxV    686.46          935.53          9325.37      9484.93
  C_F_NoC    328.69          935.53          6258.61      6415.35

Attached is a tarball of all the output from the netperf runs in case
anyone is interested.

-- 
paul moore
linux security @ hp

Attachment: results_07122005.tar.gz
Description: GNU Zip compressed data
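
Added example, not part of the original post or of the NetLabel patch: a sketch of how a CIPSO restricted bitmap tag (tag type 1) is laid out, showing why "s0:c0.c239" is the largest label tested (it fills the 40-byte IPv4 option space exactly) and why the UDP message size shrinks by the option length. The function names, the DOI value 1 and the 1500-byte MTU are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPOPT_CIPSO    134 /* CIPSO IP option type */
#define CIPSO_HDR_LEN  6   /* option type + option length + 4-byte DOI */
#define CIPSO_RBM_BLEN 4   /* tag type + tag length + alignment + level */
#define IP_OPT_MAX     40  /* 60-byte max IPv4 header minus 20 fixed bytes */

/* Build a CIPSO option with one restricted bitmap tag for level `lvl` and
 * categories cat_lo..cat_hi (pass cat_lo > cat_hi for "no categories").
 * `buf` must hold IP_OPT_MAX bytes. Returns the option length in bytes,
 * or -1 if the label cannot fit in the IPv4 option space. */
int cipso_rbm_build(uint8_t *buf, uint32_t doi, uint8_t lvl,
                    int cat_lo, int cat_hi)
{
    int bitmap_len = (cat_lo <= cat_hi) ? cat_hi / 8 + 1 : 0;
    int opt_len = CIPSO_HDR_LEN + CIPSO_RBM_BLEN + bitmap_len;

    if (cat_lo < 0 || opt_len > IP_OPT_MAX)
        return -1;
    memset(buf, 0, (size_t)opt_len);
    buf[0] = IPOPT_CIPSO;
    buf[1] = (uint8_t)opt_len;
    buf[2] = (uint8_t)(doi >> 24);              /* DOI, network byte order */
    buf[3] = (uint8_t)(doi >> 16);
    buf[4] = (uint8_t)(doi >> 8);
    buf[5] = (uint8_t)doi;
    buf[6] = 1;                                 /* tag type 1 */
    buf[7] = (uint8_t)(CIPSO_RBM_BLEN + bitmap_len);
    buf[8] = 0;                                 /* alignment octet */
    buf[9] = lvl;                               /* sensitivity level */
    for (int c = cat_lo; c <= cat_hi; c++)      /* category 0 is the MSB */
        buf[10 + c / 8] |= (uint8_t)(0x80 >> (c % 8));
    return opt_len;
}

/* IPv4 options are padded so the header stays a multiple of 4 bytes. */
int ip_opt_padded(int opt_len) { return (opt_len + 3) & ~3; }

/* Largest UDP payload that avoids fragmentation for a given MTU. */
int udp_payload_max(int mtu, int opt_len)
{
    return mtu - 20 - ip_opt_padded(opt_len) - 8;
}

int main(void)
{
    uint8_t buf[IP_OPT_MAX];
    int none = cipso_rbm_build(buf, 1, 0, 1, 0);    /* "s0" */
    int full = cipso_rbm_build(buf, 1, 0, 0, 239);  /* "s0:c0.c239" */
    printf("s0: %d bytes, UDP max %d\n", none, udp_payload_max(1500, none));
    printf("s0:c0.c239: %d bytes, UDP max %d\n", full, udp_payload_max(1500, full));
    printf("s0:c0.c240: %d\n", cipso_rbm_build(buf, 1, 0, 0, 240));
    return 0;
}
```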

