context negotiation performance problem
Ken Raeburn
raeburn at MIT.EDU
Wed Nov 2 16:14:45 EST 2005
On Nov 2, 2005, at 16:03, Eric Mei wrote:
> I searched archive but didn't find the answer.
>
> I made a simple test for security context negotiation of MIT
> krb5-1.3.5, under Linux, driven by GSSAPI: client call
> gss_init_sec_context() and send token to server, server call
> gss_accept_sec_context() and send back the result token.
>
> on a P4 1.6G machine, the server only could handle ~10 requests per
> second, and there's lots of disk I/O during running. By strace, I
> found krb5 libraries created a temp file under "/var/tmp", and call
> following syscalls for each request:
> write(fd, data, 50);
> fsync(fd);
> The fsync() certainly lead to low performance. Anybody know why it
> is here?
That's almost certainly the replay cache file, meant to prevent the
re-use of a transmitted authenticator by an attacker. The fsync is
there to handle the problem of the machine crashing or losing power
after an authenticator has been accepted and a data exchange
performed, but the on-disk cache not yet updated.
If your protocol or threat model is such that replay attacks are not
a problem, then under later versions of the code (I'd check whether
it's in the 1.4 series, but the machine where I keep my source trees
checked out ate its root file system over the weekend) you could set
the environment variable KRB5RCACHETYPE to "none" before starting the
program. (Look for src/lib/krb5/rcache/rc_none.c to see if you've
got the support.)
> Besides the fsync(), vmstat shows ~200 blocks write per seconds. It
> seems the above "write(fd, data, 50)" can't produce that much data.
> So where those write come from? Are there any other known issue
> might affect performance?
Doesn't ring a bell offhand...
> Our server might experience 1000s of context negotiation requests
> at the same time, so the above performance problem looks serious to
> us.
Is this a single-process server, or multiple processes? Multiple
processes would probably deal better with the fsync calls.
Ken
More information about the Kerberos
mailing list