KDC performance test - lookaside cache impact, testing framework
Greg Hudson
ghudson at MIT.EDU
Sat Jun 16 11:57:32 EDT 2012
On 06/15/2012 06:50 PM, Petr Spacek wrote:
> The results from repeated tests (= AS_REQ flood, 180 seconds) are impressive:
> KDC performance with hash-based lookaside cache is nearly the same as without
> lookaside cache. You can compare performances on the following graph:
> http://people.redhat.com/~pspacek/a/2012-06-15/as_flood_test.pdf

Thanks for re-running the tests; this is what I expected.

> The fast KDC has one disadvantage: Lookaside cache can consume a huge amount of
> memory.

Right, though only because it accommodates more packets in a 120 second
window. I didn't substantially increase the size of an entry in the cache.

> This test is really extreme, I know, but some memory usage limit could be good
> as an anti-DoS measure.

I made some additional changes at:

https://github.com/greghudson/krb5/tree/lookaside2

which should limit the lookaside cache size to 10MB by default.

I did come up with the zany idea of just using an open-addressed hash
table with no linked buckets, and "expiring" entries only by kicking out
older entries with the same hash value. That would be extremely simple
and would automatically limit itself to a fixed number of entries, but
wouldn't behave as predictably as the current code.
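
The idea in the last paragraph of the message, sketched as an added example that is not part of the original message or of the krb5 code base: a cache with exactly one slot per hash value, where a new entry overwrites whatever occupied its slot. The names `la_lookup`, `la_insert` and `flood_survivors`, the sizes `SLOTS` and `MAX_PKT`, and the FNV-1a hash are assumptions made for the illustration.

```c
/* Added example, not krb5 code. SLOTS, MAX_PKT and FNV-1a are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS   1024   /* fixed entry count, so memory use is fixed too */
#define MAX_PKT 512    /* larger packets are simply not cached */

static struct slot {   /* one per hash value; req_len == 0 means empty */
    size_t req_len, rep_len;
    unsigned char req[MAX_PKT], rep[MAX_PKT];
} table[SLOTS];        /* about 1 MB, allocated once, no chains */

static struct slot *slot_of(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return &table[h % SLOTS];
}

/* Copy the cached reply into out and return its length; 0 means a miss. */
size_t la_lookup(const void *req, size_t n, void *out)
{
    const struct slot *s = slot_of(req, n);
    if (!n || s->req_len != n || memcmp(s->req, req, n)) return 0;
    memcpy(out, s->rep, s->rep_len);
    return s->rep_len;
}

/* Overwrite the slot: 1 = another request kicked out, 0 = not, -1 = not cacheable. */
int la_insert(const void *req, size_t n, const void *rep, size_t m)
{
    if (!n || n > MAX_PKT || !m || m > MAX_PKT) return -1;
    struct slot *s = slot_of(req, n);
    int kicked = s->req_len && (s->req_len != n || memcmp(s->req, req, n));
    memcpy(s->req, req, n); s->req_len = n;
    memcpy(s->rep, rep, m); s->rep_len = m;
    return kicked;
}

/* Flood with count distinct constructed requests; return how many survive. */
uint32_t flood_survivors(uint32_t count)
{
    unsigned char req[8] = "REQ", out[MAX_PKT];
    uint32_t i, live = 0;
    for (i = 0; i < count; i++) { memcpy(req + 3, &i, 4); la_insert(req, 7, "ok", 2); }
    for (i = 0; i < count; i++) { memcpy(req + 3, &i, 4); live += la_lookup(req, 7, out) != 0; }
    return live;
}

int main(void) { printf("%u live\n", (unsigned)flood_survivors(100000)); return 0; }
```

How long an entry survives here depends only on what later hashes to the same slot, which is the loss of predictability the message mentions. An unkeyed hash such as FNV-1a also lets a sender choose which slot a request lands in, so a table fed by untrusted packets would normally use a keyed hash with a per-process random key.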