HP-UX IPFilter Performance White Paper
Summary of Test Results
IPFilter has a moderate effect on network throughput. Throughput decreased by 0 to 6.42% on a
system with IPFilter rules configured compared to systems without IPFilter installed.
Installing IPFilter and configuring IPFilter rules has a greater effect on system performance, as
measured by CPU utilization rates. Test results using netperf show the average increase in CPU
utilization rate is 8.46% when IPFilter is installed, even when no rules are configured. When IPFilter
rules are configured, CPU utilization rates increase on average by 29.78% compared to systems
without IPFilter installed. However, note that the primary goal of netperf tests is to determine
maximum throughput by saturating the network. In real-world deployments, network usage rates are
likely to be lower than those generated by netperf, and the actual increase in CPU utilization rates
is also likely to be lower.
Another measurement that reflects the effect of IPFilter on system performance is service demand.
Service demand is the amount of CPU time (in microseconds) required to process one KB of network
data. Service demand increases by an average of 9.23% when IPFilter is installed, even when no
rules are configured. When IPFilter rules are configured, service demand increases by an average of
32.78% compared to systems without IPFilter installed. Again, note that in real-world deployments,
network usage rates are likely to be lower than those generated by netperf, and the actual increase
in service demand is also likely to be lower.
In some results, there is an inverse relationship between packet size and the effect of IPFilter on system
performance (CPU utilization rates and service demand). This is because the number of packets
processed per second by TCP/IP and the network interface decreases when packet size increases. As
a result, there are fewer packets for IPFilter to process and IPFilter uses relatively fewer CPU cycles.
When packet size decreases, TCP/IP and the network interface process more packets per second,
which causes IPFilter to process more packets and use more CPU cycles.
Test results also show that throughput decreases as the number of IPFilter rules increases. With 100
rules configured, the decrease in throughput is less than 1% (0.788%) when compared to systems
without IPFilter. However, with 5000 rules configured, the decrease in throughput is nearly 38%
(37.84%).
Limited testing (not documented in this report) shows that interface speed can affect IPFilter CPU
utilization. High-speed interfaces process more packets per second and enable IPFilter to process
more packets per second, which increases the CPU cycles used by IPFilter. When IPFilter is used with
a slow interface, there are fewer packets for IPFilter to process per second and IPFilter uses fewer CPU
cycles.