Mahmoud
Cat Chaser


Joined: 24 Nov 2003 Posts: 884
Location: AE, Shj
Posted: Sat Mar 08, 2008 9:04 am
Post subject: Why Firewall Throughput Increases as Packet Size Increases?

Throughput quantified in MPPS increases as packet size increases, as noticed with all firewall benchmarks that I saw so far - Why?
EdisonRex
Lead Dog


Joined: 06 May 2002 Posts: 10118
Location: Not Moscow
Posted: Sat Mar 08, 2008 11:07 am

Less work. Stateful firewalls have to examine the headers of each packet. There's more work in that. In general, bigger packets are better for throughput, in any case.
_________________ Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
Mahmoud
Cat Chaser


Joined: 24 Nov 2003 Posts: 884
Location: AE, Shj
Posted: Sat Mar 08, 2008 6:18 pm

I thought about this previously but couldn't convince myself.
Let's say a CPU is not strong enough to process more than 4 headers within 1 second, so 5 headers would need more than 1 second to be processed. And let's say that sending 4 packets with large payloads would use the cable capacity for 1 second, and would also use the CPU capacity for the same period. Also let's say that packets with smaller payloads wouldn't use the cable capacity due to their smaller size, but since the CPU ain't fast enough to process more than 4 headers/second it will still only process 4 of them in 1 second, even though (say) 8 small packets were squeezed on the cable due to their smaller payload.
Here's a time graph showing the previous example (H = Header, P = Payload):-
If the CPU is strong enough to process more headers:
[H|P] [H|P] [H|P] [H|P] [H|P] [H|P]
[H|PPPP] [H|PPPP] [H|PPPP] [H|PPPP]
If the CPU can't process more than 4pps, it would do:-
[H|P] [H|P] [H|P] [H|P]
[H|PPPP] [H|PPPP] [H|PPPP] [H|PPPP]
But in reality, it seems to happen this way, which confuses me!
[H|P] [H|P]
[H|PPPP] [H|PPPP] [H|PPPP] [H|PPPP]
EdisonRex
Lead Dog


Joined: 06 May 2002 Posts: 10118
Location: Not Moscow
Posted: Sun Mar 09, 2008 6:38 am

The contents of the packet are not as significant as the headers. Stateful packet inspection requires table lookups between what the firewall knows is on the local network, and what it knows passed from local to wide area, and what is passing back from wide area to local.
The data is the easy part, that's simply a move instruction (or move relative). Those are generally easy for even a RISC to do.
And rather than speaking in seconds, speak in microseconds. If packet inspection takes 1 microsecond, and the actual move relative of the data takes 1 microsecond regardless of packet length, then smaller packets bring with them a significant penalty.
Say packet sizes are 100 bytes data with additional header. To pass 1k of data you have to do 11 packet inspections and 11 move relative instructions. That would take 22 microseconds (why the 11th? You have a 24 byte data packet at the end which needs a header too - 1024 bytes = 1k of data). Anyway, if you just passed a 1024 byte packet, that'd be 2 microseconds.
_________________ Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
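
The fixed per-packet cost model from the two posts above (a CPU budget per header, a cable with finite capacity), written out as an added example that is not part of the original thread. The 40-byte header size and the 1 Gbit/s link are constructed assumptions; the 1 microsecond inspect and move costs and the 1024-byte transfer are the figures quoted in the post.

```python
import math

def transfer_cost(data_bytes, payload_bytes, inspect_us=1.0, move_us=1.0):
    """Packets needed and CPU time (microseconds) to pass data_bytes when
    every packet costs a fixed inspect + move time, whatever its length."""
    packets = math.ceil(data_bytes / payload_bytes)  # a short last packet still needs a header
    return packets, packets * (inspect_us + move_us)

def forwarding_rate(payload_bytes, header_bytes, link_bps,
                    inspect_us=1.0, move_us=1.0):
    """Sustained rate when both the CPU and the wire can be the limit."""
    cpu_pps = 1e6 / (inspect_us + move_us)                    # packets the CPU can inspect per second
    wire_pps = link_bps / (8 * (payload_bytes + header_bytes))  # packets that fit on the link per second
    pps = min(cpu_pps, wire_pps)
    return {
        "pps": pps,
        "payload_bps": pps * payload_bytes * 8,
        "bottleneck": "cpu" if cpu_pps < wire_pps else "wire",
    }

if __name__ == "__main__":
    # The 1k example from the post: 100-byte packets versus one 1024-byte packet.
    for payload in (100, 1024):
        packets, cpu_us = transfer_cost(1024, payload)
        print(f"payload={payload:5d}B packets={packets:2d} cpu_time={cpu_us:.0f}us")

    # Sweep of payload sizes on a constructed 1 Gbit/s link with 40-byte headers.
    for payload in (64, 100, 256, 512, 1024, 1460):
        r = forwarding_rate(payload, header_bytes=40, link_bps=1e9)
        print(f"payload={payload:5d}B pps={r['pps']:10.0f} "
              f"payload_mbps={r['payload_bps'] / 1e6:8.1f} limit={r['bottleneck']}")
```

In this model the payload bit rate rises with packet size, while the packet rate stays at the CPU ceiling for small packets and drops once the wire becomes the limit.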
Mahmoud
Cat Chaser


Joined: 24 Nov 2003 Posts: 884
Location: AE, Shj
Posted: Sun Mar 09, 2008 9:06 pm

You are right regarding the bits per second throughput.. no doubt about it..
My question is about "packets per second", which should be almost equal since the payload size doesn't have CPU penalty..
Trying to find the document that showed lesser pps (packet per second) rate with smaller payload sizes..