While I have been doing some casual performance testing of the NetLabel patch I have never posted anything to the list, so for the first time here are some NetLabel/CIPSO numbers ...
Test Background:
* Both the netperf client and server were HP DL385 machines with two
AMD Opteron 275 processors
* The machines were using the base install of FC5 for x86_64 using
the targeted policy in permissive mode
* The lspp.44 kernel was used as the kernel source
* The two machines were tested over a crossover gigabit link
* During testing only the loopback and test interfaces were "up"
* All kernels were recompiled using the base FC5 environment
* When CIPSO was used it was configured to do a one to one mapping
between levels 0-16 and categories 0-256 using the "std" map
Test Comments:
* Testing the MLS label without categories, i.e. "s0", required the
least amount of processing
* Testing the MLS label with every category between 0 and 239,
i.e. "s0:c0.c239", required the most processing
* Clearing the "net.ipv4.cipso_rbm_strictvalid" sysctl variable does
not decrease the safety of the CIPSO checks but does not follow
a strict interpretation of the CIPSO draft (see cipso_v4_validate()
for details)
* The UDP stream test message size had to be adjusted due to the extra
IP header length brought about by the CIPSO IP option
Test Description:
NoPatch - NetLabel not patched into the kernel (Venkat's patch also
          removed due to patch dependencies)
Disable - NetLabel patched into the kernel but disabled at compile
Unlabel - NetLabel patched into the kernel and enabled at compile
          but not explicitly configured (i.e. the default lspp.44
          behavior)
C_NoCat - NetLabel patched into the kernel and enabled at compile
          with CIPSO configured and using the "s0" context
C_FlCat - NetLabel patched into the kernel and enabled at compile
          with CIPSO configured and using the "s0:c0.c239" context
C_F_LxV - NetLabel patched into the kernel and enabled at compile
          with CIPSO configured and using the "s0:c0.c239" context
          with "sysctl -w net.ipv4.cipso_rbm_strictvalid=0"
C_F_NoC - NetLabel patched into the kernel and enabled at compile
          with CIPSO configured and using the "s0:c0.c239" context
          with "sysctl -w net.ipv4.cipso_cache_enable=0"
                 (in 10^6 bits/sec)        (rate / sec)
TEST         tcp_stream   udp_stream     tcp_rr     udp_rr
=================================================================
NoPatch          941.52       961.61   10778.58   10901.03
Disable          941.53       961.60   10814.46   11129.77
Unlabel          941.51       961.61   10769.00   10896.26
C_NoCat          932.30       954.04    9904.58   10106.00
C_FlCat          625.46       935.52    9110.29    9262.92
C_F_LxV          686.46       935.53    9325.37    9484.93
C_F_NoC          328.69       935.53    6258.61    6415.35
Attached is a tarball of all the output from the netperf runs in case
anyone is interested.
--
paul moore
linux security @ hp
results_07122005.tar.gz
-- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
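As an added example (not part of Paul's post or of the NetLabel code), the Python below builds the CIPSO tag type 1 (restrictive bitmap) IP option for the "s0" and "s0:c0.c239" contexts used in the table, with the 1:1 "std" level/category mapping, and shows the IP header growth behind the UDP message size adjustment mentioned above. The DOI value and the 1500-byte MTU are assumptions, and the byte layout follows the CIPSO draft rather than any particular kernel's implementation.

```python
import struct

# CIPSO draft layout (assumed here, not taken from the post): 40-byte IPv4
# option space, 6-byte CIPSO header, 4-byte tag type 1 header, so at most
# 30 bitmap octets = 240 categories (c0..c239) fit in one option.
CIPSO_OPT_TYPE = 134        # IPv4 option number assigned to CIPSO
CIPSO_HDR_LEN = 6           # option type, option length, 32-bit DOI
TAG_RBITMAP = 1             # tag type 1: restrictive bitmap
TAG1_HDR_LEN = 4            # tag type, tag length, alignment octet, level
TAG1_CAT_MAX_BYTES = 30
IPV4_OPT_LEN_MAX = 40

def parse_context(ctx):
    """Parse an MLS context such as "s0" or "s0:c0.c239" into (level, cats).
    Only the forms used in the post are handled: one level plus optional
    comma-separated categories, each either c<n> or a c<a>.c<b> range."""
    parts = ctx.split(":")
    level = int(parts[0][1:])
    cats = []
    if len(parts) > 1:
        for piece in parts[1].split(","):
            if "." in piece:
                lo, hi = piece.split(".")
                cats.extend(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.append(int(piece[1:]))
    return level, sorted(set(cats))

def build_cipso_option(doi, level, cats):
    """Return the CIPSO option bytes; the "std" map is the identity, so the
    MLS level and category numbers are used directly."""
    nbytes = 0 if not cats else max(cats) // 8 + 1
    if nbytes > TAG1_CAT_MAX_BYTES:
        raise ValueError("category %d does not fit a tag type 1 bitmap" % max(cats))
    bitmap = bytearray(nbytes)
    for c in cats:
        bitmap[c // 8] |= 0x80 >> (c % 8)     # category 0 is the MSB of octet 0
    tag = struct.pack("!BBBB", TAG_RBITMAP, TAG1_HDR_LEN + nbytes, 0, level)
    tag += bytes(bitmap)
    opt_len = CIPSO_HDR_LEN + len(tag)
    assert opt_len <= IPV4_OPT_LEN_MAX
    return struct.pack("!BBI", CIPSO_OPT_TYPE, opt_len, doi) + tag

def udp_payload_max(mtu, cipso_opt):
    """Largest UDP payload per datagram once the option is in the IP header.
    IP options are padded to a 32-bit boundary; 20-byte IP, 8-byte UDP headers."""
    opts = len(cipso_opt)
    opts += (-opts) % 4
    return mtu - 20 - opts - 8
```

For a 1500-byte MTU the payload ceiling drops from 1472 bytes with no option to 1460 bytes for "s0" and 1432 bytes for "s0:c0.c239", which fills the entire 40-byte IPv4 option space.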
