[zorp] Performance numbers for Zorp

Balazs Scheidler zorp@lists.balabit.hu
Thu, 01 Jan 2004 20:37:17 +0100

On Tue, 2003-12-30 at 21:37, Elwin Eliazer wrote:
> Hi,
> I am trying to use Zorp.
> Would like to get some more details about the
> performance of Zorp and connection setup rates.
> I see the web-proxy throughput mentioned in the file
> Zorp2.pdf.

Those numbers are the results of laboratory testing and as we all know
(except for the marketing guys :) lab tests never really measure real
life. We used "ab" (apachebench, bundled with the Apache webserver) to
generate HTTP requests through router/packet filter+NAT/Zorp to a custom
web server (not really a webserver, it is just a program which
understands HTTP and returns static content).

Our results clearly indicate that session startup time is much worse
than for packet filters, but as soon as the proxies start running
throughput is quite good when the number of parallel sessions stabilizes
(i.e. not many new/closing connections).

> What I am looking for immediately are:
> - Number of TCP connections Zorp can handle per second
> in a Pentium-3 or similar type of desktop.

Speaking about real life, we are using Zorp in the following scenario:
- about 10000 users
- Four Pentium IV Xeon 2.4GHz, 2GB RAM, SCSI disks
- load balancing equipment to balance load across the four firewalls
- mail traffic is relayed (this results in lots of disk I/O)
- about 15GB log each day

The system is stable for about 100MBits of Internet traffic (95% HTTP
sessions), about 30000-40000 sessions/minute. It is important to note
that Zorp supports HTTP keep-alive, therefore the number of connections
is lower than the number of URLs fetched.

We tried to overload a single box just to see where the limits of a
single-box configuration are. With a widespread e-mail virus active at
the time, it could handle about 16000 connections per minute. I think
without the load generated by the mail system (postfix) we could achieve
18000-20000 connections per minute.

As we profiled and tuned the system for a couple of weeks I'm confident
that about 90% of the load is caused by session startup/teardown.

> - Similarly, Number of SSL connections per second

We don't really have similar, real-life performance numbers for SSL.
Zorp uses openssl and as such it would be possible to use crypto
accelerator cards, though this is currently not supported (because of
the lack of customer demand).

> Would appreciate your input on any performance related
> information on Zorp.

We are currently evaluating a technology that could increase our
performance even more, using a custom kernel module. In our experience
these kernel extensions can increase proxy throughput significantly
(copying data in kernel space is about ten times faster than doing
the same in userspace). I think raw throughput (i.e. without the proxy
startup time) can be increased by 100%.

If you provided some more information about your actual scenario, we
could probably help you more.

PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
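The two points made in the reply above, that per-connection setup and teardown dominates proxy cost and that with HTTP keep-alive the number of TCP connections is lower than the number of URLs fetched, can be reproduced on a loopback interface with a small harness. The following is an added example written for this page; it is not code from Zorp, BalaBit or the mailing list. It stands in for the "custom web server that only returns static content" mentioned in the mail with Python's built-in `ThreadingHTTPServer`, counts TCP connections accepted versus requests served, and times a fixed number of GETs once with a new connection per request and once over a single keep-alive connection. All names (`CountingHandler`, `run_bench`) and the 127.0.0.1 ephemeral-port setup are this example's own assumptions.

```python
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CountingHandler(BaseHTTPRequestHandler):
    """Minimal static-content server that counts TCP connections and requests.

    protocol_version = HTTP/1.1 makes the server keep the connection open
    unless the client sends 'Connection: close'.
    """
    protocol_version = "HTTP/1.1"
    body = b"static content\n"          # constructed response payload
    connections = 0                      # TCP connections accepted so far
    requests = 0                         # HTTP requests (URLs) served so far
    lock = threading.Lock()

    @classmethod
    def reset(cls):
        with cls.lock:
            cls.connections = 0
            cls.requests = 0

    def setup(self):
        # Called once per accepted TCP connection, before any request is read.
        super().setup()
        with CountingHandler.lock:
            CountingHandler.connections += 1

    def do_GET(self):
        # Called once per HTTP request on the connection.
        with CountingHandler.lock:
            CountingHandler.requests += 1
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):
        pass  # keep the benchmark output quiet


def run_bench(n_requests: int, keep_alive: bool) -> dict:
    """Fetch '/' n_requests times and report connections vs requests and timing.

    keep_alive=False opens a fresh TCP connection for every URL (the
    'session startup/teardown' cost the mail talks about); keep_alive=True
    reuses one connection for all URLs.
    """
    CountingHandler.reset()
    server = ThreadingHTTPServer(("127.0.0.1", 0), CountingHandler)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        start = time.perf_counter()
        if keep_alive:
            conn = http.client.HTTPConnection(host, port)
            for _ in range(n_requests):
                conn.request("GET", "/")
                conn.getresponse().read()   # drain body so the socket is reusable
            conn.close()
        else:
            for _ in range(n_requests):
                conn = http.client.HTTPConnection(host, port)
                conn.request("GET", "/", headers={"Connection": "close"})
                conn.getresponse().read()
                conn.close()
        elapsed = time.perf_counter() - start
    finally:
        server.shutdown()
        server.server_close()
    return {
        "requests": CountingHandler.requests,
        "connections": CountingHandler.connections,
        "elapsed_s": elapsed,
        "requests_per_s": n_requests / elapsed if elapsed > 0 else float("inf"),
    }


if __name__ == "__main__":
    for ka in (False, True):
        r = run_bench(200, keep_alive=ka)
        print("keep-alive=%-5s connections=%3d requests=%3d  %.0f req/s"
              % (ka, r["connections"], r["requests"], r["requests_per_s"]))
```

The ratio between the two `requests_per_s` figures is the per-connection overhead of this trivial server alone; in the setup described in the mail that overhead also includes the packet filter's NAT state and the proxy's per-session start-up, which is why the author attributes roughly 90% of the load to session startup and teardown.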