A decent SSL performer

We measured the Nortel SSL VPN Module 1000 running inside the Contivity 1740 against three performance metrics: SSL tunnel setup/teardown rate, maximum concurrent users and forwarding rate.

The SSL tunnel setup and teardown test determines how quickly a device can respond to new users' requests. Each user requires a unique SSL session to be negotiated, which is a processor-intensive task.

We configured the Spirent Avalanche to emulate up to 64,000 unique hosts, each attempting to log on to the Contivity 1740 box (see How we did it). The Contivity 1740 topped out at 50 tunnels per second. When we tried to use 51 tunnels per second, the box continued to function but some transactions failed.

For a box of this size, 50 sessions per second is a middle-of-the-pack rate. At that rate, a Contivity 1740 can set up 4.3 million sessions per day.

The maximum-concurrent-users test sought to determine the greatest number of users capable of simultaneously retrieving data through the Contivity 1740. In our test, 1,000 users were able to log on and retrieve objects.

The final performance test, forwarding rate, measured how quickly the Contivity 1740 could move HTTP traffic. We configured Avalanche to retrieve large (5M-byte) objects through the Contivity 1740. Large objects produce high forwarding rates because there is more object data relative to the amount of SSL and TCP handshaking traffic.

The Contivity 1740 moved data over SSL at a peak rate of 128.3M bit/sec when tested with 10 users. With lower or higher numbers of users, the forwarding rate tailed off. However, the aggregate forwarding rate remained flat at about 120M bit/sec for anywhere up to 125 concurrent users.

This test determined not only the highest rate but also the highest user count the Contivity 1740 could handle with zero failures. In all tests we attempted with 150 or more users, the Contivity failed to forward at least some users' requests.

In "sizing" an SSL system for production use, the 1,000-concurrent-user count is probably the more meaningful result. Average HTTP object sizes tend to be small, typically around 1K byte or so, making forwarding rate less critical.
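The sizing argument above can be made concrete: the review reports three independent ceilings (50 tunnel setups per second, 1,000 concurrent users, about 120M bit/sec sustained forwarding), and which one binds depends on the workload. The following added example (not part of the review, and not Nortel's or Spirent's code) applies Little's law to an assumed login rate and session length to derive concurrent users, then derives the forwarding demand from an assumed request rate and mean object size, and reports which measured limit is reached first. The `Workload` fields are constructed inputs; the three limit constants are the figures from the review.

```python
from dataclasses import dataclass

# Measured ceilings from the review of the Contivity 1740 with SSL VPN Module 1000.
SETUP_RATE_LIMIT = 50          # new SSL tunnels per second (51/s produced failures)
CONCURRENT_USER_LIMIT = 1000   # users logged on and retrieving objects at once
FORWARDING_LIMIT_MBPS = 120.0  # sustained aggregate SSL forwarding rate, Mbit/s


@dataclass
class Workload:
    """Assumed workload parameters (constructed for this example, not from the review)."""
    logins_per_sec: float            # new SSL sessions negotiated per second
    session_seconds: float           # mean time a user stays logged on
    requests_per_sec_per_user: float # HTTP objects fetched per second by one user
    mean_object_bytes: float         # mean size of one fetched object


def concurrent_users(w: Workload) -> float:
    # Little's law: users in the system = arrival rate * mean residence time.
    return w.logins_per_sec * w.session_seconds


def required_mbps(w: Workload) -> float:
    # Aggregate object payload the box must forward, ignoring handshake overhead,
    # which the review notes is small relative to the payload for large objects.
    bytes_per_sec = concurrent_users(w) * w.requests_per_sec_per_user * w.mean_object_bytes
    return bytes_per_sec * 8 / 1e6


def utilisation(w: Workload) -> dict:
    # Fraction of each measured ceiling the workload consumes (>1.0 means over the limit).
    return {
        "setup_rate": w.logins_per_sec / SETUP_RATE_LIMIT,
        "concurrent_users": concurrent_users(w) / CONCURRENT_USER_LIMIT,
        "forwarding": required_mbps(w) / FORWARDING_LIMIT_MBPS,
    }


def binding_limit(w: Workload):
    # The ceiling with the highest utilisation is the one that caps this workload.
    u = utilisation(w)
    name = max(u, key=u.get)
    return name, u[name]


def fits(w: Workload) -> bool:
    return all(v <= 1.0 for v in utilisation(w).values())


if __name__ == "__main__":
    # Small-object workload (constructed): user count binds long before forwarding rate.
    small = Workload(logins_per_sec=2, session_seconds=600,
                     requests_per_sec_per_user=0.1, mean_object_bytes=1024)
    # Large-object workload (constructed): forwarding rate binds with only 30 users.
    large = Workload(logins_per_sec=0.5, session_seconds=60,
                     requests_per_sec_per_user=1.0, mean_object_bytes=5e6)
    for label, w in (("small objects", small), ("large objects", large)):
        name, frac = binding_limit(w)
        print(f"{label}: {concurrent_users(w):.0f} users, {required_mbps(w):.2f} Mbit/s, "
              f"binding limit = {name} at {frac:.2f}x, fits = {fits(w)}")
```

The two constructed workloads illustrate the review's conclusion: with roughly 1K-byte objects the 1,000-user ceiling is reached while the forwarding demand is under 1M bit/sec, whereas 5M-byte objects saturate the 120M bit/sec ceiling with a few dozen users.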

Spirent Communications supplied its Avalanche and Reflector application-layer traffic generator/analyzers, and Spirent's Philip Joung and Jeff Brown assisted in configuration troubleshooting. Thanks also to Foundry Networks, which supplied a FastIron 12GCF copper gigabit Ethernet switch to connect all systems on the test bed.

We gratefully acknowledge the vendors that supplied infrastructure and support for this project.

Copyright © 2004 IDG Communications, Inc.