Re: Performance impact of a large ACL list.
Augie,

On Monday, 2013-02-04 19:01:38 -0600, Jeremy C. Reed jr...@isc.org wrote:
> On Mon, 4 Feb 2013, Augie Schwer wrote:
>
> > Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly ballooned up, and I am hoping to get some advice from others in a similar situation.
>
> It has been a few years since I researched this. (I should re-add this to my existing performance and resource usage tests.)
>
> BIND 9.5 had various ACL improvements including support for O(1) ACL processing, based on radix tree code. As one example, with 20,000 to 100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps, while the new version has around 21,000 qps.

This specific change should mean that adding IP-based ACL will not slow down ACL performance.

However, if you are using TSIG-based ACL then we can't store them in a radix tree, and these still scale linearly with the number of entries, IIRC. I suppose we can change this to a tree-based structure at some point if there is a real need for large TSIG-based ACL. It still won't be as fast as IP-based ACL, but it should be much faster than the simple list-based implementation we have now.

Cheers,

--
Shane
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Performance impact of a large ACL list.
Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly ballooned up, and I am hoping to get some advice from others in a similar situation.

--
Augie Schwer - au...@schwer.us - http://schwer.us
Re: Performance impact of a large ACL list.
On Mon, 4 Feb 2013, Augie Schwer wrote:

> Does anyone have any experience using a large ( 1k ) entry ACL list? Was there any performance degradation? I haven't implemented my ACL yet, but it has quickly ballooned up, and I am hoping to get some advice from others in a similar situation.

It has been a few years since I researched this. (I should re-add this to my existing performance and resource usage tests.)

BIND 9.5 had various ACL improvements including support for O(1) ACL processing, based on radix tree code. As one example, with 20,000 to 100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps, while the new version has around 21,000 qps.
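
Added example, not part of the thread and not BIND's own code: a plain binary trie over IPv4 prefix bits, showing why a tree-based IP ACL lookup is bounded by the address width (32 steps) rather than by the number of entries, as the replies above describe. The names `acl_insert` and `acl_match`, the longest-prefix verdict rule and the sample addresses are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct node {          /* one trie node per prefix bit (illustrative) */
    struct node *child[2];
    int verdict;               /* -1 = no entry here, 0 = deny, 1 = allow */
} node_t;

static node_t *node_new(void) {
    node_t *n = calloc(1, sizeof(*n));
    if (n == NULL) abort();
    n->verdict = -1;
    return n;
}

/* Insert prefix addr/len (addr in host byte order) with an allow/deny verdict. */
void acl_insert(node_t *root, uint32_t addr, int len, int allow) {
    node_t *n = root;
    for (int i = 0; i < len; i++) {
        int bit = (addr >> (31 - i)) & 1;
        if (n->child[bit] == NULL) n->child[bit] = node_new();
        n = n->child[bit];
    }
    n->verdict = allow;
}

/* Longest-prefix match; *steps counts child hops and never exceeds 32. */
int acl_match(const node_t *root, uint32_t addr, int *steps) {
    const node_t *n = root;
    int verdict = -1;
    *steps = 0;
    for (int i = 0; n != NULL; i++) {
        if (n->verdict != -1) verdict = n->verdict;  /* deeper entry wins */
        if (i == 32) break;
        n = n->child[(addr >> (31 - i)) & 1];
        (*steps)++;
    }
    return verdict;
}

int main(void) {   /* constructed sample: 20,000 allowed hosts, one denied /16 */
    node_t *root = node_new();
    acl_insert(root, 0x0A630000u, 16, 0);          /* deny 10.99.0.0/16 */
    for (uint32_t i = 0; i < 20000; i++)
        acl_insert(root, 0x0A000000u + i, 32, 1);  /* allow 10.0.0.0 + i */
    int steps, v = acl_match(root, 0x0A630105u, &steps);
    printf("10.99.1.5: verdict %d after %d steps\n", v, steps);
    return 0;
}
```

A list-based ACL, such as the TSIG key case mentioned in the thread, has no such bound: each lookup may compare against every entry.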