
Re: Heimdal Vs. MIT Round 4



On Friday, July 30, 2004, at 09:52 AM, Quanah Gibson-Mount wrote:

Yesterday, I tested OpenLDAP using Heimdal and OpenLDAP using a 6/24/2004 HEAD checkout of MIT Kerberos (It has mutex protections in place).

Overall, results for MIT Kerberos have improved -- The server never locked up, and it was able to keep a reasonable number of clients going (22).

Heimdal was able to keep 29 without issue.

Underlying software:

Cyrus-SASL 2.1.19 (This release does *not* have mutex protections in.)
BDB 4.2.52 (plus 2 patches)
OpenLDAP 2.2.15
OpenSSL 0.9.7d
libgcc 3.3.1


Results pages:

<http://www.stanford.edu/~quanah/openldap/heimdal-results-0-6-1.html>
<http://www.stanford.edu/~quanah/openldap/mit-results-20040624.html>

Note the far superior speed performance when using Heimdal. So, although I understand that people often would prefer to have only a single Kerberos to use, if you go with MIT as the underlying Kerberos to build cyrus-sasl against, you are looking at getting 3x+ worse performance than if you went with Heimdal.

I haven't explored this issue in detail, since my application is in
general going to be host-authorized and authenticated via certificate.
But when I tested performance with GSSAPI authentication, I found that
it was significantly slower than SSL certificates. To my surprise,
since I had expected the cryptography to be more expensive, but I think
the explanation is "replay" detection, which requires the server to
maintain a little database of incoming authentications. An MIT server,
anyway, as that was what I was using - Heimdal's replay cache system
may be different. That could sure limit the rate of concurrent
authentications, and the effect could vary a lot between implementations.
Could be an issue, if you have an application where the rate of GSSAPI
authentications is the limiting factor.


	Donn Cave, donn@u.washington.edu
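The replay cache Donn describes is easiest to see in code. The following is an added toy model of a Kerberos-style replay cache, not code from MIT Kerberos, Heimdal, OpenLDAP or anyone on this thread: an authenticator is accepted once and remembered for the clock-skew window, a second presentation inside that window is rejected, and every check passes through one lock, which is where a server handling many concurrent GSSAPI authentications spends its time. The class and function names, the SHA-256 digest used as the cache key and the sample authenticators are assumptions made for the example; the error names in the comments (KRB_AP_ERR_SKEW, KRB_AP_ERR_REPEAT) are the RFC 4120 codes a real server would return.

```python
import hashlib
import threading
from collections import OrderedDict

# Kerberos implementations tolerate a bounded clock difference between
# client and server; 300 seconds is the conventional default.
CLOCK_SKEW = 300


class ReplayCache:
    """Toy model of a Kerberos-style replay cache (not MIT's or Heimdal's code).

    Each accepted authenticator is remembered until the skew window has passed.
    Presenting the same authenticator again inside that window is a replay.
    The single lock is the point: every authentication, however many client
    threads there are, has to pass through this critical section.
    """

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._lock = threading.Lock()
        # digest -> server arrival time; insertion order is arrival order,
        # so the oldest entry is always at the front.
        self._seen = OrderedDict()

    def _purge(self, now):
        """Drop entries that can no longer be replayed within the skew window."""
        while self._seen:
            _digest, arrived = next(iter(self._seen.items()))
            if now - arrived <= self.skew:
                break
            self._seen.popitem(last=False)

    def check(self, authenticator, client_time, now):
        """Return 'accepted', 'clock-skew' or 'replay' for one authenticator.

        authenticator: the raw authenticator bytes the client sent;
        client_time:   the timestamp the client put inside it, in seconds;
        now:           the server's clock, in seconds.
        """
        if abs(now - client_time) > self.skew:
            return "clock-skew"          # KRB_AP_ERR_SKEW in the real protocol
        digest = hashlib.sha256(authenticator).digest()
        with self._lock:
            self._purge(now)
            if digest in self._seen:
                return "replay"          # KRB_AP_ERR_REPEAT in the real protocol
            self._seen[digest] = now
            return "accepted"

    def size(self):
        """Number of authenticators currently remembered."""
        with self._lock:
            return len(self._seen)


def run_clients(n_clients, skew=CLOCK_SKEW):
    """Have n_clients threads each present one distinct authenticator.

    Returns the number accepted; with distinct authenticators that is always
    n_clients, even though every check is serialised on the cache lock.
    """
    cache = ReplayCache(skew)
    results = []
    results_lock = threading.Lock()

    def client(i):
        # Constructed sample authenticator: principal names plus a timestamp.
        auth = f"client{i}@EXAMPLE.ORG|ldap/host@EXAMPLE.ORG|{1000 + i}".encode()
        outcome = cache.check(auth, client_time=1000 + i, now=1000 + i)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=client, args=(i,)) for i in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("accepted")


if __name__ == "__main__":
    rc = ReplayCache()
    auth = b"client@EXAMPLE.ORG|ldap/host@EXAMPLE.ORG|1000"   # constructed sample
    print(rc.check(auth, client_time=1000, now=1010))   # accepted
    print(rc.check(auth, client_time=1000, now=1020))   # replay
    print(run_clients(29), "of 29 clients accepted")
```

The model keeps the cache in memory; MIT's default replay cache is file-backed, which is one reason implementations can differ so much in how many concurrent authentications they sustain, and the skew window bounds how long each entry must be kept before it can be purged.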