Performance impact of a large ACL list.
Shane Kerr
shane at isc.org
Fri Feb 8 14:36:32 UTC 2013
Augie,
On Monday, 2013-02-04 19:01:38 -0600,
"Jeremy C. Reed" <jreed at isc.org> wrote:
> On Mon, 4 Feb 2013, Augie Schwer wrote:
>
> > Does anyone have any experience using a large ( 1k ) entry ACL list?
> > Was there any performance degradation?
> >
> > I haven't implemented my ACL yet, but it has quickly ballooned up,
> > and I am hoping to get some advice from others in a similar
> > situation.
>
> It has been a few years since I researched this. (I should re-add
> this to my existing performance and resource usage tests.)
>
> BIND 9.5 had various ACL improvements including support for O(1) ACL
> processing, based on radix tree code. As one example, with 20,000 to
> 100,000 ACLs some of my tests for 9.4 only have around 80 to 400 qps,
> while the new version has around 21,000 qps.
This specific change should mean that adding IP-based ACLs will not slow
down ACL performance.
However, if you are using TSIG-based ACLs then we can't store them in
a radix tree, and these still scale linearly with the number of
entries, IIRC. I suppose we can change this to a tree-based structure at
some point if there is a real need for large TSIG-based ACLs. It still
won't be as fast as IP-based ACLs, but it should be much faster than the
simple list-based implementation we have now.
Cheers,
--
Shane
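Added illustration of the scaling difference discussed in this thread (example code written for this page, not BIND's iptable code and not posted by either participant): a binary radix trie keyed on address bits beside an ordered list scanned first-match. Both matchers report how many nodes or entries they touched, so the cost of a lookup can be compared as the ACL grows. The ACL contents (/28 entries under 10.0.0.0/8) are constructed for the example; the trie's longest-prefix behaviour on overlapping entries is a property of this toy implementation and is shown only as a caveat to check against whatever ACL engine you actually deploy.

```python
"""Radix-trie vs linear-list ACL matching (illustrative, not BIND's code)."""
import ipaddress


class RadixAcl:
    """Binary trie keyed on address bits; one trie per IP version."""

    def __init__(self):
        # node = [child_for_bit_0, child_for_bit_1, verdict_or_None]
        self.roots = {4: [None, None, None], 6: [None, None, None]}

    def add(self, cidr, allow):
        net = ipaddress.ip_network(cidr, strict=False)
        node = self.roots[net.version]
        addr = int(net.network_address)
        top = net.max_prefixlen - 1
        for i in range(net.prefixlen):
            bit = (addr >> (top - i)) & 1        # walk from the most significant bit
            if node[bit] is None:
                node[bit] = [None, None, None]
            node = node[bit]
        if node[2] is None:                      # first entry for an identical prefix wins
            node[2] = allow

    def lookup(self, address):
        """Return (verdict, nodes_visited); verdict None means no entry matched."""
        ip = ipaddress.ip_address(address)
        node = self.roots[ip.version]
        addr = int(ip)
        top = ip.max_prefixlen - 1
        verdict = node[2]
        visited = 0
        for i in range(ip.max_prefixlen):        # bounded by 32 (v4) or 128 (v6) steps
            nxt = node[(addr >> (top - i)) & 1]
            if nxt is None:
                break
            node = nxt
            visited += 1
            if node[2] is not None:              # remember the longest prefix seen so far
                verdict = node[2]
        return verdict, visited


class ListAcl:
    """Ordered list, first match wins: cost grows with the number of entries."""

    def __init__(self):
        self.entries = []

    def add(self, cidr, allow):
        self.entries.append((ipaddress.ip_network(cidr, strict=False), allow))

    def lookup(self, address):
        ip = ipaddress.ip_address(address)
        for checked, (net, allow) in enumerate(self.entries, start=1):
            if ip.version == net.version and ip in net:
                return allow, checked
        return None, len(self.entries)


def build(n):
    """Constructed ACL of n distinct /28 allow entries carved out of 10.0.0.0/8."""
    radix, flat = RadixAcl(), ListAcl()
    for i in range(n):
        cidr = str(ipaddress.ip_network((0x0A000000 + i * 16, 28)))
        radix.add(cidr, True)
        flat.add(cidr, True)
    return radix, flat


def compare(n):
    """Look up a host in the last entry: list cost is n, trie cost is the prefix length."""
    radix, flat = build(n)
    last_host = str(ipaddress.ip_address(0x0A000000 + (n - 1) * 16 + 7))
    r_verdict, r_cost = radix.lookup(last_host)
    l_verdict, l_cost = flat.lookup(last_host)
    assert r_verdict is True and l_verdict is True
    return r_cost, l_cost


def overlap_caveat():
    """Overlapping prefixes: first-match (list) and longest-match (trie) can disagree."""
    radix, flat = RadixAcl(), ListAcl()
    for cidr, allow in (("10.0.0.0/8", False), ("10.0.0.0/24", True)):
        radix.add(cidr, allow)
        flat.add(cidr, allow)
    return flat.lookup("10.0.0.1")[0], radix.lookup("10.0.0.1")[0]


if __name__ == "__main__":
    for n in (1_000, 20_000, 100_000):
        trie_cost, list_cost = compare(n)
        print(f"{n} entries: trie visited {trie_cost} nodes, list checked {list_cost} entries")
    print("10.0.0.1 with overlapping entries: list says %s, trie says %s" % overlap_caveat())
```

The trie's cost never exceeds the address length, whichever of the 1,000 or 100,000 entries the client falls into, which is the "adding IP entries does not slow matching down" property above; the list's cost is the position of the matching entry. The second function is the caveat: with a deny on 10.0.0.0/8 listed before an allow on 10.0.0.0/24, first-match denies 10.0.0.1 while longest-prefix match allows it, so check how the ACL engine you run reconciles list order with prefix length before relying on overlapping entries.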