The choice of a target network platform (e.g. a router, firewall or DDoS scrubber) is often preceded by testing it. One goal of these tests is to check whether the performance figures declared by the vendor match reality. The team developing redGuardian Anti DDoS has tested the solution for regressions and performance in an automated way since its inception. During the presentation we will analyse the aspects worth paying attention to when performance-testing IP devices and look at open source tools that help with this task.
3. Basics
RFC 2544 „Benchmarking Methodology for Network Interconnect Devices”
Frame sizes to be used on Ethernet: 64, 128, 256, 512, 1024, 1280, 1518
RFC 6815 „Use on Production Networks Considered Harmful”
RFC 2889 „Benchmarking Methodology for LAN Switching Devices”
IMIX concept
10. Classic generators
available OOTB or easy to install
mature, well documented
pcap(3) based
„fast enough” in some cases
11. hping3
command-line oriented TCP/IP packet assembler and analyzer
notable options: flood, spoofing, address/port randomization
1 Mpps easy to achieve
similar tools: nping (nmap)
12. hping3
% hping3 --syn 127.0.0.1 --destport ++31337
HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=46879 sport=31337 flags=RA seq=0 win=0 rtt=7.7 ms
len=40 ip=127.0.0.1 ttl=64 DF id=46992 sport=31338 flags=RA seq=1 win=0 rtt=3.5 ms
len=40 ip=127.0.0.1 ttl=64 DF id=47120 sport=31339 flags=RA seq=2 win=0 rtt=3.3 ms
^C
--- 127.0.0.1 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3.3/4.8/7.7 ms
% hping3 --syn 127.0.0.1 --destport ++31337 --flood
13. tcpreplay
tools for editing and replaying network traffic
pcap(3) based, Netmap support
idea: record your UDP traffic, replay it against tested service
https://github.com/appneta/tcpreplay
21. Accelerated generators
kernel bypassing for maximum performance
rough edges
non-trivial to install, tune (core to RX/TX queue mapping, driver and PCIe tuning) and operate
poor man’s alternative for hardware packet generators
22. Snabb packetblaster
Snabb (LuaJIT) based
able to push 20x10Gbps with little CPU usage
tight TX loop over preloaded packets
https://github.com/snabbco/snabb/tree/master/src/program/packetblaster
% packetblaster replay myfile.cap 0000:01:00.0
25. MoonGen
„Scriptable High-Speed Packet Generator”
DPDK + LuaJIT based
craft your packets in Lua!
nice, scientific approach
https://github.com/emmericp/MoonGen
% moongen-simple start udp-simple:0:0:rate=1000mbit/s,ratePattern=poisson
26. T-Rex
„generates L4-7 traffic based on pre-processing and smart replay of real traffic templates”
DPDK-based
feature rich
https://trex-tgn.cisco.com/
https://github.com/cisco-system-traffic-generator
35. Example testcase
def _conf(cfg):
    cfg.add_target_v4('0.0.0.0/0')

@with_config(_conf)
class TestForward:
    def test_ipv4_fragment_beyond_end(self, tester):
        """Fragmented packets with sum of fragment offset and IP length exceeding 65535 are dropped"""
        src = '1.2.3.4'
        dst = '10.0.0.1'
        tester.run(PASS << RAND_ETH << [
            PASS << IP(src=src, dst=dst, proto='udp', id=1, frag=8189) / Payload(3),  # =65535
            DROP << IP(src=src, dst=dst, proto='udp', id=1, frag=8189) / Payload(4),  # =65536
        ])
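The boundary this testcase probes, written as a standalone check over raw IPv4 bytes. This is an added example, not redGuardian code: `build_ipv4` and `fragment_verdict` are hypothetical names, and the constructed packets use a 20-byte header without options and an unverified checksum.

```python
import struct

MAX_DATAGRAM = 65535  # largest value the 16-bit IPv4 Total Length field can hold


def build_ipv4(frag_units, payload_len, more_fragments=False, ident=1):
    """Build a 20-byte IPv4 header (proto=UDP) plus zero payload; constructed test input."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_units & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, ident, flags_frag,
        64, 17, 0,  # TTL, proto=UDP, checksum left at 0 (not verified here)
        bytes([1, 2, 3, 4]), bytes([10, 0, 0, 1]),
    )
    return header + bytes(payload_len)


def fragment_verdict(packet):
    """Return 'PASS' or 'DROP' for one IPv4 packet, based on where its data would end."""
    if len(packet) < 20:
        return "DROP"  # too short to hold an IPv4 header
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", packet[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        return "DROP"  # malformed header or truncated packet
    offset_bytes = (flags_frag & 0x1FFF) * 8  # offset field counts 8-byte units
    # Same sum as the testcase comments: fragment offset + IP total length.
    if offset_bytes + total_len > MAX_DATAGRAM:
        return "DROP"
    return "PASS"


if __name__ == "__main__":
    for payload in (3, 4):
        print(payload, fragment_verdict(build_ipv4(8189, payload)))
```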
36. „Expected” packet actions
Action      Expected behaviour
DROP        silent drop
PASS        passthrough
DEC_TTL     decrement TTL
DELAY       wait (e.g. for state expiration)
FRAGMENT    perform IP fragmentation
STRIP_VLAN  remove 802.1Q tag
TRUNCATE    truncate packet (packet sampling)
…
41. Testing frameworks
DPDK Test Suite: https://dpdk.org/doc/dts/gsg/index.html
fd.io/VPP Continuous System Integration and Testing (CSIT): https://docs.fd.io/csit/master/doc/
42. Summary
theoretical vs. real life vs. IMIX
understand your DUT internals
networking product development without automated testing is impossible