Component Matching Performance

[Sang s Lim <slim@xxxxxxxxxx>]

Attached is a preliminary performance numbers of Component Matching. We 
compared the performance of Component Matching and the existing 
certificateExactMatch implementation of OpenLDAP which utilizes openssl 
certificate decoder. We were able to use the DirectoryMark benchmarking 
tool for Component Matching because DirectoryMark clients naturally 
support component matching without modification.

Experimental platform
        - Server: IBM BladeCenter blade node with 2x2.4G HT Xeon, Linux 
Kernel 2.4.20
        - Client: IBM BladeCenter blade node with 2x2.4G HT Xeon, Windows 
2000
        - Network: 1Gbps Ethernet
 
Directory
        - 100,000 entry DIT
        - Each entry is a person entry with one userCertificate attribute
        - Operations: Random searches on tbsCertificate.serialNumber 
(serialNumber in userCertificate)
        - Indexing: tbsCertificate.serialNumber

Result (average of 3 runs)
        - Component Matching: 
                - Throughput: 3273.66 ops/sec
                - Max latency: 20ms
        - certificateExactMatch in OpenLDAP
                - Throughput: 3674.73 ops/sec
                - Max latency: 18ms
 
The performance numbers show that the overhead of Component Matching is 
around 10% which we attribute to the component filter parsing overhead. 
However, we expect that Component Matching performs on par with the custom 
openssl matching when the attribute aliasing mechanism is used in 
Component Matching because this will eliminate the additional component 
filter parsing steps.

Sang Seok Lim

IBM T.J Watson Research Center
Enterprise Linux Group
slim@xxxxxxxxxx