Re: Heimdal Vs. MIT Round 4

[Donn Cave <donn@u.washington.edu>]

On Friday, July 30, 2004, at 09:52 AM, Quanah Gibson-Mount wrote:

> Yesterday, I tested OpenLDAP using Heimdal and OpenLDAP using a 
> 6/24/2004 HEAD checkout of MIT Kerberos (It has mutex protections in 
> place).
>
> Overall, results for MIT Kerberos have improved -- The server never 
> locked up, and it was able to keep a reasonable number of clients 
> going (22).
>
> Heimdal was able to keep 29 without issue.
>
> Underlying software:
>
> Cyrus-SASL 2.1.19 (This release does *not* have mutex protections in.)
> BDB 4.2.52 (plus 2 patches)
> OpenLDAP 2.2.15
> OpenSSL 0.9.7d
> libgcc 3.3.1
>
>
> Results pages:
>
> <http://www.stanford.edu/~quanah/openldap/heimdal-results-0-6-1.html>
> <http://www.stanford.edu/~quanah/openldap/mit-results-20040624.html>
>
> Note the far superior speed performance when using Heimdal.  So, 
> although I understand that people often would prefer to have only a 
> single Kerberos to use, if you go with MIT as the underlying Kerberos 
> to build cyrus-sasl against, you are looking at getting 3x+ worse 
> performance than if you went with Heimdal.

I haven't explored this issue in detail, since my application is in
general going to be host-authorized and authenticated via certificate.
But when I tested performance with GSSAPI authentication, I found that
it was significantly slower than SSL certificates.  To my surprise,
since I had expected the cryptography to be more expensive, but I think
the explanation is "replay" detection, which requires the server to
maintain a little database of incoming authentications.  An MIT server,
anyway, as that was what I was using - Heimdal's replay cache system
may be different.  That could sure limit the rate of concurrent
authentications, and the effect could vary a lot between 
implementations.
Could be an issue, if you have an application where the rate of GSSAPI
authentications is the limiting factor.

	Donn Cave, donn@u.washington.edu