...
The below performance statistics for use by NREN and Trust Router operators illustrate the penalties of these cumulative round-trips, in order to set expectations for Moonshot authentication requests for the operators of services on their trust router infrastructures.
Test Network
There are four trust routers in the test infrastructure in a tree configuration:
...
- L1 has both L2 and L2A as down-stream trust routers
- L2 has L3 as a down-stream trust router
Methodology
Each of these timings was obtained by restarting all TID and RADIUS servers for all services to ensure that new keys are obtained for all parties in the chain. This way a maximum time in an ideal configuration was obtained.
Timings were obtained in both directions up- as well as down-stream, as well as between services on the same trust router. Additionally, timings were also obtained across two trust routers on the same level.
Timings
| From | To | Direction | Initial Timing | Comments |
|---|---|---|---|---|
| L1-RP | L1-IDP | Same TR | 4 seconds | Both parties are connecting to the same trust router |
| L1-RP | L2-IDP | Down 1 TR | 6 seconds | |
| L1-RP | L3-IDP | Down 2 TR | 8 seconds | |
| L2-RP | L1-IDP | Up 1 TR | 5 seconds | |
| L2-RP | L2-IDP | Same TR | 7 seconds | |
| L2-RP | L2A-IDP | Up 1 TR, Down 1 TR | 6 seconds | This configuration tested the TID completion across two trust routers on the same level |
| L2-RP | L3-IDP | Down 1 TR | 7 seconds | |
| L3-RP | L1-IDP | Up 2 TR | 7 seconds | |
| L3-RP | L2-IDP | Up 1 TR | 7 seconds | |
| L3-RP | L3-IDP | Same TR | 7 seconds |
Conclusion
The current static peering model for the Trust Router infrastructure expects that each down-stream trust router is listed upstream as the AAA server for all the IdPs connected to it, or connected to trust routers connected to it. As appropriate, each down-stream trust router then lists the true AAA server for IdPs directly connected to it. This way trust boundaries are respected. This does add a performance penalty in that each request needs to be passed up and down the chain to the top level trust router before being routed along to the IdP.
...