Some performance statistics for use by NREN and Trust Router operators to set expectations.

Network

There are four trust routers in the test infrastructure, in a chained tree configuration:

  • L1 - The main (top-level) trust router, to which the APC is connected, as well as one IDP (L1-IDP) and one RP (L1-RP).
  • L2 - The first-level down-stream trust router, to which one IDP (L2-IDP) and one RP (L2-RP) are connected.
  • L2A - Another first-level down-stream trust router (a peer of L2 under L1), to which one IDP (L2A-IDP) is connected.
  • L3 - The second-level down-stream trust router, to which one IDP (L3-IDP) and one RP (L3-RP) are connected.

The two second-level trust routers (L2 and L2A) are both connected to the top-level trust router (L1), while the third-level trust router (L3) is connected to only one of the second-level trust routers (L2).

Methodology

Each of these timings was obtained by restarting all TID and RADIUS servers for all services, to ensure that new keys are obtained for all parties in the chain. This way the maximum time in an ideal configuration was obtained.

Timings were obtained in both directions (up-stream as well as down-stream), as well as between services on the same trust router. Additionally, timings were obtained across two trust routers on the same level.

Timings

| From  | To      | Direction          | Initial Timing | Comments                                                                                   |
|-------|---------|--------------------|----------------|--------------------------------------------------------------------------------------------|
| L1-RP | L1-IDP  | Same TR            | 4 seconds      | Both parties are connecting to the same trust router                                       |
| L1-RP | L2-IDP  | Down 1 TR          | 6 seconds      |                                                                                            |
| L1-RP | L3-IDP  | Down 2 TR          | 8 seconds      |                                                                                            |
| L2-RP | L1-IDP  | Up 1 TR            | 5 seconds      |                                                                                            |
| L2-RP | L2-IDP  | Same TR            | 7 seconds      |                                                                                            |
| L2-RP | L2A-IDP | Up 1 TR, Down 1 TR | 6 seconds      | This configuration tested the TID completion across two trust routers on the same level    |
| L2-RP | L3-IDP  | Down 1 TR          | 7 seconds      |                                                                                            |
| L3-RP | L1-IDP  | Up 2 TR            | 7 seconds      |                                                                                            |
| L3-RP | L2-IDP  | Up 1 TR            | 7 seconds      |                                                                                            |
| L3-RP | L3-IDP  | Same TR            | 7 seconds      |                                                                                            |

Conclusion

The current static peering model for the Trust Router infrastructure expects that each down-stream trust router is listed upstream as the AAA server for all the IdPs connected to it, or connected to trust routers below it. In turn, each down-stream trust router lists the true AAA server for the IdPs directly connected to it. This way trust boundaries are respected. It does add a performance penalty, in that a request for an IdP outside the local subtree needs to be passed up the chain (as far as the top-level trust router in the worst case) and back down before being routed along to the IdP.

In the infrastructure example above, L2 would be listed as AAA server for L2-IDP and L3-IDP on L1, while L2A would be listed as AAA server for L2A-IDP.
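
The topology in the Network section and the static peering rule above can be modelled directly; the following is an added example (not code from the page or from the Trust Router project) that derives the Direction column of the timing table and the AAA-server entries each trust router would carry. The router and service names are those of the page; the tree and the "lowest common trust router" routing are assumptions drawn from the table.

```python
# Added example: model of the chained trust-router tree described above.
# UPSTREAM maps each trust router to its upstream peer (None = top level),
# HOME_TR maps each IdP/RP to the trust router it is connected to. Both are
# constructed from the Network section, not read from any live system.
UPSTREAM = {"L1": None, "L2": "L1", "L2A": "L1", "L3": "L2"}
HOME_TR = {
    "L1-IDP": "L1", "L1-RP": "L1",
    "L2-IDP": "L2", "L2-RP": "L2",
    "L2A-IDP": "L2A",
    "L3-IDP": "L3", "L3-RP": "L3",
}


def chain_to_root(tr):
    """Trust routers from tr up to and including the top-level router."""
    path = []
    while tr is not None:
        path.append(tr)
        tr = UPSTREAM[tr]
    return path


def route(rp, idp):
    """(ups, downs): hops up from the RP's trust router to the lowest common
    trust router, then hops down from there to the IdP's trust router."""
    up_path = chain_to_root(HOME_TR[rp])
    down_path = chain_to_root(HOME_TR[idp])
    common = next(tr for tr in up_path if tr in down_path)  # L1 at worst
    return up_path.index(common), down_path.index(common)


def direction(rp, idp):
    """Render a route in the notation of the timing table ('Up 1 TR, Down 1 TR')."""
    ups, downs = route(rp, idp)
    parts = [f"Up {ups} TR"] if ups else []
    if downs:
        parts.append(f"Down {downs} TR")
    return ", ".join(parts) or "Same TR"


def aaa_entries(tr):
    """Static peering rule from the Conclusion: for each IdP below tr, the
    down-stream trust router tr lists as its AAA server ('direct' = the IdP's
    true AAA server, used only for IdPs connected to tr itself)."""
    entries = {}
    for idp, home in HOME_TR.items():
        path = chain_to_root(home)
        if not idp.endswith("-IDP") or tr not in path:
            continue  # not an IdP, or not in this trust router's subtree
        idx = path.index(tr)
        entries[idp] = "direct" if idx == 0 else path[idx - 1]
    return entries
```

Running `aaa_entries("L1")` reproduces the listing in the paragraph above: L2 for L2-IDP and L3-IDP, L2A for L2A-IDP, and the true AAA server for L1-IDP.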

The timings improve when the top-level trust router has a fairly liberal key expiry policy and subsequent requests do not need to request TID keys for the APC itself.