Metrics and Definitions
Table 7 describes the key performance metrics of SBRC.
Table 7: Key Performance Metrics
RADIUS accounting per second.
In SBRC, starts, stops, and interims have approximately the same load requirements. In certain use cases, starts can be marginally faster (a new session when a phantom was not generated), interims marginally slower (requiring an update, retrieval of existing values, and re-writing the record), and stops may be marginally more work (such as managing IP addresses and concurrency).
RADIUS authentications per second.
In general, auths/s refers to PAP authentication or CHAP authentication, which is the RADIUS Auth-Request.
The performance characteristics of these auths are similar; the differences in simple authentication cryptographies are usually minor.
Calls per second.
This can be one RADIUS authentication, one accounting start, and one accounting stop.
This metric corresponds to a model where the sessions are transient, rather than of long duration where re-authentication occurs with each connection.
Call setups per second.
This is one authentication and one accounting-start.
Note: CSPS is rarely used by Juniper Networks, but is commonly used in other sources of reference.
Adding 33 percent to CSPS equalizes the CPS metric, since CSPS ignores stops, whether they are generated by the NAS or are autostops generated from the session timeout.
Extensible Authentication Protocol.
Most EAP-based authentication protocols require multiple round trips of RADIUS authentication requests and responses.
The number of round trips is strongly influenced by the client and the number of protocols supported. The client can send negative acknowledgements (NAKs) for each authentication protocol until either the last authentication protocol or the server has attempted to serve all the protocols on the available list, after which the server should be configured to reject.
If several types of EAP requests are supported and the most likely ones are the preferred ones, this will under most circumstances decrease the number of transactions done at the negotiation stage.
EAP-SIM and EAP-AKA
Extensible Authentication Protocol method for GSM Subscriber Identity Module (EAP-SIM) and Extensible Authentication Protocol method for UMTS Authentication and Key Agreement (EAP-AKA).
EAP-SIM and EAP-AKA require multiple round trips and less cryptography in the SBRC front-end application, some of which is pushed into the authGW and some to the Home Location Register (HLR).
EAP-Transport Layer Security/Tunneled Transport Layer Security.
In addition to multiple round trips, some of the packets that require much heavier cryptography to process can take many CPU cycles on each front-end application.
The performance overhead of writing a request downstream and reading a response from downstream is similar to the equivalent auths/s or accts/s. This is in addition to the overhead of proxy processing of greater or lesser complexity.
Sessions per second.
This can be one authentication, one accounting start, three interim-accounting transactions, and one accounting stop.
In certain use cases, the number of transactions can vary significantly, but the three interim-accounting transactions are in place in proportion to the authentications, starts, and stops for calls of average duration. In an average case, interims are sent to extend the session life three times in a varying period of time.
Note: CPS can also be referred to as SPS in other documents or in literature from other organizations.
Transactions per second.
In SBRC, a transaction refers to a RADIUS input packet and its corresponding response packet.
For example, a key TTLS transaction may take 100 CPU-milliseconds to execute. An interim accounting transaction might generate an ACK, but it might not perform an update, making it quicker. Thus, the “TPS” of a system is not a great metric for comparative performance.
In general, TPS refers to any RADIUS transaction processing such as receiving a packet, turning the attribute-value pairs (AVPs) into an internal representation, doing minimal processing common to all transactions, turning the internal representation of AVPs back into RADIUS and calculating the authenticator, and sending simple responses.
Worldwide Interoperability for Microwave Access.
WiMAX is similar to EAP-TLS/TTLS for authentication in specific cases. In WiMAX, the session resumption keys and certain AVPs are stored within the NDB and use the WiMAX accounting flow functionality. This adds to the overhead for processing the accounting starts, interims, and stops.
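The EAP entry above says that the number of negotiation round trips depends on how the server's list of EAP types is ordered relative to what clients support. The following added example (not SBRC code or configuration) models that statement under a simplifying assumption: the server offers its EAP types in configured order, each NAK costs one extra RADIUS round trip, and the server rejects once the list is exhausted. The client mix and the function names are constructed for illustration.

```python
import itertools

# Constructed sample data: EAP types the server offers, and the share of
# clients supporting each set of types (fractions sum to 1).
OFFERED = ("EAP-SIM", "EAP-TLS", "EAP-TTLS")
CLIENT_MIX = [
    (0.70, {"EAP-TTLS"}),
    (0.20, {"EAP-TLS", "EAP-TTLS"}),
    (0.08, {"EAP-SIM"}),
    (0.02, {"EAP-MD5"}),  # supports nothing on the server list: rejected
]

def negotiate(server_order, client_supported):
    """Return (chosen_type_or_None, nak_count) for a single client."""
    naks = 0
    for eap_type in server_order:
        if eap_type in client_supported:
            return eap_type, naks
        naks += 1  # client NAKs this offer: one extra round trip
    return None, naks  # list exhausted: server rejects

def expected_naks(server_order, client_mix):
    """Return (expected NAKs per authentication, fraction of clients rejected)."""
    if abs(sum(f for f, _ in client_mix) - 1.0) > 1e-9:
        raise ValueError("client fractions must sum to 1")
    expected, rejected = 0.0, 0.0
    for fraction, supported in client_mix:
        chosen, naks = negotiate(server_order, supported)
        expected += fraction * naks
        if chosen is None:
            rejected += fraction
    return expected, rejected

def best_order(offered, client_mix):
    """Brute-force the ordering with the fewest expected NAKs."""
    return min(itertools.permutations(offered),
               key=lambda order: expected_naks(order, client_mix)[0])

if __name__ == "__main__":
    for order in (OFFERED, best_order(OFFERED, CLIENT_MIX)):
        naks, rejected = expected_naks(order, CLIENT_MIX)
        print(f"{' > '.join(order)}: {naks:.2f} NAKs/auth, {rejected:.0%} rejected")
```

The rejected fraction is the same for every ordering; only the negotiation overhead changes, which is why ordering affects throughput but not which clients can authenticate.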