ietf-mailsig

RE: charter constraints list

2004-10-05 22:30:13

From: Michael Thomas
Sent: Tuesday, October 05, 2004 7:25 PM



Seth Goodman writes:

[Miles Libbey]

 > > Sendmail did a much more valid test in July
 > > http://sendmail.net/dk-milter/benchmark/
 > > and determined their DomainKeys implementation would add
 > > 8-16% overhead to MTAs.

FWIW, my own testing is in the same range for IIM.

 > Thanks for posting this link.  I was looking for it recently.  The
 > conclusion they draw is based on a large average message size.
 > Most spam are very short messages, and spam is the preponderance of
 > the incoming stream, so I don't think the conclusion necessarily
 > agrees with the data they present.  For very short messages, the
 > throughput of this fairly CPU-rich MTA was reduced to
 > approximately half.  I suggest this is more like
 > what typical sites with high spam loads will see.

Something to note here is that signing and verifying are
several orders of magnitude different in CPU complexity --
verifying being *much* cheaper. The SHA1 digest quickly
overcomes the RSA verify as the dominant factor... not to
mention that watching Spamassassin grind away trumps all...


Hmm.  Something's rotten in Denmark.  There is a difference between signing
and validating, but I don't recall it as being anywhere near an order of
magnitude and certainly not multiple orders of magnitude.  The Sendmail
benchmark above shows nearly identical results for signing and validating,
which supports my recollection.  That data suggests that the test dual-CPU
machine was capable of either creating or verifying on the order of 500 RSA
signatures/second (I didn't find the key length used), if it was doing
nothing else.  I'd guess that same machine can do around 5 million SHA1
digests per second for short data blocks.  SHA1 HMACs are a little slower,
but similar to SHA1 digests.

SpamAssassin is very slow, but you only run it on messages that pass
authentication and have adequate sender reputation.  Presumably we will be
rejecting a lot of mail due to either authentication failures or inadequate
reputation.  If not, that means either the spam problem is solved or we're
accepting all of it.

--

Seth Goodman
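
Added example, not part of the original message or of any implementation mentioned in the thread: a Python sketch that counts the modular multiplications behind an RSA sign and an RSA verify, and the SHA-1 block count as message size grows, which are the costs debated above. The demo key built from two Mersenne primes, the public exponent 65537, unpadded textbook RSA and the message sizes are all assumptions; the thread does not give the key length or exponent used in the benchmark.

```python
import hashlib
import time

# Constructed demo key: two Mersenne primes give an ~1128-bit modulus without
# any key-generation code. The special form makes it unfit for real use.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q
E = 65537                                  # assumed public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)

def modmuls(exponent):
    """Modular multiplications used by plain square-and-multiply."""
    return (exponent.bit_length() - 1) + (bin(exponent).count("1") - 1)

def sha1_blocks(length):
    """64-byte compression-function calls SHA-1 needs for `length` bytes."""
    return (length + 9 + 63) // 64         # 0x80 byte + 8-byte length field

def digest_int(message):
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(message):
    # Textbook RSA without padding: enough to expose the exponentiation cost.
    return pow(digest_int(message), D, N)

def verify(message, signature):
    return pow(signature, E, N) == digest_int(message)

def seconds_per_call(fn, *args, repeat=200):
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return (time.perf_counter() - start) / repeat

if __name__ == "__main__":
    print("modmuls sign/verify:", modmuls(D), modmuls(E))
    for size in (500, 5_000, 50_000):      # constructed message sizes
        msg = b"x" * size
        sig = sign(msg)
        print(size, "bytes:", sha1_blocks(size), "SHA-1 blocks,",
              f"sign {seconds_per_call(sign, msg):.2e}s,",
              f"verify {seconds_per_call(verify, msg, sig):.2e}s,",
              f"hash {seconds_per_call(digest_int, msg):.2e}s")
```

The multiplication counts are fixed by the exponents, while the hash cost scales with message length; the printed timings depend on the machine and on Python's big-integer arithmetic.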

