Forum Discussion

Tim_Hsiao_30513's avatar
Tim_Hsiao_30513
Icon for Nimbostratus rankNimbostratus
Jan 04, 2017

Do custom headers incur performance overhead on Big-IP?

BIG-IP 11.6.0 Build 4.0.420 Hotfix HF4

We have added an iRule to add http headers from incoming requests so that our application can capture client certificate information:

when CLIENTSSL_HANDSHAKE { 
    set my_cert_0 [SSL::cert 0] 
    set my_verify_result [SSL::verify_result] 
 } 
 when HTTP_REQUEST { 
    HTTP::header insert [X509::cert_fields $my_cert_0 $my_verify_result versionnum serial sigalg issuer validity subject subpubkey hash] 
 }

Functionally, this is working well on test environment. We plan to move this to production but want to make sure all bases are covered. Specifically, we are not able to do performance/load testing in our test environment due to limited connections. Our production environment normally sees 1600 to 2200 simultaneous connections. I can't seem to find any article or documentation on the web regarding any performance hit with such custom headers. That said, the feature is well documented and seems to be a standard way of manipulating inbound/outbound traffic. Are there any other recommendations or metrics that I should look into?

Thank you.

application delivery
BIG-IP
iRules
overhead
performance

2 Replies

Sort By
  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Icon for MVP rankMVP
    Jan 05, 2017

    Hi!

     

    Always good to cover all bases, good thinking!

     

    You have two events here

     

    • CLIENT_SSL_HANDSHAKE - Occurs once per connection
    • HTTP_REQUEST - Occurs once per request

    Since the performance impact is dependent on both connections and requests it's hard to answer your question as one connection could carry 1, 1000 or more requests per second. Also, knowing which platform you're running this on would also be helpful. :)

     

    That said, the F5's are very efficient when it comes down to header manipulations and SSL should be hardware accelerated (unless you're running a VM) so you should be in the clear.

     

    Hope that somewhat answered your question!

     

    /Patrik

     

  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Jan 05, 2017

    What you can also do is enable timings on the iRules and then check how many CPU cycles per call are taken.