TY - GEN
T1 - An experimental testbed to predict the performance of XACML policy decision points
AU - Butler, Bernard
AU - Jennings, Brendan
AU - Botvich, Dmitri
PY - 2011
Y1 - 2011
N2 - The performance and scalability of access control systems is a growing concern as organisations deploy ever more complex communications and content management systems. This paper describes how an (offline) experimental testbed may be used to address performance concerns. To begin, timing measurements are collected from a server component incorporating the Policy Decision Point (PDP) under test, using representative policies and corresponding requests. Our experiments with two XACML PDP implementations show that measured request service times are typically clustered by request type; thus an algorithm for request cluster identification is presented. Cluster characterisations are used as inputs to a PDP performance model for a given policy/request mix and an analytic (queueing) model is used to estimate the equilibrium server load for different mixes of request clusters. The analytic performance prediction model is validated and extended by discrete event simulation of a PDP subject to additional load. These predictive models enable network administrators to explore the capacity of the PDP for different overall loadings (requests per unit time) and profiles (relative frequencies) of requests.
AB - The performance and scalability of access control systems is a growing concern as organisations deploy ever more complex communications and content management systems. This paper describes how an (offline) experimental testbed may be used to address performance concerns. To begin, timing measurements are collected from a server component incorporating the Policy Decision Point (PDP) under test, using representative policies and corresponding requests. Our experiments with two XACML PDP implementations show that measured request service times are typically clustered by request type; thus an algorithm for request cluster identification is presented. Cluster characterisations are used as inputs to a PDP performance model for a given policy/request mix and an analytic (queueing) model is used to estimate the equilibrium server load for different mixes of request clusters. The analytic performance prediction model is validated and extended by discrete event simulation of a PDP subject to additional load. These predictive models enable network administrators to explore the capacity of the PDP for different overall loadings (requests per unit time) and profiles (relative frequencies) of requests.
UR - http://www.scopus.com/inward/record.url?scp=80052749371&partnerID=8YFLogxK
U2 - 10.1109/INM.2011.5990711
DO - 10.1109/INM.2011.5990711
M3 - Conference contribution
AN - SCOPUS:80052749371
SN - 9781424492213
T3 - Proceedings of the 12th IFIP/IEEE International Symposium on Integrated Network Management, IM 2011
SP - 353
EP - 360
BT - Proceedings of the 12th IFIP/IEEE International Symposium on Integrated Network Management, IM 2011
T2 - 12th IFIP/IEEE International Symposium on Integrated Network Management, IM 2011
Y2 - 23 May 2011 through 27 May 2011
ER -