Performance impact of Kerberos on Azure NetApp Files NFSv4.1 volumes

Azure NetApp Files supports NFS client encryption in Kerberos modes (krb5, krb5i, and krb5p) with AES-256 encryption. This article describes the performance impact of Kerberos on NFSv4.1 volumes. Performance comparisons referenced in this article are made against the sec=sys security parameter, testing on a single volume with a single client.

Available security options

The security options currently available for NFSv4.1 volumes are as follows:

  • sec=sys uses local UNIX UIDs and GIDs by using AUTH_SYS to authenticate NFS operations.
  • sec=krb5 uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
  • sec=krb5i uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
  • sec=krb5p uses Kerberos V5 for user authentication and integrity checking. It encrypts NFS traffic to prevent traffic sniffing. This option is the most secure setting, but it also involves the most performance overhead.

Performance vectors tested

This section describes the single client-side performance impact of the various sec=* options.

  • Performance impact was tested at two levels: low concurrency (low load) and high concurrency (upper limits of I/O and throughput).
  • Three types of workloads were tested:
    • Small operation random read/write (using FIO)
    • Large operation sequential read/write (using FIO)
    • Metadata heavy workload as generated by applications such as git

Expected performance impact

There are two areas of focus: light load and upper limit. The following lists describe the performance impact for each security setting and each scenario.

Testing scope

  • All comparisons are made against the sec=sys security parameter.
  • The test was done on a single volume, using a single client.

Performance impact of krb5:

  • Average IOPS decreased by 53%
  • Average throughput decreased by 53%
  • Average latency increased by 0.2 ms

Performance impact of krb5i:

  • Average IOPS decreased by 55%
  • Average throughput decreased by 55%
  • Average latency increased by 0.6 ms

Performance impact of krb5p:

  • Average IOPS decreased by 77%
  • Average throughput decreased by 77%
  • Average latency increased by 1.6 ms

Performance considerations with nconnect

It is not recommended to use nconnect and sec=krb5* mount options together. Performance degradation has been observed when using the two options in combination.

The Generic Security Service Application Programming Interface (GSS-API) provides a way for applications to protect data sent to peer applications. This data might be sent from a client on one machine to a server on another machine.

When nconnect is used in Linux, the GSS security context is shared between all the nconnect connections to a particular server. TCP is a reliable transport, but because several connections share one context, GSS messages can arrive out of sequence; the GSS stream tolerates this by using a sliding window of sequence numbers. When packets outside the sequence window are received, the security context is discarded and a new security context is negotiated. All messages sent within the now-discarded context are no longer valid, so they must be sent again. The larger number of packets in an nconnect setup causes frequent out-of-window packets, triggering the behavior described. No specific degradation percentage can be stated for this behavior.
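As an added example that is not from this article or from Azure NetApp Files, the following POSIX shell script audits mount-table lines in the /proc/mounts format, reports the security flavor (sec=sys, krb5, krb5i or krb5p) of each NFS mount, and flags the nconnect plus sec=krb5* combination discouraged above. The mount lines embedded in it are constructed for the demonstration; the addresses, volume names and mount points are made up.

```shell
#!/bin/sh
# Added example (not part of the Azure NetApp Files article): audit NFS mounts
# for their sec= flavor and flag Kerberos mounts that also use nconnect.
# Input lines follow the /proc/mounts layout: source mountpoint fstype options dump pass

# Constructed sample mount table (addresses, volumes and paths are made up).
SAMPLE_MOUNTS='10.0.0.4:/vol-sys /mnt/sys nfs4 rw,relatime,vers=4.1,rsize=262144,wsize=262144,sec=sys,nconnect=8,addr=10.0.0.4 0 0
10.0.0.4:/vol-krb5p /mnt/krb5p nfs4 rw,relatime,vers=4.1,sec=krb5p,addr=10.0.0.4 0 0
10.0.0.4:/vol-krb5i /mnt/krb5i nfs4 rw,relatime,vers=4.1,sec=krb5i,nconnect=4,addr=10.0.0.4 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Print the value of option "$2" from the comma-separated option list "$1".
# Prints nothing when the option is absent.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Classify one mount line. Prints "<mountpoint> <sec> <nconnect> <verdict>" for
# NFS mounts and returns 1 (printing nothing) for any other filesystem type.
# Verdicts:
#   ok                 - Kerberos flavor, single connection
#   no-integrity       - sec=sys: AUTH_SYS only, no Kerberos, integrity or privacy
#   krb5-with-nconnect - sec=krb5* combined with nconnect>1 (discouraged)
classify_mount() {
    set -- $1
    mnt=$2
    fstype=$3
    opts=$4
    case "$fstype" in
        nfs|nfs4) ;;
        *) return 1 ;;
    esac
    sec=$(opt_value "$opts" sec)
    # AUTH_SYS is the flavor used when no sec= option is requested.
    [ -n "$sec" ] || sec=sys
    nconnect=$(opt_value "$opts" nconnect)
    [ -n "$nconnect" ] || nconnect=1
    verdict=ok
    case "$sec" in
        sys) verdict=no-integrity ;;
        krb5|krb5i|krb5p)
            if [ "$nconnect" -gt 1 ]; then verdict=krb5-with-nconnect; fi ;;
        *) verdict=unknown-flavor ;;
    esac
    printf '%s %s %s %s\n' "$mnt" "$sec" "$nconnect" "$verdict"
}

# Audit every mount line read from stdin; non-NFS lines are skipped.
audit_mounts() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        classify_mount "$line" || true
    done
}

# Stand-alone run over the constructed table.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
# On a live client use:  audit_mounts < /proc/mounts
```

A mount reported as krb5-with-nconnect is a candidate for remounting without nconnect, and a mount reported as no-integrity is one where neither tampering nor sniffing of NFS traffic is prevented; both findings are worth feeding into configuration monitoring rather than checking by hand.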

Next steps