Next: Previous Work Up: SYN Cookies Previous: SYN cookie performance

Round trip performance

Prior measurements were taken by timing how long it takes for a connect() call to complete on the client machine. This corresponds to the time required to complete 2 stages of a TCP handshake, since the client machine enters the ESTABLISHED state as soon as it receives a SYN,ACK. An unanswered question is how long it takes the server to enter the ESTABLISHED state, from the time the initial SYN is sent from the client. This time may be affected by the different processing requirements to verify the ACK, and may fail if the original syncache record no longer exists.

To verify that failure was not a concern, the experimental setup was modified to include the time required to read() a byte from the server, which can be viewed as a 4 way handshake: transmit SYN, receive SYN,ACK, transmit ACK, receive data. The results for this test are presented in Figure 6.
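The two timings this section compares, as an added example that is not part of the paper's test setup: a Python client that records how long connect() takes to return (the client is ESTABLISHED once it sees SYN,ACK) and how long it takes to read the server's first byte (which requires the server to have processed the ACK and entered ESTABLISHED), driven against a constructed local one-byte server so it runs offline. The 1-second cut-off helper is an assumption that mirrors the threshold the text uses; the syncache versus syncookies difference would only show up when this is run against a loaded server.

```python
import socket
import threading
import time

# Constructed one-byte server so the measurement runs offline against localhost.
def serve_one_byte(listener: socket.socket, count: int) -> None:
    for _ in range(count):
        conn, _ = listener.accept()   # server side is ESTABLISHED once the ACK is processed
        conn.sendall(b"x")
        conn.close()

def measure_round_trips(host: str, port: int, samples: int) -> dict:
    """Per sample: time for connect() (2 stages) and time to first byte (4 stages)."""
    connect_times, first_byte_times = [], []
    for _ in range(samples):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        t0 = time.perf_counter()
        s.connect((host, port))       # returns when the client has seen SYN,ACK
        t1 = time.perf_counter()
        data = s.recv(1)              # returns only after the server accepted the ACK and sent data
        t2 = time.perf_counter()
        s.close()
        if data != b"x":
            raise RuntimeError("handshake completed but no data arrived")
        connect_times.append(t1 - t0)
        first_byte_times.append(t2 - t0)
    return {"connect": connect_times, "first_byte": first_byte_times}

def fraction_within(times: list, threshold: float) -> float:
    """Share of attempts finishing within `threshold` seconds (assumed 1 s cut-off)."""
    return sum(1 for t in times if t <= threshold) / len(times)

def run_experiment(samples: int = 20) -> dict:
    """Start the local server, drive `samples` connections, return the timings."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port
    listener.listen(64)
    listener.settimeout(5)            # lets the server thread give up if a client never arrives
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one_byte, args=(listener, samples))
    server.start()
    try:
        return measure_round_trips("127.0.0.1", port, samples)
    finally:
        server.join()
        listener.close()
```

Call run_experiment() and compare the two lists; on an unloaded host both medians are well under a millisecond, and the gap between them is the server-side ACK processing the text is asking about.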

On an unloaded box, there is no measurable difference in performance between the syncache and syncookies approaches. However, when the box is loaded, the combination of syncache and syncookies outperforms a pure syncache configuration. Again, as there are no TCP retransmits occurring, the performance difference is not due to entries getting dropped from the syncache hash buckets. This also indicates that the bucket depth of 30 entries that is used in these tests is sufficient to handle the RTT across the local LAN; connections are getting established before they are dropped.

The difference between the two algorithms could be explained by the difference in ISS generation, or by the fact that the standalone syncache needs to perform a FIFO drop for a bucket, which is bypassed when syncookies are in use. However, it is not expected that the list management requirements, which consist of a few TAILQ_* calls, would be significant. The investigation into the performance difference is still ongoing.

In comparison to the unmodified system presented in Figure 2, there is a dramatic improvement. In this experiment, clients were able to connect to the server and perform useful work (reading one byte), with all attempts completing within 1 second. In the unmodified system, 90% of the connections still had not completed the TCP handshake after 1 second. Even with reduced queue depths, the performance of the unmodified system does not match the new code.


Jonathan Lemon 2001-12-04