CVE patch impact

Sébastien Ros

Jul 31, 2019, 3:49:58 PM
to framework-benchmarks
On June 18th a patch was applied on the machines, cf. https://twitter.com/BrianHauerTSO/status/1141013278719524864

I was checking some numbers and the impact is actually very important, and some positions have changed quite a bit.

Before:

After:

For instance actix (rust) or aspnet (c#) got a big dip on Plaintext, while ulib (c++) hasn't.

Would be interesting to use TE's results to express the overall impact of this patch in a blog post maybe, and for us framework maintainers to learn from ulib to understand why the impact was so small.

Cheers,
Sebastien


Sébastien Ros

Jul 31, 2019, 3:50:40 PM
to framework-benchmarks
Also very important point, Round 18 was taken before the patch.

Brian Hauer

Jul 31, 2019, 6:58:57 PM
to framework-benchmarks
Sébastien,

The impact is indeed very significant!  And you are right, we took Round 18 results from before the patch.  That was mostly coincidental, but it was also convenient since we were not prepared to offer analysis into the impact of the CVE patch for the "TCP SACK PANIC" vulnerability.

I agree that it would be great for this to be written up as a blog post, and especially interesting if multiple framework maintainers collaborated on writing up thoughts and findings.  Who else in the community is interested in participating?  Is there anything we (TechEmpower) can provide to the community to help beyond just providing the data?

I wonder how this CVE patch plays in a virtualized environment.  Would a comparison test in Azure be possible?  Could we set up two otherwise-identical environments that vary only by the presence of the TCP SACK PANIC patches?  It may be nice to be able to iterate on a small suite of test implementations in such a side-by-side configuration.