Benchmarking on network-noteshttps://network-notes.com/tags/benchmarking/Recent content in Benchmarking on network-notesHugo -- gohugo.ioen-usbrett@network-notes.com (Brett Lykins)brett@network-notes.com (Brett Lykins)© 2015-2026 Brett LykinsThu, 30 Apr 2026 09:00:00 +0000CLI Over HTTPS Part 2: Proving Ithttps://network-notes.com/posts/2026/cli-over-https-2/Thu, 30 Apr 2026 09:00:00 +0000brett@network-notes.com (Brett Lykins)Brett Lykinshttps://network-notes.com/posts/2026/cli-over-https-2/<p>In <a href="https://network-notes.com/posts/2026/cli-over-https-1/">Part 1</a>, I argued that SSH is a slow transport for network automation at scale and that HTTPS is fundamentally faster. Round-trip analysis and back-of-napkin math are useful, but they&rsquo;re not proof. This post is the proof.</p> <p>I built <a href="https://github.com/lykinsbd/clibench">clibench</a>, a dual-protocol network device emulator and benchmark client that measures the difference at realistic latencies sourced from <a href="https://www.verizon.com/business/terms/latency/">Verizon&rsquo;s published backbone measurements</a>.</p> <h2 id="design-constraints">Design Constraints</h2> <p>For the comparison to mean anything, the test has to be fair. That means:</p> <ul> <li><strong>Same device, same commands, same output.</strong> Both transports hit the same <code>device.Device</code> struct. The only variable is how the command arrives and how the response leaves.</li> <li><strong>Same latency for both.</strong> Delay is injected at the TCP connection level, not the application level. Both SSH and HTTPS experience identical network conditions.</li> <li><strong>Realistic latency values.</strong> No made-up numbers. Every profile is sourced from published measurements.</li> <li><strong>Multiple modes per transport.</strong> SSH gets tested with fresh connections and with connection reuse (ControlMaster-style). HTTPS gets tested with fresh connections, keep-alive, multi-command batching, and config push. Each mode represents a real-world usage pattern.</li> </ul> <h2 id="architecture">Architecture</h2> <p>clibench is written in Go. The project has nine packages:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">internal/ </span></span><span class="line"><span class="cl"> bench/ Benchmark runner: SSH, HTTPS, proxy, and PTY modes </span></span><span class="line"><span class="cl"> device/ Shared command engine: prefix matching, transcript loading </span></span><span class="line"><span class="cl"> sshserver/ crypto/ssh listener, CiSSHGo patterns </span></span><span class="line"><span class="cl"> httpserver/ net/http + TLS, ASA-style /admin/exec/ and /admin/config </span></span><span class="line"><span class="cl"> proxy/ HTTPS→SSH edge proxy (fresh + pooled modes) </span></span><span class="line"><span class="cl"> netem/ tc netem latency injection (Linux, requires sudo) </span></span><span class="line"><span class="cl"> latency/ Userspace delay injection (fallback, no root) </span></span><span class="line"><span class="cl"> stats/ Benchmark statistics: percentile, summarize, parallel runner </span></span><span class="line"><span class="cl"> tlsutil/ Shared self-signed TLS config generator </span></span></code></pre></td></tr></table> </div> </div><p><img src="https://network-notes.com/img/2026/cli-over-https-bench-architecture.5fda7576f27eb2b1430a4a744666530cfc1e3a520c633554f8ab7a4da0730954.svg" alt="Benchmark architecture: client on the left, latency injection in the middle, SSH and HTTPS servers both feeding into a shared device.Device on the right" loading="lazy" /></p> <p>The benchmark client embeds its own server. No separate process needed. Latency is injected at the kernel level using Linux <code>tc netem</code>, applied per-port on the loopback interface so both SSH and HTTPS experience identical network conditions.</p> <h3 id="the-shared-command-engine">The Shared Command Engine</h3> <p>Both servers use the same <code>device.Device</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">type</span><span class="w"> </span><span class="nx">Device</span><span class="w"> </span><span class="kd">struct</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Hostname</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Username</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Password</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">commands</span><span class="w"> </span><span class="kd">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="w"> </span><span class="c1">// &#34;show version&#34; -&gt; transcript text</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">transcriptDir</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="kd">func</span><span class="w"> </span><span class="p">(</span><span class="nx">d</span><span class="w"> </span><span class="o">*</span><span class="nx">Device</span><span class="p">)</span><span class="w"> </span><span class="nf">Exec</span><span class="p">(</span><span class="nx">input</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="kt">string</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">input</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">TrimSpace</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">input</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&#34;&#34;</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="s">&#34;&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// exact match first</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">resp</span><span class="p">,</span><span class="w"> </span><span class="nx">ok</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">d</span><span class="p">.</span><span class="nx">commands</span><span class="p">[</span><span class="nx">input</span><span class="p">];</span><span class="w"> </span><span class="nx">ok</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">resp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// prefix match (&#34;sh ver&#34; -&gt; &#34;show version&#34;)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// returns &#34;% Ambiguous command&#34; or &#34;% Unknown command&#34; on miss</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Command transcripts are plain text files loaded from a directory. The filename convention maps to the command: <code>show_version.txt</code> becomes <code>show version</code>. Templates support <code>{{.Hostname}}</code> substitution. This follows the same pattern as <a href="https://network-notes.com/posts/2026/cisshgo-ssh-device-emulator/">CiSSHGo</a>, which I wrote about recently.</p> <h3 id="the-ssh-server">The SSH Server</h3> <p>The SSH side uses Go&rsquo;s <code>crypto/ssh</code> package with an ed25519 host key generated at startup. It supports both exec mode (<code>ssh host &quot;show version&quot;</code>) and interactive shell sessions with prompt rendering and command matching. The benchmark client tests both, since real-world tools are split: libraries like Go&rsquo;s <code>x/crypto/ssh</code> use exec mode, while Netmiko, Ansible, and Scrapli use PTY/shell.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="c1">// Exec mode: split newline-delimited payloads for batch support</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">case</span><span class="w"> </span><span class="s">&#34;exec&#34;</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nb">len</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">Payload</span><span class="p">)</span><span class="w"> </span><span class="p">&gt;</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">execCmd</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nb">string</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">Payload</span><span class="p">[</span><span class="mi">4</span><span class="p">:])</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">req</span><span class="p">.</span><span class="nf">Reply</span><span class="p">(</span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="kc">nil</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">execCmd</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="s">&#34;&#34;</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">out</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nx">Builder</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">_</span><span class="p">,</span><span class="w"> </span><span class="nx">line</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="k">range</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">Split</span><span class="p">(</span><span class="nx">execCmd</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;\n&#34;</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">cmd</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">TrimSpace</span><span class="p">(</span><span class="nx">line</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">cmd</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="s">&#34;&#34;</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">out</span><span class="p">.</span><span class="nf">WriteString</span><span class="p">(</span><span class="nx">s</span><span class="p">.</span><span class="nx">dev</span><span class="p">.</span><span class="nf">Exec</span><span class="p">(</span><span class="nx">cmd</span><span class="p">))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">io</span><span class="p">.</span><span class="nf">WriteString</span><span class="p">(</span><span class="nx">ch</span><span class="p">,</span><span class="w"> </span><span class="nx">out</span><span class="p">.</span><span class="nf">String</span><span class="p">())</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ch</span><span class="p">.</span><span class="nf">SendRequest</span><span class="p">(</span><span class="s">&#34;exit-status&#34;</span><span class="p">,</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="p">[]</span><span class="kt">byte</span><span class="p">{</span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">})</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-https-server">The HTTPS Server</h3> <p>The HTTPS side generates a self-signed P-256 ECDSA certificate at startup (negotiating TLS 1.3 with <code>TLS_AES_128_GCM_SHA256</code>) and exposes the same endpoints as the <a href="https://www.cisco.com/c/en/us/td/docs/security/asa/misc/http-interface/asa-http-interface.html">Cisco ASA HTTP interface</a>:</p> <ul> <li><code>GET /admin/exec/show+version</code>. Single command, URL-encoded</li> <li><code>GET /admin/exec/cmd1/cmd2/cmd3</code>. Multiple commands, slash-separated</li> <li><code>POST /admin/config</code>. Bulk commands, newline-delimited body</li> </ul> <p>Authentication is HTTP Basic over TLS, matching the ASA&rsquo;s behavior.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">func</span><span class="w"> </span><span class="p">(</span><span class="nx">s</span><span class="w"> </span><span class="o">*</span><span class="nx">Server</span><span class="p">)</span><span class="w"> </span><span class="nf">handleExec</span><span class="p">(</span><span class="nx">w</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">ResponseWriter</span><span class="p">,</span><span class="w"> </span><span class="nx">r</span><span class="w"> </span><span class="o">*</span><span class="nx">http</span><span class="p">.</span><span class="nx">Request</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">path</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">TrimPrefix</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">URL</span><span class="p">.</span><span class="nx">Path</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;/admin/exec/&#34;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">parts</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">Split</span><span class="p">(</span><span class="nx">path</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;/&#34;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="kd">var</span><span class="w"> </span><span class="nx">out</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nx">Builder</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">_</span><span class="p">,</span><span class="w"> </span><span class="nx">p</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="k">range</span><span class="w"> </span><span class="nx">parts</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">cmd</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">ReplaceAll</span><span class="p">(</span><span class="nx">p</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;+&#34;</span><span class="p">,</span><span class="w"> </span><span class="s">&#34; &#34;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">cmd</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">TrimSpace</span><span class="p">(</span><span class="nx">cmd</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">cmd</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&#34;&#34;</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">continue</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">out</span><span class="p">.</span><span class="nf">WriteString</span><span class="p">(</span><span class="nx">s</span><span class="p">.</span><span class="nx">dev</span><span class="p">.</span><span class="nf">Exec</span><span class="p">(</span><span class="nx">cmd</span><span class="p">))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">w</span><span class="p">.</span><span class="nf">Header</span><span class="p">().</span><span class="nf">Set</span><span class="p">(</span><span class="s">&#34;Content-Type&#34;</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;text/plain&#34;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">io</span><span class="p">.</span><span class="nf">WriteString</span><span class="p">(</span><span class="nx">w</span><span class="p">,</span><span class="w"> </span><span class="nx">out</span><span class="p">.</span><span class="nf">String</span><span class="p">())</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="the-benchmark-client">The Benchmark Client</h3> <p>The client calls both transports with the same commands and measures wall-clock time. The key difference is visible in the code: SSH requires connection setup, auth, channel open, and per-command exec requests. HTTPS is a single HTTP call:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="c1">// SSH: connect + auth + exec per command</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">client</span><span class="p">,</span><span class="w"> </span><span class="nx">_</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">ssh</span><span class="p">.</span><span class="nf">Dial</span><span class="p">(</span><span class="s">&#34;tcp&#34;</span><span class="p">,</span><span class="w"> </span><span class="nx">addr</span><span class="p">,</span><span class="w"> </span><span class="nx">sshConfig</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">for</span><span class="w"> </span><span class="nx">_</span><span class="p">,</span><span class="w"> </span><span class="nx">cmd</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="k">range</span><span class="w"> </span><span class="nx">commands</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">session</span><span class="p">,</span><span class="w"> </span><span class="nx">_</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">client</span><span class="p">.</span><span class="nf">NewSession</span><span class="p">()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">output</span><span class="p">,</span><span class="w"> </span><span class="nx">_</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">session</span><span class="p">.</span><span class="nf">CombinedOutput</span><span class="p">(</span><span class="nx">cmd</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">session</span><span class="p">.</span><span class="nf">Close</span><span class="p">()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">// HTTPS: one request, all commands</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">url</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="s">&#34;https://&#34;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">addr</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s">&#34;/admin/exec/&#34;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">Join</span><span class="p">(</span><span class="nx">commands</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;/&#34;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">resp</span><span class="p">,</span><span class="w"> </span><span class="nx">_</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">httpClient</span><span class="p">.</span><span class="nf">Get</span><span class="p">(</span><span class="nx">url</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">body</span><span class="p">,</span><span class="w"> </span><span class="nx">_</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">io</span><span class="p">.</span><span class="nf">ReadAll</span><span class="p">(</span><span class="nx">resp</span><span class="p">.</span><span class="nx">Body</span><span class="p">)</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="latency-injection">Latency Injection</h3> <p>Latency is injected using Linux <code>tc netem</code> on the loopback interface, configured entirely via the <a href="https://github.com/vishvananda/netlink"><code>vishvananda/netlink</code></a> library, the same netlink library used by Docker and Kubernetes. The tool sets up a <code>prio</code> qdisc with per-port <code>u32</code> filters so that traffic to the SSH and HTTPS server ports gets the configured one-way delay, while other loopback traffic is unaffected. This requires root or <code>CAP_NET_ADMIN</code>, the same requirement as most raw-socket networking tools.</p> <details> <summary>Netlink qdisc setup code (click to expand)</summary> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="c1">// Qdisc setup via netlink - no shell-out to tc</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">prio</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nf">NewPrio</span><span class="p">(</span><span class="nx">netlink</span><span class="p">.</span><span class="nx">QdiscAttrs</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">LinkIndex</span><span class="p">:</span><span class="w"> </span><span class="nx">loopbackIndex</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Handle</span><span class="p">:</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nf">MakeHandle</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">),</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Parent</span><span class="p">:</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nx">HANDLE_ROOT</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">})</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">prio</span><span class="p">.</span><span class="nx">Bands</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mi">4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">prio</span><span class="p">.</span><span class="nx">PriorityMap</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">[</span><span class="mi">16</span><span class="p">]</span><span class="kt">uint8</span><span class="p">{}</span><span class="w"> </span><span class="c1">// unmatched traffic → band 0 (no delay)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">netlink</span><span class="p">.</span><span class="nf">QdiscAdd</span><span class="p">(</span><span class="nx">prio</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">netem</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nf">NewNetem</span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nx">QdiscAttrs</span><span class="p">{</span><span class="nx">Parent</span><span class="p">:</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nf">MakeHandle</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="p">)},</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nx">NetemQdiscAttrs</span><span class="p">{</span><span class="nx">Latency</span><span class="p">:</span><span class="w"> </span><span class="nb">uint32</span><span class="p">(</span><span class="nx">delay</span><span class="p">.</span><span class="nf">Microseconds</span><span class="p">())},</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">netlink</span><span class="p">.</span><span class="nf">QdiscAdd</span><span class="p">(</span><span class="nx">netem</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c1">// Per-port u32 filter: match dport, classify to delayed band</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nx">netlink</span><span class="p">.</span><span class="nf">FilterAdd</span><span class="p">(</span><span class="o">&amp;</span><span class="nx">netlink</span><span class="p">.</span><span class="nx">U32</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">FilterAttrs</span><span class="p">:</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nx">FilterAttrs</span><span class="p">{</span><span class="nx">Parent</span><span class="p">:</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nf">MakeHandle</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="p">),</span><span class="w"> </span><span class="nx">Protocol</span><span class="p">:</span><span class="w"> </span><span class="mh">0x0800</span><span class="p">},</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ClassId</span><span class="p">:</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nf">MakeHandle</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="p">),</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Sel</span><span class="p">:</span><span class="w"> </span><span class="o">&amp;</span><span class="nx">netlink</span><span class="p">.</span><span class="nx">TcU32Sel</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Flags</span><span class="p">:</span><span class="w"> </span><span class="nx">netlink</span><span class="p">.</span><span class="nx">TC_U32_TERMINAL</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Keys</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span><span class="nx">netlink</span><span class="p">.</span><span class="nx">TcU32Key</span><span class="p">{{</span><span class="nx">Val</span><span class="p">:</span><span class="w"> </span><span class="nb">uint32</span><span class="p">(</span><span class="nx">port</span><span class="p">),</span><span class="w"> </span><span class="nx">Mask</span><span class="p">:</span><span class="w"> </span><span class="mh">0xffff</span><span class="p">,</span><span class="w"> </span><span class="nx">Off</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">}},</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">},</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">})</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div></details> <p>Because <code>netem</code> operates at the kernel&rsquo;s network stack, it captures real TCP behavior: Nagle&rsquo;s algorithm, delayed ACKs, TCP window scaling, and proper per-packet delay. Every packet in both directions, client-to-server and server-to-client, experiences the configured delay. This is more accurate than userspace delay injection, which can&rsquo;t distinguish between logically separate protocol exchanges that happen to be coalesced into a single write.</p> <p>A <code>-userspace</code> flag is available as a fallback for environments where root isn&rsquo;t available, but the published numbers all use <code>tc netem</code>.</p> <h2 id="latency-profiles">Latency Profiles</h2> <p>Each profile corresponds to a real network path, sourced from <a href="https://www.verizon.com/business/terms/latency/">Verizon Enterprise&rsquo;s monthly IP latency statistics</a> (March 2026). The simulated RTT values are rounded for readability; the Verizon measured column shows the exact source data:</p> <table> <thead> <tr> <th>Profile</th> <th>Simulated RTT</th> <th>Real-world path</th> <th>Verizon measured RTT</th> </tr> </thead> <tbody> <tr> <td><code>local</code></td> <td>0ms</td> <td>Co-located</td> <td>Baseline</td> </tr> <tr> <td><code>campus</code></td> <td>2ms</td> <td>Same data center</td> <td>AWS/Prisma: 1-2ms</td> </tr> <tr> <td><code>regional</code></td> <td>30ms</td> <td>US backbone</td> <td>29.9ms</td> </tr> <tr> <td><code>continental</code></td> <td>70ms</td> <td>NYC ↔ London</td> <td>70.2ms</td> </tr> <tr> <td><code>intercontinental</code></td> <td>150ms</td> <td>US ↔ Hong Kong</td> <td>145.5ms</td> </tr> <tr> <td><code>transpacific</code></td> <td>175ms</td> <td>NA ↔ Taiwan</td> <td>175.2ms</td> </tr> </tbody> </table> <h2 id="benchmark-modes">Benchmark Modes</h2> <p>The client tests these scenarios across both transports (plus a multi-command GET mode when running more than one command per iteration):</p> <h3 id="ssh-exec-modes">SSH Exec Modes</h3> <p>SSH exec mode opens a channel, sends a command, and reads the output. This is what Go&rsquo;s <code>x/crypto/ssh</code>, Paramiko&rsquo;s <code>exec_command()</code>, and OpenSSH&rsquo;s <code>ssh host &quot;cmd&quot;</code> use. Each command gets its own channel.</p> <table> <thead> <tr> <th>Mode</th> <th>What it measures</th> </tr> </thead> <tbody> <tr> <td><code>ssh/fresh-conn</code></td> <td>Full SSH lifecycle per iteration: TCP + handshake + auth + channel + exec</td> </tr> <tr> <td><code>ssh/reuse-conn</code></td> <td>One SSH connection shared across all iterations (ControlMaster-style)</td> </tr> <tr> <td><code>ssh/batch-exec</code></td> <td>Multi-line command string over a single exec session</td> </tr> </tbody> </table> <h3 id="ssh-ptyshell-modes">SSH PTY/Shell Modes</h3> <p>SSH PTY mode opens an interactive shell with a pseudo-terminal, sends commands as keystrokes, and detects the prompt after each command. This is what <strong>Netmiko</strong>, <strong>Ansible <code>network_cli</code></strong>, <strong>Scrapli</strong>, and most real-world network automation tools use. Many network devices don&rsquo;t support exec mode properly, and automation tools need prompt detection, pagination control, and mode transitions. (Part 1 called this the <a href="https://network-notes.com/posts/2026/cli-over-https-1/#the-screen-scraping-tax">&ldquo;screen-scraping tax&rdquo;</a>, the cost of parsing an unstructured byte stream.)</p> <p>The PTY benchmark includes session preparation (sending <code>terminal length 0</code> and <code>terminal width 511</code> before the first command) and per-command echo verification (reading until the echoed command appears, then reading until the prompt), matching the protocol-level behavior common to all major tools.</p> <table> <thead> <tr> <th>Mode</th> <th>What it measures</th> </tr> </thead> <tbody> <tr> <td><code>ssh/pty-fresh</code></td> <td>Full SSH lifecycle + PTY + shell + session prep + commands with echo verification</td> </tr> <tr> <td><code>ssh/pty-reuse</code></td> <td>Shared connection, new PTY/shell per iteration with session prep</td> </tr> </tbody> </table> <h3 id="https-modes">HTTPS Modes</h3> <table> <thead> <tr> <th>Mode</th> <th>What it measures</th> </tr> </thead> <tbody> <tr> <td><code>https/fresh-conn</code></td> <td>New TCP + TLS handshake per iteration (<code>DisableKeepAlives: true</code>)</td> </tr> <tr> <td><code>https/keep-alive</code></td> <td>Single TCP + TLS connection reused across all iterations (default HTTP behavior)</td> </tr> <tr> <td><code>https/batch-post</code></td> <td>All commands in one POST body (<code>/admin/config</code>)</td> </tr> <tr> <td><code>https/multi-cmd</code></td> <td>All commands in one GET request (ASA <code>/admin/exec/cmd1/cmd2</code> syntax)</td> </tr> </tbody> </table> <p>Each mode runs N iterations, each executing 5 <code>show version</code> commands. The client reports min, max, average, p50, p95, and standard deviation.</p> <h2 id="running-it-yourself">Running It Yourself</h2> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone https://github.com/lykinsbd/clibench.git </span></span><span class="line"><span class="cl"><span class="nb">cd</span> clibench </span></span><span class="line"><span class="cl">go build -o bin/bench ./cmd/bench/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Baseline - no added latency (no root needed)</span> </span></span><span class="line"><span class="cl">./bin/bench -latency <span class="nb">local</span> -iterations <span class="m">20</span> -commands <span class="m">5</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># US backbone - 30ms RTT (requires root for tc netem)</span> </span></span><span class="line"><span class="cl">sudo ./bin/bench -latency regional -iterations <span class="m">20</span> -commands <span class="m">5</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># US to Hong Kong - 150ms RTT</span> </span></span><span class="line"><span class="cl">sudo ./bin/bench -latency intercontinental -iterations <span class="m">20</span> -commands <span class="m">5</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Fallback: userspace delay injection (no root, less accurate)</span> </span></span><span class="line"><span class="cl">./bin/bench -latency regional -iterations <span class="m">20</span> -commands <span class="m">5</span> -userspace </span></span></code></pre></td></tr></table> </div> </div><p>clibench embeds its own server. No separate process needed. Non-local profiles require root (or <code>CAP_NET_ADMIN</code>) for <code>tc netem</code> on the loopback interface. Output is JSON.</p> <h2 id="results">Results</h2> <p>5 commands per iteration, all times in milliseconds (average of 20 iterations). Latency injected via <code>tc netem</code> on the loopback interface.</p> <p>At zero latency, SSH exec mode is the fastest option. There&rsquo;s no round-trip penalty, and SSH&rsquo;s binary framing has less per-message overhead than HTTP headers + TLS:</p> <p><img src="https://network-notes.com/img/2026/cli-over-https-bench-local.016c463cda2ffbff3ef237d3f2986ee2b27c37a09c455f2c394e3c0b416ba37c.svg" alt="Bar chart at 0ms RTT showing SSH exec-fresh at 3.9ms, PTY-fresh at 4.3ms, and HTTPS fresh at 12.0ms" loading="lazy" /></p> <p>The moment real network latency enters the picture, the result flips. At 30ms RTT, a US backbone path per Verizon&rsquo;s March 2026 measurements, HTTPS batch is 16.8x faster than SSH PTY fresh and 15.9x faster than SSH exec fresh-conn:</p> <p><img src="https://network-notes.com/img/2026/cli-over-https-bench-regional.eb891e20708c51e9da713ce909b2088de07d106485a700f823d35833d01957f0.svg" alt="Bar chart at 30ms RTT showing SSH exec-fresh at 494ms, PTY-fresh at 522ms, and HTTPS batch at 31ms" loading="lazy" /></p> <p>At intercontinental distances (US ↔ Hong Kong, 150ms RTT), SSH PTY fresh takes 2.6 seconds for 5 commands. SSH exec fresh takes 2.4 seconds. HTTPS batch does it in 151ms:</p> <p><img src="https://network-notes.com/img/2026/cli-over-https-bench-intercontinental.5a06f3614b9f61e6c31b509722e421529c638a65a69e5f8545afcafdfff06c33.svg" alt="Bar chart at 150ms RTT showing SSH PTY-fresh at 2,565ms, exec-fresh at 2,412ms, and HTTPS batch at 151ms" loading="lazy" /></p> <h3 id="exec-mode-vs-ptyshell-mode">Exec Mode vs PTY/Shell Mode</h3> <p>The PTY overhead comes from session preparation (<code>terminal length 0</code>, <code>terminal width 511</code>) and per-command echo verification. At higher latencies, this adds up:</p> <table> <thead> <tr> <th>Profile</th> <th>RTT</th> <th>SSH exec fresh</th> <th>SSH PTY fresh</th> <th>PTY overhead</th> </tr> </thead> <tbody> <tr> <td>local</td> <td>0ms</td> <td>3.9ms</td> <td>4.3ms</td> <td>+0.4ms</td> </tr> <tr> <td>campus</td> <td>2ms</td> <td>40ms</td> <td>42ms</td> <td>+2ms</td> </tr> <tr> <td>regional</td> <td>30ms</td> <td>494ms</td> <td>522ms</td> <td>+28ms</td> </tr> <tr> <td>continental</td> <td>70ms</td> <td>1,144ms</td> <td>1,213ms</td> <td>+69ms</td> </tr> <tr> <td>intercontinental</td> <td>150ms</td> <td>2,412ms</td> <td>2,565ms</td> <td>+153ms</td> </tr> </tbody> </table> <p>The PTY overhead scales linearly with RTT because the session prep commands add roughly one extra round trip of overhead before the first real command runs. At 150ms RTT, that&rsquo;s ~150ms of pure protocol overhead. And this is the best case. Real devices add processing time, ANSI escape codes, and prompt detection regex that the emulator doesn&rsquo;t capture.</p> <h3 id="speedup-vs-ssh-pty-fresh-what-most-tools-actually-use">Speedup vs SSH PTY fresh (what most tools actually use)</h3> <table> <thead> <tr> <th>Profile</th> <th>RTT</th> <th>SSH exec fresh</th> <th>SSH reuse</th> <th>HTTPS keep-alive</th> <th>HTTPS batch</th> </tr> </thead> <tbody> <tr> <td>local</td> <td>0ms</td> <td>1.1x</td> <td>3.9x</td> <td>7.2x</td> <td>19.1x</td> </tr> <tr> <td>campus</td> <td>2ms</td> <td>1.1x</td> <td>1.8x</td> <td>3.3x</td> <td>16.3x</td> </tr> <tr> <td>regional</td> <td>30ms</td> <td>1.1x</td> <td>1.7x</td> <td>3.3x</td> <td>16.8x</td> </tr> <tr> <td>continental</td> <td>70ms</td> <td>1.1x</td> <td>1.7x</td> <td>3.4x</td> <td>16.3x</td> </tr> <tr> <td>intercontinental</td> <td>150ms</td> <td>1.1x</td> <td>1.7x</td> <td>3.4x</td> <td>17.0x</td> </tr> </tbody> </table> <h2 id="what-the-numbers-say">What the Numbers Say</h2> <p>All results are from 20 iterations per profile. Variance was low, at regional (30ms), SSH exec fresh-conn p50 was 492ms with p95 at 508ms.</p> <p><strong>At zero latency, SSH exec wins.</strong> When there&rsquo;s no network delay, TLS handshake overhead dominates. SSH exec fresh-conn takes 3.9ms; HTTPS fresh-conn takes 12.0ms. But PTY mode is already slower at 4.3ms due to session prep overhead. The reuse modes tell a different story: SSH exec reuse (1.1ms) and HTTPS keep-alive (0.6ms) are both sub-millisecond. Once the handshake is amortized, both protocols are fast.</p> <p><strong>Most automation tools don&rsquo;t use exec mode.</strong> As covered <a href="https://network-notes.com/posts/2026/cli-over-https-2/#ssh-ptyshell-modes">above</a>, they use PTY/shell mode for prompt detection, pagination control, and mode transitions. The PTY numbers are what your automation actually experiences.</p> <p><strong>SSH reuse helps, but not enough.</strong> Sharing one SSH connection (the ControlMaster pattern) eliminates the handshake cost, but each command still requires its own round trips. The improvement is consistent at ~1.7x. Real, but modest.</p> <p><strong>HTTPS keep-alive is ~3.4x faster at any real latency.</strong> Every HTTP client library does connection pooling by default. You don&rsquo;t have to configure anything special. Just reuse the <code>http.Client</code>. At 30ms RTT, that&rsquo;s 158ms vs 522ms (PTY fresh).</p> <p><strong>HTTPS batch is ~17x faster.</strong> Batching all commands into a single HTTP request eliminates per-command round trips entirely. The entire exchange costs one round trip regardless of command count. At 150ms RTT, that&rsquo;s 151ms vs 2,565ms (PTY fresh). Unlike keep-alive (which still pays one round trip per command), batch mode pays a fixed cost regardless of command count.</p> <p><strong>The advantage grows with command count, for per-command modes.</strong> At 30ms RTT with 50 commands, SSH exec fresh-conn takes 3,253ms. SSH PTY fresh takes 1,912ms (PTY avoids per-command channel overhead but pays per-command echo verification). HTTPS keep-alive takes 1,548ms. But HTTPS batch takes just 33ms. A ~99x improvement over exec fresh and ~58x over PTY fresh. SSH batch-exec shows the same flat scaling (~250ms regardless of command count), confirming this is a property of batching, not the transport.</p> <p><img src="https://network-notes.com/img/2026/cli-over-https-command-scaling.7c056e6f62149c833ff6d10a41480272480f71fb76eaa5acb3ddc1d8a7df97dc.svg" alt="Time vs command count at 30ms RTT: batch modes stay flat while per-command modes scale linearly" loading="lazy" /></p> <h2 id="what-this-means-at-scale">What This Means at Scale</h2> <p>If you&rsquo;re managing 100 devices serially (worst case, no concurrency), using PTY mode (what Netmiko/Ansible actually do):</p> <table> <thead> <tr> <th>Profile</th> <th>RTT</th> <th>SSH PTY fresh (total)</th> <th>HTTPS batch (total)</th> <th>Time saved</th> </tr> </thead> <tbody> <tr> <td>regional</td> <td>30ms</td> <td>52s</td> <td>3.1s</td> <td>49s</td> </tr> <tr> <td>continental</td> <td>70ms</td> <td>121s (2.0 min)</td> <td>7.4s</td> <td>114s</td> </tr> <tr> <td>intercontinental</td> <td>150ms</td> <td>257s (4.3 min)</td> <td>15s</td> <td>242s (4.0 min)</td> </tr> </tbody> </table> <p>Concurrency shrinks the wall time, but the per-device cost stays the same. At 150ms RTT with 10 concurrent workers against 1,000 devices, SSH PTY takes ~4.3 minutes of wall time. HTTPS batch takes ~15 seconds.</p> <h2 id="limitations">Limitations</h2> <p>This benchmark measures transport overhead, not device processing time. Real network devices add their own latency to command execution: parsing the command, generating output, writing to the terminal. That cost is the same regardless of transport, so it doesn&rsquo;t affect the relative comparison.</p> <p>The HTTPS server uses a self-signed certificate with no session resumption. TLS 1.3 0-RTT resumption would make the HTTPS numbers even better on repeated connections, but I didn&rsquo;t implement it because most device management scenarios don&rsquo;t maintain long-lived TLS sessions.</p> <p>A <code>-userspace</code> flag is available as a fallback for environments where root isn&rsquo;t available, but it under-counts SSH round trips due to write coalescing in Go&rsquo;s <code>crypto/ssh</code>. The published numbers all use <code>tc netem</code>.</p> <h2 id="whats-next">What&rsquo;s Next</h2> <p>In Part 3, I&rsquo;ll look at what happens when you can&rsquo;t change the device: the proxy pattern. Move SSH to the edge, talk HTTPS over the WAN, and capture most of the improvement without touching a single device config.</p> <p>The <a href="https://github.com/lykinsbd/clibench">benchmark code</a> already supports proxy mode. Try it yourself and see what your numbers look like.</p>