Re: [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-bmwg-ngfw-performance-15> for your review
rfc-editor@rfc-editor.org Tue, 28 February 2023 23:31 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4547EC15DD44; Tue, 28 Feb 2023 15:31:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.108
X-Spam-Level:
X-Spam-Status: No, score=-3.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, CTE_8BIT_MISMATCH=0.84, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PjLbnOSp2wMA; Tue, 28 Feb 2023 15:31:33 -0800 (PST)
Received: from rfcpa.amsl.com (rfc-editor.org [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E373FC140661; Tue, 28 Feb 2023 15:31:33 -0800 (PST)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id A386D88A97; Tue, 28 Feb 2023 15:31:33 -0800 (PST)
To: bm.balarajah@gmail.com, cross@eantc.de, bmonkman@netsecopen.org
From: rfc-editor@rfc-editor.org
Cc: rfc-editor@rfc-editor.org, bmwg-ads@ietf.org, bmwg-chairs@ietf.org, acm@research.att.com, warren@kumari.net, auth48archive@rfc-editor.org
Content-type: text/plain; charset="UTF-8"
Message-Id: <20230228233133.A386D88A97@rfcpa.amsl.com>
Date: Tue, 28 Feb 2023 15:31:33 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/fS5QB02Sotwk982hnjGQD7yBtmc>
Subject: Re: [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-bmwg-ngfw-performance-15> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2023 23:31:38 -0000
Authors, While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file. 1) <!--[rfced] Section 1. FYI, we have updated instances where "ACL" is expanded as "access control rule" to be "access control list". Please review and let us know if further updates are needed. Original: Firewalls have evolved significantly from the days of simple ACL filters. ... In addition, a realistic number of access control rules (ACL) SHOULD be configured on the DUT/SUT where ACLs are configurable and reasonable based on the deployment scenario. Current: Firewalls have evolved significantly from the days of simple access control list (ACL) filters. ... In addition, a realistic number of access control lists (ACLs) SHOULD be configured on the DUT/SUT where ACLs are configurable and reasonable based on the deployment scenario. --> 2) <!-- [rfced] Section 4.2.1. Would you like to provide a reference for the Common Vulnerabilities and Exposures (CVE) list? Original: This section defines the selection of the security vulnerability sets from the Common Vulnerabilities and Exposures (CVE) list for testing. --> 3) <!-- [rfced] Section 4.3.1.3. FYI, we have updated the following sentence by removing "be". Please let us know if any changes are necessary: Original: * If multiple IP blocks are used, they MUST be consist of multiple unique, discontinuous static address blocks. Current: * If multiple IP blocks are used, they MUST consist of multiple unique, discontinuous static address blocks. --> 4) <!-- [rfced] Section 4.3.1.4. We have updated the following HTTP/2 terms to match RFC 9113. Please let us know if any updates are needed: Original: * Maximum Frame size: 16384 bytes * Initial Window size: 65535 bytes * HPACK Header table size: 4096 bytes * Server PUSH enable: false Current (using lowercase and changing "Header table" to "header field table"): * Maximum frame size: 16384 bytes * Initial window size: 65535 bytes * HPACK header field table size: 4096 bytes * Server push enable: false --> 5) <!--[rfced] Section 4.3.2.4. Is "any port" all encompassing? Should "UDP port 443" be removed? Original: HTTP/3 server pool listens on UDP port 443 or any port. Perhaps: The HTTP/3 server pool listens on any port. --> 6) <!-- [rfced] Section 4.3.3. We are having difficulty parsing the following. Will the server be ready to accept "connection states" or just "connections"? Is the initialization of the transport stack part of the init phase or the ramp up phase of the traffic load profile? Are the HTTP(S) servers bound or are their connections inbound? Are clients added throughout the testing, as implied by "When a client endpoint is needed", or only during the init phase, as described in Section 4.3.4? Please let us know how to make this clearer. Original: At the beginning of the test, the server endpoint initializes and will be ready to accept connection states including initialization of the TCP or QUIC stack as well as bound HTTP and HTTPS servers. When a client endpoint is needed, it will initialize and be given attributes such as a MAC and IP address. The behavior of the client is to sweep through the given server IP space, generating a recognizable service by the DUT. Possibly (clarifying load phase and server connections; tweaking the wording of client behavior): At the beginning of the test (the init phase; see Section 4.3.4), the server endpoint initializes, and the server endpoint will be ready to accept TCP or QUIC connections as well as inbound HTTP and HTTPS requests. The client endpoints initialize and are given attributes such as a MAC and IP address. After the init phase of the test, each client sweeps through the given server IP space, generating a service recognizable by the DUT. --> 7) <!-- [rfced] Section 4.3.3.1. Does the following suggestion improve the readability of the sentence? Original: If using SNI, the server MUST then perform an SNI name check with the proposed FQDN compared to the domain embedded in the certificate. Perhaps (changing "with...compared to" to "by comparing...to"): If using SNI, the server MUST then perform an SNI name check by comparing the proposed FQDN to the domain embedded in the certificate. --> 8) <!-- [rfced] Section 5. Does the following update improve the readability of the sentence? Original: 3. Ensure that any ancillary switching or routing functions added in the test equipment do not limit the performance by introducing network metrics such as packet loss and latency. Perhaps (removing "network metrics such as" because the terms "packet loss and latency" don't refer to metrics in this case): 3. Ensure that any ancillary switching or routing functions added in the test equipment do not limit performance by introducing packet loss or latency. --> 9) <!--[rfced] Section 6.1. As both of the bullet points listed below list multiple items, should their contents be separated into multiple bullet points? Original: * If the DUT/SUT is a Virtual Network Function (VNF), host (server) hardware and software details, interface acceleration type such as DPDK and SR-IOV, used CPU cores, used RAM, resource sharing (e.g. Pinning details and NUMA Node) configuration details, hypervisor version, virtual switch version ... * If the test equipment is a virtual solution, the host (server) hardware and software details, interface acceleration type such as DPDK and SR-IOV, used CPU cores, used RAM, resource sharing (e.g. Pinning details and NUMA Node) configuration details, hypervisor version, virtual switch version --> 10) <!-- [rfced] Section 7.1.3.1. We are having difficulty parsing the following sentence. Does TLS inspection impact the mix of encrypted traffic at the application layer? Original: In case the DUT/SUT is configured without TLS inspection, the test report MUST explain the implications of this to the relevant application traffic mix encrypted traffic. Possibly: If the DUT/SUT is configured without TLS inspection, the test report MUST explain how this impacts the mix of relevant encrypted traffic at the application layer. --> 11) <!-- [rfced] Section 7.2.4 and also 7.6.4. Do the following updates clarify these two sentences? Original: The test procedure is designed to measure the TCP connections per second rate of the DUT/SUT at the sustaining period of the traffic load profile. ... The test procedure is designed to measure the TCP or QUIC connections per second rate of the DUT/SUT at the sustaining period of the traffic load profile. Perhaps (clarifying what is being measured and when): The test procedure is designed to measure the DUT/SUT's rate of TCP connections per second during the sustaining period of the traffic load profile. ... The test procedure is designed to measure the DUT/SUT's rate of TCP or QUIC connections per second during the sustaining period of the traffic load profile. --> 12) <!--[rfced] Section 7.3.4.1. "Initial inspected throughput" is not defined in Section 7.3.3.2, but that section does define "Target inspected throughput" and "Initial throughput". Please review and let us know how to update. Original: Configure the traffic load profile of the test equipment to establish "Initial inspected throughput" as defined in Section 7.3.3.2. ... The traffic load profile MUST be defined as described in Section 4.3.4. The DUT/SUT MUST reach the "Initial inspected throughput" during the sustain phase. --> 13) <!--[rfced] Sections 7.5.4.1 and 7.9.4.1. We note that Sections 7.5.3.2 and 7.9.3.2 do not contain definitions of "Initial concurrent TCP connections", but it does contain "Initial concurrent connections". Please review and let us know how to update. Original: Configure test equipment to establish "Initial concurrent TCP connections" defined in Section 7.5.3.2. ... Configure test equipment to establish "Initial concurrent TCP connections" defined in Section 7.9.3.2. --> 14) <!-- [rfced] Informative References. FYI, we updated the Wikipedia reference to include the title, date, and a dated URI. Please let us know if any updates are necessary. Original: [Wiki-NGFW] "", <https://en.wikipedia.org/wiki/Next-generation_firewall>. Current: [Wiki-NGFW] Wikipedia, "Next-generation firewall", January 2023, <https://en.wikipedia.org/w/index.php?title=Next- generation_firewall&oldid=1133673904>. --> 15) <!-- [rfced] Informative References. FYI, we updated the title of this reference to the title of the URL provided. Original: [fastly] Oku, K. and J. Iyengar, "Can QUIC match TCP's computational efficiency?", 30 April 2020, <https://www.fastly.com/blog/measuring-quic-vs-tcp- computational-efficiency>. Current: [fastly] Oku, K. and J. Iyengar, "QUIC vs TCP: Which is Better?", 30 April 2020, <https://www.fastly.com/blog/measuring-quic-vs-tcp- computational-efficiency>. --> 16) <!--[rfced] Appendix A.5. FYI, to parallel the other terminology defined in Appendix A.5, we have updated the text as follows. Please let us know of any objections. Original: - Heavily impacted: Considered as "Heavily impacted" if any deviation of traffic forwarding rate is greater than 10% (i.e. large spikes) or reduced the background HTTP(S) throughput greater than 10% Current: - Heavy impact: Considered as "heavy impact" if any deviation of the traffic forwarding rate is greater than 10% (i.e., large spikes) or reduced the background HTTP(S) throughput greater than 10% --> 17) <!--[rfced] Appendix A.6.2. Should the section number be included here? Original: While generating background traffic (in sustain phase), send the CVE traffic as defined in the parameter section. Perhaps: While generating background traffic (in sustain phase), send the CVE traffic as defined in the parameter section (Appendix A.3.2). --> 18) <!-- [rfced] Appendix A.6.2. Does the following reordering of the conditional phrase improve the readability of the sentence? Original: In addition, the DUT/SUT should either report the detected vulnerabilities in the log correctly or if, for example, a different naming convention is used, there MUST be reference material available that will allow for verification that the correct vulnerability was detected. Perhaps (moving the example conditional phrase to the end): In addition, the DUT/SUT should report the detected vulnerabilities in the log correctly, or there MUST be reference material available that will allow for verification that the correct vulnerability was detected if, for example, a different naming convention is used. --> 19) <!-- [rfced] Formatting Questions: a) Section 4.2. Would you like to format Figure 3 as a <table> instead? b) Please review the lists in the "Test Equipment Configuration Parameters" sections listed below to ensure correctness. We updated to use bulleted lists for the parameters (the original xml contained a mix of <ul empty="true" spacing="normal"> and <t>). 7.2.3.2 7.3.3.2 7.4.3.2 7.5.3.2 7.6.3.2 7.7.3.2 7.8.3.2 7.9.3.2 In particular, in Section 7.2.3.2, should the last two paragraphs (after the Note) be part of the bulleted list? Also, in Section 7.6.3.2, should the last paragraph be part of the bulleted list? c) Please review whether any of the notes in this document should be in the <aside> element. It is defined as "a container for content that is semantically less important or tangential to the content that surrounds it" (https://authors.ietf.org/en/rfcxml-vocabulary#aside). --> 20) <!--[rfced] FYI, to make the use of the terms "target objective" and "initial objective" consistent, we have updated '"Initial objective"' to 'initial objectives' and '"Target objective"' to 'target objectives' when the terms were referring to multiple objectives. Please let us know if any changes are needed. For example: Original: Configure the traffic load profile of the test equipment to establish the "Initial objective" as defined in Section 7.4.3.2. Current (made 'initial objective' plural because there are two initial objectives specified in Section 7.4.3.2): Configure the traffic load profile of the test equipment to establish the initial objectives as defined in Section 7.4.3.2. --> 21) <!-- [rfced] Throughout the text, the KPIs appear to be capitalized inconsistently. May we make the KPIs lower case when used generally in the text and upper case in section titles and when they are being defined? For example: Original: The duration for the ramp up phase MUST be configured long enough that the test equipment does not overwhelm the DUT/SUTs stated performance metrics defined in Section 6.3 namely, TCP or QUIC Connections Per Second, Inspected Throughput, Concurrent TCP or QUIC Connections, and Application Transactions Per Second. ... * Application Transactions Per Second The average number of successfully completed transactions per second. For a particular transaction to be considered successful, all data MUST have been transferred in its entirety. In case of HTTP(S) transactions, it MUST have a valid status code (200 OK). Perhaps: The duration for the ramp up phase MUST be configured long enough that the test equipment does not overwhelm the DUT's/SUT's stated performance metrics defined in Section 6.3, namely TCP/QUIC connections per second, inspected throughput, concurrent TCP/QUIC connections, and application transactions per second. ... Application Transactions Per Second The average number of successfully completed transactions per second. For a particular transaction to be considered successful, all data MUST have been transferred in its entirety. In case of an HTTP(S) transaction, it MUST have a valid status code (200 OK). List of the specific KPIs that are capitalized inconsistently: Concurrent TCP/QUIC Connections vs. concurrent TCP/QUIC connections Connections Per Second vs. connections per second vs. Connections per second vs. Connections per Second Note that the following is consistently capitalized: Initial connections per second Handshake Rate vs. handshake rate HTTP/HTTPS Throughput vs. HTTP/HTTPS throughput HTTP/HTTPS Transaction Latency vs. HTTP/HTTPS transaction latency Initial throughput vs. initial throughput Inspected Throughput vs. inspected throughput Transactions Per Second vs. transactions per second --> 22) <!-- [rfced] Terminology a) May we update "KBytes" to "KB" to match more common usage? b) Please review the use of "TCP/QUIC connections". Does this mean "TCP or QUIC", "TCP and QUIC", or "TCP and/or QUIC"? c) Please review the use of "TCP/HTTP connections". Does this mean "TCP connections carrying HTTP traffic"? --> 23) <!-- [rfced] Please review the "Inclusive Language" portion of the online Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> and let us know if any changes are needed. For example, please consider whether "dummy" should be updated. --> Thank you. RFC Editor/ap/jm On 2/28/23 5:23 PM, rfc-editor@rfc-editor.org wrote: *****IMPORTANT***** Updated 2023/02/28 RFC Author(s): -------------- Instructions for Completing AUTH48 Your document has now entered AUTH48. Once it has been reviewed and approved by you and all coauthors, it will be published as an RFC. If an author is no longer available, there are several remedies available as listed in the FAQ (https://www.rfc-editor.org/faq/). You and you coauthors are responsible for engaging other parties (e.g., Contributors or Working Group) as necessary before providing your approval. Planning your review --------------------- Please review the following aspects of your document: * RFC Editor questions Please review and resolve any questions raised by the RFC Editor that have been included in the XML file as comments marked as follows: <!-- [rfced] ... --> These questions will also be sent in a subsequent email. * Changes submitted by coauthors Please ensure that you review any changes submitted by your coauthors. We assume that if you do not speak up that you agree to changes submitted by your coauthors. * Content Please review the full content of the document, as this cannot change once the RFC is published. Please pay particular attention to: - IANA considerations updates (if applicable) - contact information - references * Copyright notices and legends Please review the copyright notice and legends as defined in RFC 5378 and the Trust Legal Provisions (TLP – https://trustee.ietf.org/license-info/). * Semantic markup Please review the markup in the XML file to ensure that elements of content are correctly tagged. For example, ensure that <sourcecode> and <artwork> are set correctly. See details at <https://authors.ietf.org/rfcxml-vocabulary>. * Formatted output Please review the PDF, HTML, and TXT files to ensure that the formatted output, as generated from the markup in the XML file, is reasonable. Please note that the TXT will have formatting limitations compared to the PDF and HTML. Submitting changes ------------------ To submit changes, please reply to this email using ‘REPLY ALL’ as all the parties CCed on this message need to see your changes. The parties include: * your coauthors * rfc-editor@rfc-editor.org (the RPC team) * other document participants, depending on the stream (e.g., IETF Stream participants are your working group chairs, the responsible ADs, and the document shepherd). * auth48archive@rfc-editor.org, which is a new archival mailing list to preserve AUTH48 conversations; it is not an active discussion list: * More info: https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc * The archive itself: https://mailarchive.ietf.org/arch/browse/auth48archive/ * Note: If only absolutely necessary, you may temporarily opt out of the archiving of messages (e.g., to discuss a sensitive matter). If needed, please add a note at the top of the message that you have dropped the address. When the discussion is concluded, auth48archive@rfc-editor.org will be re-added to the CC list and its addition will be noted at the top of the message. You may submit your changes in one of two ways: An update to the provided XML file — OR — An explicit list of changes in this format Section # (or indicate Global) OLD: old text NEW: new text You do not need to reply with both an updated XML file and an explicit list of changes, as either form is sufficient. We will ask a stream manager to review and approve any changes that seem beyond editorial in nature, e.g., addition of new text, deletion of text, and technical changes. Information about stream managers can be found in the FAQ. Editorial changes do not require approval from a stream manager. Approving for publication -------------------------- To approve your RFC for publication, please reply to this email stating that you approve this RFC for publication. Please use ‘REPLY ALL’, as all the parties CCed on this message need to see your approval. Files ----- The files are available here: https://www.rfc-editor.org/authors/rfc9411.xml https://www.rfc-editor.org/authors/rfc9411.html https://www.rfc-editor.org/authors/rfc9411.pdf https://www.rfc-editor.org/authors/rfc9411.txt Diff file of the text: https://www.rfc-editor.org/authors/rfc9411-diff.html https://www.rfc-editor.org/authors/rfc9411-rfcdiff.html (side by side) For your convenience, we have also created an alt-diff file that will allow you to more easily view changes where text has been deleted or moved: https://www.rfc-editor.org/authors/rfc9411-alt-diff.html Diff of the XML: https://www.rfc-editor.org/authors/rfc9411-xmldiff1.html The following files are provided to facilitate creation of your own diff files of the XML. Initial XMLv3 created using XMLv2 as input: https://www.rfc-editor.org/authors/rfc9411.original.v2v3.xml XMLv3 file that is a best effort to capture v3-related format updates only: https://www.rfc-editor.org/authors/rfc9411.form.xml Tracking progress ----------------- The details of the AUTH48 status of your document are here: https://www.rfc-editor.org/auth48/rfc9411 Please let us know if you have any questions. Thank you for your cooperation, RFC Editor -------------------------------------- RFC9411 (draft-ietf-bmwg-ngfw-performance-15) Title : Benchmarking Methodology for Network Security Device Performance Author(s) : B. Balarajah, C. Rossenhoevel, B. Monkman WG Chair(s) : Sarah Banks, Al Morton Area Director(s) : Warren Kumari, Robert Wilton
- [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-bmwg-… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-b… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-b… Bala Balarajah
- Re: [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-b… Alanna Paloma
- Re: [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-b… Carsten Rossenhoevel
- Re: [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-b… Bala Balarajah
- Re: [auth48] AUTH48: RFC-to-be 9411 <draft-ietf-b… bmonkman
- [auth48] [AD] Re: AUTH48: RFC-to-be 9411 <draft-i… Alanna Paloma
- Re: [auth48] [AD] Re: AUTH48: RFC-to-be 9411 <dra… Warren Kumari
- Re: [auth48] [AD] AUTH48: RFC-to-be 9411 <draft-i… Alanna Paloma