Re: [bmwg] First draft for next-gen firewall (NGFW) performance benchmarking uploaded

"MORTON, ALFRED C (AL)" <acmorton@att.com> Tue, 09 January 2018 02:09 UTC

Return-Path: <acmorton@att.com>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCBD7124B18 for <bmwg@ietfa.amsl.com>; Mon, 8 Jan 2018 18:09:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level:
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hCvU9o2Cw3vN for <bmwg@ietfa.amsl.com>; Mon, 8 Jan 2018 18:09:48 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5D4F1200B9 for <bmwg@ietf.org>; Mon, 8 Jan 2018 18:09:47 -0800 (PST)
Received: from pps.filterd (m0083689.ppops.net [127.0.0.1]) by m0083689.ppops.net-00191d01. (8.16.0.21/8.16.0.21) with SMTP id w0926Lhi027545; Mon, 8 Jan 2018 21:09:44 -0500
Received: from tlpd255.enaf.dadc.sbc.com (sbcsmtp3.sbc.com [144.160.112.28]) by m0083689.ppops.net-00191d01. with ESMTP id 2fcje7j20q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 08 Jan 2018 21:09:42 -0500
Received: from enaf.dadc.sbc.com (localhost [127.0.0.1]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id w0929fGF044044; Mon, 8 Jan 2018 20:09:42 -0600
Received: from dalint02.pst.cso.att.com (dalint02.pst.cso.att.com [135.31.133.160]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id w0929bR2043973 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 8 Jan 2018 20:09:38 -0600
Received: from zlp30497.vci.att.com (zlp30497.vci.att.com [135.46.181.156]) by dalint02.pst.cso.att.com (RSA Interceptor); Tue, 9 Jan 2018 02:09:25 GMT
Received: from zlp30497.vci.att.com (zlp30497.vci.att.com [127.0.0.1]) by zlp30497.vci.att.com (Service) with ESMTP id 18B4D4000383; Tue, 9 Jan 2018 02:09:25 +0000 (GMT)
Received: from clpi183.sldc.sbc.com (unknown [135.41.1.46]) by zlp30497.vci.att.com (Service) with ESMTP id D715340006FE; Tue, 9 Jan 2018 02:09:24 +0000 (GMT)
Received: from sldc.sbc.com (localhost [127.0.0.1]) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id w0929Oep014637; Mon, 8 Jan 2018 20:09:24 -0600
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.178.11]) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id w0929F3x014318; Mon, 8 Jan 2018 20:09:18 -0600
Received: from exchange.research.att.com (njmtcas2.research.att.com [135.207.255.47]) by mail-blue.research.att.com (Postfix) with ESMTP id 58605F0573; Mon, 8 Jan 2018 21:09:15 -0500 (EST)
Received: from njmtexg4.research.att.com ([fe80::8cd:baa3:219e:5bd4]) by njmtcas2.research.att.com ([fe80::d550:ec84:f872:cad9%15]) with mapi id 14.03.0361.001; Mon, 8 Jan 2018 21:09:15 -0500
From: "MORTON, ALFRED C (AL)" <acmorton@att.com>
To: Carsten Rossenhoevel <cross@eantc.de>, "bmwg@ietf.org" <bmwg@ietf.org>
Thread-Topic: [bmwg] First draft for next-gen firewall (NGFW) performance benchmarking uploaded
Thread-Index: AQHTeBXu9q1yKov8nUiU2sl0Jjjxc6Nqn8rA
Date: Tue, 9 Jan 2018 02:09:14 +0000
Message-ID: <4D7F4AD313D3FC43A053B309F97543CF49087299@njmtexg4.research.att.com>
References: <2e2f64cb-4c63-f7eb-f43b-33d9b1255cd1@eantc.de> <44a149d0-9c97-3795-4c1c-aa30a93e9a55@eantc.de>
In-Reply-To: <44a149d0-9c97-3795-4c1c-aa30a93e9a55@eantc.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [69.141.203.172]
Content-Type: multipart/alternative; boundary="_000_4D7F4AD313D3FC43A053B309F97543CF49087299njmtexg4researc_"
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-08_15:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801090024
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/EJ_9zhLc-I069Ophba_Fu3SLwPQ>
X-Mailman-Approved-At: Mon, 08 Jan 2018 18:11:07 -0800
Subject: Re: [bmwg] First draft for next-gen firewall (NGFW) performance benchmarking uploaded
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jan 2018 02:09:53 -0000

Hi Carsten and Bala,

Thanks for preparing a clear draft that describes
the work you propose.

I read your draft today, and have a few comments
(appended at the end of this message).

I’ll also try to answer your questions in-line, below.
regards,
Al
(as a participant)

From: bmwg [mailto:bmwg-bounces@ietf.org] On Behalf Of Carsten Rossenhoevel
Sent: Monday, December 18, 2017 10:36 AM
To: bmwg@ietf.org
Subject: [bmwg] First draft for next-gen firewall (NGFW) performance benchmarking uploaded


Dear Benchmarking Methodology WG,
My colleague Bala Balarajah has uploaded the first draft of the next-generation firewall (NGFW) benchmarking methodology for your review: draft-balarajah-bmwg-ngfw-performance-00<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dbalarajah-2Dbmwg-2Dngfw-2Dperformance-2D00&d=DwMDaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=OfsSu8kTIltVyD1oL72cBw&m=NSrvKLCc3BVODl6aPsYTR-ouHh9nc1inoRHhJLeNU60&s=O94wjso8epI3iVSQ2FxOKIWhFA66zEp4vWB04dfKQE8&e=>FA66zEp4vWB04dfKQE8&e=>.

Currently the document contains sections for the test setup, test bed preparation, reporting guidelines and test cases (complete TOC below).  Please let us know specifically:

- How do you assess the first test case in section 7?  Its format and level of details is meant to serve as a blueprint for additional test cases.
[ACM]
The use of many different dimensions of performance criteria in
7.1.3.4.  Test Results Acceptance Criteria
such as:
   a.  Number of failed Application transaction MUST be 0.01%.

   b.  Number of Terminated TCP connection due to unexpected TCP RST
       sent by DUT/SUT MUST be less than 0.01%
seems very close to PASS/FAIL criteria, which BMWG’s charter precludes:
https://datatracker.ietf.org/wg/bmwg/about/
“Because the demands of a particular technology may vary from deployment
to deployment, a specific non-goal of the Working Group is to define
acceptance criteria or performance requirements.”

However, reporting the number|percent of failed Application transactions
(for example) along with a benchmark like Throughput would be seen
as providing reasonable auxiliary information about the measurement.
These Aux measurements seem to be referred to as KPIs in the draft.




- What do you think about the test equipment configuration section, specifically the traffic load profile and flows in section 4?
[ACM]
See below.

- Section 5 is a bit unusual as it defines test bed requirements for minimum performance.  These were usually taken for granted in the past; for virtualized test solutions they need to be made explicit we (Bala and I) feel.
[ACM]
I agree.

Any feedback and comments are very welcome!  Bala and I will process them swiftly - either before Dec 22 or in the first week of January.

Best regards, Carsten

[ACM]
General:
it seems that a lot of “v” characters have been replaced with “^”.

Section 4.1
I think Figure 1 may not need the Emulated Router function
in the Test Equipment, since it includes external switch/router:

   +-------------------+      +-----------+      +--------------------+
   |Aggregation Switch/|      |           |      | Aggregation Switch/|
   | Router            +------+  DUT/SUT  +------+ Router             |
   |                   |      |           |      |                    |
   +----------+--------+      +-----------+      +----------+---------+
              |                                             |
              |                                             |
  +-----------+-----------+                    +------------+----------+
  |                       |                    |                       |
  | +-------------------+ |                    | +-------------------+ |
  | | Emulated Router(s)| |                    | | Emulated Router(s)| |
  | |     (Optional)    | |                    | |     (Optional)    | |
  | +-------------------+ |                    | +-------------------+ |
  | +-------------------+ |                    | +-------------------+ |
  | |      Clients      | |                    | |     Servers       | |
  | +-------------------+ |                    | +-------------------+ |
  |                       |                    |                       |
  |    Test Equipment     |                    |    Test Equipment     |
  +-----------------------+                    +-----------------------+

                    Figure 1: Testbed Setup - Option 1

COMMENT: I think the Figures should each indicate which side is
the “protected network”, as done in RFC 3511.

Section 4.2 DUT/SUT Config
I like the Table 1: DUT/SUT Feature List, it clearly shows
current coverage and future plans.

Section 4.3 Test Equipment Config
I suggest:
OLD
   This document attempts to explicitly specify which test equipment
   parameters SHOULD be configurable, any such parameter(s) MUST be
   noted in the test report.
NEW
   One goal of this document is to specify the set of test equipment
   parameters that SHOULD be configurable. All such configurable
   parameter(s) MUST be noted in the test report.

4.3.1.  Client Configuration
OLD
   This section specifies which parameters SHOULD be considerable while
   configuring emulated clients using test equipment.  Also this section
NEW
   This section specifies which parameters SHOULD be configurable when
   using emulated clients in the test equipment.  Also this section

4.3.1.1.  TCP Stack Attributes
OLD
   ... Up to 3 retries
   SHOULD be allowed before a timeout event is declared.
NEW
   ...Up to 3 retransmissions
   SHOULD be sent before a timeout event is declared.

COMMENT: TCP RTO isn’t actually calculated for these connections?

4.3.1.2.  Client IP Address Space
...
   The IPv4 ToS byte should be set to '00'.
COMMENT: the TOS byte is obsolete terminology, now DS Field, etc.
for v4 and v6.
...
   The following equation can be used to determine the required total
   number of client IP address.

   Desired total number of client IP = Target throughput [Mbit/s] /
   Throughput per IP address [Mbit/s]
COMMENT: This equation might work with CBR UDP senders, but using many
         parallel TCP connections results in less predictable bit
         rate per connection.

4.3.1.3.  Emulated Web Browser Attributes
COMMENT: Reacting to
“each browser will open up to 6 TCP connections per Server endpoint IP”
The performance variation that results from interactions between
independent TCP connection flow-control is now understood to be
significant, and may affect the results repeatability. See
https://tools.ietf.org/html/draft-ietf-ippm-model-based-metrics-13#section-4
(which is approved, and awaiting publication).
There is much to discuss here that requires full appreciation of
TCP operation in some detail. One major risk is that different
test equipment cannot produce equivalent results when testing
the same DUT with the same configurations.

It is also worthwhile to consider some of the techniques for
stateful TCP described in RFC 7640:
https://tools.ietf.org/html/rfc7640#section-5.2


4.3.1.4.  Client Emulated Web Browser SSL/TLS Layer Attributes
COMMENT:  SSL Inspection seems to be for future work in Table 1.  ??


4.3.2.  Backend Server Configuration
4.3.2.1.  TCP Stack Attributes
...
“... Up to 2 retries SHOULD be allowed
   before a timeout event is declared.
COMMENT: why is the number of retries lower for backend servers
than for clients?  (see 4.3.1.1, similar wording changes suggested here)

4.3.2.2.  Server Endpoint IP Addressing
>>> same comment on TOS byte

4.3.3.1.  Description of Intra-Client Behavior
COMMENT: This is likely another critical specification to
support repeatable results. Also:
s/conical/canonical/  (I think)

4.3.4.  Traffic Load Profile
COMMENT: It seems that attaining “sustain” phase, where:
“  ... the test equipment should keep to generate
   traffic at constant rate for a constant number of active client IPs.
   The recommended time duration for sustain phase is 600 seconds.  This
   is the phase where measurements occur.”
requires some special control over TCP connections, which are generally
not considered to be constant rate.  Maybe this is an Average rate over
some averaging time?

5.  Test Bed Considerations
OLD
   Once the desired maximum performance goals for the system under test
   have been identified, a safety margin of 10 % SHOULD be added for
   throughput and subtracted for maximum latency and maximum packet
   loss.
Suggest:
   Once the desired maximum performance capabilities of the Test Bed
   have been identified, a safety margin of 10 % SHOULD be subtracted for
   throughput and added for maximum latency and maximum packet
   loss. These values MUST exceed the performance goals of the SUT/DUT.

OLD
   Test bed preparation can be performed either by configuring the DUT
   in the most trivial setup (fast forwarding) or without presence of
   DUT.
Suggest:
   Test bed preparation can be performed either by configuring the DUT
   in the most trivial setup (fast forwarding) or without presence of
   DUT (and adding emulated delay to match the SUT/DUT when under test.

Skipping Section 6 for now.
Section 7 comments above.

10.  Security Considerations
The BMWG has a “standard” Security Considerations section text
that you can use as a starting point.

12 Normative references.
RFC 3511 should be prominent in this list (after considering its content).