IETF Logo Mail Archive

Re: [bmwg] FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance

bmonkman@netsecopen.org Mon, 10 May 2021 16:45 UTC

Return-Path: <bmonkman@netsecopen.org>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56DA83A232B for <bmwg@ietfa.amsl.com>; Mon, 10 May 2021 09:45:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.798
X-Spam-Level:
X-Spam-Status: No, score=-1.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netsecopen-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LIESnauwoOJR for <bmwg@ietfa.amsl.com>; Mon, 10 May 2021 09:45:32 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3196E3A232A for <bmwg@ietf.org>; Mon, 10 May 2021 09:45:32 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id f29so3709854qka.0 for <bmwg@ietf.org>; Mon, 10 May 2021 09:45:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netsecopen-org.20150623.gappssmtp.com; s=20150623; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=Wn1UnLRCQDmlXn2FIGIFiZp0DJKdWLlNW8vcA8AomGI=; b=UuRQZTUPPdVERj5bM8N7u2moF0tVSd6hgO49Jab7I1ZMDbR2FebsN3/XfZ4tZYcJsB UjtCWfhcc8rmcfpTtII/Ldvzxz2JkQQkREbnqHOMuJQZVBm3kjvqtvQpnVEGJ1/l5Sh8 3iuXiheSRgugf2oV7JEuRvkmGUuNVRgc/CsehLClMFlV8paSKobiKu3EWDKQQeOy5Qoz JctK+1ZnqGvnsyVW69bPctDLwn8wNjIho81Dd0rRZKsfi6afbksTjToWURyxjuyWGdG4 f6nwfBmF3XRJjPHMJ+geW7Wawcp4n5b5JIzF+Zuqf4SEjZEBMp8wpi/kLfOm5k5JWAi5 mYSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=Wn1UnLRCQDmlXn2FIGIFiZp0DJKdWLlNW8vcA8AomGI=; b=JFer7hhs1tXkAt4j2K+4YIh+Gd43HJHS8W0yy+UXes/8zvXTWIwfEm8ATvsAH79phb nDNpwXDYHjcEB5hjGwe16fak0hOX/+5SFfPj6ziAfLT7WuFoJ13o9kD4wXqBqjscIEw3 KuLpqkSfI35ESkmaECAuZ8pDxvbGJxsP1wHWU4VIj5ddnB64tEcPFb9Y9uSKU4kfHt9+ 7YpsSXoJJLN3rkLYmX+n31Jtg8H/uJwxMyxVBoQ2435jcLwPMkkaTSn4vSOtLgEQLB3v bb1/l2E1KS3zGNekNfFu7Vpw3Rk6NvVXmSauxrE1RD40dmMfZ4I+Uew3BF44/qD+Mup8 O2lg==
X-Gm-Message-State: AOAM533iUZWCQ9CQpDd612GrcfNAQsgNM8bTSjo5PYinSZ6l67+eExGP 8373H6XXsPXgNFSHhrybSGDb1w==
X-Google-Smtp-Source: ABdhPJy7faEjRhS6Z4Fi20UdI4I9RFzxV3Ap3beSwuHYf6Rsp49/91VweRVsoYYGFCuBE/WjfYT++w==
X-Received: by 2002:a37:a2c5:: with SMTP id l188mr23655884qke.413.1620665129936; Mon, 10 May 2021 09:45:29 -0700 (PDT)
Received: from DESKTOP42TMNEU (c-98-235-212-118.hsd1.pa.comcast.net. [98.235.212.118]) by smtp.gmail.com with ESMTPSA id t139sm2780311qka.85.2021.05.10.09.45.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 May 2021 09:45:29 -0700 (PDT)
From: bmonkman@netsecopen.org
To: 'Gabor LENCSE' <lencse@hit.bme.hu>
Cc: 'Bala Balarajah' <bala@netsecopen.org>, 'Bala Balarajah' <bm.balarajah@gmail.com>, bmwg@ietf.org, "'MORTON, ALFRED C (AL)'" <acm@research.att.com>, 'Sarah Banks' <sbanks@encrypted.net>
References: <413e779fd7eb4dd4b3aa8473c171e282@att.com> <f1a2b5c5-ebf2-12ab-b053-b9b2538342ad@hit.bme.hu>
In-Reply-To: <f1a2b5c5-ebf2-12ab-b053-b9b2538342ad@hit.bme.hu>
Date: Mon, 10 May 2021 12:45:27 -0400
Message-ID: <047501d745bb$e22f4ab0$a68de010$@netsecopen.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0476_01D7459A.5B1EBC20"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFRbj6fJkgW8izlvCwqrrFMnkxIIgCInYIRq+RVrRA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/GmXn5iPlNwHqnOfMFCdJJtvlBuc>
Subject: Re: [bmwg] FW: WGLC on New version of draft-ietf-bmwg-ngfw-performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2021 16:45:37 -0000

Hi Gabor,

 

Thank you very much for your comments. On initial review they all look
reasonable to us. How long do you think it will take you to complete your
review of the rest of the document?

 

Brian

 

From: bmwg <bmwg-bounces@ietf.org> On Behalf Of Gabor LENCSE
Sent: Monday, May 10, 2021 11:09 AM
To: bmwg@ietf.org
Subject: Re: [bmwg] FW: WGLC on New version of
draft-ietf-bmwg-ngfw-performance

 

Dear Al, Authors and BMWG members,

I have reviewed the first 22 pages of the draft. 

As far as I could read, I have found the draft reasonable and well written.
I have found some minor issues, which I classified as Discuss/Bugs/Nits:

Discuss:
--------

page 13-14

   (Option 2)  DUT/SUT deployment scenario 2 : 0.1-0.2 Mbit/s per IP
               (e.g.  50,000-100,000 IPs per 10Gbit/s throughput)

[...]

   (Option 1)  100 % IPv4, no IPv6

[...]

   Note: The IANA has assigned IP address range for the testing purpose
   as described in Section 8.

However, from the 198.18.0.0/15 range, only 198.18.0.0/16 can be used on the
one side, 198.19.0.0/16 is for the other side of the DUT.
A /16 has only 64k number of IP addresses, thus 100,000 IPs can not be
ensured for the 10Gbit/s throughput. (And of course, there are even faster
links, e.g. 25/40/100Gbit/s)

As a possible resolution, perhaps the usage of the private use 10.0.0.0/8
range could be allowed?

------------------

page 14

   For HTTP traffic emulation, the emulated browser MUST negotiate HTTP
   1.1.  HTTP persistence MAY be enabled depending on the test scenario.
   The browser MAY open multiple TCP connections per Server endpoint IP
   at any time depending on how many sequential transactions are needed
   to be processed.  Within the TCP connection multiple transactions MAY
   be processed if the emulated browser has available connections.  The
   browser SHOULD advertise a User-Agent header.  Headers MUST be sent
   uncompressed.  The browser SHOULD enforce content length validation.


I highly recommend to include HTTP/2 (defined by RFC 7540 in 2015), too.

Rationale:

"The standardization effort was supported by Chrome, Opera, Firefox,[11]
Internet Explorer 11, Safari, Amazon Silk, and Edge browsers.[12] Most major
browsers had added HTTP/2 support by the end of 2015.[13] About 97% of web
browsers used have the capability,[14] while according to W3Techs, as of
April 2021, 50% of the top 10 million websites supported HTTP/2.[15]"
Source: https://en.wikipedia.org/wiki/HTTP/2

As I expect that HTTP/2 will dominate withing a few years, I recommend to
include HTTP/2 with a SHOULD and include HTTP/1.1 either also with a SHOULD
or with a MAY.

What do others think?

------------------

page 16

   The server pool for HTTP SHOULD listen on TCP port 80 and emulate
   HTTP version 1.1 with persistence.  


As for the HTTP version, please see my comments regarding the client side
text on page 14.

------------------

page 16

   [...]  The behavior of the
   client is to sweep through the given server IP space, sequentially
   generating a recognizable service by the DUT.  

I am not sure if sequential sweep is the right choice for two reasons:
- I feel that the spirit of RFC 4814 would rather suggest pseudorandom. To
surely include all of them, I recommend random permutation.
- According to my experience, iptables has shown significantly different
maximum connection establishment rate, when I used pseudorandom port numbers
or when I enumerated the port numbers in increasing order. (Details
available upon request.)

------------------




Bugs:
-----

Page 9 / Table 3:

DLP ??? -- Previously, in Table 1 (on page 7)  DLP was used for Data Loss
Protection

I do not understand this definition:

   +------------------+------------------------------------------------+
   | DLP              | DUT/SUT detects and blocks the transmission    |
   |                  | of Personally Identifiable Information (PII)   |
   |                  | and specific files across the monitored network|
   +------------------+------------------------------------------------+

To me it sounds like preventing the leaking of sensitive information. 
If it is so, then I would call DLP as Data *Leak* Protection in Table 1.

------------------

page 13

   o  The IPv4 Type of Service (ToS) byte or IPv6 traffic class should
      be set to '00' or '000000' respectively.

According to RFC 8200, IPv6 Traffic Class field is 8 bits wide.

------------------

page 16

   o  A default gateway is permitted.  The IPv4 ToS byte and IPv6
      traffic class bytes should be set to '00' and '000000'
      respectively.

According to RFC 8200, IPv6 Traffic Class field is 8 bits wide.

------------------

page 18

   Test bed reference pre-tests help to ensure that the maximum desired
   traffic generator aspects such as throughput, transaction per second,
   connection per second, concurrent connection, and latency.

I do not understand this sentence. I feel that something is missing from the
end of the sentence (e.g. "are satisfied").



Nits:
-----

page 5

   In some deployment scenarios, the network security devices (Device
   Under Test/System Under Test) are connected to routers and switches
   which will reduce the number of entries in MAC or ARP tables of the
   Device Under Test/System Under Test (DUT/SUT).  

I THINK it is non-defining:

swithes which
--> 
swithes, which

------------------

Page 9 / Table 3:

   +------------------+------------------------------------------------+
   | Logging and      | DUT/SUT logs and reports all traffic at the    |
   | Reporting        | flow level across the monitored.               |
   +------------------+------------------------------------------------+

-->

   +------------------+------------------------------------------------+
   | Logging and      | DUT/SUT logs and reports all traffic at the    |
   | Reporting        | flow level across the monitored network.       |
   +------------------+------------------------------------------------+

------------------

   o  All RECOMMENDED security inspection enabled
-->
   o  All RECOMMENDED security inspections enabled

I think here "inspection" is used in a countable sense (various types of
inspections), thus it has a plural, please refer to:
https://www.wordhippo.com/what-is/the-plural-of/inspection.html


------------------

page 13

   SYN/ACK, ACK).  and it MUST be closed via either a TCP three way
-->
   SYN/ACK, ACK), and it MUST be closed via either a TCP three way

------------------

page 14

   profile,the 
-->
   profile, the

------------------

page 17

use a set approximate number of
-->
use a set of approximate number of

(If I understood the sentence correctly.)

------------------

page 17

traffic SHOULD ramp from zero 
-->
traffic SHOULD ramp up from zero 

(perhaps)

------------------

page 19

   2.  Summary of test bed software and Hardware details
-->
   2.  Summary of test bed software and hardware details

(I felt it inconsistent to capitalize "software" and "hardware"
differently.)

 

page 22

HTTP Transaction Latency (Section 7.8)
-->
HTTPS Transaction Latency (Section 7.8)

 

That's all for today. (Now I had only so much time.)

 

If you find my comments useful, I would be happy to read the rest of the
document, however, I cannot promise to keep the below deadline due to my
other workload.

 

Best regards,

 

Gábor

 

On 5/3/2021 7:36 PM, MORTON JR., AL wrote:

BMWG,

 

After extensive discussion at previous sessions, a revised draft (08) is
available for 

another Working Group Last Call.

 

Please review and express your support and/or comments on the bmwg-list by 

 

                23:59 UTC on May 17, 2021

 

Thanks to the author/editors for their efforts to bring us to this point,
and to everyone

who has participated in previous reviews!

 

see you on the list,

Al

bmwg co-chair and doc shepherd

 

 

 

From: bmwg  <mailto:bmwg-bounces@ietf.org> <bmwg-bounces@ietf.org> On Behalf
Of bmonkman@netsecopen.org <mailto:bmonkman@netsecopen.org> 
Sent: Thursday, April 22, 2021 1:28 PM
To: bmwg@ietf.org <mailto:bmwg@ietf.org> 
Subject: [bmwg] New version of draft-ietf-bmwg-ngfw-performance

 

Folks,

 

The latest draft has been posted and is ready for review. The Diff between
version 7 and version 8 can be found here:

 

https://tools.ietf.org/rfcdiff?difftype=--hwdiff
<https://urldefense.com/v3/__https:/tools.ietf.org/rfcdiff?difftype=--hwdiff
&url2=draft-ietf-bmwg-ngfw-performance-08.txt__;!!BhdT!3RQm3tbMKyQIuhNFujUDy
lH-nbgBFbOTdtctPaeeez96m7LPH8uNNegRqDFu$>
&url2=draft-ietf-bmwg-ngfw-performance-08.txt 

 

and here:

 

https://tools.ietf.org/rfcdiff?url2=draft-ietf-bmwg-ngfw-performance-08.txt
<https://urldefense.com/v3/__https:/tools.ietf.org/rfcdiff?url2=draft-ietf-b
mwg-ngfw-performance-08.txt__;!!BhdT!3RQm3tbMKyQIuhNFujUDylH-nbgBFbOTdtctPae
eez96m7LPH8uNNf1_GGQU$> 

 

Please review and provide comments. I believe Al Morton is going to call for
last call.

 

Brian

 

 





_______________________________________________
bmwg mailing list
bmwg@ietf.org <mailto:bmwg@ietf.org> 
https://www.ietf.org/mailman/listinfo/bmwg

v2.23.0 | Report a Bug | By Email