[bmwg] Comments on draft-ietf-bmwg-ngfw-performance-00
"MORTON, ALFRED C (AL)" <acm@research.att.com> Mon, 18 March 2019 22:13 UTC
Return-Path: <acm@research.att.com>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26C0A127133; Mon, 18 Mar 2019 15:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level:
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_DYNAMIC=0.85, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ONlqwD5agZw; Mon, 18 Mar 2019 15:13:19 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A868124B91; Mon, 18 Mar 2019 15:13:19 -0700 (PDT)
Received: from pps.filterd (m0049459.ppops.net [127.0.0.1]) by m0049459.ppops.net-00191d01. (8.16.0.27/8.16.0.27) with SMTP id x2ILta15014277; Mon, 18 Mar 2019 18:13:18 -0400
Received: from tlpd255.enaf.dadc.sbc.com (sbcsmtp3.sbc.com [144.160.112.28]) by m0049459.ppops.net-00191d01. with ESMTP id 2rakbaguuk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Mar 2019 18:13:18 -0400
Received: from enaf.dadc.sbc.com (localhost [127.0.0.1]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id x2IMDHUL022553; Mon, 18 Mar 2019 17:13:17 -0500
Received: from zlp30497.vci.att.com (zlp30497.vci.att.com [135.46.181.156]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id x2IMDBIj022456; Mon, 18 Mar 2019 17:13:12 -0500
Received: from zlp30497.vci.att.com (zlp30497.vci.att.com [127.0.0.1]) by zlp30497.vci.att.com (Service) with ESMTP id AACA84000695; Mon, 18 Mar 2019 22:13:11 +0000 (GMT)
Received: from clpi183.sldc.sbc.com (unknown [135.41.1.46]) by zlp30497.vci.att.com (Service) with ESMTP id 837F7400069B; Mon, 18 Mar 2019 22:13:11 +0000 (GMT)
Received: from sldc.sbc.com (localhost [127.0.0.1]) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id x2IMD9Qg027755; Mon, 18 Mar 2019 17:13:11 -0500
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.178.11]) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id x2IMD2Dr027324; Mon, 18 Mar 2019 17:13:04 -0500
Received: from exchange.research.att.com (njbdcas1.research.att.com [135.197.255.61]) by mail-blue.research.att.com (Postfix) with ESMTP id 6CA3DF191F; Mon, 18 Mar 2019 18:13:02 -0400 (EDT)
Received: from njmtexg5.research.att.com ([fe80::b09c:ff13:4487:78b6]) by njbdcas1.research.att.com ([fe80::8c6b:4b77:618f:9a01%11]) with mapi id 14.03.0439.000; Mon, 18 Mar 2019 18:12:30 -0400
From: "MORTON, ALFRED C (AL)" <acm@research.att.com>
To: "draft-ietf-bmwg-ngfw-performance@ietf.org" <draft-ietf-bmwg-ngfw-performance@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>
Thread-Topic: Comments on draft-ietf-bmwg-ngfw-performance-00
Thread-Index: AdTd1UG6o51GkYAKR4S8nmCdjoWFcA==
Date: Mon, 18 Mar 2019 22:12:30 +0000
Message-ID: <4D7F4AD313D3FC43A053B309F97543CF6C0060A7@njmtexg5.research.att.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.197.229.89]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-18_13:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903180153
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/GwBVYSjqE4ZAPszjJwLGghwQJSo>
Subject: [bmwg] Comments on draft-ietf-bmwg-ngfw-performance-00
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 22:13:21 -0000
Hi draft-ietf-bmwg-ngfw-performance authors, Thanks for preparing a very complete and detailed draft! I have the following comments (through section 7.5, there is some repetition for HTTPS after that), which I hope will help. regards, Al (as a participant) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 3. Scope This document provides testing terminology and testing methodology for next-generation firewalls and related security functions. It covers two main areas: Performance benchmarks and security effectiveness testing. This document focuses on advanced, realistic, [acm] can you define "security effectiveness testing" here, to distinguish it from performance benchmarking? 4.2. DUT/SUT Configuration A unique DUT/SUT configuration MUST be used for all benchmarking tests described in Section 7. Since each DUT/SUT will have their own unique configuration, users SHOULD configure their device with the same parameters that would be used in the actual deployment of the device or a typical deployment. * Users MUST enable security features * on the DUT/SUT to achieve maximum security coverage for a specific deployment scenario. [acm] Is a compliant response to this requirement described below? In Table 1? This document attempts to define the recommended security features which SHOULD be consistently enabled for all the benchmarking tests described in Section 7. Table 1 below describes the RECOMMENDED sets of feature list which SHOULD be configured on the DUT/SUT. [acm] SHOULD does not match the term Mandatory in Table 1. maybe s/Mandatory/RECOMMENDED/ and s/Optional/OPTIONAL/ +---------------------+ | NGFW | +-------------- +-----------+---------+ | | | | |DUT Features | Mandatory | Optional| | | | | +-------------------------------------+ o Detection of CVEs matching the following characteristics when [acm] Spell-out at first use CVE = Cert. Validation E??? searching the National Vulnerability Database (NVD) different categories; namely small, medium, and maximum. [acm] ...in four categories... 4.3.1.1. TCP Stack Attributes The TCP stack SHOULD use a TCP Reno [RFC5681] variant, which include congestion avoidance, back off and windowing, fast retransmission, and fast recovery on every TCP connection between client and server endpoints. The default IPv4 and IPv6 MSS segments size MUST be set to 1460 bytes and 1440 bytes respectively and a TX and RX receive windows of 65536 bytes. Client initial congestion window MUST NOT [acm] How has the TCP window discussion on BMWG-list been considered here? The following equation can be used to determine the required total number of client IP address. [acm] s/address/addresses/ ... Based on deployment and use case scenario, the value for "Throughput per IP address" can be varied. (Option 1) Enterprise customer use case: 6-7 Mbps per IP (e.g. 1,400-1,700 IPs per 10Gbit/s throughput) (Option 2) Mobile ISP use case: 0.1-0.2 Mbps per IP (e.g. 50,000-100,000 IPs per 10Gbit/s throughput) Based on deployment and use case scenario, client IP addresses SHOULD be distributed between IPv4 and IPv6 type. The Following options can be considered for a selection of traffic mix ratio. [acm] don't have two "Option 1" with different meanings. Option Mobile ??? (Option 1) 100 % IPv4, no IPv6 (Option 2) 80 % IPv4, 20% IPv6 ... For encrypted traffic, the following attributes SHALL define the negotiated encryption parameters. The test clients MUST use TLSv1.2 or higher. TLS record size MAY be optimized for the HTTPS response object size up to a record size of 16 KByte. The client endpoint MUST send TLS Extension Server Name Indication (SNI) information when opening a security tunnel. Each client connection MUST perform a full handshake with server certificate and MUST NOT use session reuse [acm] missing space "servercertificate" 4.3.2. Backend Server Configuration This document specifies which parameters should be considerable while [acm] s/considerable/considered/ configuring emulated backend servers using test equipment. ... 2. In the ramp up phase, the test equipment SHOULD start to generate the test traffic. It SHOULD use a set approximate number of unique client IP addresses actively to generate traffic. The traffic SHOULD ramp from zero to desired target objective. The target objective will be defined for each benchmarking test. The [acm] predefined, and where? target not mentioned before... Test bed reference pre-tests help to ensure that the desired traffic generator aspects such as maximum throughput and the network performance metrics such as maximum latency and maximum packet loss are met. [acm] does this mean that the traffic gen + receiver might have limits on the max latency or loss it can measure? OR, that the traffic gen + receiver can measure the max latency and packet loss accurately? Once the desired maximum performance goals for the system under test ... C. DUT Enabled Features + Specific features, such as logging, NGFW, DPI MUST be documented [acm] specific features *used* ?? 4. Results Summary / Executive Summary 1. Results SHOULD resemble a pyramid in how it is reported, with the introduction section documenting the summary of results in a prominent, easy to read block. 2. In the result section of the test report, the following attributes should be present for each test scenario. a. KPIs MUST be documented separately for each test scenario. The format of the KPI metrics should be presented as described in Section 6.1. [acm] Are some KPIs Benchmarks? b. The next level of details SHOULD be graphs showing each of these metrics over the duration (sustain phase) of the test. This allows the user to see the measured [acm] see *if* the measured performance is stable over time. ?? performance stability changes over time. 6.1. Key Performance Indicators This section lists KPIs for overall benchmarking tests scenarios. All KPIs MUST be measured during the sustain phase of the traffic load profile described in Section 4.3.4. All KPIs MUST be measured from the result output of test equipment. o Concurrent TCP Connections This key performance indicator measures the average concurrent open TCP connections in the sustaining period. [acm] This is a Capacity Benchmark, IMO. ... o Time to First Byte (TTFB) This key performance indicator will measure minimum, average and maximum the time to first byte. TTFB is the elapsed time between sending the SYN packet from the client and receiving the first byte of application date from the DUT/SUT. TTFB SHOULD be expressed in millisecond. [acm] I recommend organizing these benchmarks (KPIs) using the 3x3 Matrix described in https://tools.ietf.org/html/rfc8172#section-4.4 Placing the benchmarks in the Table may reveal gaps that need to be addressed now, or in the future. 7. Benchmarking Tests 7.1. Throughput Performance With NetSecOPEN Traffic Mix [acm] What's the Trademark situation for NetSecOpen, and all the names listed in Appendix A??? ... One of the following ciphers and keys are RECOMMENDED to use for this test scenarios. 1. ECHDE-ECDSA-AES128-GCM-SHA256 with Prime256v1 (Signature Hash Algorithm: ecdsa_secp256r1_sha256 and Supported group: sepc256r1) 2. ECDHE-RSA-AES128-GCM-SHA256 with RSA 2048 (Signature Hash Algorithm: rsa_pkcs1_sha256 and Supported group: sepc256) 3. ECDHE-ECDSA-AES256-GCM-SHA384 with Secp521 (Signature Hash Algorithm: ecdsa_secp384r1_sha384 and Supported group: sepc521r1) 4. ECDHE-RSA-AES256-GCM-SHA384 with RSA 4096 (Signature Hash Algorithm: rsa_pkcs1_sha384 and Supported group: secp256) [acm] My guess is that someone will require that we cite a reference for all of these ciphers... 7.1.3.4. Test Results Acceptance Criteria [acm] IMO, Acceptance is the right action, but the wrong word because these are not "Acceptance Tests". I think something like Test Validation Criteria will work here. The following test Criteria is defined as test results acceptance [acm] s/acceptance/validation/ everywhere... criteria. Test results acceptance criteria MUST be monitored during the whole sustain phase of the traffic load profile. a. Number of failed Application transactions MUST be less than 0.001% (1 out of 100,000 transactions) of total attempt transactions ... 7.2.4.3. Step 3: Test Iteration Determine the maximum and average achievable connections per second within the acceptance criteria. [acm] how? with additional tests using all 5 phases? ... 7.4.3.4. Measurement Following KPI metrics MUST be reported for each test scenario and HTTP response object sizes separately: average TCP connections per second and average application transaction latency [acm] So, this is the Average of application transaction times meeting the validation criteria, which does not limit the time variation? Seems like a measure of the transaction time range is needed, too. ... 7.5.3.3. Test Results Acceptance Criteria ... d. During the sustain phase, the maximum deviation (max. dev) of application transaction latency or TTLB (Time To Last Byte) MUST be less than 10% [acm] Why doesn't criteria (d.) appear in 7.4.TCP/HTTP Transaction Latency ??
- [bmwg] Comments on draft-ietf-bmwg-ngfw-performan… MORTON, ALFRED C (AL)