[bmwg] Comments on draft-ietf-bmwg-ngfw-performance-00

"MORTON, ALFRED C (AL)" <acm@research.att.com> Mon, 18 March 2019 22:13 UTC

Return-Path: <acm@research.att.com>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 26C0A127133; Mon, 18 Mar 2019 15:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_DYNAMIC=0.85, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 0ONlqwD5agZw; Mon, 18 Mar 2019 15:13:19 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A868124B91; Mon, 18 Mar 2019 15:13:19 -0700 (PDT)
Received: from pps.filterd (m0049459.ppops.net []) by m0049459.ppops.net-00191d01. ( with SMTP id x2ILta15014277; Mon, 18 Mar 2019 18:13:18 -0400
Received: from tlpd255.enaf.dadc.sbc.com (sbcsmtp3.sbc.com []) by m0049459.ppops.net-00191d01. with ESMTP id 2rakbaguuk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Mar 2019 18:13:18 -0400
Received: from enaf.dadc.sbc.com (localhost []) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id x2IMDHUL022553; Mon, 18 Mar 2019 17:13:17 -0500
Received: from zlp30497.vci.att.com (zlp30497.vci.att.com []) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id x2IMDBIj022456; Mon, 18 Mar 2019 17:13:12 -0500
Received: from zlp30497.vci.att.com (zlp30497.vci.att.com []) by zlp30497.vci.att.com (Service) with ESMTP id AACA84000695; Mon, 18 Mar 2019 22:13:11 +0000 (GMT)
Received: from clpi183.sldc.sbc.com (unknown []) by zlp30497.vci.att.com (Service) with ESMTP id 837F7400069B; Mon, 18 Mar 2019 22:13:11 +0000 (GMT)
Received: from sldc.sbc.com (localhost []) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id x2IMD9Qg027755; Mon, 18 Mar 2019 17:13:11 -0500
Received: from mail-blue.research.att.com (mail-blue.research.att.com []) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id x2IMD2Dr027324; Mon, 18 Mar 2019 17:13:04 -0500
Received: from exchange.research.att.com (njbdcas1.research.att.com []) by mail-blue.research.att.com (Postfix) with ESMTP id 6CA3DF191F; Mon, 18 Mar 2019 18:13:02 -0400 (EDT)
Received: from njmtexg5.research.att.com ([fe80::b09c:ff13:4487:78b6]) by njbdcas1.research.att.com ([fe80::8c6b:4b77:618f:9a01%11]) with mapi id 14.03.0439.000; Mon, 18 Mar 2019 18:12:30 -0400
From: "MORTON, ALFRED C (AL)" <acm@research.att.com>
To: "draft-ietf-bmwg-ngfw-performance@ietf.org" <draft-ietf-bmwg-ngfw-performance@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>
Thread-Topic: Comments on draft-ietf-bmwg-ngfw-performance-00
Thread-Index: AdTd1UG6o51GkYAKR4S8nmCdjoWFcA==
Date: Mon, 18 Mar 2019 22:12:30 +0000
Message-ID: <4D7F4AD313D3FC43A053B309F97543CF6C0060A7@njmtexg5.research.att.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-18_13:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903180153
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/GwBVYSjqE4ZAPszjJwLGghwQJSo>
Subject: [bmwg] Comments on draft-ietf-bmwg-ngfw-performance-00
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 22:13:21 -0000

Hi draft-ietf-bmwg-ngfw-performance authors,

Thanks for preparing a very complete and detailed

I have the following comments (through section 7.5,
there is some repetition for HTTPS after that), 
which I hope will help.

(as a participant)


3.  Scope

   This document provides testing terminology and testing methodology
   for next-generation firewalls and related security functions.  It
   covers two main areas: Performance benchmarks and security
   effectiveness testing.  This document focuses on advanced, realistic,
[acm] can you define "security effectiveness testing" here,
to distinguish it from performance benchmarking?

4.2.  DUT/SUT Configuration

   A unique DUT/SUT configuration MUST be used for all benchmarking
   tests described in Section 7.  Since each DUT/SUT will have their own
   unique configuration, users SHOULD configure their device with the
   same parameters that would be used in the actual deployment of the
   device or a typical deployment. * Users MUST enable security features *
   on the DUT/SUT to achieve maximum security coverage for a specific
   deployment scenario.
[acm] Is a compliant response to this requirement described below?
In Table 1?

   This document attempts to define the recommended security features
   which SHOULD be consistently enabled for all the benchmarking tests
   described in Section 7.  Table 1 below describes the RECOMMENDED sets
   of feature list which SHOULD be configured on the DUT/SUT.
[acm] SHOULD does not match the term Mandatory in Table 1.
maybe s/Mandatory/RECOMMENDED/
and s/Optional/OPTIONAL/

                   |         NGFW        |
   +-------------- +-----------+---------+
   |               |           |         |
   |DUT Features   | Mandatory | Optional|
   |               |           |         |

   o  Detection of CVEs matching the following characteristics when
[acm] Spell-out at first use CVE = Cert. Validation E???
      searching the National Vulnerability Database (NVD)

   different categories; namely small, medium, and maximum.
[acm] ...in four categories...  TCP Stack Attributes

   The TCP stack SHOULD use a TCP Reno [RFC5681] variant, which include
   congestion avoidance, back off and windowing, fast retransmission,
   and fast recovery on every TCP connection between client and server
   endpoints.  The default IPv4 and IPv6 MSS segments size MUST be set
   to 1460 bytes and 1440 bytes respectively and a TX and RX receive
   windows of 65536 bytes.  Client initial congestion window MUST NOT
How has the TCP window discussion on BMWG-list been considered here?

   The following equation can be used to determine the required total
   number of client IP address.
[acm] s/address/addresses/

   Based on deployment and use case scenario, the value for "Throughput
   per IP address" can be varied.

   (Option 1)  Enterprise customer use case: 6-7 Mbps per IP (e.g.
               1,400-1,700 IPs per 10Gbit/s throughput)

   (Option 2)  Mobile ISP use case: 0.1-0.2 Mbps per IP (e.g.
               50,000-100,000 IPs per 10Gbit/s throughput)

   Based on deployment and use case scenario, client IP addresses SHOULD
   be distributed between IPv4 and IPv6 type.  The Following options can
   be considered for a selection of traffic mix ratio.
[acm] don't have two "Option 1" with different meanings. Option Mobile ???
   (Option 1)  100 % IPv4, no IPv6

   (Option 2)  80 % IPv4, 20% IPv6


   For encrypted traffic, the following attributes SHALL define the
   negotiated encryption parameters.  The test clients MUST use TLSv1.2
   or higher.  TLS record size MAY be optimized for the HTTPS response
   object size up to a record size of 16 KByte.  The client endpoint
   MUST send TLS Extension Server Name Indication (SNI) information when
   opening a security tunnel.  Each client connection MUST perform a
   full handshake with server certificate and MUST NOT use session reuse
[acm] missing space "servercertificate"

4.3.2.  Backend Server Configuration

   This document specifies which parameters should be considerable while
[acm] s/considerable/considered/
   configuring emulated backend servers using test equipment.

   2.  In the ramp up phase, the test equipment SHOULD start to generate
       the test traffic.  It SHOULD use a set approximate number of
       unique client IP addresses actively to generate traffic.  The
       traffic SHOULD ramp from zero to desired target objective.  The
       target objective will be defined for each benchmarking test.  The
[acm] predefined, and where? target not mentioned before...

   Test bed reference pre-tests help to ensure that the desired traffic
   generator aspects such as maximum throughput and the network
   performance metrics such as maximum latency and maximum packet loss
   are met.
[acm] does this mean that the traffic gen + receiver might have 
limits on the max latency or loss it can measure?
OR, that the traffic gen + receiver can measure the 
max latency and packet loss accurately? 

   Once the desired maximum performance goals for the system under test

       C.  DUT Enabled Features

           +  Specific features, such as logging, NGFW, DPI MUST be
[acm] specific features *used* ??

   4.  Results Summary / Executive Summary

       1.  Results SHOULD resemble a pyramid in how it is reported, with
           the introduction section documenting the summary of results
           in a prominent, easy to read block.

       2.  In the result section of the test report, the following
           attributes should be present for each test scenario.

           a.  KPIs MUST be documented separately for each test
               scenario.  The format of the KPI metrics should be
               presented as described in Section 6.1.
[acm] Are some KPIs Benchmarks?

           b.  The next level of details SHOULD be graphs showing each
               of these metrics over the duration (sustain phase) of the
               test.  This allows the user to see the measured
[acm] see *if* the measured performance is stable over time.  ??
               performance stability changes over time.

6.1.  Key Performance Indicators

   This section lists KPIs for overall benchmarking tests scenarios.
   All KPIs MUST be measured during the sustain phase of the traffic
   load profile described in Section 4.3.4.  All KPIs MUST be measured
   from the result output of test equipment.

   o  Concurrent TCP Connections
      This key performance indicator measures the average concurrent
      open TCP connections in the sustaining period.
[acm] This is a Capacity Benchmark, IMO.


   o  Time to First Byte (TTFB)
      This key performance indicator will measure minimum, average and
      maximum the time to first byte.  TTFB is the elapsed time between
      sending the SYN packet from the client and receiving the first
      byte of application date from the DUT/SUT.  TTFB SHOULD be
      expressed in millisecond.
I recommend organizing these benchmarks (KPIs) using the 
3x3 Matrix described in 
Placing the benchmarks in the Table may reveal gaps 
that need to be addressed now, or in the future.

7.  Benchmarking Tests

7.1.  Throughput Performance With NetSecOPEN Traffic Mix
[acm] What's the Trademark situation for NetSecOpen,
and all the names listed in Appendix A???


      One of the following ciphers and keys are RECOMMENDED to use for
      this test scenarios.

      1.  ECHDE-ECDSA-AES128-GCM-SHA256 with Prime256v1 (Signature Hash
          Algorithm: ecdsa_secp256r1_sha256 and Supported group:

      2.  ECDHE-RSA-AES128-GCM-SHA256 with RSA 2048 (Signature Hash
          Algorithm: rsa_pkcs1_sha256 and Supported group: sepc256)

      3.  ECDHE-ECDSA-AES256-GCM-SHA384 with Secp521 (Signature Hash
          Algorithm: ecdsa_secp384r1_sha384 and Supported group:

      4.  ECDHE-RSA-AES256-GCM-SHA384 with RSA 4096 (Signature Hash
          Algorithm: rsa_pkcs1_sha384 and Supported group: secp256)
[acm] My guess is that someone will require that we cite a reference
for all of these ciphers...  Test Results Acceptance Criteria
[acm] IMO, Acceptance is the right action, but the wrong word
because these are not "Acceptance Tests".  I think something like
        Test Validation Criteria  will work here.

   The following test Criteria is defined as test results acceptance
[acm] s/acceptance/validation/ everywhere...
   criteria.  Test results acceptance criteria MUST be monitored during
   the whole sustain phase of the traffic load profile.

   a.  Number of failed Application transactions MUST be less than
       0.001% (1 out of 100,000 transactions) of total attempt

...  Step 3: Test Iteration

   Determine the maximum and average achievable connections per second
   within the acceptance criteria.
[acm] how? with additional tests using all 5 phases?

...  Measurement

   Following KPI metrics MUST be reported for each test scenario and
   HTTP response object sizes separately:

   average TCP connections per second and average application
   transaction latency
[acm] So, this is the Average of application transaction times
meeting the validation criteria, which does not limit the time variation?
Seems like a measure of the transaction time range is needed, too.

...  Test Results Acceptance Criteria
   d.  During the sustain phase, the maximum deviation (max. dev) of
       application transaction latency or TTLB (Time To Last Byte) MUST
       be less than 10%
[acm] Why doesn't criteria (d.) appear in 
7.4.TCP/HTTP Transaction Latency ??