Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-performance
tim copley <timcopley@gmail.com> Thu, 16 December 2021 20:59 UTC
Return-Path: <timcopley@gmail.com>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF0FC3A04BB; Thu, 16 Dec 2021 12:59:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XJ96tNNrFvxZ; Thu, 16 Dec 2021 12:59:38 -0800 (PST)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5BFC3A0483; Thu, 16 Dec 2021 12:59:37 -0800 (PST)
Received: by mail-lj1-x22f.google.com with SMTP id z8so111586ljz.9; Thu, 16 Dec 2021 12:59:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fvCoOFSPniohKR3QDchhM1xb2WywMY9pJ9d3wtyqrYA=; b=VFVjFJ3zjWlHGob6c16L4EXD7ZBA2JPpMTi5qXTMsfmvtIh0XH4suA+nkCSQOWWV4r 84NJnjcXRYyfII/jEdTqtVHOC4CQKhFuUeBaTTW5NW3kkut0fB32lKTdMEWpax1b591K 6tijl2ryNhYBMPatV2NoGVj0f1w6BYiOhe0E+iXtTndGkgHP4xynCoHLcOQhJFCg4nrN i+uHstTW/9Na8LD2XvXPVt2WzuO7v6Ki75ZBlPqtdBwffvMKwUtAr8TbWqGYYOMmeXOR tT7VScsKJQs8gFv2Qja7GvwC01XeEo3oJP9HJ6goXt0adySE/hWPR5ClY8MBZTNCRfK5 V13A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fvCoOFSPniohKR3QDchhM1xb2WywMY9pJ9d3wtyqrYA=; b=hlH/Um2cyVRp3hfoStvyqqar46nzTd4V5xT1oLv5hmgPMgpO4J+SuwHBBrP321sROn RatphgBuPQpyP5hJrx+cTpFBTtWHxOfEA9c+7s74yzzn/721+GVdMj6ZkqWsKWOvSDrm aij4+wt04km1PW0HhydYpNRJh4Gao962v6XlBoNZ6YZwP7zKikHfEXDDl/+XlBPpmfPP TkjZWACuGH2yN4qeEz/woEZx8DFaQXUXlgZzEtFKUkoXHFfmmqNKaeH2fb4j6XXDOnmv kd+dRAYXO4PL4vvz4rwLUxzFNOw54ehwKIkmZkh3p6yNSPnEOtCRrgwK8mG+in2nkE18 ZF4w==
X-Gm-Message-State: AOAM532mBFtAXEN54//sRaCc7k02H2MXhVm4/s2smtPRaemlkOCcCuDJ jijojkB3Fp1xNu0EsjY4ls17fZLtR4AfptVUqsuoa3NdNxdmHQ==
X-Google-Smtp-Source: ABdhPJz5+fomP7ThUQdjukeyPlHYmHfes3l4BefSXDylpLtvS3FP8u5eN/l2x002ph+AXfqDc2H9TkpEJjIrixBMuK4=
X-Received: by 2002:a2e:5445:: with SMTP id y5mr16436944ljd.189.1639688372741; Thu, 16 Dec 2021 12:59:32 -0800 (PST)
MIME-Version: 1.0
References: <CAHw9_iJxxM5PM+MFv=u_GZPM8_frZDW70NzTtpdX4aa6=r+faA@mail.gmail.com>
In-Reply-To: <CAHw9_iJxxM5PM+MFv=u_GZPM8_frZDW70NzTtpdX4aa6=r+faA@mail.gmail.com>
From: tim copley <timcopley@gmail.com>
Date: Thu, 16 Dec 2021 13:59:30 -0700
Message-ID: <CAArhv62DA5mWFCgYi4qPCkEokdQxpHnrKhVmAkr6tvVRaNst_Q@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: draft-ietf-bmwg-ngfw-performance@ietf.org, bmwg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ffe9ea05d349b22d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/V-ZPbMk_-xTiZxcsNsDN-FG57eQ>
Subject: Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Dec 2021 20:59:43 -0000
I also, wanted to chime in regarding this and again, I also apologize for not reviewing earlier. I've not really been too involved in security devices until the last couple years, but boy has it changed drastically from when I was. Also, I noted that this document is basically following prior standards that are also a bit out dated. Some of the evolution, I've noticed which I think should at least be addressed in. I think you tried to exclude these in the Scope.? However I'm not really sure you are covering but maybe 1/2 of the devices that are being deployed at this time without addressing: Virtualization. / Remote FWs in the next gen. *) Large FWs are compartmentalizing Customers and serving multiple customers with the same firewall. So while you have said what would happen to a customer when The Firewall is UT, you don't really address what's going on with all the other customers on this DUT. If there are 10 Customers going through 1 large FW, what are the other 9 experiencing when this is under Test. Would be interesting to have multiple parallel tests underway and verify that behaviour is consistent across every "VDOM" within the system? *) Time to Change. If things are changed during your Load profile.perhaps even on a different virtual Firewall within the system, *) Sandbox dips. Several of the firewall vendors send stuff through labs / temp work spaces either online or offline that allow them to test against Zero Day scenarios. What happens to traffic flows during anomalies in the traffic flows. Does it change the throughput of the DUT? I know this is kind of an open ended question. but not sure you have good benchmark stats for a FW without it... *) Cloud based scenarios. If the firewall is removed, and I'm not really sure how you would test this with consistent results, but if the FW is offsite and the traffic is being routed through a Cloud based FW What does that do to your traffic results? TimC Fruth Group tcopley@fruthgroup.com On Wed, Dec 15, 2021 at 8:38 AM Warren Kumari <warren@kumari.net> wrote: > Hi there all, > > I'd like to apologize to the authors and WG for how long it has taken me > to post this review; I read the document a while back, but forgot to post > it :-( > > I only had a few editorial / readability suggestions -- they are > sufficiently minor (and I'm embarrassed by how long my review took!) that > I'll kick off LC without asking for a new version -- authors, please > consider them if you post a new version addressing LC comments, or to > address IESG Eval comments. > > Chairs / Al: The document state is listed as: "Doc Shepherd Follow-up > Underway" - I'm assuming that this is from: > https://mailarchive.ietf.org/arch/msg/bmwg/EonLD10nf0xQfWzHt0YT0QDK6lU - > can you please confirm (LOUDLY) that this is OK now and I'll kick off LC. > > > W > > > 1. Introduction > > 18 years have passed since IETF recommended test methodology and > terminology for firewalls initially ([RFC3511]). The requirements > for network security element performance and effectiveness have > increased tremendously since then. Security function implementations > > [O] 18 years have passed since IETF recommended test methodology and > > terminology for firewalls initially ([RFC3511]). The requirements > for network security element performance and effectiveness have > increased tremendously since then. > [P] In the eighteen years since [RFC3511] was published, recommending test methodology and terminology for firewalls, requirements and expectations for network security elements has increased tremendously. > > have evolved to more advanced areas and have diversified into > intrusion detection and prevention, threat management, analysis of > encrypted traffic, etc. In an industry of growing importance, well- > defined, and reproducible key performance indicators (KPIs) are > increasingly needed as they enable fair and reasonable comparison of > > [O] as they enable > [P] to enable > > network security functions. > > > > > -- > Perhaps they really do strive for incomprehensibility in their specs. > After all, when the liturgy was in Latin, the laity knew their place. > -- Michael Padlipsky > _______________________________________________ > bmwg mailing list > bmwg@ietf.org > https://www.ietf.org/mailman/listinfo/bmwg > -- Timothy Copley 602.350.0633
- [bmwg] AD Review of draft-ietf-bmwg-ngfw-performa… Warren Kumari
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… MORTON JR., AL
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… Warren Kumari
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… tim copley
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… bmonkman
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… Carsten Rossenhoevel