IETF Logo Mail Archive

Re: [bmwg] Éric Vyncke's Discuss on draft-ietf-bmwg-ngfw-performance-13: (with DISCUSS and COMMENT)

bmonkman@netsecopen.org Wed, 09 February 2022 15:58 UTC

Return-Path: <bmonkman@netsecopen.org>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 769253A0C03 for <bmwg@ietfa.amsl.com>; Wed, 9 Feb 2022 07:58:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netsecopen-org.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SGHnB6xb18dy for <bmwg@ietfa.amsl.com>; Wed, 9 Feb 2022 07:58:38 -0800 (PST)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E26023A0C37 for <bmwg@ietf.org>; Wed, 9 Feb 2022 07:58:37 -0800 (PST)
Received: by mail-qt1-x82b.google.com with SMTP id x5so2133410qtw.10 for <bmwg@ietf.org>; Wed, 09 Feb 2022 07:58:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netsecopen-org.20210112.gappssmtp.com; s=20210112; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=2Z+Vsxg7kl0MAz9Er3NlWjt38PSsdnNcLo7Px5RBYLc=; b=7aN3tuG6Hs/XvDFT+UgEyQCfGsglkYMwOtAJUIniCN+qnqTt7uju6bLYXqwdflZK8Y DTi/qyQB4ibE4el4chRd5wSgS8bCdBU9LD4EMpZsGzsy2ZfdwxGL/pbAwhQ0N+/XBtg+ rg6YUTh8WUnRajmjflls53QRAw3G6r+u7V18hN/tVWSgQvYGSVnP2w3iVR9aa/XxQ+pr qeH4LEmRSCjwmts9xMewjlfMvqQ67Tr5I3HVWEBphXMDo3fpRyChM9Eii/H6foyC9DtX fIC5giKvs7uscVDaz+jW0fvSKGb8q2dxihdMvsL0hEIhm/LPKgWsX8V6NjyTlUjrV7UB g5dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=2Z+Vsxg7kl0MAz9Er3NlWjt38PSsdnNcLo7Px5RBYLc=; b=KrYMo038cDAPN83kwr08vuC/EpHx8xaQLhKpfjifvGRvjELo6xDOkTCJQiFoP+GKd5 7LZHSZXS/wnr/95Ib4er9su97WPfAVUCYsp1F8xB7txGSlKohWQ2nIhQ3j+KjYvK/ONw NyWW4hEBHqw/y4iYvH3l2Of1+NEesKoUP0tazFIzZCXoi2Tbla4DEjFPsq17FGzA4/Fc bcv1DOBNP42lyB1fUoghUM5UuYwxmR+V9RGiRcAMdFwGwIxKmifOuUT87zW2k/oMzEFC gfdMQC1MWKeAOTUm9N/ly6dJLsmXYW0fOoHF3pUGfG8ul5NGOyfN/tu15xG3ILplRAUZ z5Bg==
X-Gm-Message-State: AOAM532/zArW44b4TzHZ1NqLY4rFxVFk5kdEvAlcLbLaepafHk4LNDq3 NNp8EicYUPmRUS9J7mvDEuZQr9D+fxcUqA==
X-Google-Smtp-Source: ABdhPJyAguvNDAVlphrm/YliFazYgxMtdi0TaOGqhVwcQUpgmQR8A2ZpSFw7xEkR12qd+gLA9yjUFA==
X-Received: by 2002:a05:622a:1302:: with SMTP id v2mr1822107qtk.223.1644422315968; Wed, 09 Feb 2022 07:58:35 -0800 (PST)
Received: from DESKTOP42TMNEU (c-98-235-212-118.hsd1.pa.comcast.net. [98.235.212.118]) by smtp.gmail.com with ESMTPSA id y20sm8815420qta.9.2022.02.09.07.58.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 09 Feb 2022 07:58:35 -0800 (PST)
From: bmonkman@netsecopen.org
To: tte@cs.fau.de, "'Eric Vyncke (evyncke)'" <evyncke@cisco.com>
Cc: 'Carsten Rossenhoevel' <cross@eantc.de>, 'The IESG' <iesg@ietf.org>, 'Al Morton' <acm@research.att.com>, bmwg-chairs@ietf.org, bmwg@ietf.org, draft-ietf-bmwg-ngfw-performance@ietf.org
References: <164387980959.17096.3334808754490050779@ietfa.amsl.com> <9fd0def5-05b0-4c25-0f6a-ea864bf02d1e@eantc.de> <4FE589A0-BF14-4D88-8EA7-66D65762C82A@cisco.com> <Yfvx1UEjogZCkjT3@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <Yfvx1UEjogZCkjT3@faui48e.informatik.uni-erlangen.de>
Date: Wed, 09 Feb 2022 10:58:12 -0500
Message-ID: <506a01d81dcd$e49a0570$adce1050$@netsecopen.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQH4/Uam4SFvJFk0Dv4cqIKaMtZabgLBjRUWAmN0zKUCA1Qo0awQXgeQ
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/XXK8LErSpIrPIpBJ7R5hqkMVyEU>
Subject: Re: [bmwg] Éric Vyncke's Discuss on draft-ietf-bmwg-ngfw-performance-13: (with DISCUSS and COMMENT)
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2022 15:58:44 -0000

Éric,

Do you have any feedback to the responses from Carsten and Toerless?

Brian

-----Original Message-----
From: tte@cs.fau.de <tte@cs.fau.de> 
Sent: Thursday, February 3, 2022 10:17 AM
To: Eric Vyncke (evyncke) <evyncke@cisco.com>
Cc: Carsten Rossenhoevel <cross@eantc.de>; The IESG <iesg@ietf.org>; Al Morton <acm@research.att.com>; bmwg-chairs@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-ngfw-performance@ietf.org
Subject: Re: Éric Vyncke's Discuss on draft-ietf-bmwg-ngfw-performance-13: (with DISCUSS and COMMENT)

a) FYI in support of Carstens assesment:
 I think to remember that one common occurance for fragmented IP traffic where  routers between inside and outside tunneling traffic and then often creating  fragmented traffic. But some time after 2003 more and more routers with  hardware acceleration started to support tunneling, but then of course with a  much bigger performance drop when fragmenting themselves. Hence practices changed  to only supporte reduced tunneled traffic MTU and prohibiting fragmentation. 
 And in parallel of course host stacks PMTUD improved.

b) In a section summarizing differences over rfc3511, absence of IP fragementation measurement might be explained with a simple statment like:

Measurement of performance for processing of IP fragmented traffic (RFC3511, section 5.9) was removed in this document because IP fragmentation does today not commonly occur in traffic anymore, unlike it might have been at the time when RFC3511 was written.

c) It might also be useful to add something like the following at the end of the security section:

Security assessment of an NGFW/NGIPS product could also include an analysis whether any type of uncommon traffic characteristics would have significant impact on performance. Such performance impacts would allow an attacker to use such specifically crafted traffic as a DoS attack to reduce the remaining performance available to other traffic through the NGFW/NGIPS. Such uncommon traffic characteristic might include for example IP fragmented traffic, specific type of application traffic or uncommonly high HTTP transaction rate traffic.

Cheers
    Toerless

On Thu, Feb 03, 2022 at 02:27:59PM +0000, Eric Vyncke (evyncke) wrote:
> Dear Carsten
> 
> [thank you for writing Éric BTW :-)  -- and we chatted years ago at 
> the MPLS World Congress ]
> 
> While I do not disagree with your arguments, I still think that some text (perhaps verbatim from your explanation below) is required in the document to justify the absence of fragmentation-related text (as RFC 3511 had some text).
> 
> BTW, like all IESG ballot/review, there is no need to reply before the telechat[1] of course, it can be done in a later stage.
> 
> Regards
> 
> -éric
> 
> [1] like always, every IETF participant is welcome to listen to the 
> IESG telechat 'live' (i.e., in 30 minutes) see 
> https://mailarchive.ietf.org/arch/msg/ietf-announce/2rCa7yESyR7lDErcB2
> 3fpFPH8ig/
> 
> 
> On 03/02/2022, 14:14, "iesg on behalf of Carsten Rossenhoevel" <iesg-bounces@ietf.org on behalf of cross@eantc.de> wrote:
> 
>     Dear Éric,
> 
>      From our point of view, testing of IP fragmentation does not belong 
>     into a network security test plan these days.
> 
>     1) IP fragmentation was indeed an issue across the industry in the early 
>     2000s.  If I remember correctly, Path MTU discovery sometimes did not 
>     work well back in those days, and MTUs had to be fixed per hop 
>     occasionally.  To my knowledge, this is not usually the case today 
>     anymore.  This test case is genuinely obsoleted by technical progress.
> 
>     2) In case there are still any MTU issues, they would be better covered 
>     in a network-level (IPv4 / IPv6) test plan because IP fragmentation is a 
>     function of the IP layer, not related to security nor applications.
> 
>     3) The IP fragmentation test in RFC3511 wasn't even a real benchmark 
>     because it mainly inspected incorrect configuration. The KPI was not 
>     "measure throughput when fragmentation is misconfigured" (this KPI is 
>     rather useless) but rather an ordinal pass/fail "check that the 
>     bandwidth is not reduced by incorrect IP fragmentation in any way."
> 
>     For all these reasons we do not consider the IP fragmentation test case 
>     in RFC3511 applicable specifically for network security devices today.  
>     Since this is due to technical progress and lack of applicability for 
>     network security testing, I am not sure if a statement is needed in the 
>     new document?  If so, please suggest some wording.
> 
>     Best regards, Carsten
> 
> 
>     Am 03.02.2022 um 10:16 schrieb Éric Vyncke via Datatracker:
>     > Éric Vyncke has entered the following ballot position for
>     > draft-ietf-bmwg-ngfw-performance-13: Discuss
>     >
>     > When responding, please keep the subject line intact and reply to all
>     > email addresses included in the To and CC lines. (Feel free to cut this
>     > introductory paragraph, however.)
>     >
>     >
>     > Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
>     > for more information about how to handle DISCUSS and COMMENT positions.
>     >
>     >
>     > The document, along with other ballot positions, can be found here:
>     > https://datatracker.ietf.org/doc/draft-ietf-bmwg-ngfw-performance/
>     >
>     >
>     >
>     > ----------------------------------------------------------------------
>     > DISCUSS:
>     > ----------------------------------------------------------------------
>     >
>     > Thank you for the work put into this document.
>     >
>     > Please find below one blocking DISCUSS points (probably easy to address but
>     > really important), some non-blocking COMMENT points (but replies would be
>     > appreciated even if only for my own education).
>     >
>     > Thanks to Toerless for his deep and detailed IoT directorate review, I have
>     > seen as well that the authors are engaged in email discussions on this review:
>     > https://datatracker.ietf.org/doc/review-ietf-bmwg-ngfw-performance-13-iotdir-telechat-eckert-2022-01-30/
>     >
>     > Special thanks to Al Morton for the shepherd's write-up including the section
>     > about the WG consensus.
>     >
>     > I hope that this helps to improve the document,
>     >
>     > Regards,
>     >
>     > -éric
>     >
>     > # DISCUSS
>     >
>     > As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a
>     > DISCUSS ballot is a request to have a discussion on the following topics
>     >
>     > The document obsoletes RFC 3511, but it does not include any performance
>     > testing of IP fragmentation (which RFC 3511 did), which is AFAIK still a
>     > performance/evasion problem. What was the reason for this lack of IP
>     > fragmentation support ? At the bare minimum, there should be some text
>     > explaining why IP fragmentation can be ignored.
>     >
>     >
>     > ----------------------------------------------------------------------
>     > COMMENT:
>     > ----------------------------------------------------------------------
>     >
>     > One generic comment about the lack of testing with IPv6 extension headers as
>     > they usually reduce the performance (even for NGFW/NGIPS). There should be some
>     > words about this lack of testing.
>     >
>     > ## Section 4.1
>     >
>     > Please always use "ARP/ND" rather than "ARP".
>     >
>     > ## Section 4.2
>     >
>     > Any reason why "SSL" is used rather than "TLS" ?
>     >
>     > Suggest to replace "IP subnet" by "IP prefix".
>     >
>     > ## Section 4.3.1.2 (and other sections)
>     >
>     > "non routable Private IPv4 address ranges" unsure what it is ? RFC 1918
>     > addresses are routable albeit private, or is it about link-local IPv4 address ?
>     > 169.254.0.0/16 or 198.18.0.0/15 ?
>     >
>     > ## Section 4.3.1.3
>     >
>     > Suggest to add a date information (e.g., 2022) in the sentence "The above
>     > ciphers and keys were those commonly used enterprise grade encryption cipher
>     > suites for TLS 1.2".
>     >
>     > In "[RFC8446] defines the following cipher suites for use with TLS 1.3." is
>     > this about a SHOULD or a MUST ?
>     >
>     > ## Section 6.1
>     >
>     > In "Results SHOULD resemble a pyramid in how it is reported" I have no clue how
>     > a report could resemble a pyramid. Explanations/descriptions are welcome in the
>     > text.
>     >
>     > ## Section 7.8.4 (and other sections)
>     >
>     > In "This test procedure MAY be repeated multiple times with different IP types
>     > (IPv4 only, IPv6 only and IPv4 and IPv6 mixed traffic distribution)" should it
>     > be a "SHOULD" rather than a "MAY" ?
>     >
>     >
>     >
>     -- 
>     Carsten Rossenhövel
>     Managing Director, EANTC AG (European Advanced Networking Test Center)
>     Salzufer 14, 10587 Berlin, Germany
>     office +49.30.3180595-21, fax +49.30.3180595-10, mobile +49.177.2505721
>     cross@eantc.de, https://www.eantc.de
> 
>     Place of Business/Sitz der Gesellschaft: Berlin, Germany
>     Chairman/Vorsitzender des Aufsichtsrats: Herbert Almus
>     Managing Directors/Vorstand: Carsten Rossenhövel, Gabriele Schrenk
>     Registered: HRB 73694, Amtsgericht Charlottenburg, Berlin, Germany
>     EU VAT No: DE812824025
> 
> 

--
---
tte@cs.fau.de

v2.38.3 | Report a Bug | By Email | System Status