Re: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance
"MORTON JR., AL" <acmorton@att.com> Tue, 13 July 2021 15:02 UTC
Return-Path: <acmorton@att.com>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 186D53A1576 for <bmwg@ietfa.amsl.com>; Tue, 13 Jul 2021 08:02:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, WEIRD_QUOTING=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5baLsX7CHasZ for <bmwg@ietfa.amsl.com>; Tue, 13 Jul 2021 08:02:15 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B5133A156E for <bmwg@ietf.org>; Tue, 13 Jul 2021 08:02:15 -0700 (PDT)
Received: from pps.filterd (m0048589.ppops.net [127.0.0.1]) by m0048589.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 16DEsPGk038069; Tue, 13 Jul 2021 11:01:57 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0048589.ppops.net-00191d01. with ESMTP id 39rw0aeg6u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 13 Jul 2021 11:01:56 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 16DF1rhA010248; Tue, 13 Jul 2021 11:01:54 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [135.47.91.177]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 16DF1lYV010021 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 13 Jul 2021 11:01:47 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [127.0.0.1]) by zlp30486.vci.att.com (Service) with ESMTP id A55734005C1B; Tue, 13 Jul 2021 15:01:47 +0000 (GMT)
Received: from GAALPA1MSGEX1DA.ITServices.sbc.com (unknown [135.50.89.114]) by zlp30486.vci.att.com (Service) with ESMTP id 0FDB64005C1C; Tue, 13 Jul 2021 15:01:47 +0000 (GMT)
Received: from GAALPA1MSGED2DC.ITServices.sbc.com (135.50.89.140) by GAALPA1MSGEX1DA.ITServices.sbc.com (135.50.89.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10; Tue, 13 Jul 2021 11:01:46 -0400
Received: from GAALPA1MSGETA03.tmg.ad.att.com (144.160.249.125) by GAALPA1MSGED2DC.ITServices.sbc.com (135.50.89.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10 via Frontend Transport; Tue, 13 Jul 2021 11:01:46 -0400
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (104.47.55.107) by edgeal3.exch.att.com (144.160.249.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.10; Tue, 13 Jul 2021 11:01:09 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=N4O/8L6FXZrS9rL/4FuWiqMgUM8fd7pI3+L4EAaXuGLd29ypDTwwuK1GpJCf94NQlMO6qVBy10Fu7w1Sjeu0ujE7Sqr4yXWco6+DjP9fN2VXkAz8RF2eoAOGQ6T3cB+5B7i9ozGrazlj6kPMcXDIP1KvP4tfaCTbVPUFAD0kdMWN40gWwrsVHMeAfsiZC0wtRiyCepJL7u2z3iOzeDzejgXJnBQSpCDPe5pKRppv6c61Iih9NAlNhv2AmfrUG8J3jxhZSDRANmj5QVj4RX/TBR/Ei1+p2LSYouRhdu0cHvKV3fHsdyuOTdfAYUC+JXHq4PhbFLHbld35CFNFc8bpxg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XUvAbiRtmYBf/URrXsO8UIA7YcQF5xuz6bIYdEuVwuY=; b=QJWKcheR3QhQuTtwwFbKrms9LZ8ua0HAGg3V/CD4IhqyBsl603Gpi1wL/G+Nr15lB+t2MhUusooLBSg5YYrOEL9ULNhopWrjYfsgR8JpWuKMYskKMuLLgGAn3cD1QeBKJqVzEX0XX+87u9fUmXZxuWimCHwk/WbVZWgIeylCuLAyZz14x7JqBy9rhsizQ8pB//1e40/K0wJVPWiylAJD7CLIhAgsfohEmvbh5uc6Gjhh6cGdeeQVN3XNPknbgYlXffSBgjlnzbwxy1Obie51kUD3+7gKKkmr/3ffe8GO6ZbasNRYKRZej6o0X4WkgXWk8dP/byYQ1S89z3EhgulR0g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XUvAbiRtmYBf/URrXsO8UIA7YcQF5xuz6bIYdEuVwuY=; b=QGdg5VhZxFWhWY7HMrswPHb+TOfUt2CaGSr8BFALqjV1h3lsFUW31iLko0M+coAvxoxcj6ptO79Vhh64z6qpk/iaTRqHw7j0TG9140W2MEagyxapOzg7Bw35YF66Y9RsEwuTWqyVbkMrv7dPx+/Aui3h293zLpetmyVyWEoL2qk=
Received: from SJ0PR02MB7853.namprd02.prod.outlook.com (2603:10b6:a03:32e::8) by BY5PR02MB6817.namprd02.prod.outlook.com (2603:10b6:a03:20e::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4308.22; Tue, 13 Jul 2021 15:00:38 +0000
Received: from SJ0PR02MB7853.namprd02.prod.outlook.com ([fe80::40d9:d8df:7dfa:3180]) by SJ0PR02MB7853.namprd02.prod.outlook.com ([fe80::40d9:d8df:7dfa:3180%6]) with mapi id 15.20.4308.027; Tue, 13 Jul 2021 15:00:38 +0000
From: "MORTON JR., AL" <acmorton@att.com>
To: "bmonkman@netsecopen.org" <bmonkman@netsecopen.org>, 'Sarah Banks' <sbanks@encrypted.net>, "'MORTON, ALFRED C (AL)'" <acm@research.att.com>
CC: "bmwg@ietf.org" <bmwg@ietf.org>, "asamonte@fortinet.com" <asamonte@fortinet.com>, "amritam.putatunda@keysight.com" <amritam.putatunda@keysight.com>, 'Bala Balarajah' <bala@netsecopen.org>, 'Carsten Rossenhoevel' <cross@eantc.de>, 'Christopher Brown' <cbrown@iol.unh.edu>, "'Jack, Mike'" <Mike.Jack@spirent.com>, "'Ryan Liles (ryliles)'" <ryliles@cisco.com>, 'Timothy Carlin' <tjcarlin@iol.unh.edu>, 'Timothy Otto' <totto@juniper.net>
Thread-Topic: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance
Thread-Index: AQHXTbeaOGUmGWbtmESUQ0dgvoKXO6r2c6iAgBnsMwCAGZG0gIAWOoc4gAEjogCAAAQFUA==
Date: Tue, 13 Jul 2021 15:00:37 +0000
Message-ID: <SJ0PR02MB7853CAF5D40CBAFA6C3B4154D3149@SJ0PR02MB7853.namprd02.prod.outlook.com>
References: <413e779fd7eb4dd4b3aa8473c171e282@att.com> <f1a2b5c5-ebf2-12ab-b053-b9b2538342ad@hit.bme.hu> <047501d745bb$e22f4ab0$a68de010$@netsecopen.org> <7dc6b282-7f41-bf7c-f09c-65e7ce94b674@hit.bme.hu> <048801d745be$31424b50$93c6e1f0$@netsecopen.org> <84196d5ce7474f9196ab000be64c49fd@att.com> <02629ACE-FDA4-4ACF-9459-825521596B83@encrypted.net> <001201d75266$05979140$10c6b3c0$@netsecopen.org> <059e01d75f7d$a62a4de0$f27ee9a0$@netsecopen.org> <009b01d76c46$8063e5a0$812bb0e0$@netsecopen.org> <770F93CB-A8CC-4420-8C1B-CB7B7A2289FB@encrypted.net> <021f01d77356$7e19a2f0$7a4ce8d0$@netsecopen.org> <D1ED6898-D8C3-4C56-A3D3-221DD16B7300@encrypted.net> <004701d777f5$94844bf0$bd8ce3d0$@netsecopen.org>
In-Reply-To: <004701d777f5$94844bf0$bd8ce3d0$@netsecopen.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: netsecopen.org; dkim=none (message not signed) header.d=none;netsecopen.org; dmarc=none action=none header.from=att.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2b003ec1-99ff-488e-7291-08d9460ef9a3
x-ms-traffictypediagnostic: BY5PR02MB6817:
x-microsoft-antispam-prvs: <BY5PR02MB6817DD3C67948FA60609F8CDD3149@BY5PR02MB6817.namprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5YqYN5ojoig2BBvvwSkQOzohV9eAs8jiXgqiMNh8qtdIdNGk7DiGge8Z52XIBfRU+uanR6dHJspo3KL5i0JpgtxUIYOHplkYFcjL64GbrfSz1wAV4adx3VrIRm7d4klKfddv+HfrI1mmgEV+sZ7TzkSApadsvWzspPLOH50xGD0LAOl1W9Qgjoeatz0F+8nM9l5R43UCtGLUIJ0nESgDxoNV0mcRYk/6Ah/3Q76is3HqoizNokEBHzIxMprFM/WrpL1QHVO3s/C801HHxOAAYx5H/p7Y/CM0ZY95MdCTqTE8e8b2utOUjJEUMjPHfoHlwxqUdV2b80nOlLjCdLsC3soMjz3vCG7JoKwAlxgN/vThlki5xDh/Cgs/UCs4sBQeChfxI7esva8TsgR/f2LeJVud2GWPg7xchWdbGQBNCSLNPdScNUYB2zFtaQKJTKeQJohXYgZrMxULuAAt+SpuydU7AZ+OeeXRFqXtOt5RRROaH85mGwPBiNkYcfNysvBZTwsecIWPQNOyyf1UkCztI4u1nHsckLztnF8XdTMK2cFVrD/UgkDITa2oBGcL1BKjkJ5rx6jq+CvwAqloHE+kt8vSNCP8cMeMbUy9DVwzMJJGDbOFMg99RJ5iMxa0pj814Lio2wz26TTbmEoKpIzl4Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR02MB7853.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(366004)(39860400002)(396003)(376002)(346002)(8676002)(6506007)(4326008)(316002)(71200400001)(7416002)(110136005)(54906003)(86362001)(9686003)(8936002)(478600001)(53546011)(83380400001)(186003)(55016002)(82202003)(64756008)(33656002)(26005)(5660300002)(66556008)(7696005)(38100700002)(52536014)(76116006)(122000001)(66476007)(66946007)(2906002)(30864003)(66574015)(66446008)(579004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: YxCM5nvCBYsrU29N/G/K+xDdF0+IzyJujCnhShelI9amrcXvG4VGUQ3BfNYQJSeL5xhE2Bl5BRCcPY+Nj/ea0eq4tMuuqOiJm1KlmGlZFHVBsS8Pb420gmU39dLbl+J4KnDsPnKid/tOFwLVvoGCqECXff2ZUOp4KSZ1AC5A2Q5ObL1VNoc4bW++mgZfEVEk/f01PT9zD6O0rDRd2S5Tt1ELmn31S2EIzTiyxfn04xEgSb78e4UAJJFxcPim7v5Sm1SATNiTOcDjLsRVoZUIT4IO1hLd96rmdo9sVtSzJPqw/ukT4S9tyAC/G2GV3u1qfzw5kkwgn/AUGTsFWgh3LCJxgdehQVkSKHfrrY0DUQ7OSSCswtDA7xIBEcQrAXPKYf3Nxfho9LoeoZ6KHOgZF9aK15ivASSzR6iWJHzgJLJtf1UxAwjZ29SNXjmyt0KdJFijJ8XQ7PtH/YhFGsNTJwddd4qHyEZv62Cg0Y4utbEhbd1xjJUW5zXM2wcNKACdRY0FnKkVVRgVLSB4ApnX4NOvEu2dOvqT7M+bltRwkREQyQIYSGQWMyxLckNUyq4TdVHJ1Lsaqs3prfKM8R8SPpm3UishdDdxjCNJ3dOO80DIwlcvBVO3x1gZ534TXbXznM3aZfMWFNEZJ1cXmSkVDxjQxT+c36sWH+yNo+EUXsTA5RvIzfaXpsjXtvbp8AiAj8ZG9mNZprHD78YcoHfYtzxZhIWbaLyMcyLrZoYMyy5M2i8YazioULHWnIeWEEY/IYiVa2D4hNbGozxjB9q1VvSTHLukH/i4I2rRkb7Abw1Bwjts6UrKzgQwecQCyj9KCKADayZcdgRtEMg3H1Q7c5uk8Ifg6+NqgCO9sL7mJp20w+dxtPtXgbIl9tY+WcEEAZFNHNTCOiGHCKVSIiafyS/ccTtUVgdUC226V+wtKE7uvtk4rd7+r4tQSn6+681DfhWKLSpDcJpfEwwGnX8TC/pIa46/f25NT7ImMNx3Hdh2PHFWF9cHMZaGBIWXUV1tXvhmJwDlmumuxtbphlkFlqGH6ojEt7Zk4vqi4GH+XD5W6++D2Ms443kIpNtB8OiFErN27DcCrUo8nDljrOD2S9ww7tyRd2guNaqQqw09fYcHkGEd5/SsLB5MqzCDVXUEBB6oyNWDy6VLO2UH5Wjourb8DxSGInxPk7kXbiAXe/gft0G8EH8bVHcIcPIbwMT9SvlELP85X4RB0DUdxK+F5d1neNdJxXntkg+Liy4LtuiT+aWUK6cs9dCT0MoSdu6JjS+Jjg5DucEkTRUXZ65vEVqY1ktoSPga8Vj5xI2F+ij7RhyvCRx4NRa1Kf33fW2y
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR02MB7853.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2b003ec1-99ff-488e-7291-08d9460ef9a3
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2021 15:00:38.0006 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qcLKAwqmJTV4eDybSwtB9/CNw/aH38LTNwIfPadUFhpkoq9APT1Mgq0tO/5m2b/n
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR02MB6817
X-OriginatorOrg: att.com
X-TM-SNTS-SMTP: 8148BED1547F1716ED115B82C8D0963907CD0DD068180190C455B39F2B2869FD2
X-Proofpoint-GUID: 9aNMzOwNTf_kZ3ew_qvv6KwrMxsZjV8_
X-Proofpoint-ORIG-GUID: 9aNMzOwNTf_kZ3ew_qvv6KwrMxsZjV8_
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-13_07:2021-07-13, 2021-07-13 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 suspectscore=0 adultscore=0 priorityscore=1501 malwarescore=0 lowpriorityscore=0 bulkscore=0 clxscore=1011 impostorscore=0 phishscore=0 mlxlogscore=999 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107130095
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/YMmUxSRwYOekZKkriBuoSaMag_Q>
X-Mailman-Approved-At: Tue, 13 Jul 2021 08:06:59 -0700
Subject: Re: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 15:02:21 -0000
Hi Brian, Our next opportunity to discuss this draft and comment resolution is during the BMWG session at IETF-111. Let's try to make that work for everyone. thanks! Al > -----Original Message----- > From: bmonkman@netsecopen.org <bmonkman@netsecopen.org> > Sent: Tuesday, July 13, 2021 10:44 AM > To: 'Sarah Banks' <sbanks@encrypted.net>; 'MORTON, ALFRED C (AL)' > <acm@research.att.com> > Cc: bmwg@ietf.org; asamonte@fortinet.com; amritam.putatunda@keysight.com; > 'Bala Balarajah' <bala@netsecopen.org>; 'Carsten Rossenhoevel' > <cross@eantc.de>; 'Christopher Brown' <cbrown@iol.unh.edu>; 'Jack, Mike' > <Mike.Jack@spirent.com>; 'Ryan Liles (ryliles)' <ryliles@cisco.com>; 'Timothy > Carlin' <tjcarlin@iol.unh.edu>; 'Timothy Otto' <totto@juniper.net> > Subject: RE: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance > > Looping in the others on my original post. > > Thanks Sarah, > > Good to see the issues are being whittled down. Of the remaining five or six > issues I doubt we will have a response prior to IETF 111. > > Al, > > Could we schedule an interim meetup/call for some time early August? > > Brian > > > -----Original Message----- > From: Sarah Banks <sbanks@encrypted.net> > Sent: Monday, July 12, 2021 5:20 PM > To: bmonkman@netsecopen.org > Cc: bmwg@ietf.org > Subject: Re: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance > > Hi Brian et al, > First, my apologies for the delay, and I very much appreciate your > patience. I also appreciate the time and effort that went into the reply to > my comments, which can be even more difficult to do as a large group :) > Please see inline. > > Thank you, > Sarah (as a participant) > > >> > >> Hi Sarah, > >> > >> As I mentioned in the previous message, we will remove reference to > >> IDS from the draft. Given that, none of the IDS related > >> comments/questions are being addressed. > > SB// Makes sense, thank you. > > >> - The draft aims to replace RFC3511, but expands scope past > >> Firewalls, to "next generation security devices". I'm not finding a > >> definition of what a "next generation security device is", nor an > >> exhaustive list of the devices covered in this draft. A list that > >> includes is nice, but IMO not enough to cover what would be > >> benchmarked here - I'd prefer to see a definition and an exhaustive list. > >> > >> [bpm] "We avoid limiting the draft by explicitly adding a list of NG > >> security devices currently available in the market only. In the > >> future, there may be more and more new types of NG security devices > >> that will appear on the market. > > SB// I think there are 2 types of devices called out; I'm not seeing a > definition of what a "NG security device" is, and I'm not comfortable with a > draft that has a blanket to encompass what would come later. Who knows what > new characteristics would arrive with that new device? I think the scope > here is best suited for the devices we know about today and can point to and > say we're applying knowledgeable benchmarking tests against. > > >> > >> [bpm] This draft includes a list of security features that the > >> security device can have ( RFC 3511 doesn't have such a list). Also, > >> we will describe in the draft that the security devices must be > configured ""in-line"" mode. > >> We believe these two points qualifying the definition of next > >> generation security. > >> > > SB// I strongly disagree. Well, I mean OK, for active inline devices maybe > this is OK, but to say that the only way a device can be "NG" is to be > active/inline, I disagree with. And if there is, have we gathered all of the > items we'd want to actively test for in that case? For example, what about > their abilities to handle traffic when a failure occurs? (fail open/closed). > What about alerts and detections and the whole federation of tests around > positives/false positives/false negatives, etc? I'm onboard with expanding > the scope, but then we have to do the devices benchmarking justice, and I > feel we're missing a lot here. > > >> - What is a NGIPS or NGIDS? If there are standardized definitions > >> pointing to them is fine, otherwise, there's a lot of wiggle room here. > >> > >> [bpm] See above. We are removing NGIDS from the draft. > > SB// Understood, thank you. > > >> > >> - I still have the concern I shared at the last IETF meeting, where > >> here, we're putting active inline security devices in the same > >> category as passive devices. On one hand, I'm not sure I'd lump these > >> three together in the first place; on the other, active inline > >> devices typically include additional functions to allow > >> administrators to control what happens to packets in the case of > >> failure, and I don't see those test cases included here. > >> > >> [bpm] This draft focuses on ""in-line"" mode security devices only. > >> We will describe this in section 4 in more detail. > > SB// Understood, thank you. > > >> > >> [bpm] Additionally, the draft focuses mainly on performance tests. > >> The DUT must be configured in ""fail close"" mode. We will describe > >> this under section 4. Any failure scenarios like ""fail open"" mode is > out of scope. > > SB// OK, but I think an RFC that is going to encompass this device under the > "NG security devices" classification is missing out on large portions of > what customers will want to test. It'll also beg for another draft to cover > them, and then I'm not sure we're serving the industry as well as we could. > > >> > >> - Section 4.1 - it reads as if ANY device in the test setup cannot > >> contribute to network latency or throughput issues, including the > >> DUTs > >> - is that what you intended? > >> > >> [bpm] "Our intention is, if the external devices (routers and > >> switches) are used in the test bed, they should not negatively impact > DUT/SUT performance. > >> To address this, we added a section ( section 5 ""Test Bed > >> Considerations"") which recommends a pre-test. We can rename this as > >> reference test or baseline test. " > >> > > SB// Thank you for the clarification. I think there's still a concern there. > Who defines what "negative impact" is? You're traversing at least another L2 > or L3 step in the network with each bump, which contributes some amount of > latency. If they don't serve in control plane decisions and are passively > passing data on, then we could consider removing them from the setup and > removing the potential skew on results. > > > >> - Option 1: It'd be nice to see a specific, clean, recommended test bed. > >> There are options for multiple emulated routers. As a tester, I > >> expect to see a specific, proscribed test bed that I should configure > >> and test against. > >> > >> [bpm] The draft describes that Option 1 is the recommended test setup. > >> However. We added emulated routers as optional in option 1. The > >> reason for > >> that: > >> Some type of security devices for some deployment scenarios requires > >> routers between test client/server and the DUT (e.g., NGFW) and some > >> DUT/SUT doesn't need router (e.g. NGIPS ) > >> > >> - Follow on: I'm curious as to the choice of emulated routers here. > >> The previous test suggests you avoid routers and switches in the > >> topo, but then there are emulated ones here. I'm curious as to what > >> advantages you think these bring over the real deal, and why they > >> aren't subject to the same limitations previously described? > >> > >> [bpm] Comparing real router, the emulated router gives more > >> advantages for > >> L7 testing. > >> > >> [bpm] - Emulated router doesn't add latency. Even if it adds delay > >> due to the routing process, the test equipment can report the added > >> latency, or it can consider this for the latency measurement. > >> > >> [bpm] - Emulated routers simply do routing function only. But in a "real" > >> router, we are not sure what else the router is doing with the packets. > > SB// Maybe I'm missing something here - a device can't perform a function > for free, right? Even if it's impact is negligible, it's an impact of some > sort. We're saying the emulated router is doing the routing - OK - but I > think the same thing applies to the physical router - how do you know what > else the emulated router is doing? if the test gear can call out the > latency, I'd like to see clarification around how it's doing that and > distinguishing the latency introduced by Device A, versus Device B, versus > the DUT, etc. > > > >> > >> [bpm] Your question regarding the need for routers: > >> > >> [bpm] - We avoid impacting the DUT/SUT performance due to ARP or ND > >> process > >> > >> [bpm] - Represent realistic scenario (In the production environment > >> the security devices will not be directly connected with the > >> clients.) > >> > >> [bpm] - Routing (L3 mode) is commonly used in the NG security devices. > >> > >> [bpm] However, in both figures we mentioned that router including > >> emulated router is optional. If there is no need have routing > >> functionality on the test bed (e.g., if we used very small number of > >> clients and server IPs or the DUT operates in Layer 2 mode), it can be > ignored. > >> > >> [bpm] Also, we described in Option 1, that the external devices are > >> if there is need to aggregate the interfaces of the tester or DUT. > >> For an example, DUT has 2 Interfaces, but tester need to use it's 4 > >> interfaces to achieve the performance. So here we need switch/router > >> to aggregate tester interface from 4 to 2. > >> > >> - In section 4.1 the text calls out Option 1 as the preferred test > >> bed, which includes L3 routing, but it's not clear why that's needed? > >> > >> [bpm] See above. > >> > >> - The difference between Option 1 and Option 2 is the inclusion of > >> additional physical gear in Option 2 - it's not clear why that's > >> needed, or why the tester can't simply directly connect the test > >> equipment to the DUT and remove extraneous devices from potential > influence on results? > >> > >> [bpm] See above. > >> > >> - Section 4.2, the table for NGFW features - I'm not sure what the > >> difference is between RECOMMENDED and OPTIONAL? (I realize that you > >> might be saying that RECOMMENDED is the "must have enabled" features, > >> where as optional is at your discretion, but would suggest that you > >> make that clear) > >> > >> [bpm] The definition for OPTIONAL and RECOMMENDED is described in, > >> and recommended, RFC2119. We already referenced this under the > >> section > >> 2 "Requirements". > >> > > SB// Thanks! > > >> - Proscribing a list of features that have to be enabled for the > >> test, or at least more than 1, feels like a strange choice here - I'd > >> have expected tests cases that either test the specific features one > >> at a time, or suggest several combinations, but that ultimately, we'd > >> tell the tester to document WHICH features were enabled, to make the > >> test cases repeatable? This allows the tester to apply a same set of > >> apples to apples configurations to different vendor gear, and omit > >> the 1 feature that doesn't exist on a different NGFW (for example), but > hold a baseline that could be tested. > >> > >> - Table 2: With the assumption that NGIPS/IDS are required to have > >> the features under "recommended", I disagree with this list. For > >> example, some customers break and inspect at the tap/agg layer of the > >> network - in this case, the feed into the NGIDS might be decrypted, > >> and there's no need to enable SSL inspection, for example. > >> > >> [bpm] IDS is being removed. > > SB// OK...I'm not sure this addresses the feedback though :) A NGFW for sure > will do break/inspect as well, right? > > >> > >> - Table 3: I disagree that an NGIDS IS REQUIRED to decrypt SSL. This > >> behaviour might be suitable for an NGIPS, but the NGIDS is not a bump > >> on the wire, and often isn't decrypting and re-encrypting the traffic. > >> > >> [bpm] IDS is being removed. > > SB// See comment above. > > >> > >> - Table 3: An NGIDS IMO is still a passive device - it wouldn't be > >> blocking anything, but agree that it might tell you that it happened > after the fact. > >> > >> [bpm] IDS is being removed. > SB// Thanks! > > >> > >> - Table 3: Anti-evasion definition - define "mitigates". > >> > >> [bpm] Not sure why you are asking this as mitigate is not an uncommon > >> term/word. > >> > >> - Table 3: Web-filtering - not a function of an NGIDS. > >> > >> [bpm] IDS is being removed. > >> > >> - Table 3: DLP: Not applicable for an NGIDS. > >> > >> [bpm] IDS is being removed. > >> > >> - Can you expand on "disposition of all flows of traffic are logged" > >> - what's meant here specifically, and why do they have to be logged? > >> (Logging, particularly under high loads, will impact it's own > >> performance marks, and colours output) > >> > >> [bpm] We intentionally recommended enabling logging which will impact > >> the performance. The draft is not aiming to get high performance > >> number with minimal DUT/SUT configuration. In contrast, it aims to > >> get reasonable performance number with realistic DUT configuration. > >> The realistic configuration can vary based on DUT/SUT deployment > scenario. > >> > >> [bpm] In most of the DUT/SUT deployment scenarios or customer > >> environments, logging is enabled as default configuration. > >> > >> [bpm] "Disposition of all flows of traffic are logged": means that > >> the DUT/SUT need to log all the traffic at the flow level not each > packet. > >> > >> [bpm] We will add more clarification for the meaning of "disposition > >> of all flows of traffic are logged". > >> > > SB// Thanks! > > >> - ACLs wouldn't apply to an IDS because IDS's aren't blocking traffic > >> :) > >> > >> [bpm] IDS is being removed. > >> > >> - It might be helpful to testers to say something like "look, here's > >> one suggested set of ACLs. If you're using them, great, reference > >> that, but otherwise, make note of the ACLs you use, and use the same > >> ones for repeatable testing". > >> > >> [bpm] The draft gives guidance how to choose the ACL rules. We > >> describe here a methodology to create ACL. > >> > >> - 4.3.1.1 The doc proscribes specific MSS values for v4/v6 with no > >> discussion around why they're chosen - that color could be useful to > >> the reader. > >> > >> [bpm] We will add some more clarification that these are the default > >> number used in most of the client operating systems currently. > >> > > SB// Thanks! > > >> - 4.3.1.1 - there's a period on the 3rd to last line "(SYN/ACL, ACK). > and" > >> that should be changed. > >> > >> [bpm] Thank you. > >> > >> - 4.3.1.1 - As a tester with long time experience with major test > >> equipment manufacturers, I can't possibly begin to guess which ones > >> of them would conform to this - or even if they'd answer these questions. > >> How helpful is this section to the non test houses? I suggest > >> expansion here, ideally with either covering the scope of what you > >> expect to cover, or hopefully which (open source/generally available) > >> test tools or emulators could be considered for use as examples. > >> > >> [bpm] We extensively discussed with Ixia and Spirent about this section. > >> This section was developed with significant input from these test > >> tools vendors in addition to others. > > SB// OK, that's really good to know, but there are plenty of us working with > and looking for more cost effective options to Ixia and Spirent. :) I think > the expansion would be good here. > > >> > >> - 4.3.1.3 - Do the emulated web browser attributes really apply to > >> testing the NGIPS? > >> > >> [bpm] Yes, we performed many PoC tests with test tools. Ixia and > >> Spirent confirmed this. > >> > >> - 4.3.2.3 - Do you expect to also leverage TLS 1.3 as a configuration > >> option here? > >> > >> [bpm] Yes > >> > >> - 4.3.4 - I'm surprised to see the requirement that all sessions > >> establish a distinct phase before moving on to the next. You might > >> clarify why this is a requirement, and why staggering them is > specifically rejected? > >> > >> [bpm] This draft doesn't describe that all sessions establish a > >> distinct phase before moving on to the next. We will remove the word > >> "distinct" from the 1st paragraph in section 4.3.4. > > SB// Thanks! > > >> > >> [bpm] Unlike Layer 2/3 testing, Layer 7 testing requires several > >> phases in the traffic load profile. The traffic load profile > >> described in the draft is the common profile mostly used for Layer 7 > testing. > >> > >> - 5.1 - I like the sentence, but it leaves a world of possibilities > >> open as to how one confirmed that the ancillary switching, or routing > >> functions didn't limit the performance, particularly the virtualized > components? > >> > >> [bpm] The sentence says, "Ensure that any ancillary switching or > >> routing functions between the system under test and the test > >> equipment do not limit the performance of the traffic generator." > >> > >> [bpm] Here we discuss the traffic generator performance, and this can > >> be confirmed by doing reference test. > >> > >> [bpm] The section 5 recommends reference test to ensure that the > >> maximum desired traffic generator's performance. Based on the > >> reference test results it can be identified, if the external device > >> added any impact on traffic generator's performance. > >> > >> [bpm] We will add more content in section 5 to provide more details > >> about reference test. > >> > > SB// Thanks! > > >> - 5.3 - this is a nice assertion but again, how do I reasonably make > >> the assertion? > >> > >> [bpm] We will change the word from "Assertion" to "Ensure". Also, we > >> will add more clarity about reference testing. > > > SB// Thanks! > > >> > >> - 6.1 - I would suggest that the test report include the > >> configuration of ancillary devices on both client/server side as well > >> > >> [bpm] We believe that adding configuration of the ancillary devices > >> doesn't add more value in the report. Instead of this, we will > >> recommend documenting the configuration of the ancillary devices by > >> doing reference test. We will add this under the section 5 "Test bed > consideration". > >> > > SB// I think including them assists greatly in the repeatability of the > testing, for what it's worth. > > >> - 6.3 - Nothing on drops anywhere? > >> > >> [bpm] Are you referring to packet drops? If you are, there is no > >> packet loss in stateful traffic. Instead of packet loss, the stateful > >> traffic has retransmissions. > >> > >> - 7.1.3.2 - Where are these numbers coming from? How are you > >> determining the "initial inspected throughput"? Maybe I missed that > >> in the document overall, but it's not clear to me where these KPIs > >> are collected? I suggest this be called out. > >> > >> [bpm] We will add more clarification in the next version. Thank you. > > SB// Thanks! > > >> > >> - 7.1.3.3 - what is a "relevant application traffic mix" profile? > >> > >> [bpm] This is described in section7.1.1 (2nd paragraph). We will add > >> the word "relevant" in the 1st sentence of the 2nd pragraph.so the > >> sentence will be "Based on customer use case, users can choose the > >> relevant application traffic mix for this test. The details about > >> the traffic mix MUST be documented in the report. At least the > >> following traffic mix details MUST be documented and reported together > with the test results: > > SB// A set of example(s) could be helpful. Not required, just helpful. > > >> > >> - 7.1.3.4 - where does this monitoring occur? > >> > >> [bpm] The monitoring or measurement must occur in the test equipment. > >> Section 4.3.4 describes this. > >> > >> - 7.1.3.4 - This looks a bit like conformance testing - Why does > >> item > >> (b) require a specific number/threshold? > >> > >> [bpm] These numbers are synonymous with the zero-packet loss criteria > >> for [RFC2544] Throughput and recognize the additional complexity of > >> application layer performance. This was agreed by the IETF BMWG. > >> > >> - 9: Why is the cipher squite recommendation for a real deployment > >> outside the scope of this document? > >> > >> [bpm] Because new cipher suites are frequently developed. Given that > >> the draft will not be easily updated once it is accepted as an RFC we > >> wanted to ensure there was flexibility to use future developed cipher > suites. > >> > >> Brian Monkman on behalf of.... > >> > >> Alex Samonte (Fortinet), Amritam Putatunda (Ixia/Keysight), Bala > >> Balarajah (NetSecOPEN), Carsten Rossenhoevel (EANTC), Chris Brown > >> (UNH-IOL), Mike Jack (Spirent), Ryan Liles (Cisco), Tim Carlin > >> (UNH-IOL), Tim Otto (Juniper) > >> >
- [bmwg] FW: WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… Gabor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… Gabor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… MORTON JR., AL
- [bmwg] Second part -- Re: FW: WGLC on New version… Gabor LENCSE
- Re: [bmwg] Second part -- Re: FW: WGLC on New ver… bmonkman
- [bmwg] Sequential vs. random -- Re: FW: WGLC on N… Gábor LENCSE
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… MORTON JR., AL
- Re: [bmwg] FW: WGLC on New version of draft-ietf-… bmonkman
- Re: [bmwg] Sequential vs. random -- Re: FW: WGLC … bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Sarah Banks
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… MORTON JR., AL
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… bmonkman
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Gábor LENCSE
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Carsten Rossenhoevel
- Re: [bmwg] WGLC on New version of draft-ietf-bmwg… Gábor LENCSE