IETF Logo Mail Archive

Re: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance

"MORTON JR., AL" <acmorton@att.com> Tue, 13 July 2021 15:02 UTC

Return-Path: <acmorton@att.com>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 186D53A1576 for <bmwg@ietfa.amsl.com>; Tue, 13 Jul 2021 08:02:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, WEIRD_QUOTING=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=att.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5baLsX7CHasZ for <bmwg@ietfa.amsl.com>; Tue, 13 Jul 2021 08:02:15 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B5133A156E for <bmwg@ietf.org>; Tue, 13 Jul 2021 08:02:15 -0700 (PDT)
Received: from pps.filterd (m0048589.ppops.net [127.0.0.1]) by m0048589.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 16DEsPGk038069; Tue, 13 Jul 2021 11:01:57 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0048589.ppops.net-00191d01. with ESMTP id 39rw0aeg6u-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 13 Jul 2021 11:01:56 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 16DF1rhA010248; Tue, 13 Jul 2021 11:01:54 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [135.47.91.177]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id 16DF1lYV010021 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 13 Jul 2021 11:01:47 -0400
Received: from zlp30486.vci.att.com (zlp30486.vci.att.com [127.0.0.1]) by zlp30486.vci.att.com (Service) with ESMTP id A55734005C1B; Tue, 13 Jul 2021 15:01:47 +0000 (GMT)
Received: from GAALPA1MSGEX1DA.ITServices.sbc.com (unknown [135.50.89.114]) by zlp30486.vci.att.com (Service) with ESMTP id 0FDB64005C1C; Tue, 13 Jul 2021 15:01:47 +0000 (GMT)
Received: from GAALPA1MSGED2DC.ITServices.sbc.com (135.50.89.140) by GAALPA1MSGEX1DA.ITServices.sbc.com (135.50.89.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10; Tue, 13 Jul 2021 11:01:46 -0400
Received: from GAALPA1MSGETA03.tmg.ad.att.com (144.160.249.125) by GAALPA1MSGED2DC.ITServices.sbc.com (135.50.89.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.10 via Frontend Transport; Tue, 13 Jul 2021 11:01:46 -0400
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (104.47.55.107) by edgeal3.exch.att.com (144.160.249.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2242.10; Tue, 13 Jul 2021 11:01:09 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=N4O/8L6FXZrS9rL/4FuWiqMgUM8fd7pI3+L4EAaXuGLd29ypDTwwuK1GpJCf94NQlMO6qVBy10Fu7w1Sjeu0ujE7Sqr4yXWco6+DjP9fN2VXkAz8RF2eoAOGQ6T3cB+5B7i9ozGrazlj6kPMcXDIP1KvP4tfaCTbVPUFAD0kdMWN40gWwrsVHMeAfsiZC0wtRiyCepJL7u2z3iOzeDzejgXJnBQSpCDPe5pKRppv6c61Iih9NAlNhv2AmfrUG8J3jxhZSDRANmj5QVj4RX/TBR/Ei1+p2LSYouRhdu0cHvKV3fHsdyuOTdfAYUC+JXHq4PhbFLHbld35CFNFc8bpxg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XUvAbiRtmYBf/URrXsO8UIA7YcQF5xuz6bIYdEuVwuY=; b=QJWKcheR3QhQuTtwwFbKrms9LZ8ua0HAGg3V/CD4IhqyBsl603Gpi1wL/G+Nr15lB+t2MhUusooLBSg5YYrOEL9ULNhopWrjYfsgR8JpWuKMYskKMuLLgGAn3cD1QeBKJqVzEX0XX+87u9fUmXZxuWimCHwk/WbVZWgIeylCuLAyZz14x7JqBy9rhsizQ8pB//1e40/K0wJVPWiylAJD7CLIhAgsfohEmvbh5uc6Gjhh6cGdeeQVN3XNPknbgYlXffSBgjlnzbwxy1Obie51kUD3+7gKKkmr/3ffe8GO6ZbasNRYKRZej6o0X4WkgXWk8dP/byYQ1S89z3EhgulR0g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=att.com; dmarc=pass action=none header.from=att.com; dkim=pass header.d=att.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=att.onmicrosoft.com; s=selector2-att-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XUvAbiRtmYBf/URrXsO8UIA7YcQF5xuz6bIYdEuVwuY=; b=QGdg5VhZxFWhWY7HMrswPHb+TOfUt2CaGSr8BFALqjV1h3lsFUW31iLko0M+coAvxoxcj6ptO79Vhh64z6qpk/iaTRqHw7j0TG9140W2MEagyxapOzg7Bw35YF66Y9RsEwuTWqyVbkMrv7dPx+/Aui3h293zLpetmyVyWEoL2qk=
Received: from SJ0PR02MB7853.namprd02.prod.outlook.com (2603:10b6:a03:32e::8) by BY5PR02MB6817.namprd02.prod.outlook.com (2603:10b6:a03:20e::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4308.22; Tue, 13 Jul 2021 15:00:38 +0000
Received: from SJ0PR02MB7853.namprd02.prod.outlook.com ([fe80::40d9:d8df:7dfa:3180]) by SJ0PR02MB7853.namprd02.prod.outlook.com ([fe80::40d9:d8df:7dfa:3180%6]) with mapi id 15.20.4308.027; Tue, 13 Jul 2021 15:00:38 +0000
From: "MORTON JR., AL" <acmorton@att.com>
To: "bmonkman@netsecopen.org" <bmonkman@netsecopen.org>, 'Sarah Banks' <sbanks@encrypted.net>, "'MORTON, ALFRED C (AL)'" <acm@research.att.com>
CC: "bmwg@ietf.org" <bmwg@ietf.org>, "asamonte@fortinet.com" <asamonte@fortinet.com>, "amritam.putatunda@keysight.com" <amritam.putatunda@keysight.com>, 'Bala Balarajah' <bala@netsecopen.org>, 'Carsten Rossenhoevel' <cross@eantc.de>, 'Christopher Brown' <cbrown@iol.unh.edu>, "'Jack, Mike'" <Mike.Jack@spirent.com>, "'Ryan Liles (ryliles)'" <ryliles@cisco.com>, 'Timothy Carlin' <tjcarlin@iol.unh.edu>, 'Timothy Otto' <totto@juniper.net>
Thread-Topic: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance
Thread-Index: AQHXTbeaOGUmGWbtmESUQ0dgvoKXO6r2c6iAgBnsMwCAGZG0gIAWOoc4gAEjogCAAAQFUA==
Date: Tue, 13 Jul 2021 15:00:37 +0000
Message-ID: <SJ0PR02MB7853CAF5D40CBAFA6C3B4154D3149@SJ0PR02MB7853.namprd02.prod.outlook.com>
References: <413e779fd7eb4dd4b3aa8473c171e282@att.com> <f1a2b5c5-ebf2-12ab-b053-b9b2538342ad@hit.bme.hu> <047501d745bb$e22f4ab0$a68de010$@netsecopen.org> <7dc6b282-7f41-bf7c-f09c-65e7ce94b674@hit.bme.hu> <048801d745be$31424b50$93c6e1f0$@netsecopen.org> <84196d5ce7474f9196ab000be64c49fd@att.com> <02629ACE-FDA4-4ACF-9459-825521596B83@encrypted.net> <001201d75266$05979140$10c6b3c0$@netsecopen.org> <059e01d75f7d$a62a4de0$f27ee9a0$@netsecopen.org> <009b01d76c46$8063e5a0$812bb0e0$@netsecopen.org> <770F93CB-A8CC-4420-8C1B-CB7B7A2289FB@encrypted.net> <021f01d77356$7e19a2f0$7a4ce8d0$@netsecopen.org> <D1ED6898-D8C3-4C56-A3D3-221DD16B7300@encrypted.net> <004701d777f5$94844bf0$bd8ce3d0$@netsecopen.org>
In-Reply-To: <004701d777f5$94844bf0$bd8ce3d0$@netsecopen.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: netsecopen.org; dkim=none (message not signed) header.d=none;netsecopen.org; dmarc=none action=none header.from=att.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2b003ec1-99ff-488e-7291-08d9460ef9a3
x-ms-traffictypediagnostic: BY5PR02MB6817:
x-microsoft-antispam-prvs: <BY5PR02MB6817DD3C67948FA60609F8CDD3149@BY5PR02MB6817.namprd02.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5YqYN5ojoig2BBvvwSkQOzohV9eAs8jiXgqiMNh8qtdIdNGk7DiGge8Z52XIBfRU+uanR6dHJspo3KL5i0JpgtxUIYOHplkYFcjL64GbrfSz1wAV4adx3VrIRm7d4klKfddv+HfrI1mmgEV+sZ7TzkSApadsvWzspPLOH50xGD0LAOl1W9Qgjoeatz0F+8nM9l5R43UCtGLUIJ0nESgDxoNV0mcRYk/6Ah/3Q76is3HqoizNokEBHzIxMprFM/WrpL1QHVO3s/C801HHxOAAYx5H/p7Y/CM0ZY95MdCTqTE8e8b2utOUjJEUMjPHfoHlwxqUdV2b80nOlLjCdLsC3soMjz3vCG7JoKwAlxgN/vThlki5xDh/Cgs/UCs4sBQeChfxI7esva8TsgR/f2LeJVud2GWPg7xchWdbGQBNCSLNPdScNUYB2zFtaQKJTKeQJohXYgZrMxULuAAt+SpuydU7AZ+OeeXRFqXtOt5RRROaH85mGwPBiNkYcfNysvBZTwsecIWPQNOyyf1UkCztI4u1nHsckLztnF8XdTMK2cFVrD/UgkDITa2oBGcL1BKjkJ5rx6jq+CvwAqloHE+kt8vSNCP8cMeMbUy9DVwzMJJGDbOFMg99RJ5iMxa0pj814Lio2wz26TTbmEoKpIzl4Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SJ0PR02MB7853.namprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(366004)(39860400002)(396003)(376002)(346002)(8676002)(6506007)(4326008)(316002)(71200400001)(7416002)(110136005)(54906003)(86362001)(9686003)(8936002)(478600001)(53546011)(83380400001)(186003)(55016002)(82202003)(64756008)(33656002)(26005)(5660300002)(66556008)(7696005)(38100700002)(52536014)(76116006)(122000001)(66476007)(66946007)(2906002)(30864003)(66574015)(66446008)(579004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: YxCM5nvCBYsrU29N/G/K+xDdF0+IzyJujCnhShelI9amrcXvG4VGUQ3BfNYQJSeL5xhE2Bl5BRCcPY+Nj/ea0eq4tMuuqOiJm1KlmGlZFHVBsS8Pb420gmU39dLbl+J4KnDsPnKid/tOFwLVvoGCqECXff2ZUOp4KSZ1AC5A2Q5ObL1VNoc4bW++mgZfEVEk/f01PT9zD6O0rDRd2S5Tt1ELmn31S2EIzTiyxfn04xEgSb78e4UAJJFxcPim7v5Sm1SATNiTOcDjLsRVoZUIT4IO1hLd96rmdo9sVtSzJPqw/ukT4S9tyAC/G2GV3u1qfzw5kkwgn/AUGTsFWgh3LCJxgdehQVkSKHfrrY0DUQ7OSSCswtDA7xIBEcQrAXPKYf3Nxfho9LoeoZ6KHOgZF9aK15ivASSzR6iWJHzgJLJtf1UxAwjZ29SNXjmyt0KdJFijJ8XQ7PtH/YhFGsNTJwddd4qHyEZv62Cg0Y4utbEhbd1xjJUW5zXM2wcNKACdRY0FnKkVVRgVLSB4ApnX4NOvEu2dOvqT7M+bltRwkREQyQIYSGQWMyxLckNUyq4TdVHJ1Lsaqs3prfKM8R8SPpm3UishdDdxjCNJ3dOO80DIwlcvBVO3x1gZ534TXbXznM3aZfMWFNEZJ1cXmSkVDxjQxT+c36sWH+yNo+EUXsTA5RvIzfaXpsjXtvbp8AiAj8ZG9mNZprHD78YcoHfYtzxZhIWbaLyMcyLrZoYMyy5M2i8YazioULHWnIeWEEY/IYiVa2D4hNbGozxjB9q1VvSTHLukH/i4I2rRkb7Abw1Bwjts6UrKzgQwecQCyj9KCKADayZcdgRtEMg3H1Q7c5uk8Ifg6+NqgCO9sL7mJp20w+dxtPtXgbIl9tY+WcEEAZFNHNTCOiGHCKVSIiafyS/ccTtUVgdUC226V+wtKE7uvtk4rd7+r4tQSn6+681DfhWKLSpDcJpfEwwGnX8TC/pIa46/f25NT7ImMNx3Hdh2PHFWF9cHMZaGBIWXUV1tXvhmJwDlmumuxtbphlkFlqGH6ojEt7Zk4vqi4GH+XD5W6++D2Ms443kIpNtB8OiFErN27DcCrUo8nDljrOD2S9ww7tyRd2guNaqQqw09fYcHkGEd5/SsLB5MqzCDVXUEBB6oyNWDy6VLO2UH5Wjourb8DxSGInxPk7kXbiAXe/gft0G8EH8bVHcIcPIbwMT9SvlELP85X4RB0DUdxK+F5d1neNdJxXntkg+Liy4LtuiT+aWUK6cs9dCT0MoSdu6JjS+Jjg5DucEkTRUXZ65vEVqY1ktoSPga8Vj5xI2F+ij7RhyvCRx4NRa1Kf33fW2y
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR02MB7853.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2b003ec1-99ff-488e-7291-08d9460ef9a3
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2021 15:00:38.0006 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e741d71c-c6b6-47b0-803c-0f3b32b07556
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qcLKAwqmJTV4eDybSwtB9/CNw/aH38LTNwIfPadUFhpkoq9APT1Mgq0tO/5m2b/n
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR02MB6817
X-OriginatorOrg: att.com
X-TM-SNTS-SMTP: 8148BED1547F1716ED115B82C8D0963907CD0DD068180190C455B39F2B2869FD2
X-Proofpoint-GUID: 9aNMzOwNTf_kZ3ew_qvv6KwrMxsZjV8_
X-Proofpoint-ORIG-GUID: 9aNMzOwNTf_kZ3ew_qvv6KwrMxsZjV8_
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-13_07:2021-07-13, 2021-07-13 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 suspectscore=0 adultscore=0 priorityscore=1501 malwarescore=0 lowpriorityscore=0 bulkscore=0 clxscore=1011 impostorscore=0 phishscore=0 mlxlogscore=999 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2107130095
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/YMmUxSRwYOekZKkriBuoSaMag_Q>
X-Mailman-Approved-At: Tue, 13 Jul 2021 08:06:59 -0700
Subject: Re: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 15:02:21 -0000

Hi Brian,

Our next opportunity to discuss this draft and comment resolution is during the BMWG session at IETF-111.
Let's try to make that work for everyone.

thanks!
Al


> -----Original Message-----
> From: bmonkman@netsecopen.org <bmonkman@netsecopen.org>
> Sent: Tuesday, July 13, 2021 10:44 AM
> To: 'Sarah Banks' <sbanks@encrypted.net>; 'MORTON, ALFRED C (AL)'
> <acm@research.att.com>
> Cc: bmwg@ietf.org; asamonte@fortinet.com; amritam.putatunda@keysight.com;
> 'Bala Balarajah' <bala@netsecopen.org>; 'Carsten Rossenhoevel'
> <cross@eantc.de>; 'Christopher Brown' <cbrown@iol.unh.edu>; 'Jack, Mike'
> <Mike.Jack@spirent.com>; 'Ryan Liles (ryliles)' <ryliles@cisco.com>; 'Timothy
> Carlin' <tjcarlin@iol.unh.edu>; 'Timothy Otto' <totto@juniper.net>
> Subject: RE: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance
> 
> Looping in the others on my original post.
> 
> Thanks Sarah,
> 
> Good to see the issues are being whittled down. Of the remaining five or six
> issues I doubt we will have a response prior to IETF 111.
> 
> Al,
> 
> Could we schedule an interim meetup/call for some time early August?
> 
> Brian
> 
> 
> -----Original Message-----
> From: Sarah Banks <sbanks@encrypted.net>
> Sent: Monday, July 12, 2021 5:20 PM
> To: bmonkman@netsecopen.org
> Cc: bmwg@ietf.org
> Subject: Re: [bmwg] WGLC on New version of draft-ietf-bmwg-ngfw-performance
> 
> Hi Brian et al,
>     First, my apologies for the delay, and I very much appreciate your
> patience. I also appreciate the time and effort that went into the reply to
> my comments, which can be even more difficult to do as a large group :)
> Please see inline.
> 
> Thank you,
> Sarah (as a participant)
> 
> >>
> >> Hi Sarah,
> >>
> >> As I mentioned in the previous message, we will remove reference to
> >> IDS from the draft. Given that, none of the IDS related
> >> comments/questions are being addressed.
> 
> SB// Makes sense, thank you.
> 
> >> - The draft aims to replace RFC3511, but expands scope past
> >> Firewalls, to "next generation security devices". I'm not finding a
> >> definition of what a "next generation security device is", nor an
> >> exhaustive list of the devices covered in this draft. A list that
> >> includes is nice, but IMO not enough to cover what would be
> >> benchmarked here - I'd prefer to see a definition and an exhaustive list.
> >>
> >> [bpm] "We avoid limiting the draft by explicitly adding a list of NG
> >> security devices currently available in the market only. In the
> >> future, there may be more and more new types of NG security devices
> >> that will appear on the market.
> 
> SB// I think there are 2 types of devices called out; I'm not seeing a
> definition of what a "NG security device" is, and I'm not comfortable with a
> draft that has a blanket to encompass what would come later. Who knows what
> new characteristics would arrive with that new device? I think the scope
> here is best suited for the devices we know about today and can point to and
> say we're applying knowledgeable benchmarking tests against.
> 
> >>
> >> [bpm] This draft includes a list of security features that the
> >> security device can have ( RFC 3511 doesn't have such a list). Also,
> >> we will describe in the draft that the security devices must be
> configured ""in-line"" mode.
> >> We believe these two points qualifying the definition of next
> >> generation security.
> >>
> 
> SB// I strongly disagree. Well, I mean OK, for active inline devices maybe
> this is OK, but to say that the only way a device can be "NG" is to be
> active/inline, I disagree with. And if there is, have we gathered all of the
> items we'd want to actively test for in that case? For example, what about
> their abilities to handle traffic when a failure occurs? (fail open/closed).
> What about alerts and detections and the whole federation of tests around
> positives/false positives/false negatives, etc? I'm onboard with expanding
> the scope, but then we have to do the devices benchmarking justice, and I
> feel we're missing a lot here.
> 
> >> - What is a NGIPS or NGIDS? If there are standardized definitions
> >> pointing to them is fine, otherwise, there's a lot of wiggle room here.
> >>
> >> [bpm] See above. We are removing NGIDS from the draft.
> 
> SB// Understood, thank you.
> 
> >>
> >> - I still have the concern I shared at the last IETF meeting, where
> >> here, we're putting active inline security devices in the same
> >> category as passive devices. On one hand, I'm not sure I'd lump these
> >> three together in the first place; on the other, active inline
> >> devices typically include additional functions to allow
> >> administrators to control what happens to packets in the case of
> >> failure, and I don't see those test cases included here.
> >>
> >> [bpm] This draft focuses on ""in-line"" mode security devices only.
> >> We will describe this in section 4 in more detail.
> 
> SB// Understood, thank you.
> 
> >>
> >> [bpm] Additionally, the draft focuses mainly on performance tests.
> >> The DUT must be configured in ""fail close"" mode. We will describe
> >> this under section 4. Any failure scenarios like ""fail open"" mode is
> out of scope.
> 
> SB// OK, but I think an RFC that is going to encompass this device under the
> "NG security devices" classification is missing out on large portions of
> what customers will want to test. It'll also beg for another draft to cover
> them, and then I'm not sure we're serving the industry as well as we could.
> 
> >>
> >> - Section 4.1 - it reads as if ANY device in the test setup cannot
> >> contribute to network latency or throughput issues, including the
> >> DUTs
> >> - is that what you intended?
> >>
> >> [bpm] "Our intention is, if the external devices (routers and
> >> switches) are used in the test bed, they should not negatively impact
> DUT/SUT performance.
> >> To address this, we added a section ( section 5 ""Test Bed
> >> Considerations"") which recommends a pre-test.  We can rename this as
> >> reference test or baseline test. "
> >>
> 
> SB// Thank you for the clarification. I think there's still a concern there.
> Who defines what "negative impact" is? You're traversing at least another L2
> or L3 step in the network with each bump, which contributes some amount of
> latency. If they don't serve in control plane decisions and are passively
> passing data on, then we could consider removing them from the setup and
> removing the potential skew on results.
> 
> 
> >> - Option 1: It'd be nice to see a specific, clean, recommended test bed.
> >> There are options for multiple emulated routers. As a tester, I
> >> expect to see a specific, proscribed test bed that I should configure
> >> and test against.
> >>
> >> [bpm] The draft describes that Option 1 is the recommended test setup.
> >> However. We added emulated routers as optional in option 1. The
> >> reason for
> >> that:
> >> Some type of security devices for some deployment scenarios requires
> >> routers between test client/server and the DUT (e.g., NGFW) and some
> >> DUT/SUT doesn't need router (e.g. NGIPS )
> >>
> >> - Follow on: I'm curious as to the choice of emulated routers here.
> >> The previous test suggests you avoid routers and switches in the
> >> topo, but then there are emulated ones here. I'm curious as to what
> >> advantages you think these bring over the real deal, and why they
> >> aren't subject to the same limitations previously described?
> >>
> >> [bpm] Comparing real router, the emulated router gives more
> >> advantages for
> >> L7 testing.
> >>
> >> [bpm] - Emulated router doesn't add latency. Even if it adds delay
> >> due to the routing process, the test equipment can report the added
> >> latency, or it can consider this for the latency measurement.
> >>
> >> [bpm] - Emulated routers simply do routing function only. But in a "real"
> >> router, we are not sure what else the router is doing with the packets.
> 
> SB// Maybe I'm missing something here - a device can't perform a function
> for free, right? Even if it's impact is negligible, it's an impact of some
> sort. We're saying the emulated router is doing the routing - OK - but I
> think the same thing applies to the physical router - how do you know what
> else the emulated router is doing? if the test gear can call out the
> latency, I'd like to see clarification around how it's doing that and
> distinguishing the latency introduced by Device A, versus Device B, versus
> the DUT, etc.
> 
> 
> >>
> >> [bpm] Your question regarding the need for routers:
> >>
> >> [bpm] - We avoid impacting the DUT/SUT performance due to ARP or ND
> >> process
> >>
> >> [bpm] - Represent realistic scenario (In the production environment
> >> the security devices will not be directly connected with the
> >> clients.)
> >>
> >> [bpm] - Routing (L3 mode) is commonly used in the NG security devices.
> >>
> >> [bpm] However, in both figures we mentioned that router including
> >> emulated router is optional. If there is no need have routing
> >> functionality on the test bed (e.g., if we used very small number of
> >> clients and server IPs or the DUT operates in Layer 2 mode), it can be
> ignored.
> >>
> >> [bpm] Also, we described in Option 1, that the external devices are
> >> if there is need to aggregate the interfaces of the tester or DUT.
> >> For an example, DUT has 2 Interfaces, but tester need to use it's 4
> >> interfaces to achieve the performance. So here we need switch/router
> >> to aggregate tester interface from 4 to 2.
> >>
> >> - In section 4.1 the text calls out Option 1 as the preferred test
> >> bed, which includes L3 routing, but it's not clear why that's needed?
> >>
> >> [bpm] See above.
> >>
> >> - The difference between Option 1 and Option 2 is the inclusion of
> >> additional physical gear in Option 2 - it's not clear why that's
> >> needed, or why the tester can't simply directly connect the test
> >> equipment to the DUT and remove extraneous devices from potential
> influence on results?
> >>
> >> [bpm] See above.
> >>
> >> - Section 4.2, the table for NGFW features - I'm not sure what the
> >> difference is between RECOMMENDED and OPTIONAL? (I realize that you
> >> might be saying that RECOMMENDED is the "must have enabled" features,
> >> where as optional is at your discretion, but would suggest that you
> >> make that clear)
> >>
> >> [bpm] The definition for OPTIONAL and RECOMMENDED is described in,
> >> and recommended, RFC2119. We already referenced this under the
> >> section
> >> 2 "Requirements".
> >>
> 
> SB// Thanks!
> 
> >> - Proscribing a list of features that have to be enabled for the
> >> test, or at least more than 1, feels like a strange choice here - I'd
> >> have expected tests cases that either test the specific features one
> >> at a time, or suggest several combinations, but that ultimately, we'd
> >> tell the tester to document WHICH features were enabled, to make the
> >> test cases repeatable? This allows the tester to apply a same set of
> >> apples to apples configurations to different vendor gear, and omit
> >> the 1 feature that doesn't exist on a different NGFW (for example), but
> hold a baseline that could be tested.
> >>
> >> - Table 2: With the assumption that NGIPS/IDS are required to have
> >> the features under "recommended", I disagree with this list. For
> >> example, some customers break and inspect at the tap/agg layer of the
> >> network - in this case, the feed into the NGIDS might be decrypted,
> >> and there's no need to enable SSL inspection, for example.
> >>
> >> [bpm] IDS is being removed.
> 
> SB// OK...I'm not sure this addresses the feedback though :) A NGFW for sure
> will do break/inspect as well, right?
> 
> >>
> >> - Table 3: I disagree that an NGIDS IS REQUIRED to decrypt SSL. This
> >> behaviour might be suitable for an NGIPS, but the NGIDS is not a bump
> >> on the wire, and often isn't decrypting and re-encrypting the traffic.
> >>
> >> [bpm] IDS is being removed.
> 
> SB// See comment above.
> 
> >>
> >> - Table 3: An NGIDS IMO is still a passive device - it wouldn't be
> >> blocking anything, but agree that it might tell you that it happened
> after the fact.
> >>
> >> [bpm] IDS is being removed.
> SB// Thanks!
> 
> >>
> >> - Table 3: Anti-evasion definition - define "mitigates".
> >>
> >> [bpm] Not sure why you are asking this as mitigate is not an uncommon
> >> term/word.
> >>
> >> - Table 3: Web-filtering - not a function of an NGIDS.
> >>
> >> [bpm] IDS is being removed.
> >>
> >> - Table 3: DLP: Not applicable for an NGIDS.
> >>
> >> [bpm] IDS is being removed.
> >>
> >> - Can you expand on "disposition of all flows of traffic are logged"
> >> - what's meant here specifically, and why do they have to be logged?
> >> (Logging, particularly under high loads, will impact it's own
> >> performance marks, and colours output)
> >>
> >> [bpm] We intentionally recommended enabling logging which will impact
> >> the performance. The draft is not aiming to get high performance
> >> number with minimal DUT/SUT configuration. In contrast, it aims to
> >> get reasonable performance number with realistic DUT configuration.
> >> The realistic configuration can vary based on DUT/SUT deployment
> scenario.
> >>
> >> [bpm] In most of the DUT/SUT deployment scenarios or customer
> >> environments, logging is enabled as default configuration.
> >>
> >> [bpm] "Disposition of all flows of traffic are logged": means that
> >> the DUT/SUT need to log all the traffic at the flow level not each
> packet.
> >>
> >> [bpm] We will add more clarification for the meaning of "disposition
> >> of all flows of traffic are logged".
> >>
> 
> SB// Thanks!
> 
> >> - ACLs wouldn't apply to an IDS because IDS's aren't blocking traffic
> >> :)
> >>
> >> [bpm] IDS is being removed.
> >>
> >> - It might be helpful to testers to say something like "look, here's
> >> one suggested set of ACLs. If you're using them, great, reference
> >> that, but otherwise, make note of the ACLs you use, and use the same
> >> ones for repeatable testing".
> >>
> >> [bpm] The draft gives guidance how to choose the ACL rules. We
> >> describe here a methodology to create ACL.
> >>
> >> - 4.3.1.1 The doc proscribes specific MSS values for v4/v6 with no
> >> discussion around why they're chosen - that color could be useful to
> >> the reader.
> >>
> >> [bpm] We will add some more clarification that these are the default
> >> number used in most of the client operating systems currently.
> >>
> 
> SB// Thanks!
> 
> >> - 4.3.1.1 - there's a period on the 3rd to last line "(SYN/ACL, ACK).
> and"
> >> that should be changed.
> >>
> >> [bpm] Thank you.
> >>
> >> - 4.3.1.1 - As a tester with long time experience with major test
> >> equipment manufacturers, I can't possibly begin to guess which ones
> >> of them would conform to this - or even if they'd answer these questions.
> >> How helpful is this section to the non test houses? I suggest
> >> expansion here, ideally with either covering the scope of what you
> >> expect to cover, or hopefully which (open source/generally available)
> >> test tools or emulators could be considered for use as examples.
> >>
> >> [bpm] We extensively discussed with Ixia and Spirent about this section.
> >> This section was developed with significant input from these test
> >> tools vendors in addition to others.
> 
> SB// OK, that's really good to know, but there are plenty of us working with
> and looking for more cost effective options to Ixia and Spirent. :) I think
> the expansion would be good here.
> 
> >>
> >> - 4.3.1.3 - Do the emulated web browser attributes really apply to
> >> testing the NGIPS?
> >>
> >> [bpm] Yes, we performed many PoC tests with test tools. Ixia and
> >> Spirent confirmed this.
> >>
> >> - 4.3.2.3 - Do you expect to also leverage TLS 1.3 as a configuration
> >> option here?
> >>
> >> [bpm] Yes
> >>
> >> - 4.3.4 - I'm surprised to see the requirement that all sessions
> >> establish a distinct phase before moving on to the next. You might
> >> clarify why this is a requirement, and why staggering them is
> specifically rejected?
> >>
> >> [bpm] This draft doesn't describe that all sessions establish a
> >> distinct phase before moving on to the next. We will remove the word
> >> "distinct" from the 1st paragraph in section 4.3.4.
> 
> SB// Thanks!
> 
> >>
> >> [bpm] Unlike Layer 2/3 testing, Layer 7 testing requires several
> >> phases in the traffic load profile. The traffic load profile
> >> described in the draft is the common profile mostly used for Layer 7
> testing.
> >>
> >> - 5.1 - I like the sentence, but it leaves a world of possibilities
> >> open as to how one confirmed that the ancillary switching, or routing
> >> functions didn't limit the performance, particularly the virtualized
> components?
> >>
> >> [bpm] The sentence says, "Ensure that any ancillary switching or
> >> routing functions between the system under test and the test
> >> equipment do not limit the performance of the traffic generator."
> >>
> >> [bpm] Here we discuss the traffic generator performance, and this can
> >> be confirmed by doing reference test.
> >>
> >> [bpm] The section 5 recommends reference test to ensure that the
> >> maximum desired traffic generator's performance. Based on the
> >> reference test results it can be identified, if the external device
> >> added any impact on traffic generator's performance.
> >>
> >> [bpm] We will add more content in section 5 to provide more details
> >> about reference test.
> >>
> 
> SB// Thanks!
> 
> >> - 5.3 - this is a nice assertion but again, how do I reasonably make
> >> the assertion?
> >>
> >> [bpm] We will change the word from "Assertion" to "Ensure". Also, we
> >> will add more clarity about reference testing.
> 
> 
> SB// Thanks!
> 
> >>
> >> - 6.1 - I would suggest that the test report include the
> >> configuration of ancillary devices on both client/server side as well
> >>
> >> [bpm] We believe that adding configuration of the ancillary devices
> >> doesn't add more value in the report. Instead of this, we will
> >> recommend documenting the configuration of the ancillary devices by
> >> doing reference test. We will add this under the section 5 "Test bed
> consideration".
> >>
> 
> SB// I think including them assists greatly in the repeatability of the
> testing, for what it's worth.
> 
> >> - 6.3 - Nothing on drops anywhere?
> >>
> >> [bpm] Are you referring to packet drops? If you are, there is no
> >> packet loss in stateful traffic. Instead of packet loss, the stateful
> >> traffic has retransmissions.
> >>
> >> - 7.1.3.2 - Where are these numbers coming from? How are you
> >> determining the "initial inspected throughput"? Maybe I missed that
> >> in the document overall, but it's not clear to me where these KPIs
> >> are collected? I suggest this be called out.
> >>
> >> [bpm] We will add more clarification in the next version. Thank you.
> 
> SB// Thanks!
> 
> >>
> >> - 7.1.3.3 - what is a "relevant application traffic mix" profile?
> >>
> >> [bpm] This is described in section7.1.1  (2nd paragraph). We will add
> >> the word "relevant" in the 1st sentence of the 2nd pragraph.so the
> >> sentence will be "Based on customer use case, users can choose the
> >> relevant application traffic mix for this test.  The details about
> >> the traffic mix MUST be documented in the report.  At least the
> >> following traffic mix details MUST be documented and reported together
> with the test results:
> 
> SB// A set of example(s) could be helpful. Not required, just helpful.
> 
> >>
> >> - 7.1.3.4 - where does this monitoring occur?
> >>
> >> [bpm] The monitoring or measurement must occur in the test equipment.
> >> Section 4.3.4 describes this.
> >>
> >> - 7.1.3.4 - This looks a bit like conformance testing -  Why does
> >> item
> >> (b) require a specific number/threshold?
> >>
> >> [bpm] These numbers are synonymous with the zero-packet loss criteria
> >> for [RFC2544] Throughput and recognize the additional complexity of
> >> application layer performance. This was agreed by the IETF BMWG.
> >>
> >> - 9: Why is the cipher squite recommendation for a real deployment
> >> outside the scope of this document?
> >>
> >> [bpm] Because new cipher suites are frequently developed. Given that
> >> the draft will not be easily updated once it is accepted as an RFC we
> >> wanted to ensure there was flexibility to use future developed cipher
> suites.
> >>
> >> Brian Monkman on behalf of....
> >>
> >> Alex Samonte (Fortinet), Amritam Putatunda (Ixia/Keysight), Bala
> >> Balarajah (NetSecOPEN), Carsten Rossenhoevel (EANTC), Chris Brown
> >> (UNH-IOL), Mike Jack (Spirent), Ryan Liles (Cisco), Tim Carlin
> >> (UNH-IOL), Tim Otto (Juniper)
> >>
>

v2.23.0 | Report a Bug | By Email