Re: [bmwg] NGFW Security Features Text

Timothy Carlin <tjcarlin@iol.unh.edu> Wed, 03 June 2020 12:53 UTC

From: Timothy Carlin <tjcarlin@iol.unh.edu>
Date: Wed, 03 Jun 2020 08:52:21 -0400
To: "MORTON, ALFRED C (AL)" <acm@research.att.com>
Cc: "bmwg@ietf.org" <bmwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/ZsTV3NCpsFXZW5tdEAnoocbNODA>

Hi Al,

Thank you for the consideration and review of the text. I agree with your
suggestion; that seems like a helpful addition!

I also wanted to add that this review follows from testing NGFW products,
and overall the draft seems solid in that context.

Thanks again,
Tim

On Tue, Jun 2, 2020 at 6:25 PM MORTON, ALFRED C (AL) <acm@research.att.com>
wrote:

> Hi Tim,
>
> Thanks for doing your volunteer work with this review, much appreciated!
>
> May I make a small suggestion on your proposed text?
>
> I think we achieve some clarity if we add “limit” near the end:
>
> s/ this MAY be configurable../ this limit MAY be configurable./
>
> assuming that’s what you meant!
>
> thanks again and regards,
>
> Al
>
> *From:* bmwg [mailto:bmwg-bounces@ietf.org] *On Behalf Of *Timothy Carlin
> *Sent:* Tuesday, June 2, 2020 12:45 PM
> *To:* bmwg@ietf.org
> *Subject:* [bmwg] NGFW Security Features Text
>
> Hi all,
>
> I wanted to mention that I have read draft-ietf-bmwg-ngfw-performance-03
> and I support it.
>
> I have additional text I would like to suggest be included to help to
> clarify an ambiguity with regards to security feature processing.
> Specifically, in the case that a DUT discontinues processing a security
> feature (for example, SSL Inspection), traffic should still be processed by
> the remainder of the applicable security features.  Said another way, the
> traffic should NOT "fail open".
>
> Here is some proposed text to add to Section 4.2, in the itemized list as
> the 2nd item (below "All security inspection enabled"):
>
> ==
>
> * All applicable traffic MUST be processed by the configured security
> feature(s) in table 1.  In the case that applicable traffic can no longer
> be processed for a given security feature (e.g. due to processing or
> throughput limits, etc.), the portion of traffic which exceeds the limit
> SHOULD be blocked and this MAY be configurable..
>
> ==
>
> Please let us know if you have any questions or comments.
>
> Best Regards,
>
> Tim C.
>
> UNH-IOL