Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-bmwg-ngfw-performance-14: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Thu, 20 October 2022 17:13 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/kSt7HM0xW3HWxaqELmMBmdpyZeE>
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>

Hi Bala!

From: Bala Balarajah <bm.balarajah@gmail.com>
Sent: Wednesday, October 19, 2022 6:42 PM
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>; draft-ietf-bmwg-ngfw-performance@ietf.org; bmwg-chairs@ietf.org; bmwg@ietf.org; Al Morton <acm@research.att.com>
Subject: Re: Roman Danyliw's Discuss on draft-ietf-bmwg-ngfw-performance-14: (with DISCUSS and COMMENT)

Hi Roman,

Thanks for the review. Please see our responses inline below. If you are satisfied with our responses, we will post the new draft version before the IETF 115 draft cutoff (Monday, Oct 24th).


----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

(Updated Ballot)

-- [per -13] Recognizing that NGFW, NGIPS and UTM are not precise product
categories, offerings in this space commonly rely on statistical models or AI
techniques (e.g., machine learning) to improve detection rates and reduce false
positives to realize the capabilities in Table 1 and 2.  If even possible, how
should these settings be tuned?  How should the training period be handled when
describing the steps of the test regime (e.g., in Section 4.3.4? Section 7.2.4?)

[per -14] Thanks for explaining in your email response that the training phase would not be included in
the threat emulation.  Since the goal of this document is to specify reproducible testing, the primary
text I was looking for was an acknowledgment that the detection performance of some systems may be
affected by learning from prior traffic.  Any state kept by such systems must be reset between
testing runs.

[Authors]: Machine Learning and behavioral analysis systems are not included in the scope of this test, as it uses lab-generated traffic for measurement of performance KPIs, and captured/replayed traffic as the body of the security portion of testing. Neither of these environments is conducive to the use of ML or behavioral analysis solutions.
We can add the following sentence in the draft, if it gives more clarity:
"Machine Learning and behavioral analysis features are not included in the scope of the performance benchmarking test."

Thanks.  Your proposed text and assessment seem a little bit different.  The latter is more of what I expected (these systems are out of scope).  The former seems to say something weaker, that assessing these features isn't in scope.  My recommendation would be for something a bit stronger on what to do with this testing regime relative to this class of system, appended to the end of Section 3, that combines both the former and latter ideas.  Roughly:

==[ snip ]==

The performance testing methodology described in this document is not intended for devices that rely on machine learning or behavioral analysis.  If such features are present in a device under test, they should be disabled.

==[ snip ]==



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

(Updated Ballot)

Thanks for the changes made in -13.

** [per -13] Section 3. Per “This document focuses on advanced, …”, what makes
a testing method “advanced”?

[Authors]: Compared with the previous RFC 2544 and RFC 3511, this draft provides a more in-depth test methodology for test parameter definition, test results validation criteria, and test procedures, defined in Section 7 and its subsections.

[Roman] Makes sense.  My intent was to suggest that this distinction from RFC2544/3511 being described as advanced was not clear.


** [per -13] Section 4.2.  Should the following additional features be noted as
a feature of NGFWs and NGIPS (Table 2 and 3 in -14)?

-- geolocation or network topology-based classification/filtering (since there
is normative text “Geographical location filtering SHOULD be configured.”)

[Authors]:   We will add the following sentence in the next release:
Geographical location filtering SHOULD be configured. If the DUT/SUT is not designed to perform geographical location filtering, it is acceptable to conduct tests without them.  However, this MUST be noted in the test report.

[Roman] Thanks.


** [per -13/14] Table 2.  Is there a reason Anti-Evasion (listed in Table 3 for NGIPS)
is not mentioned here (for NGFW)?

[Authors]:  Anti-Evasion should be included in NGFW in the same manner as NGIPS. We will add this in the next release.

[Roman] Thanks.


** [per -13] Section 4.2.  Per “Logging SHOULD be enabled.”  How does this
“SHOULD” align with “logging and reporting” being a RECOMMENDED in Table 1 and
2?

[Authors]: According to the security product vendors (the draft contributors), "logging and reporting" is one of the mandatory (MUST) and default features for security devices. For this reason, we removed it from the tables that contain RECOMMENDED and OPTIONAL features only. Therefore, we added the following text below Table 3, which applies to both NGFW and NGIPS:
"Logging and reporting MUST be enabled."

[Roman] The way I was approaching it was with the expectation that all of the possible features described in Table 1 were going to be cross-walked with their normative requirements in Tables 2 and 3.  If the WG prefers to keep it as described, no problem.  Thanks for explaining.


[per -14]  Thanks for the edits here.  I think a regression was introduced.
Table 3 (NGIPS) used to have "Logging and Reporting" just like Table 2 in -12.

[Authors]:  There was a mistake. As mentioned above, "Logging and Reporting" will be removed from both tables. We will update this in the next release.

[Roman] Thanks.  It was the inconsistency that caught me.

Thanks,
Roman