Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-bmwg-ngfw-performance-14: (with DISCUSS and COMMENT)

Bala Balarajah <bm.balarajah@gmail.com> Wed, 19 October 2022 22:41 UTC

From: Bala Balarajah <bm.balarajah@gmail.com>
Date: Thu, 20 Oct 2022 00:41:38 +0200
Message-ID: <CA+7QJZhhdMgJ_eN1J1nKgmYNBAyOHrW2x-HF+_AaxvVQtcL0BQ@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-bmwg-ngfw-performance@ietf.org, bmwg-chairs@ietf.org, bmwg@ietf.org, Al Morton <acm@research.att.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/nOPUwzD2zRUJmbT1JsA4bIjFqGo>

Hi Roman,

Thanks for the review. Please see our responses inline below. If you are
satisfied with our responses, we will post the new draft version before the
IETF 115 draft cutoff (Monday, Oct 24th).



> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> (Updated Ballot)
>
> -- [per -13] Recognizing that NGFW, NGIPS and UTM are not precise product
> categories, offerings in this space commonly rely on statistical models or AI
> techniques (e.g., machine learning) to improve detection rates and reduce false
> positives to realize the capabilities in Table 1 and 2.  If even possible, how
> should these settings be tuned?  How should the training period be handled when
> describing the steps of the test regime (e.g., in Section 4.3.4? Section 7.2.4?)
>
> [per -14] Thanks for explaining that the training phase would not be included
> in the threat emulation in your email response.  Since the goal of this
> document is to specify reproducible testing, the primary text I was looking
> for was an acknowledgment that the detection performance of some systems may
> be affected by learning from prior traffic.  Any state kept by such systems
> must be reset between testing runs.
>
>
[Authors]: Machine Learning and behavioral analysis systems are not
included in the scope of this test, as it uses lab-generated traffic for
measurement of performance KPIs, and captured/replayed traffic as the body
of the security portion of testing. Neither of these environments is
conducive to the use of ML or behavioral analysis solutions.
We can add the following sentence in the draft, if it gives more clarity:
"Machine Learning and behavioral analysis features are not included in the
scope of the performance benchmarking test."


> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> (Updated Ballot)
>
> Thanks for the changes made in -13.
>
> ** [per -13] Section 3. Per “This document focuses on advanced, …”, what
> makes a testing method “advanced”?
>

[Authors]: Compared with the previous RFC 2544 and RFC 3511, this draft
provides a more in-depth test methodology for test parameter definition, test
results validation criteria, and test procedures, defined in Section 7 and its
subsections.


>
> ** [per -13] Section 4.2.  Should the following additional features be noted
> as a feature of NGFWs and NGIPS (Table 2 and 3 in -14)?
>
> -- geolocation or network topology-based classification/filtering (since
> there is normative text “Geographical location filtering SHOULD be
> configured.”)
>

[Authors]: We will add the following sentence in the next release:
"Geographical location filtering SHOULD be configured. If the DUT/SUT is not
designed to perform geographical location filtering, it is acceptable to
conduct tests without them. However, this MUST be noted in the test report."


> ** [per -13/14] Table 2.  Is there a reason Anti-Evasion (listed in Table 3
> for NGIPS) is not mentioned here (for NGFW)?
>

[Authors]:  Anti-Evasion should be included in NGFW in the same manner as
NGIPS. We will add this in the next release.


> ** [per -13] Section 4.2.  Per “Logging SHOULD be enabled.”  How does this
> “SHOULD” align with “logging and reporting” being RECOMMENDED in Table 1
> and 2?
>

[Authors]: According to the security product vendors (the draft
contributors), "logging and reporting" is one of the mandatory (MUST) and
default features for security devices. For this reason, we removed it from
the tables that contain RECOMMENDED and OPTIONAL features only. Therefore,
we added the following text below table 3, which applies to both NGFW and
NGIPS:
“Logging and reporting MUST be enabled."


> [per -14]  Thanks for the edits here.  I think a regression was introduced.
> Table 3 (NGIPS) used to have “Logging and Reporting” just like Table 2 in
> -12.
>

[Authors]:  There was a mistake. As mentioned above, "Logging and
Reporting" will be removed from both tables. We will update this in the
next release.


Best Regards,
Bala