Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-performance
Carsten Rossenhoevel <cross@eantc.de> Wed, 05 January 2022 23:17 UTC
Return-Path: <cross@eantc.de>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 907543A0917; Wed, 5 Jan 2022 15:17:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.612
X-Spam-Level:
X-Spam-Status: No, score=-2.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.714, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIhCFu6hUGr7; Wed, 5 Jan 2022 15:17:18 -0800 (PST)
Received: from obelix.eantc.de (ns.eantc.com [89.27.172.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 384C43A09D9; Wed, 5 Jan 2022 15:17:18 -0800 (PST)
Received: from [172.31.5.2] by obelix.eantc.de with esmtp (Exim 4.89) (envelope-from <cross@eantc.de>) id 1n5FWs-0003W0-Va; Thu, 06 Jan 2022 00:17:15 +0100
Content-Type: multipart/alternative; boundary="------------mqm4hjL1uqtuK80vM002Gjyb"
Message-ID: <9d48bf22-0d75-692b-84f7-1f9e8c35b8c8@eantc.de>
Date: Thu, 06 Jan 2022 00:17:14 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.4.1
To: tim copley <timcopley@gmail.com>, Warren Kumari <warren@kumari.net>
Cc: draft-ietf-bmwg-ngfw-performance@ietf.org, bmwg@ietf.org
References: <CAHw9_iJxxM5PM+MFv=u_GZPM8_frZDW70NzTtpdX4aa6=r+faA@mail.gmail.com> <CAArhv62DA5mWFCgYi4qPCkEokdQxpHnrKhVmAkr6tvVRaNst_Q@mail.gmail.com>
From: Carsten Rossenhoevel <cross@eantc.de>
Organization: EANTC AG
In-Reply-To: <CAArhv62DA5mWFCgYi4qPCkEokdQxpHnrKhVmAkr6tvVRaNst_Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/sN9KXdkC8j59kCke1nd2RAeE-U0>
Subject: Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-performance
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jan 2022 23:17:24 -0000
Dear Tim, Happy New Year! Apologies for not responding earlier due to the Christmas break. Thank you for taking the time to provide your comments/suggestions regarding the draft on Dec 16. The scope of the draft certainly includes virtualized next-generation firewalls (NGFWs), as it is outlined in sections 5 (testbed considerations). Virtualization-specific reporting requirements to ensure reproducibility of results are specified in section 6. The test methodology is robust and applicable to any size and type of firewalls. Large perimeter firewalls can be tested, as well as smaller firewalls, whether physical or virtual, whether in a private or public cloud. Multi-tenancy does not require any changes to the methodology; in fact, it is just a choice of test traffic patterns (see section 4.3.1.2). To emulate traffic in multiple tenant domains, it may be necessary to include a router as described in Figure 2. Sandboxing techniques are included in the "Anti-evasion" category in Table 1. It is possible and supported to enable such sandboxing features during tests. The test methodology remains unchanged, although probably the resulting performance will be different once additional functions are added. As mentioned in section 4.2.1, the draft is primarily focused on performance benchmarking. However, it is recommended to validate the security features configuration of a solution under test by evaluating the security effectiveness as a prerequisite for performance benchmarking tests. Security effectiveness methodology is specified in Appendix A. Best regards, Carsten Am 12/16/2021 um 9:59 PM schrieb tim copley: > I also, wanted to chime in regarding this and again, I also apologize > for not reviewing earlier. > > I've not really been too involved in security devices until the last > couple years, but boy has it changed > drastically from when I was. Also, I noted that this document is > basically following prior standards that > are also a bit out dated. > > Some of the evolution, I've noticed which I think should at least be > addressed in. I think you tried > to exclude these in the Scope.? However I'm not really sure you are > covering but maybe 1/2 of the devices > that are being deployed at this time without addressing: > > Virtualization. / Remote FWs in the next gen. > > *) Large FWs are compartmentalizing Customers and serving multiple > customers with the same firewall. So while > you have said what would happen to a customer when The Firewall is UT, > you don't really address what's going > on with all the other customers on this DUT. If there are 10 > Customers going through 1 large FW, what are the > other 9 experiencing when this is under Test. Would be interesting to > have multiple parallel tests underway > and verify that behaviour is consistent across every "VDOM" within > the system? > > *) Time to Change. If things are changed during your Load > profile.perhaps even on a different virtual Firewall > within the system, > > *) Sandbox dips. Several of the firewall vendors send stuff through > labs / temp work spaces either online or > offline that allow them to test against Zero Day scenarios. What > happens to traffic flows during anomalies > in the traffic flows. Does it change the throughput of the DUT? I > know this is kind of an open ended question. > but not sure you have good benchmark stats for a FW without it... > > *) Cloud based scenarios. If the firewall is removed, and I'm not > really sure how you would test this with > consistent results, but if the FW is offsite and the traffic is being > routed through a Cloud based FW What does > that do to your traffic results? > > TimC > Fruth Group > tcopley@fruthgroup.com > > > On Wed, Dec 15, 2021 at 8:38 AM Warren Kumari <warren@kumari.net> wrote: > > Hi there all, > > I'd like to apologize to the authors and WG for how long it has > taken me to post this review; I read the document a while back, > but forgot to post it :-( > > I only had a few editorial / readability suggestions -- they are > sufficiently minor (and I'm embarrassed by how long my review > took!) that I'll kick off LC without asking for a new version -- > authors, please consider them if you post a new version addressing > LC comments, or to address IESG Eval comments. > > Chairs / Al: The document state is listed as: "Doc Shepherd > Follow-up Underway" - I'm assuming that this is from: > https://mailarchive.ietf.org/arch/msg/bmwg/EonLD10nf0xQfWzHt0YT0QDK6lU > - can you please confirm (LOUDLY) that this is OK now and I'll > kick off LC. > > > W > > > 1. Introduction > > 18 years have passed since IETF recommended test methodology and > terminology for firewalls initially ([RFC3511]). The requirements > for network security element performance and effectiveness have > increased tremendously since then. Security function implementations > > [O] 18 years have passed since IETF recommended test methodology and > > terminology for firewalls initially ([RFC3511]). The requirements > for network security element performance and effectiveness have > increased tremendously since then. > [P] In the eighteen years since [RFC3511] was published, recommending test methodology and terminology for firewalls, requirements and expectations for network security elements has increased tremendously. > > have evolved to more advanced areas and have diversified into > intrusion detection and prevention, threat management, analysis of > encrypted traffic, etc. In an industry of growing importance, well- > defined, and reproducible key performance indicators (KPIs) are > increasingly needed as they enable fair and reasonable comparison of > > [O] as they enable > [P] to enable > > network security functions. > > > > > -- > Perhaps they really do strive for incomprehensibility in their specs. > After all, when the liturgy was in Latin, the laity knew their place. > -- Michael Padlipsky > _______________________________________________ > bmwg mailing list > bmwg@ietf.org > https://www.ietf.org/mailman/listinfo/bmwg > > > > -- > Timothy Copley > 602.350.0633 -- Carsten Rossenhövel Managing Director, EANTC AG (European Advanced Networking Test Center) Salzufer 14, 10587 Berlin, Germany office +49.30.3180595-21, fax +49.30.3180595-10, mobile +49.177.2505721 cross@eantc.de,https://www.eantc.de Place of Business/Sitz der Gesellschaft: Berlin, Germany Chairman/Vorsitzender des Aufsichtsrats: Herbert Almus Managing Directors/Vorstand: Carsten Rossenhövel, Gabriele Schrenk Registered: HRB 73694, Amtsgericht Charlottenburg, Berlin, Germany EU VAT No: DE812824025
- [bmwg] AD Review of draft-ietf-bmwg-ngfw-performa… Warren Kumari
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… MORTON JR., AL
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… Warren Kumari
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… tim copley
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… bmonkman
- Re: [bmwg] AD Review of draft-ietf-bmwg-ngfw-perf… Carsten Rossenhoevel