Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-bmwg-ngfw-performance-13: (with DISCUSS and COMMENT)
Warren Kumari <warren@kumari.net> Wed, 28 September 2022 01:37 UTC
Return-Path: <warren@kumari.net>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FACAC1522A3 for <bmwg@ietfa.amsl.com>; Tue, 27 Sep 2022 18:37:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tMIZLo6bieC8 for <bmwg@ietfa.amsl.com>; Tue, 27 Sep 2022 18:37:17 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BD70C1522A2 for <bmwg@ietf.org>; Tue, 27 Sep 2022 18:37:17 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id c7so12745168ljm.12 for <bmwg@ietf.org>; Tue, 27 Sep 2022 18:37:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date; bh=Jkx+WuUbOQjINMnoCAdFMXzAomXaOSE+YEldFl+iDTA=; b=Xu97ohR0idQ2gOkj9JGlEOWXRlxiEuLUbtWEVxvgE1vkM1TJSYm8O7SNsUZnu8Qh98 Fs6t5skm6VNuvGEw40FRpxolj86H167YSyRsDY02cBBLyaUI7qKrW/b5O8wUKUP+05/S I0aU+vTK3gRO13yy3ssIOXaz8M7qa9ryTbPxFCHpLsAOquoJdmLKfzOXAQPLEV3J17oM iimoLaSUtPksA1UYupx5G83ikBprBqfIFzzThfr/2c9IOYd/A4UWAOLY3CRRrWcYWz1G ef1PIUH/wEdCC1nEI/ivYCe6YID28cZ3JTK2w2GbWk4hnTOVyMcztM3nrAFTWafjSy2l xHwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=Jkx+WuUbOQjINMnoCAdFMXzAomXaOSE+YEldFl+iDTA=; b=uXjli03j3fcbbX7FMcgKOrZKHZx3/2vimSdNPKMM6hFDRwlafdBRT2QlFb+MHqdE0c EDGHhMKkbgmMriqxMdRMMcFRaVTUrj6lb7iWlyvC4atg2jHgZextMHDFySq1rvDsjOQq 1UcOxLhVB+kE6h1ZK6sOLRJHhDlK976YwSriquEvOvHQQ1PSgOSP0VN/CJMO8nbSSD0z Lm56US+mWGuSaotsutNor1drvOSfLSvUDxreJjHGRjj5T8NyK3x6KAoV4b85JTxRWDIu 64V4BYH2hGIZfpG9BMpv1fzzDP3E9cfuHk11t77487UO2VW17UOXcTy9onEydR/OtMEy rFDQ==
X-Gm-Message-State: ACrzQf0bdMORiAJ4/iiVaXULlRwogooacJ+sCqi4DR7Thn/WVQXOH4nx kbRlZcxmUjONdLBJD59enCyDCAdcQrWrcd+8lI08dBOWWhT0AA==
X-Google-Smtp-Source: AMsMyM4WrDpyGjq3U6ylqNinjljzKGeBn4b/jsEaD1vg9Bbdb2m6GYszIEIoZqQulCFABehbUYsw7i1uudQwoAw5nMs=
X-Received: by 2002:a05:651c:160c:b0:264:a5ae:7dd2 with SMTP id f12-20020a05651c160c00b00264a5ae7dd2mr11225771ljq.80.1664329034875; Tue, 27 Sep 2022 18:37:14 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Wed, 28 Sep 2022 01:37:13 +0000
Mime-Version: 1.0
X-Mailer: Superhuman Desktop (2022-09-27T22:05:53Z)
In-Reply-To: <4fcc01d81dca$a0353330$e09f9990$@netsecopen.org>
X-Superhuman-ID: l8kyissx.5d1444cd-2f5e-49c9-9c39-ac46f3d6aed6
X-Superhuman-Draft-ID: draft00e6c0963bbdca83
References: <164384157725.26994.16348654460944534798@ietfa.amsl.com> <eb00d292-d881-afcc-b580-3119ec178627@eantc.de> <4fcc01d81dca$a0353330$e09f9990$@netsecopen.org>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 28 Sep 2022 01:37:13 +0000
Message-ID: <CAHw9_iJBOUbdqV4Z-OCeh5L+=PK2MLdyBh-nLxXf5PQtB9663w@mail.gmail.com>
To: bmonkman@netsecopen.org
Cc: Carsten Rossenhoevel <cross@eantc.de>, Roman Danyliw <rdd@cert.org>, bmwg-chairs@ietf.org, draft-ietf-bmwg-ngfw-performance@ietf.org, bmwg@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e9df1505e9b2cc6e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/uW9MjuJQhBQNlGDjwWkAr8JdjFI>
Subject: Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-bmwg-ngfw-performance-13: (with DISCUSS and COMMENT)
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2022 01:37:22 -0000
[ - Al (he is in the chairs expansion) ] Hi Roman. The authors have posted a new version of this document. Link to your DISCUSS for easy clickin': https://datatracker.ietf.org/doc/draft-ietf-bmwg-ngfw-performance/ Link to Diff: https://www.ietf.org/rfcdiff?url1=draft-ietf-bmwg-ngfw-performance-13&url2=draft-ietf-bmwg-ngfw-performance-14&difftype=--html I believe that the authors have attempted to answer / address your discuss positions in the draft, and Carsten Rossenhövel has also answered (or attempted to answer) many of the positions or get more information in email (see above/ below). Could you please review the updated document and the email discussion and clear your DISCUSS or let us know what else is needed to satisfy? Thank you, W On Wed, Feb 09, 2022 at 10:34 AM, <bmonkman@netsecopen.org> wrote: > Roman, > > Do you have response to the questions Carsten asked in response to you? > > Brian > > -----Original Message----- > From: Carsten Rossenhoevel <cross@eantc.de> Sent: Wednesday, February 2, > 2022 7:48 PM > To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org> Cc: > draft-ietf-bmwg-ngfw-performance@ietf.org; bmwg-chairs@ietf.org; > bmwg@ietf.org; Al Morton <acm@research.att.com> Subject: Re: Roman > Danyliw's Discuss on draft-ietf-bmwg-ngfw-performance-13: (with DISCUSS and > COMMENT) > > Dear Roman, > > thank you for your comments and questions. Primarily, the document is > focused on performance benchmarking as mentioned in 4.2.1. This is the area > where the authors and contributors saw a major gap in test methodology. > Today's datasheets of commercial firewalls are sometimes difficult to > interpret. Performance benchmarking methodology applies across all types of > security features (per Table 1). > > Thus, we describe performance benchmarking methodology in great detail. > Sections 4.3 and 7 focus on representative and reproducible load profiles. > (Note - Training phases would not include threat emulation. This is normal > and not mentioned otherwise in the document - do you recommend we change > any text / add an explanation?) > > Advanced security features use a wide range of functions and methods, as > you mentioned. It would be very difficult (and a race against time) to > cover white-box test methodology exhaustively for such security features in > a standards document. Therefore in this document, we: > > a) describe the recommended and optional security features at high level > (section 4.2) > > b) suggest evaluating the correct functional security effectiveness of > these features in advance of performance benchmarking, outside of the core > performance benchmarking methodology (mentioned in section 4.2.1, second > paragraph) > > c) safeguard against the false testing of a firewall without proper > security features enabled (mentioned in section 4.2.1, first paragraph and > 2nd sentence in second paragraph) > > d) describe security effectiveness test methodology verifying protection > against common vulnerabilities and exposures (CVEs) in Appendix A. This > test methodology is a black-box approach not aiming to verify/compare > advanced concepts such as sandboxing, zero-day threat protection, and other > AI-based functions. We are working on test methodology for these areas in > the NetSecOPEN group; but it is difficult to come up with reasonable test > solutions (specifically if they should be reproducible and test > tool-agnostic), which is why this document does not include detailed > methodology yet. > > Regarding "CVE" nomenclature, I agree that the language in Appendix A is > not absolutely precise. The term CVE has become informally used for the > (NIST/Mitre) database entries, the firewall capability to protect, and for > the test tool attack type. The authors are open to improving the > terminology. What do you suggest (without making each sentence a mouthful)? > > I also agree with your observation that CVEs are often not atomic and that > test tool implementations and firewall implementations may cover parts of a > CVE. This is an issue of the CVE database - there is no consistent > numbering of sub-CVEs. We have suffered from this issue in our security > effectiveness methodology verification program we have conducted since > early 2021. Our goal is to create a standard document that is not tied to > any specific test tool or lab implementation. Two test labs (UNH-IOL and > EANTC) have worked with two test tool vendors (Spirent and Keysight) and > multiple firewall vendors. We have evaluated thousands of CVEs, comparing > test coverage and results. > > Each test tool vendor uses individual implementations to emulate threats > aligned with CVEs, and their implementations sometimes differ in the > sub-CVE coverage. Firewall vendors also have their individual code and do > not always cover all sub-CVEs - often for good reasons that need to be > analyzed on the application layer individually (very high effort). We > concluded that we have to accept the state of the art in CVE granularity > and that we have to live with the uncertainties of sub-CVE coverage in > general. (In detail we will continue to work with test tool and firewall > vendors to align implementations and aim for best-working CVE threat > protection.) If you have any ideas how this draft document could help > improve the industry more quickly, we are seriously open for suggestions. > > Re your other comments: > > - The introduction section and tables 1/2/3 are being rephrased > editorially to increase their readability and add more explanations, based > on feedback from other AD reviewers. > > - In section 4.2, I am not sure if I understand your comment about > logging. According to RFC 2119, "RECOMMEND" and "SHOULD" consistently > describe the same level of requirement? > > - Well-defined TCP stack attributes are required for a network security > device because transport layer attributes influence its performance > greatly. Many issues found in EANTC tests in the past originated from > incorrect TCP stack attributes, and non-reproducible behavior of a firewall > is often related to undocumented/uncontrolled TCP stack attributes. > > - From our understanding, TLS 1.3 cipher suites are all considered > adequate in the industry today, while some of the TLS 1.2 cipher suites > are considered deprecated. This is why we specify them in detail. That > said, the note below the list of TLS 1.2 recommended ciphers encourages the > use of ciphers appropriate for evolving use cases. This might lead to a > selection of specific TLS 1.3 ciphers in the future as well. > > - Good point regarding the use of emulated exploits in section 9. We agree > to add a note. > > - Regarding 2nd paragraph of A.1, second sentence ("In parallel..."), we > agree that the text is imprecise. Threats that apply to the connection > setup cannot be encrypted. We'll edit the text to apply to these cases as > well. > > Best regards, Carsten > > Am 2/2/2022 um 11:39 PM schrieb Roman Danyliw via Datatracker: > > Roman Danyliw has entered the following ballot position for > draft-ietf-bmwg-ngfw-performance-13: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > Please refer to > https://www.ietf.org/blog/handling-iesg-ballot-positions/ for more > information about how to handle DISCUSS and COMMENT positions. > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-bmwg-ngfw-performance/ > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > ** A key element of successfully running the throughput tests described in > Section 7, appears to be ensuring how to configure the device under test. > Section 4.2. helpfully specifies feature sets with recommendations > configurations. However, it appears there are elements of > under-specification given the level of detail specified with normative > language. Specifically: > > -- Section 4.2.1 seems unspecified regarding all the capabilities in Table > 1 and 2. The discussion around vulnerabilities (CVEs) does not appear to be > relevant to configuration of anti-spyware, anti-virus, anti-botnet, DLP, > and DDOS. > > -- Recognizing that NGFW, NGIPS and UTM are not precise product > categories, offerings in this space commonly rely on statistical models or > AI techniques (e.g., machine learning) to improve detection rates and > reduce false positives to realize the capabilities in Table 1 and 2. If > even possible, how should these settings be tuned? How should the training > period be handled when describing the steps of the test regime (e.g., in > Section 4.3.4? Section 7.2.4?) > > ** Appendix A. The KPI measures don’t seem precise here – CVEs are > unlikely to be the measure seen on the wire. Wouldn’t it be exploits > associated with a particular vulnerability (that’s numbered via CVE)? There > can be a one-to-many relationship between the vulnerability and exploits > (e.g., multiple products affected by a single CVE); or the multiple > implementations of an exploit. > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > ** Abstract. NGFW, NGIPS and UTM are fuzzy product categories. Do you want > to them somewhere? How do they differ in functionality? UTM is mentioned > here, but not again in the document. > > ** Section 1. > The requirements > for network security element performance and effectiveness have increased > tremendously since then. In the eighteen years since > [RFC3511] was published, recommending test methodology and terminology for > firewalls, requirements and expectations for network security elements has > increased tremendously. > > I don’t follow how the intent of these two sentences is different. Given > the other text in this paragraph, these sentences also appear redundant. > > ** Section 3. Per “This document focuses on advanced, …”, what makes a > testing method “advanced”? > > ** Section 4.2. The abstract said that testing for NGFW, NGIPS and UTM > would be provided. This section is silent on UTM. > > ** Section 4.2. Should the following additional features be noted as a > feature of NGFWs and NGIPS (Tables 1 and 2)? > > -- reconnaissance detection > > -- geolocation or network topology-based classification/filtering > > ** Section 4.2. Thanks for the capability taxonomies describe here. Should > it be noted that “Table 1 and 2 are approximate taxonomies of features > commonly found in currently deployed NGFW and NGIDS. The features provided > by specific implementations may be named differently and not necessarily > have configuration settings that align to the taxonomy.” > > ** Table 1. Is there a reason that DPI and Anti-Evasion (listed in Table 2 > for > NGIPS) are not mentioned here (for NGFW). I don’t see how many (all?) of > the features listed as RECOMMENDED could be done without it. > > ** Table 3. For Anti-Botnet, should it read “detects and blocks”? > > ** Table 3. For Web Filtering, is this scoped to be classification and > threat detection by URI? > > ** Table 3. This table is missing a description for DoS from Table 1 and > DPI and Anti-Evasion from Table 2. > > ** Section 4.2. Per “Logging SHOULD be enabled.” How does this > “SHOULD” align with “logging and reporting” being a RECOMMENDED in Table 1 > and 2? Same question on “Application Identification and Control SHOULD be > configured” > > ** Section 4.3.1.1. Why is such well-formed and well-behaved traffic > assumed for a security device? > > ** Section 4.3.1. What cipher suites should be used for TLS 1.3 based > tests? The text is prescriptive for TLS 1.2 (using a RECOMMEND) but simply > restates all of those registered by RFC8446. > > ** Section 9. Given that the configurations of these test will include > working exploits, it would be helpful to provide a reminder on the need > control access to them. > > ** Section A.1. > In parallel, the CVEs will be sent to the DUT/SUT as encrypted and as well > as clear text payload formats using a traffic generator. > > This guidance doesn’t seem appropriate for all cases. Couldn’t the > vulnerability being exploited involve a payload in the unencrypted part or > a phase in the communication exchange before a secure channel is > negotiated? > > ** Editorial nits > -- Section 1. Editorial. s/for firewalls initially/for firewalls/ > > -- Section 5. Typo. s/as test equipments/as test equipment/ > > -- > Carsten Rossenhövel > Managing Director, EANTC AG (European Advanced Networking Test Center) > Salzufer 14, 10587 Berlin, Germany office +49.30.3180595-21, fax > +49.30.3180595-10, mobile +49.177.2505721 cross@eantc.de, https://www. > eantc.de > > Place of Business/Sitz der Gesellschaft: Berlin, Germany > Chairman/Vorsitzender des Aufsichtsrats: Herbert Almus Managing > Directors/Vorstand: Carsten Rossenhövel, Gabriele Schrenk Registered: HRB > 73694, Amtsgericht Charlottenburg, Berlin, Germany EU VAT No: DE812824025 >
- [bmwg] Roman Danyliw's Discuss on draft-ietf-bmwg… Roman Danyliw via Datatracker
- [bmwg] FW: Roman Danyliw's Discuss on draft-ietf-… MORTON JR., AL
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… bmonkman
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… Carsten Rossenhoevel
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… bmonkman
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… Warren Kumari
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… bmonkman
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw