Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-bmwg-ngfw-performance-14: (with DISCUSS and COMMENT)
Bala Balarajah <bm.balarajah@gmail.com> Sat, 22 October 2022 20:33 UTC
Return-Path: <bm.balarajah@gmail.com>
X-Original-To: bmwg@ietfa.amsl.com
Delivered-To: bmwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0807C14F746; Sat, 22 Oct 2022 13:33:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4D0R4dCEPRfg; Sat, 22 Oct 2022 13:33:53 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B894CC14F744; Sat, 22 Oct 2022 13:33:53 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id r8-20020a1c4408000000b003c47d5fd475so7435277wma.3; Sat, 22 Oct 2022 13:33:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Tv9n/qhKf/g303cBjCmi0az747XDw3p1rI/RP6Rs82M=; b=a05XOC5YMiN6A9BpFQFGi+MEhk//wDnm08NQxrQpT7o+nDzuOjg8C2QJByVDaH5UlM EqXaAXr3PfH/ALu4+YWY0SNY0IPGWw7x08P1LeUCa+utFHeZzEaQrdinNOlgRc2+YIxi YepXIW3k5FG0TreQBlUZFh114x8oUkeCGc94whVwGjLb0xsyUBk5+608vj84Sg4MQGej EYJ7ituKJAnncNEuoWRf81keu/F8e8qWLodGdeks17cAkZ4VFg/inqyMauIuinfi//J5 Rin3+yWWbtfZUZwqiVRR7NhZQ15UTAdn65IMINF4Zr5t4QuXW15k5PGEAlI8fB9bD215 6sHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Tv9n/qhKf/g303cBjCmi0az747XDw3p1rI/RP6Rs82M=; b=V0yAvKxXu013nnx1WRczDieAE/LrZbVlrjko9JPB2GYtZCwMSyqD+FPUE623nMaGya eHDydjVTjTekxX+r3a9G6psBgeDA+zHz8mjskzi9DlINMSVjHASyopfi3y0ABWic35o/ 5QG+adMXKwit9uDxENxvTB1FW7dibf7F6nf+Z3HFYeewegO9RVg2MS/T7jZ8oHNbdW2Z OfyIOMHthrIQLe1lUez5ySNVYmPTKVdxgAqZCiBHk+pvv6e6ee51wAYYbym/JKZ1OUvk RahU2VrswWendCv1XBl8uQ8FbjoLY0l9AI1UipPkRgfGIRQ6kxZjjR4vW+5SW2iLSk0U 3OZA==
X-Gm-Message-State: ACrzQf2Pwbc0NDN/o6X7hp/aL4WmGJEJ4xAOXe9IgsNYic1xn03LVhXA l8uj048id9AOPOPIltKmSRueW20Wxd84rHoJhbg=
X-Google-Smtp-Source: AMsMyM7PH4aORKuKsfibKRSjDRmIhFZmvDujBZsWtjFMr+sOCtMPpk6afQJek+oLQ6a1cc3oIZvogvH08fQVWj5Lc+g=
X-Received: by 2002:a05:600c:3781:b0:3a6:804a:afc with SMTP id o1-20020a05600c378100b003a6804a0afcmr37689702wmr.27.1666470831606; Sat, 22 Oct 2022 13:33:51 -0700 (PDT)
MIME-Version: 1.0
References: <166568668844.39192.10045972592261938837@ietfa.amsl.com> <CA+7QJZhhdMgJ_eN1J1nKgmYNBAyOHrW2x-HF+_AaxvVQtcL0BQ@mail.gmail.com> <BN2P110MB110761D2C11A9E560BE7739FDC2A9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB110761D2C11A9E560BE7739FDC2A9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
From: Bala Balarajah <bm.balarajah@gmail.com>
Date: Sat, 22 Oct 2022 22:33:40 +0200
Message-ID: <CA+7QJZhnt9x8veGt_GbLuXjn+kq5rot12YXJoK6Br8ZRNwBbsw@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-bmwg-ngfw-performance@ietf.org" <draft-ietf-bmwg-ngfw-performance@ietf.org>, "bmwg-chairs@ietf.org" <bmwg-chairs@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>, Al Morton <acm@research.att.com>
Content-Type: multipart/alternative; boundary="000000000000f2517005eba5798f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bmwg/xJ5coOqJU8mXVaowsiXoEsLkE2E>
Subject: Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-bmwg-ngfw-performance-14: (with DISCUSS and COMMENT)
X-BeenThere: bmwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Benchmarking Methodology Working Group <bmwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bmwg>, <mailto:bmwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bmwg/>
List-Post: <mailto:bmwg@ietf.org>
List-Help: <mailto:bmwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bmwg>, <mailto:bmwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Oct 2022 20:33:54 -0000
Hi Roman, Thank you for your recommended text. We have updated Section 3 and also incorporated all your comments into the new version. I have just posted the new version 15. Thanks, Bala Am Do., 20. Okt. 2022 um 19:13 Uhr schrieb Roman Danyliw <rdd@cert.org>: > Hi Bala! > > > > *From:* Bala Balarajah <bm.balarajah@gmail.com> > *Sent:* Wednesday, October 19, 2022 6:42 PM > *To:* Roman Danyliw <rdd@cert.org> > *Cc:* The IESG <iesg@ietf.org>; draft-ietf-bmwg-ngfw-performance@ietf.org; > bmwg-chairs@ietf.org; bmwg@ietf.org; Al Morton <acm@research.att.com> > *Subject:* Re: Roman Danyliw's Discuss on > draft-ietf-bmwg-ngfw-performance-14: (with DISCUSS and COMMENT) > > > > Hi Roman, > > > > Thanks for the review. Please see our responses inline below. If you are > satisfied with our responses, we will post the new draft version before > IETF 115 draft cutoff (Monday, Oct 24th ). > > > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > (Updated Ballot) > > -- [per -13] Recognizing that NGFW, NGIPS and UTM are not precise product > categories, offerings in this space commonly rely on statistical models or > AI > techniques (e.g., machine learning) to improve detection rates and reduce > false > positives to realize the capabilities in Table 1 and 2. If even possible, > how > should these settings be tuned? How should the training period be handled > when > describing the steps of the test regime (e.g., in Section 4.3.4? Section > 7.2.4?) > > [per -14] Thank for explaining that the training phase would not be > included in > the threat emulating in your email response. Since the goal of these > document > is specify reproducible testing, the primary text I was look for was an > acknowledgment that the detection performance of some systems may be > affected > by learning from prior traffic. Any state kept by such systems much be > reset > between testing runs. > > > > [Authors] : Machine Learning and behavioral analysis systems are not > included in the scope of this test, as it uses lab-generated traffic for > measurement of performance KPIs, and captured/replayed traffic as the body > of the security portion of testing. Neither of these environments is > conducive to the use of ML or behavioral analysis solutions. > > We can add the following sentence in the draft, if it gives more clarity: > > "Machine Learning and behavioral analysis features are not included in the > scope of the performance benchmarking test." > > > > Thanks. Your proposed text and assessment seem a little bit different. > The latter is more of what I expected, these systems are out of scope). > The former seems to say something weaker, assessing these features aren’t > in scope. My recommendation would be for something a bit stronger on what > to do with a this testing regime relative to this class of system appended > to the end of Section 3 that combines both the former and latter ideas. > Roughly: > > > > ==[ snip ]== > > > > The performance testing methodology described in this document is not > intended for devices that rely on machine learning or behavioral analysis. > If such features are present in a device under test, they should be > disabled. > > > > ==[ snip ]== > > > > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > (Updated Ballot) > > Thanks for the changes made in -13. > > ** [per -13] Section 3. Per “This document focuses on advanced, …”, what > makes > a testing method “advanced”? > > > > [Authors]: Comparing previous RFCs 2544 and RFC3511, this draft provides a > more in-depth test methodology for test parameter definition, test results > validation criteria, and test procedures defined in section 7 and its > subsections. > > > > [Roman] Makes sense. My intent was to suggest that this distinction from > RFC2544/3511 being described as advanced was not clear. > > > > > ** [per -13] Section 4.2. Should the following additional features be > noted as > a feature of NGFWs and NGIPS (Table 2 and 3 in -14)? > > -- geolocation or network topology-based classification/filtering (since > there > is normative text “Geographical location filtering SHOULD be configured.”) > > > > [Authors]: We will add the following sentence in the next release: > > Geographical location filtering SHOULD be configured. If the DUT/SUT is > not designed to perform geographical location filtering, it is acceptable > to conduct tests without them. However, this MUST be > noted in the test report. > > > > [Roman] Thanks. > > > > > ** [per -13/14] Table 2. Is there a Anti-Evasion (listed in Table 3 for > NGIPS) > are not mentioned here (for NGFW). > > > > [Authors]: Anti-Evasion should be included in NGFW in the same manner as > NGIPS. We will add this in the next release. > > > > [Roman] Thanks. > > > > > ** [per -13] Section 4.2. Per “Logging SHOULD be enabled.” How does this > “SHOULD” align with “logging and reporting” being a RECOMMENDED in Table 1 > and > 2? > > > > [Authors]: According to the security product vendors (the draft > contributors), "logging and reporting" is one of the mandatory (MUST) and > default features for security devices. For this reason, we removed it from > the tables that contain RECOMMENDED and > > OPTIONAL features only. Therefore, we added the following text below table > 3, which applies to both NGFW and NGIPS: > > “Logging and reporting MUST be enabled." > > > > [Roman] The way I was approach it was with the expectation that all of the > possible features described in Table 1 were going to be crossed walked with > their normative requirements in Table 2 and 3. If the WG prefers to keep > it as described, no problem. Thanks for explaining. > > > > > [per -14] Thanks for the edits here. I think a regression was a > regression > introduced. Table 3 (NGIPS) used to have “Logging and Reporting” just like > Table 2 in -12. > > > > [Authors]: There was a mistake. As mentioned above, "Logging and > Reporting" will be removed from both tables. We will update this in the > next release. > > > > [Roman] Thanks. It was the inconsistency that caught me. > > > > Thanks, > > Roman >
- [bmwg] Roman Danyliw's Discuss on draft-ietf-bmwg… Roman Danyliw via Datatracker
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… Bala Balarajah
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… Bala Balarajah
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw
- Re: [bmwg] Roman Danyliw's Discuss on draft-ietf-… MORTON JR., AL