Comments on "draft-ietf-bmwg-firewall-05.txt"

To: Brooks Hickman,  David Newman, Saldju Tadjudin, Terry Martin;

From: Brian Ford, Consulting Engineer, Cisco Systems

Regarding: Comments on "draft-ietf-bmwg-firewall-05.txt"

---------------------------------

In section 4 of the draft "Test Setup" you stated:

>One interface of the firewall is attached to the unprotected
>    network, typically the public network(Internet). The other interface
>    is connected to the protected network, typically the internal LAN.

You stated "One interface of the firewall is attached to the unprotected 
network, typically the public network(Internet).".  Given that this draft 
addresses Firewall performance I would suggest that you limit the 
definition to protected and an unprotected networks.  Attempting to measure 
performance of Firewalls at the Internet edge where other devices (some of 
which you have technically described in the draft) are not used limits the 
usefulness of this draft.

>Tri-homed[1] configurations employ a third segment called a
>    Demilitarized Zone(DMZ). With tri-homed configurations, servers
>    accessible to the public network are attached to the DMZ. Tri-Homed
>    configurations offer additional security by separating server(s)
>    accessible to the public network from internal hosts.

I want to point out several problems with this statement.

I-D ACTION:draft-ietf-bmwg-conterm-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Benchmarking Methodology Working Group of the IETF.

	Title		: Terminology for Benchmarking BGP Device Convergence in
                          the Control Plane
	Author(s)	: H. Berkowitz et al.
	Filename	: draft-ietf-bmwg-conterm-02.txt
	Pages		: 30
	Date		: 01-Jul-02
	
This draft establishes terminology to standardize the description of
benchmarking methodology for measuring eBGP convergence in the
control plane of a single BGP device. Future documents will address
iBGP convergence, the initiation of forwarding based on converged
control plane information and multiple interacting BGP devices. This
terminology is applicable to both IPv4 and IPv6. Illustrative
examples of each version are included where relevant.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-bmwg-conterm-02.txt

To remove yourself from the IETF Announcement list, send a message to 
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-bmwg-conterm-02.txt".

A list of Internet-Drafts directories can be found in

WG Last Call: draft-ietf-bmwg-conterm-02.txt

BMWG'ers:

A WG Last Call period for the Internet-Draft on
    "Terminology for Benchmarking BGP Device Convergence in
     the Control Plane,"

     <draft-ietf-bmwg-conterm-02.txt>

will be open from 2 July 2002 until 10 July 2002.

This I-D version reflects changes from its previous Last Call;
it is thought the changes merit re-review.

If you feel that this draft should not be given to the Area Directors
for consideration in progressing the I-D to an Informational RFC,
please cite your basis to this list or kdubray <at> juniper.net.  This must
be done prior to close of the last call period. Of course, notes of
support are always welcome.

A URL for this Internet-Draft is:

http://www.ietf.org/internet-drafts/draft-ietf-bmwg-conterm-02.txt

Changes for draft-ietf-bmwg-conterm-02.txt

54th IETF - Benchmarking Methodology WG agenda

BMWG'ers:

Please find below the tentative BMWG agenda for Yokohama.  Please
email suggested modifications (or corrections) to me.

Thank you,
Kevin

-------------------------------------------------------------

Benchmarking Methodology WG (bmwg)

MONDAY, July 15, 2002, 1930-2200
================================

AGENDA:

1. Benchmarking Network-layer Traffic Control Mechanisms - status
     update.  (J. Perser)

http://www.ietf.org/internet-drafts/draft-ietf-bmwg-dsmterm-03.txt

2. Rationale and Goals for a proposed, new BMWG work item:
     "SONET/SDH APS Performance Benchmarking." (Takumi Kimura)

3. Disposition of Benchmarking Terminology for Routers Supporting
     Resource Reservation. <draft-ietf-bmwg-benchres-term-01.txt>

     Last spring a WG Last call was issued on the above (expired)
     draft. NO commentary, pro or con, was issued from this or other
     related WGs on the I-D. Does this WG really desire this work
     to die a quiet death? Please retrieve an archived copy of
     the I-D, read it, and bring a recommendation to Yokohama (or
     the list.) A cached copy of the document can be found here:

http://www.watersprings.org/pub/id/draft-ietf-bmwg-benchres-term-01.txt

     We'll do something (or nothing) based on your input.

Please help contribute to a successful meeting by reading the above
I-D(s) before the meeting.

To offer comments on BMWG work in progress or the agenda itself,
please send email to:

     bmwg <at> ietf.org

Alternatively, to offer potential agenda items, please email:

     kdubray <at> juniper.net

Last call comments on the firewall benchmarking draft

Dear Authors of the firewall benchmarking draft and Dear BMWG members,

I work for Stonesoft, which is a software company making firewall software
and other security solutions. We would like to suggest some modifications
to
the firewall benchmarking draft before moving it forward. I apologize for
commenting only at such a late phase of the draft, but I hope you take our
points into consideration. Naturally, we are willing to contribute to the
drafting
work, if considered appropriate by the authors.

The problem I see with the current draft is that the test traffic is
perhaps
not defined accurately enough. Rather than standardizing firewall
configurations
(such as security policies), I would like to standardize the test loads
(traffic patterns)
as accuarately as possible, as well as the quantities that can be measured
from
the received traffic.

For IP layer traffic there is not much problem, it is very much like what
is described
in RFC 2544. Also UDP is quite easy because it doesn't retransmit. However,
TCP
and the applications running over it (e.g. HTTP) seem quite problematic
because
there are some TCP parameters at the end-points (client/server) that
influence the traffic flow, most notably the TCP window size. The firewall
between
the TCP end-points may very well be a "long, fat pipe" as described in RFC
1323,
which means that the TCP or application throughput is not limited by the
firewall but
by the TCP window size at the client/server end-points.

Therefore I would suggest characterizing very accurately the traffic flows
and the test client/server behavior in the benchmarks. For TCP benchmarking
it would
be very useful to use a bit simplified TCP traffic so that it would have
e.g. "infinite window
size", which would mean that the end-points never paused transmitting even
if they didn't
receive certain acknowledgements. Another simplification might be to use
constant
RTT (round-trip time) instead of dynamic RTT measurement, so that a
possible
retransmission would always take place a constant time (e.g. 1s) after the
original
transmission (or use an infinite RTT meaning that the TCP never
retransmits). Even
if this traffic is not "real life TCP traffic", it would be very useful for
benchmarking
because the offered load would be easily controlled. The firewalls (in most
cases)
wouldn't see any difference between the "simplified" and "real" TCP
traffic.

Also the TCP connection closing sequences should be defined accurately.
There
are a few ways to close a connection, and in some firewalls it makes a
difference
whether the closed connection is considered to enter the TIME_WAIT state or
not.

In general, I would like to move the focus of the draft from application
(HTTP) level
benchmarking to TCP level benchmarking. For example, I'm missing a TCP
transfer rate test, as well as a TCP transaction test that both establishes
and closes
connections in the same test. In some sense a simple application level test
(e.g.
HTTP transfer rate with simple GET methods) can be used for these purposes
by measuring transport layer goodput as well as application  goodput, but I
feel
it would be clearer to define separate TCP benchmarks for cases where
application
data is not important, and separate application level  tests e.g for HTTP
if the
firewall happens to apply some sort of proxying, URL filtering or content
scanning.

I would also like to define which quantities are measured and reported for
each
traffic pattern,  including error statistics. The error information is
valuable for example
when bencharking fault tolerant firewall systems, where the firewall is
able to
recover from a HW or link failure by switching over to a redundant link or
HW unit. In
these cases some packets or connections are most probably lost, and it
would be
valuable to know how many. In any case the end condition of a test should
not
necessarily be a single error, but the tests should in general continue and
just
measure and report the errors. The current draft defines this kind of error
logging
for some tests, but I'd like to have it done for all tests where possible
and maybe
a bit more extensively.

I'd appreaciate your comments on the points I've tried to make above. They
are
mostly based on practical experience on testing our firewall software's
performance.
We've had quite a lot of trouble finding suitable tests equipment for
measuring TCP
performance, typically we've run into limitations of the test equipment
before
hitting the limits of the firewall, and also the available test cases don't
sometimes
make much sense . So we would really like to see some good TCP benchmarks
standardised. Of course we would also like to benchmark with application
protocols,
but currently we are mostly missing TCP benchmarks.

Sincerely,

Juha Pirkola
Software Specialist
Stonesoft Oyj, Finland

RE: Comments on "draft-ietf-bmwg-firewall-05.txt"

Thanks very much for your close read and many constructive comments. We have
responded inline.

> -----Original Message-----
> From: Brian Ford [mailto:brford <at> cisco.com]
> Sent: Monday, July 01, 2002 6:49 PM
> To: brooks.hickman <at> spirentcom.com; dnewman <at> networktest.com;
> saldju.Tadjudin <at> spirentcom.com; tmartin <at> gvnw.com
> Cc: bmwg <at> ietf.org
> Subject: Comments on "draft-ietf-bmwg-firewall-05.txt"
> 
> 
> To: Brooks Hickman,  David Newman, Saldju Tadjudin, Terry Martin;
> 
> From: Brian Ford, Consulting Engineer, Cisco Systems
> 
> Regarding: Comments on "draft-ietf-bmwg-firewall-05.txt"
> 
> ---------------------------------
> 
> In section 4 of the draft "Test Setup" you stated:
> 
> >One interface of the firewall is attached to the unprotected
> >    network, typically the public network(Internet). The 
> other interface
> >    is connected to the protected network, typically the 
> internal LAN.
> 
> You stated "One interface of the firewall is attached to the 
> unprotected 
> network, typically the public network(Internet).".  Given 
> that this draft 
> addresses Firewall performance I would suggest that you limit the 
> definition to protected and an unprotected networks.
> Attempting to measure 
> performance of Firewalls at the Internet edge

That's out of scope not only for this document but also for this working
group. This draft focuses on measurement of one or at most a few boxes, not
a box at the edge of a huge honking network.

We don't believe modification is needed on this point. The draft doesn't
advocate attaching the firewall to a production network before measuring its
performance.

Totally agree that the terms protected and unprotected networks are apropos.
The phrase "typically the public network" was intended only to show what is
by far the most common configuration.

where other 
> devices (some of 
> which you have technically described in the draft) are not 
> used limits the 
> usefulness of this draft.
> >Tri-homed[1] configurations employ a third segment called a
> >    Demilitarized Zone(DMZ). With tri-homed configurations, servers
> >    accessible to the public network are attached to the 
> DMZ. Tri-Homed
> >    configurations offer additional security by separating server(s)
> >    accessible to the public network from internal hosts.
> 
> I want to point out several problems with this statement.
> 
> OK.  This is a nit picking point.  There is no need to refer 
> to a third (or 
> additional Firewall interface) as a "DMZ".  In fact there is nothing 
> "militarized" about a Firewall.

Sure. At the same time, the documentation for 100 percent of tri-homed
firewalls on the market -- including those sold by a San Jose-based
networking company -- refers to a "DMZ."

We can debate whether the label is appropriate or not (one of us finds the
term "layer-4 switch" to be equally idiotic), but it is the commonly used
term. It's also the term already defined in the terminology document, RFC
2647.

I'd suggest a better choice 
> of wording 
> would be "perimeter network".
> 
> You stated "servers accessible to the public network are 
> attached to the 
> DMZ"; when in fact a perimeter network is used to implement 
> an often new 
> security policy on an additional network segment.  Those 
> servers don't have 
> to be servicing the public network and could instead be servicing the 
> inside network.
> 
> Further you state "Tri-Homed configurations offer additional 
> security by 
> separating server(s) accessible to the public network from internal 
> hosts.".  I would suggest that the security policy implemented on the 
> perimeter interface offers additional security; and not the 
> fact that the 
> interface was installed and is in use.

While we don't disagree, is there a specific methodological question here?

> 
> In section 4.2 you discuss "Virtual Clients / Servers":
> 
> You explained that data sources may emulate multiple users 
> and hosts; which 
> your methodology refers to as virtual servers and clients.  
> You stated that 
> the test report SHOULD indicate the number of virtual clients and 
> servers.  You stated that "Testers MUST synchronize all data sources 
> participating in a test.".  Could you elaborate as to how the 
> data sources 
> "MUST" be synchronized?  What's the reasoning behind that "MUST"?

It is impossible to obtain valid measurements of latency and other
delay-related metrics unless the transmitter and receiver are synchronized.

> 
> In section 4.3 Test Traffic Requirements you state:
> 
> >For the purposes of benchmarking firewall performance this document
> >    references HTTP 1.1 or higher as the application layer entity,
> >    although the methodologies may be used as a template for
> >    benchmarking with other applications.
> 
> Elsewhere in the document you stated that many different 
> types of Firewalls 
> could potentially be under test; yet you only call for HTTP 
> to be used to 
> develop a performance metric.
> 
> Another issue with HTTP testing is that it limits the type of 
> rules that 
> can be implemented and tested to the HTTP application only.
> 
> Why not include FTP transfers of several fixed sized files?  
> Why limit the 
> specification to just HTTP?

There's nothing in the draft that prevents implementers from doing other
protocols. We call for HTTP because it represents a large proportion of IP
traffic (for some definition of large).

Two of us are implementers of test tools that can be used to measure
firewall performance. In our experience getting the most common protocol
defined first is a sensible practice. We're certainly open to adding others
down the road, and again the draft does not discourage this.

> 
> In section 4.5 Multiple Client/Server Testing:
> 
> You stated "Each virtual client MUST initiate connections in 
> a round-robin 
> fashion.".  But wouldn't this "round robin" behavior create a 
> tailored 
> stream of traffic?  Would'nt this type of testing better 
> emulate a Firewall 
> behind a load balancing device (when in fact the majority of 
> Firewalls are 
> installed without a load balancing front end)?  I'd suggest 
> that the type 
> of test described doesn't adequately reflect real world 
> conditions and that 
> other methods should be considered.
> 
> Also see RFC 2544 section 21. regarding Bursty Traffic as an 
> alternative to 
> steady state (stream) traffic.

RFC2544 is not applicable in this case since it applies only to traffic at
or below the network layer. TCP is by nature both bursty and
self-throttling.

However, you are correct that we describe a methodology in which the
"connection requests" from each client->Server(s) are offered in an evenly
distributed manner. The intent here is to define a methodology that works
independent of the number of clients and/or servers specified.

The term "real world" is heard a lot in the testing arena. Defining what
that means, in terms of an algorithm, is usually difficult or impossible to
nail down.

> In section 4.7 Rule Sets:
> 
> I thought you did a good job of defining rule set 
> functionality.  I was 
> surprised that you didn't come out strongly for or against 
> zero or single 
> rule set tests.  I think they are irrelevant and turn 
> otherwise interesting 
> Firewall performance studies into a discussion of forwarding. 
> But in some 
> Firewalls it is worthwhile to test the default security policy.

In our opinion, the forwarding rate for a firewall's default security policy
SHOULD be 0 pps. While there is nothing like a consensus on what constitutes
"default security policy," there is agreement that firewalls (and security
devices in general) should not forward any traffic unless the user
explicitly allows it.

> 
> I would like to see you go further in defining how many rules 
> should be 
> included in any test.

We really wrestled with benchmarking involving rule sets. Among the major
issues:

--different rules may have different performance costs, even on the same DUT
--rule set order may have a different performance cost on different DUTs
--the same rule may have different performance costs on different DUTs

Of these, we only seek to measure the last. There's too much wiggle room in
the first two for us to be able to declare general test cases that are
meaningful for all DUTs.

  I'd also like to see you go further in 
> defining 
> locations were basic rule sets could be discovered.  See RFC 
> 2544 section 
> 11.4.1 on Filter Addresses.  I suggest that something like 
> that is needed 
> in this RFC.  For example; somewhere in the DUT / SUT there 
> should probably 
> be an RFC 1918 Private Address Filter (you did earlier make 
> the case for 
> Internet connectivity).  There are plenty of recommendations 
> about default 
> rule sets at the SANS and SecurityFocus; as well as almost 
> all Firewall 
> vendors sites.

Thanks; some of us are big fans of those sites. The issue of location of
rule sets is very router-like (ie, do we apply rules on ingress, egress, or
both). While there may be merit in such measurements, the general rule with
firewalls is that they apply filtering on one interface at a time.

> 
> in section 4.8 in your discussion of Authentication you point 
> out that 
> "Authentication is usually performed by devices external to 
> the firewall 
> itself, such as an authentication server(s) and may add to 
> the latency of 
> the system.".  But you did not go so far as to require that 
> an external 
> authentication source be used.  I think you should require the 
> authentication database (at least) to be external to the 
> Firewall SUT / DUT.

Why? Is authentication now an essential firewall function?

While there's certainly merit in such measurements, they are above and
beyond the fundamental firewall function of access control.

> Not included in Section 4 was any discussion of logging.  
> Reporting is 
> discussed in section 5 but Syslog is not required. At a 
> minimum Syslog MUST 
> be supported and enabled on a DUT / SUT.  The Syslog server MUST be a 
> separate device (so that Syslog is not recorded on the candidate 
> Firewall).  Berkeley Standard Syslog (RFC 3164) should be used.

External logging servers is an interesting suggestion, but unfortunately we
doubt such servers are used by even a significant minority of firewalls
deployed today.

We are careful in this document to avoid what are essentially security
assessments. The use of an external syslog server is one such security
check; it's a great idea from a security standpoint, but we are explicitly
not assessing device security. (If we were, we'd not only follow your
recommendation but also require that log data be transmitted with strong
encryption and that the logging server use write-once media).

Also, while logging isn't a MUST requirement, its use is implied ("If the
DUT/SUT has logging capability, the log SHOULD be checked...")

> 
> The log file that is called for in section 5.1.2 would be of 
> little use in 
> an operational Firewall.  I think that a test tool used to 
> create the test 
> environment might better create the type of log file discussed here.
> 
> In section 5 the end condition for the tests seems to be 
> anything more than 
> zero packet loss.  I'd suggest that zero packet loss is one 
> way of ending 
> the test but is really only realistic for higher end appliance 
> Firewalls.  You may want to suggest that some defined amount 
> of packet loss 
> that does not exceed some number (say .25, .5, or 1%) should 
> be the end 
> condition.

"Allowable packet loss" has already been the topic of much discussion over
many years. There is no consensus on how much loss is allowable; the only
number everyone agrees on is 0.

> 
> Also of interest is the DUT / SUT "overloaded behavior" as defined by 
> Bradner in RFC 1242.  Can the DUT / SUT recover from an 
> overload event?
> 
> Several times in section 5 it is stated:
> 
> >Between each iteration, it is RECOMMENDED that the tester issue a
> >    TCP RST referencing all connections attempted for the previous
> >    iteration, regardless of whether or not the connection 
> attempt was
> >    successful. The tester will wait for age time before 
> continuing to
> >    the next iteration.
> 
> In a network each of the individual connections would be 
> terminated with a 
> RST.  Why this RST for all connections?  Shouldn't there be 
> some section 
> were each of the connections gets an individual RST?

Each connection must be sent an RST since a TCP RST can only apply to one
connection at a time. Will reword the paragraph as follows:

Between each iteration, it is RECOMMENDED that the tester issue a TCP RST
for each connection attempted for the previous iteration, regardless of
whether or not the connection attempt was successful. The tester will wait
for age time before continuing to the next iteration.

> 
> Might you want to test whether and how the Firewall deals 
> with connections 
> that don't close?

Can you clarify? In a majority of cases, the clients and servers emulated by
the test instrument(s) will own both sides of the TCP connection and can
therefore determine if the connection closes properly.

Are you talking about the condition in which the test instrument properly
closes a connection, but the connection still exists in the DUT/SUT's state
table?

    Shouldn't the Firewall apply a connection 
> timer?  Shouldn't that be tested?

Testing the connection timer on a DUT/SUT would basically be a functional
test, not a performance metric.

> 
> Check section 5.4.3 as there seeming to be an incomplete 
> section of text 
> (typo?) repeated with that heading number.

Thanks. Good catch.

> In section 5.11 Latency you should note that Bradner states 
> in RFC 1242 
> under his discussion of testing latency:
> 
> >Measurements should be
> >                 taken for a spectrum of frame sizes without changing
> >                 the device setup.
> 
> and require that the device setup not be changed during 
> Firewall testing.

Thanks, this is a useful suggestion for network-layer measurements.

It's less useful for application-layer measurements, since TCP may (will?)
determine what frame sizes we'll be using.

Thanks again. We very much appreciate your comments.

Brooks Hickman
Spirent Communications

David Newman
Network Test

Saldju Tadjudin
Spirent Communications

Terry Martin
GVNW Consulting

> 
> Liberty for All,
> 
> Brian
> 
> 
> 
> 
> 
> 
> Brian Ford
> Consulting Engineer
> Corporate Consulting Engineering, Office of the Chief 
> Technology Officer
> Cisco Systems, Inc.
> http://www.cisco.com
> e-mail: brford <at> cisco.com
> 
> 

BMWG notes for 54th IETF.

BMWG'ers:

Marianne Lepp will chair the BMWG meeting in Yokohama for me.

Please note agenda item 3. Let's finish this one up.

The agenda can be found here:
     http://www.ietf.org/ietf/02jul/bmwg.txt

-Kevin

RE: Last call comments on the firewall benchmarking draft

Thanks very much for your close read and many constructive comments. We have
responded inline.

> -----Original Message-----
> From: Juha.Pirkola <at> stonesoft.com [mailto:Juha.Pirkola <at> stonesoft.com]
> Sent: Monday, July 08, 2002 6:28 AM
> To: bmwg <at> ietf.org
> Subject: [bmwg] Last call comments on the firewall benchmarking draft
> 
> 
> Dear Authors of the firewall benchmarking draft and Dear BMWG members,
> 
> I work for Stonesoft, which is a software company making 
> firewall software
> and other security solutions. We would like to suggest some 
> modifications
> to
> the firewall benchmarking draft before moving it forward. I 
> apologize for
> commenting only at such a late phase of the draft, but I hope 
> you take our
> points into consideration. Naturally, we are willing to 
> contribute to the
> drafting
> work, if considered appropriate by the authors.
> 
> The problem I see with the current draft is that the test traffic is
> perhaps
> not defined accurately enough. Rather than standardizing firewall
> configurations
> (such as security policies), I would like to standardize the 
> test loads
> (traffic patterns)
> as accuarately as possible, as well as the quantities that 
> can be measured
> from
> the received traffic.
> 
> For IP layer traffic there is not much problem, it is very 
> much like what
> is described
> in RFC 2544. Also UDP is quite easy because it doesn't 
> retransmit. However,
> TCP
> and the applications running over it (e.g. HTTP) seem quite 
> problematic
> because
> there are some TCP parameters at the end-points (client/server) that
> influence the traffic flow, most notably the TCP window size. 
> The firewall
> between
> the TCP end-points may very well be a "long, fat pipe" as 
> described in RFC
> 1323,
> which means that the TCP or application throughput is not 
> limited by the
> firewall but
> by the TCP window size at the client/server end-points.
> 
> Therefore I would suggest characterizing very accurately the 
> traffic flows
> and the test client/server behavior in the benchmarks. For 
> TCP benchmarking
> it would
> be very useful to use a bit simplified TCP traffic so that it 
> would have
> e.g. "infinite window
> size", which would mean that the end-points never paused 
> transmitting even
> if they didn't
> receive certain acknowledgements.

This would break goodput measurements. Also, while it's out of scope for
this document, note that some firewalls also offer TCP proxies and/or
bandwidth management functions. Both require correctly implemented TCP.

 Another simplification 
> might be to use
> constant
> RTT (round-trip time) instead of dynamic RTT measurement,

same issue

> so that a
> possible
> retransmission would always take place a constant time (e.g. 
> 1s) after the
> original
> transmission (or use an infinite RTT meaning that the TCP never
> retransmits). Even
> if this traffic is not "real life TCP traffic", it would be 
> very useful for
> benchmarking
> because the offered load would be easily controlled. The 
> firewalls (in most
> cases)
> wouldn't see any difference between the "simplified" and "real" TCP
> traffic.

While we agree that forwarding rate measurements are affected
by the TCP parameters of the client/server end-points, such as TCP Window
size,
what you are suggesting would turn TCP from a connection protocol to
a connectionless protocol. Therefore, any measurements using this "modified"
TCP would not be representative of legitimate TCP traffic. The methodology
already has a throughput test for a connectionless protocol(Section 5.1)

In addition, this methodology would not work with proxy based DUTs which
will terminate TCP connections. The intend is to make the methodology
independent of the firewall architecture. Apple to apple comparisons can
never be made if different methodologies are used which are dependent
on firewall architecture.

> 
> Also the TCP connection closing sequences should be defined 
> accurately.
> There
> are a few ways to close a connection, and in some firewalls it makes a
> difference
> whether the closed connection is considered to enter the 
> TIME_WAIT state or
> not.

A TCP connection is closed in either of two ways. Either by issuing a TCP
RST or TCP FIN packet. However, you are correct in that only one test, the
maximum TCP connection tear down rate, actually specifies which method must
be used. This is required so that the test instrument(s) can make connection
tear
down time measurements. Can you elaborate on why this would be required for
the other tests.

> 
> In general, I would like to move the focus of the draft from 
> application
> (HTTP) level
> benchmarking to TCP level benchmarking. For example, I'm missing a TCP
> transfer rate test, as well as a TCP transaction test that 
> both establishes
> and closes
> connections in the same test. In some sense a simple 
> application level test
> (e.g.
> HTTP transfer rate with simple GET methods) can be used for 
> these purposes
> by measuring transport layer goodput as well as application  
> goodput, but I
> feel
> it would be clearer to define separate TCP benchmarks for cases where
> application
> data is not important, and separate application level  tests 
> e.g for HTTP
> if the
> firewall happens to apply some sort of proxying, URL 
> filtering or content
> scanning.

There is nothing that prohibits the test instrument(s) from making
measurements at other layers, in addition to the application layer. In fact,
the HTTP
transfer rate test explicitly states that the goodput of all connection
oriented
protocols be measured, along with the application transfer rate.

Again, the intent of this document is to provide methodologies independent
of firewall architecture. Some firewalls do care about the data in the TCP
payload.

> 
> I would also like to define which quantities are measured and 
> reported for
> each
> traffic pattern,  including error statistics. The error information is
> valuable for example
> when bencharking fault tolerant firewall systems, where the 
> firewall is
> able to
> recover from a HW or link failure by switching over to a 
> redundant link or
> HW unit. In
> these cases some packets or connections are most probably lost, and it
> would be
> valuable to know how many.

The test you are describing seems to be functional tests like firewall
failover -- a very useful measurement, but outside the scope for a
performance methodology.

> In any case the end condition of a 
> test should
> not
> necessarily be a single error, but the tests should in 
> general continue and
> just
> measure and report the errors.

The objective of benchmarking the DUT is to determine its performance
limits(Maximum connection capacity, maximum connection rate, etc). This is
why
most of the tests use an iterative search algorithm that stops once that
limit
has been determined.

> The current draft defines this 
> kind of error
> logging
> for some tests, but I'd like to have it done for all tests 
> where possible
> and maybe
> a bit more extensively.

Will review draft for error logging. Can you elaborate on error conditions
that you think would be beneficial to include which are currently missing?

> I'd appreaciate your comments on the points I've tried to 
> make above. They
> are
> mostly based on practical experience on testing our firewall 
> software's
> performance.
> We've had quite a lot of trouble finding suitable tests equipment for
> measuring TCP
> performance, typically we've run into limitations of the test 
> equipment
> before
> hitting the limits of the firewall, and also the available 
> test cases don't
> sometimes
> make much sense . So we would really like to see some good 
> TCP benchmarks
> standardised. Of course we would also like to benchmark with 
> application
> protocols,
> but currently we are mostly missing TCP benchmarks.
> 
> Sincerely,
> 
> Juha Pirkola
> Software Specialist
> Stonesoft Oyj, Finland
> 
> 
> _______________________________________________
> bmwg mailing list
> bmwg <at> ietf.org
> https://www1.ietf.org/mailman/listinfo/bmwg

Thanks again. We very much appreciate your comments.

Brooks Hickman
Spirent Communications

David Newman
Network Test

Saldju Tadjudin
Spirent Communications

Terry Martin
GVNW Consulting

New version of BGP Convergence terminology draft posted