[171061] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (David Newman)
Thu Apr 17 11:26:41 2014

Date: Thu, 17 Apr 2014 08:26:03 -0700
From: David Newman <dnewman@networktest.com>
To: nanog@nanog.org
In-Reply-To: <4FC140D7-7464-4BDA-9562-A79A37F1458F@arbor.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 4/17/14, 5:51 AM, Dobbins, Roland wrote:

>> - packets per second
>> 	- Firewall Level
>> 	- Hosts level
> 
> This is getting into QoS territory . . .
> 
>> - packet size information
> 
> Concur - packet-length.

The use of RFC 2544-esque metrics for firewall performance testing
mostly benefits ill-informed or unscrupulous firewall marketeers, who
send 1500-byte UDP packets and then brag about excellent performance.

For firewalls handling TCP traffic, upper-layer traffic metrics such as
HTTP object size, concurrent connection capacity, and connection setup
rate are a lot more meaningful.

The RFC 2544/2889 approach is OK if you only ever use your firewall as a
router or a switch. The performance of a firewall used as an L2-L7
device should be measured with L2-L7 traffic.

dn
