[171067] in North American Network Operators' Group
Re: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Fernando Gont)
Thu Apr 17 12:02:10 2014
Date: Thu, 17 Apr 2014 12:59:53 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: David Newman <dnewman@networktest.com>, nanog@nanog.org
In-Reply-To: <534FF28B.9090807@networktest.com>
Hi, David,
Thanks so much for your feedback! -- Comments in-line....
On 04/17/2014 12:26 PM, David Newman wrote:
>
> The use of RFC 2544-esque metrics for firewall performance testing
> mostly benefits ill-informed or unscrupulous firewall marketeers, who
> send 1500-byte UDP packets and then brag about excellent performance.
>
> For firewalls handling TCP traffic, upper-layer traffic metrics such as
> HTTP object size, concurrent connection capacity, and connection setup
> rate are a lot more meaningful.
>
> The RFC 2544/2889 approach is OK if you only ever use your firewall as a
> router or a switch. The performance of a firewall used as an L2-L7
> device should be measured with L2-L7 traffic.
Are you referring to this text from our document?
> REQ GEN-5:
> The firewall MUST include performance benchmarking documentation.
> Such documentation MUST include information that reflects firewall
> performance with respect to IPv6 packet, but also regarding how
> IPv6 traffic may affect the performance of IPv4 traffic. The
> aforementioned documentation MUST be, at the very least,
> conditionally-compliant with both [RFC3511] and [RFC5180] (that
> is, it MUST support all "MUST" requirements in such documents, and
> may also support the "SHOULD" requirements in such documents).
>
> NOTE: This is for operators to be able to identify cases
> where a device may under-perform in the presence of IPv6
> traffic (see e.g. [FW-Benchmark]). XXX: This note may be
> removed before publication if deemed appropriate.
Because the RFCs we reference do require making the measurements as you
describe...
Thanks!
Best regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1