nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Fernando Gont <fernando () gont com ar>
Date: Thu, 17 Apr 2014 12:59:53 -0300

Hi, David,

Thanks so much for your feedback! -- Comments in-line....

On 04/17/2014 12:26 PM, David Newman wrote:

The use of RFC 2544-esque metrics for firewall performance testing
mostly benefits ill-informed or unscrupulous firewall marketeers, who
send 1500-byte UDP packets and then brag about excellent performance.

For firewalls handling TCP traffic, upper-layer traffic metrics such as
HTTP object size, concurrent connection capacity, and connection setup
rate are a lot more meaningful.

The RFC 2544/2889 approach is OK if you only ever use your firewall as a
router or a switch. The performance of a firewall used as an L2-L7
device should be measured with L2-L7 traffic.

Are you referring to this text from our document?


   REQ GEN-5:
      The firewall MUST include performance benchmarking documentation.
      Such documentation MUST include information that reflects firewall
      performance with respect to IPv6 packet, but also regarding how
      IPv6 traffic may affect the performance of IPv4 traffic.  The
      aforementioned documentation MUST be, at the very least,
      conditionally-compliant with both [RFC3511] and [RFC5180] (that
      is, it MUST support all "MUST" requirements in such documents, and
      may also support the "SHOULD" requirements in such documents).

         NOTE: This is for operators to be able to identify cases
         where a device may under-perform in the presence of IPv6
         traffic (see e.g. [FW-Benchmark]).  XXX: This note may be
         removed before publication if deemed appropriate.


Because the RFCs we reference do require making the measurements as you
describe...

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () si6networks com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
