Monday, December 20, 2021

[bmwg] AD Review of draft-ietf-bmwg-ngfw-performance

https://datatracker. … g-ngfw-performance

My recent review of the latest IETF NGFW performance testing Draft for RFC:

I think these guys are way off base with no grasp of reality. If you just want a raw
number of what a firewall can do without any real-world issues, then MAYBE it’ll work,
although I would argue that point…

Tim Copley

Dec 16, 2021, 1:59 PM (4 days ago)

to Warren, draft-ietf-bmwg-ngfw-performance, bmwg
I also wanted to chime in regarding this and, again, I apologize for not reviewing earlier.

I’ve not really been too involved in security devices until the last couple of years, but boy has it changed
drastically from when I was. Also, I noted that this document is basically following prior standards that
are also a bit outdated.

Some of the evolution I’ve noticed, which I think should at least be addressed: I think you tried
to exclude these in the Scope? However, I’m not really sure you are covering more than maybe 1/2 of the devices
that are being deployed at this time without addressing:

Virtualization / remote FWs in the next gen.

*) Large FWs are compartmentalizing customers and serving multiple customers with the same firewall. So while
you have said what would happen to a customer when the firewall is UT, you don’t really address what’s going
on with all the other customers on this DUT. If there are 10 customers going through 1 large FW, what are the
other 9 experiencing when this is under test? Would be interesting to have multiple parallel tests underway
and verify that behaviour is consistent across every “VDOM” within the system?

*) Time to change. If things are changed during your load profile, perhaps even on a different virtual firewall
within the system,

*) Sandbox dips. Several of the firewall vendors send stuff through labs / temp workspaces, either online or
offline, that allow them to test against zero-day scenarios. What happens to traffic flows during anomalies
in the traffic flows? Does it change the throughput of the DUT? I know this is kind of an open-ended question,
but I’m not sure you have good benchmark stats for a FW without it…

*) Cloud-based scenarios. If the firewall is removed, and I’m not really sure how you would test this with
consistent results, but if the FW is offsite and the traffic is being routed through a cloud-based FW, what does
that do to your traffic results?

Fruth Group

Timothy Copley