As per the relevance of the word "forwarding", we have this RFC below:

Network Working Group                                          D. Newman
Request for Comments: 2647                              Data Communications
Category: Informational                                         August 1999


Benchmarking Terminology for Firewall Performance

Status of this Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Table of Contents

1. Introduction...................................................2
2. Existing definitions...........................................2
3. Term definitions...............................................3
3.1 Allowed traffic...............................................3
3.2 Application proxy.............................................3
3.3 Authentication................................................4
3.4 Bit forwarding rate...........................................5
3.5 Circuit proxy.................................................6
3.6 Concurrent connections........................................6
3.7 Connection....................................................7
3.8 Connection establishment......................................9
3.9 Connection establishment time.................................9
3.10 Connection maintenance......................................10
3.11 Connection overhead.........................................11
3.12 Connection teardown.........................................11
3.13 Connection teardown time....................................12
3.14 Data source.................................................12
3.15 Demilitarized zone..........................................13
3.16 Firewall....................................................13
3.17 Goodput.....................................................14
3.18 Homed.......................................................15
3.19 Illegal traffic.............................................15
3.20 Logging.....................................................16
3.21 Network address translation.................................16
3.22 Packet filtering............................................17
3.23 Policy......................................................17
3.24 Protected network...........................................18
3.25 Proxy.......................................................19
3.26 Rejected traffic............................................19



Newman Informational [Page 1]

RFC 2647 Firewall Performance Terminology August 1999


3.27 Rule set....................................................20
3.28 Security association........................................20
3.29 Stateful packet filtering...................................21
3.30 Tri-homed...................................................22
3.31 Unit of transfer............................................22
3.32 Unprotected network.........................................23
3.33 User........................................................23
4. Security considerations.......................................24
5. References....................................................25
6. Acknowledgments...............................................25
7. Contact Information...........................................25
8. Full Copyright Statement......................................26

1. Introduction

This document defines terms used in measuring the performance of
firewalls. It extends the terminology already used for benchmarking
routers and switches with definitions specific to firewalls.

Forwarding rate and connection-oriented measurements are the primary
metrics used in this document.

Why do we need firewall performance measurements? First, despite the
rapid rise in firewall deployment, there is no standard method of
performance measurement. Second, implementations vary widely, making
it difficult to do direct performance comparisons. Finally, more and
more organizations are deploying firewalls on internal networks
operating at relatively high speeds, while most firewall
implementations remain optimized for use over relatively low-speed
wide-area connections. As a result, users are often unsure whether
the products they buy will stand up to relatively heavy loads.

2. Existing definitions

This document uses the conceptual framework established in RFCs 1242
and 2544 (for routers) and RFC 2285 (for switches). The router and
switch documents contain discussions of several terms relevant to
benchmarking the performance of firewalls. Readers should consult the
router and switch documents before making use of this document.

This document uses the definition format described in RFC 1242,
Section 2. The sections in each definition are: definition,
discussion, measurement units (optional), issues (optional), and
cross-references.

3. Term definitions

3.1 Allowed traffic

Definition:
Packets forwarded as a result of the rule set of the device under
test/system under test (DUT/SUT).

Discussion:
Firewalls typically are configured to forward only those packets
explicitly permitted in the rule set. Forwarded packets must be
included in calculating the bit forwarding rate or maximum bit
forwarding rate of the DUT/SUT. All other packets must not be
included in bit forwarding rate calculations.

This document assumes 1:1 correspondence of allowed traffic offered
to the DUT/SUT and forwarded by the DUT/SUT. There are cases where
the DUT/SUT may forward more traffic than it is offered; for
example, the DUT/SUT may act as a mail exploder or a multicast
server. Any attempt to benchmark forwarding rates of such devices
must include a description of how much traffic the tester expects
to be forwarded.

Unit of measurement:
   not applicable

Issues:

See also:
   rule set

3.2 Application proxy

Definition:
A proxy service that is set up and torn down in response to a
client request, rather than existing on a static basis.

Discussion:
Circuit proxies always forward packets containing a given port
number if that port number is permitted by the rule set.
Application proxies, in contrast, forward packets only once a
connection has been established using some known protocol. When the
connection closes, a firewall using application proxies rejects
individual packets, even if they contain port numbers allowed by a
rule set.

Unit of measurement:
   not applicable

Issues:
   circuit proxy
   rule set

See also:
   allowed traffic
   circuit proxy
   rejected traffic
   rule set

3.3 Authentication

Definition:
The process of verifying that a user requesting a network resource
is who he, she, or it claims to be, and vice versa.

Discussion:
Trust is a critical concept in network security. Any network
resource (such as a file server or printer) typically requires
authentication before granting access.

Authentication takes many forms, including but not limited to IP
addresses; TCP or UDP port numbers; passwords; external token
authentication cards; and biometric identification such as
signature, speech, or retina recognition systems.

The entity being authenticated might be the client machine (for
example, by proving that a given IP source address really is that
address, and not a rogue machine spoofing that address) or a user
(by proving that the user really is who he, she, or it claims to
be). Servers might also authenticate themselves to clients.

Testers should be aware that in an increasingly mobile society,
authentication based on machine-specific criteria such as an IP
address or port number is not equivalent to verifying that a given
individual is making an access request. At this writing, mechanisms
that verify the identity of users are typically external to the
firewall, and may introduce additional latency to the overall SUT.

Unit of measurement:
   not applicable

Issues:

See also:
   user

3.4 Bit forwarding rate

Definition:
The number of bits per second of allowed traffic a DUT/SUT can be
observed to transmit to the correct destination interface(s) in
response to a specified offered load.

Discussion:
This definition differs substantially from section 3.17 of RFC 1242
and section 3.6.1 of RFC 2285.

Unlike both RFCs 1242 and 2285, this definition introduces the
notion of different classes of traffic: allowed, illegal, and
rejected (see definitions for each term). For benchmarking
purposes, it is assumed that bit forwarding rate measurements
include only allowed traffic.

Unlike RFC 1242, there is no reference to lost or retransmitted
data. Forwarding rate is assumed to be a goodput measurement, in
that only data successfully forwarded to the destination interface
is measured. Bit forwarding rate must be measured in relation to
the offered load. Bit forwarding rate may be measured with
different load levels, traffic orientation, and traffic
distribution.

Unlike RFC 2285, this measurement counts bits per second rather
than frames per second. Testers interested in frame (or frame-like)
measurements should use units of transfer.

Unit of measurement:
   bits per second

Issues:
   Allowed traffic vs. rejected traffic

See also:
   allowed traffic
   illegal traffic
   rejected traffic
   unit of transfer

3.5 Circuit proxy

Definition:
A proxy service that statically defines which traffic will be
forwarded.

Discussion:
The key difference between application and circuit proxies is that
the latter are static and thus will always set up a connection if
the DUT/SUT's rule set allows it. For example, if a firewall's rule
set permits ftp connections, a circuit proxy will always forward
traffic on TCP port 20 (ftp-data) even if no control connection was
first established on TCP port 21 (ftp-control).

Unit of measurement:
   not applicable

Issues:
   application proxy
   rule set

See also:
   allowed traffic
   application proxy
   rejected traffic
   rule set

3.6 Concurrent connections

Definition:
The aggregate number of simultaneous connections between hosts
across the DUT/SUT, or between hosts and the DUT/SUT.

Discussion:
The number of concurrent connections a firewall can support is just
as important a metric for some users as maximum bit forwarding
rate.

While "connection" describes only a state and not necessarily the
transfer of data, concurrency assumes that all existing connections
are in fact capable of transferring data. If data cannot be sent
over a connection, that connection should not be counted toward the
number of concurrent connections.

Further, this definition assumes that the ability (or lack thereof)
to transfer data on a given connection is solely the characteristic
of the DUT/SUT. For example, a TCP connection that a DUT/SUT has
left in a FIN_WAIT_2 state clearly should not be counted. But
another connection that has temporarily stopped transferring data
because some external device has restricted the flow of data is not
necessarily defunct. The tester should take measures to restrict
changes in connection state to those effected by the DUT/SUT.

Unit of measurement:
   Concurrent connections
   Maximum number of concurrent connections

Issues:

See also:
   connection
   connection establishment time
   connection teardown time

3.7 Connection

Definition:
A state in which two hosts, or a host and the DUT/SUT, agree to
exchange data using a known protocol.

Discussion:
A connection is an abstraction describing an agreement between two
nodes: One agrees to send data and the other agrees to receive it.

Connections might use TCP, but they don't have to. Other protocols
such as ATM also might be used, either instead of or in addition to
TCP connections.

What constitutes a connection depends on the application. For a
native ATM application, connections and virtual circuits may be
synonymous. For TCP/IP applications on ATM networks (where many
TCP connections may ride over a single ATM virtual circuit), the
number of TCP connections may be the most important consideration.

Additionally, in some cases firewalls may handle a mixture of
native TCP and native ATM connections. In this situation, the
wrappers around user data will differ. The most meaningful metric
describes what an end-user will see.

Data connections describe state, not data transfer. The existence
of a connection does not imply that data travels on that connection
at any given time, although if data cannot be forwarded on a
previously established connection that connection should not be
considered in any aggregate connection count (see concurrent
connections).

A firewall's architecture dictates where a connection terminates.
In the case of application or circuit proxy firewalls, a connection
terminates at the DUT/SUT. But firewalls using packet filtering or
stateful packet filtering designs act only as passthrough devices,
in that they reside between two connection endpoints. Regardless of
firewall architecture, the number of data connections is still
relevant, since all firewalls perform some form of connection
maintenance; at the very least, all check connection requests
against their rule sets.

Further, note that connection is not an atomic unit of measurement,
in that it does not describe the various steps involved in
connection setup, maintenance, and teardown. Testers may wish to
take separate measurements of each of these components.

When benchmarking firewall performance, it's important to identify
the connection establishment and teardown procedures, as these must
not be included when measuring steady-state forwarding rates.
Further, forwarding rates must be measured only after any security
associations have been established.

Though it seems paradoxical, connectionless protocols such as UDP
may also involve connections, at least for the purposes of firewall
performance measurement. For example, one host may send UDP packets
to another across a firewall. If the destination host is listening
on the correct UDP port, it receives the UDP packets. For the
purposes of firewall performance measurement, this is considered a
connection.

Unit of measurement:
   concurrent connections
   connection establishment time
   maximum number of concurrent connections
   connection teardown time

Issues:
   application proxy vs. stateful packet filtering
   TCP/IP vs. ATM
   connection-oriented vs. connectionless

See also:
   data source
   concurrent connections
   connection establishment
   connection establishment time
   connection teardown
   connection teardown time

3.8 Connection establishment

Definition:
The data exchanged between hosts, or between a host and the
DUT/SUT, to initiate a connection.

Discussion:
Connection-oriented protocols like TCP have a defined
handshaking procedure when launching a connection. When
benchmarking firewall performance, it is important to identify this
handshaking procedure so that it is not included in measurements of
bit forwarding rate or UOTs per second.

Testers may also be interested in measurements of connection
establishment time through or with a given DUT/SUT.

Unit of measurement:
   not applicable

See also:
   connection
   connection establishment time
   connection maintenance
   connection teardown

Issues:
   not applicable

3.9 Connection establishment time

Definition:
The length of time needed for two hosts, or a host and the DUT/SUT,
to agree to set up a connection using a known protocol.

Discussion:
Each connection-oriented protocol has its own defined mechanism
for setting up a connection. For purposes of benchmarking firewall
performance, this shall be the interval between receipt of the
first bit of the first octet of the packet carrying a connection
establishment request on a DUT/SUT interface until transmission of
the last bit of the last octet of the last packet of the connection
setup traffic headed in the opposite direction.

This definition applies only to connection-oriented protocols such
as TCP. For connectionless protocols such as UDP, the notion of
connection establishment time is not meaningful.

Unit of measurement:
   Connection establishment time

Issues:

See also:
   concurrent connections
   connection
   connection establishment

3.10 Connection maintenance

Definition:
The data exchanged between hosts, or between a host and the
DUT/SUT, to ensure a connection is kept alive.

Discussion:
Some implementations of TCP and other connection-oriented protocols
use "keep-alive" data to maintain a connection during periods when
no user data is exchanged.

When benchmarking firewall performance, it is useful to measure
connection maintenance traffic as distinct from UOTs per second.
Given that maintenance traffic may be characterized by short bursts
at periodical intervals, it may not be possible to describe a
steady-state forwarding rate for maintenance traffic. One possible
approach is to identify the quantity of maintenance traffic, in
bytes or bits, over a given interval, and divide through to obtain
a measurement of maintenance traffic forwarding rate.

Unit of measurement:
   maintenance traffic
   forwarding rate

See also:
   connection
   connection establishment
   connection overhead
   connection teardown

Issues:
   not applicable

3.11 Connection overhead

Definition:
The degradation in bit forwarding rate, if any, observed as a
result of the addition of one connection between two hosts through
the DUT/SUT, or the addition of one connection from a host to the
DUT/SUT.

Discussion:
The memory cost of connection establishment and maintenance is
highly implementation-specific. This metric is intended to describe
that cost in a method visible outside the firewall.

It may also be desirable to invert this metric to show the
performance improvement as a result of tearing down one connection.

Unit of measurement:
   bit forwarding rate

Issues:

3.12 Connection teardown

Definition:
The data exchanged between hosts, or between a host and the
DUT/SUT, to close a connection.

Discussion:
Connection-oriented protocols like TCP follow a stated procedure
when ending a connection. When benchmarking firewall performance,
it is important to identify the teardown procedure so that it is
not included in measurements of bit forwarding rate or UOTs per
second.

Testers may also be interested in measurements of connection
teardown time through or with a given DUT/SUT.

Unit of measurement:
   not applicable

See also:
   connection teardown time

Issues:
   not applicable

3.13 Connection teardown time

Definition:
The length of time needed for two hosts, or a host and the DUT/SUT,
to agree to tear down a connection using a known protocol.

Discussion:
Each connection-oriented protocol has its own defined mechanism
for dropping a connection. For purposes of benchmarking firewall
performance, this shall be the interval between receipt of the
first bit of the first octet of the packet carrying a connection
teardown request on a DUT/SUT interface until transmission of the
last bit of the last octet of the last packet of the connection
teardown traffic headed in the opposite direction.

This definition applies only to connection-oriented protocols such
as TCP. For connectionless protocols such as UDP, the notion of
connection teardown time is not meaningful.

Unit of measurement:
   Connection teardown time

Issues:

See also:
   concurrent connections
   connection
   connection teardown
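The interval definitions in 3.9 (connection establishment time) and 3.13 (connection teardown time) can be computed directly from per-packet timestamps taken at a DUT/SUT interface. The following Python is an added example, not part of RFC 2647: it models each observed packet as an event with first-bit and last-bit timestamps (constructed, in microseconds, so that the arithmetic is exact), measures from the receipt of the first bit of the inbound request to the transmission of the last bit of the last reply-direction packet of the exchange, and returns None for a connectionless exchange, where the RFC says the metric is not meaningful. The TCP flag sets and the sample capture are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One packet seen at a DUT/SUT interface. Times are microseconds (constructed)."""
    t_first_bit: int    # when the first bit of the first octet was on the wire
    t_last_bit: int     # when the last bit of the last octet was on the wire
    direction: str      # "in" = received by the DUT/SUT, "out" = transmitted by it
    flags: frozenset    # TCP flags; an empty set models a connectionless (UDP) datagram


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
FIN_ACK = frozenset({"FIN", "ACK"})
ACK = frozenset({"ACK"})


def exchange_time(events, request_flags, reply_flags):
    """RFC 2647 interval: receipt of the first bit of the request packet until
    transmission of the last bit of the last reply packet headed in the opposite
    direction. Returns None when no such request is observed (e.g. UDP)."""
    requests = [e for e in events if e.direction == "in" and e.flags == request_flags]
    if not requests:
        return None
    start = min(e.t_first_bit for e in requests)
    replies = [e for e in events
               if e.direction == "out" and e.flags == reply_flags and e.t_first_bit >= start]
    if not replies:
        return None
    return max(e.t_last_bit for e in replies) - start


def establishment_time(events):
    """3.9: inbound SYN to the last bit of the outbound SYN/ACK (the client's final
    ACK is not part of the opposite-direction setup traffic)."""
    return exchange_time(events, SYN, SYN_ACK)


def teardown_time(events):
    """3.13: inbound FIN/ACK to the last bit of the outbound FIN/ACK."""
    return exchange_time(events, FIN_ACK, FIN_ACK)


# Constructed capture of one TCP connection as seen on the DUT/SUT client-side interface.
TCP_EVENTS = [
    Event(100, 105, "in", SYN),          # connection establishment request arrives
    Event(900, 905, "out", SYN_ACK),     # last packet of setup traffic leaves
    Event(1500, 1505, "in", ACK),        # handshake completes; not counted
    Event(5000, 5005, "in", FIN_ACK),    # teardown request arrives
    Event(5300, 5305, "out", ACK),       # plain ACK, not the teardown reply
    Event(5800, 5806, "out", FIN_ACK),   # last packet of teardown traffic leaves
    Event(6200, 6205, "in", ACK),        # final ACK; not counted
]

# Constructed UDP exchange: no handshake, so neither metric applies.
UDP_EVENTS = [Event(100, 110, "in", frozenset()), Event(300, 310, "out", frozenset())]

if __name__ == "__main__":
    print("establishment (us):", establishment_time(TCP_EVENTS))
    print("teardown (us):", teardown_time(TCP_EVENTS))
    print("UDP establishment:", establishment_time(UDP_EVENTS))
```

Because the interval starts at the first bit received and ends at the last bit transmitted, it includes the DUT/SUT's own serialization time for the reply; a tester comparing devices should capture at the same interface speed on each, or the per-octet wire time will differ between DUT/SUTs.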

3.14 Data source

Definition:
A host capable of generating traffic to the DUT/SUT.

Discussion:
One data source may emulate multiple users or hosts. In addition,
one data source may offer traffic to multiple network interfaces on
the DUT/SUT.

The term "data source" is deliberately independent of any number of
users. It is useful to think of data sources simply as traffic
generators, without any correlation to any given number of users.

Unit of measurement:
   not applicable

Issues:

See also:
   user

3.15 Demilitarized zone

Definition:
A network segment or segments located between protected and
unprotected networks.

Discussion:
As an extra security measure, networks may be designed such that
protected and unprotected segments are never directly connected.
Instead, firewalls (and possibly public resources such as HTTP or
FTP servers) reside on a so-called DMZ network.

DMZ networks are sometimes called perimeter networks.

Unit of measurement:
   not applicable

Issues:

See also:
   protected network
   unprotected network

3.16 Firewall

Definition:
A device or group of devices that enforces an access control policy
between networks.

Discussion:
While there are many different ways to accomplish it, all firewalls
do the same thing: control access between networks.

The most common configuration involves a firewall connecting two
segments (one protected and one unprotected), but this is not the
only possible configuration. Many firewalls support tri-homing,
allowing use of a DMZ network. It is possible for a firewall to
accommodate more than three interfaces, each attached to a
different network segment.

The criteria by which access are controlled are not specified here.
Typically this has been done using network- or transport-layer
criteria (such as IP subnet or TCP port number), but there is no
reason this must always be so. A growing number of firewalls are
controlling access at the application layer, using user
identification as the criterion. And firewalls for ATM networks may
control access based on data link-layer criteria.

Unit of measurement:
   not applicable

Issues:

See also:
   policy
   tri-homed

3.17 Goodput

Definition:
The number of bits per unit of time forwarded to the correct
destination interface of the DUT/SUT, minus any bits lost or
retransmitted.

Discussion:
Firewalls are generally insensitive to packet loss in the network.
As such, measurements of gross bit forwarding rates are not
meaningful since (in the case of proxy-based and stateful packet
filtering firewalls) a receiving endpoint directly attached to the
DUT/SUT would not receive any data dropped by the DUT/SUT.

The type of traffic lost or retransmitted is protocol-dependent.
TCP and ATM, for example, request different types of
retransmissions. Testers must observe retransmitted data for the
protocol in use, and subtract this quantity from measurements of
gross bit forwarding rate.

Unit of measurement:
   bits per second

Issues:
   allowed vs. rejected traffic

See also:
   allowed traffic
   bit forwarding rate
   rejected traffic
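The traffic classes of 3.1 (allowed), 3.19 (illegal) and 3.26 (rejected), and the rate metrics of 3.4 (bit forwarding rate), 3.17 (goodput) and 3.31 (units of transfer per second), fit together in one small calculation over a capture. The Python below is an added example, not part of RFC 2647: it takes a constructed list of offered packets carrying the rule set's verdict for each, a constructed list of packets observed leaving the DUT/SUT destination interface, and a measurement window that the tester has placed after connection establishment and SA setup and before teardown. Only allowed traffic counts toward the rates, retransmitted bits are subtracted for goodput, and an illegal packet that the DUT/SUT forwarded anyway is reported separately as a leak rather than silently counted. The packet sizes, timestamps and identifiers are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Offered:
    pid: int          # packet identifier (constructed for this example)
    bits: int         # packet size in bits
    permitted: bool   # True if the DUT/SUT rule set specifies this packet be forwarded


@dataclass(frozen=True)
class Forwarded:
    pid: int
    t: float                      # seconds at which the last bit left the destination interface
    retransmission: bool = False  # a TCP retransmission of data already delivered


def classify(offered, forwarded):
    """Sort offered packets into the RFC 2647 traffic classes.

    allowed  - permitted by the rule set and forwarded (counts toward forwarding rate)
    illegal  - specified for rejection by the rule set, whether or not it was dropped
    rejected - specified for rejection and actually dropped
    leaked   - specified for rejection but forwarded anyway: a DUT/SUT defect that must
               never be folded into the forwarding rate
    """
    forwarded_ids = {f.pid for f in forwarded}
    allowed = [o for o in offered if o.permitted and o.pid in forwarded_ids]
    illegal = [o for o in offered if not o.permitted]
    rejected = [o for o in illegal if o.pid not in forwarded_ids]
    leaked = [o for o in illegal if o.pid in forwarded_ids]
    return {"allowed": len(allowed), "illegal": len(illegal),
            "rejected": len(rejected), "leaked": len(leaked)}


def forwarding_metrics(offered, forwarded, t_start, t_end):
    """Bit forwarding rate, goodput and UOTs per second over [t_start, t_end].

    Only allowed traffic is counted. The window is the tester's responsibility:
    it must lie after connection establishment and any SA setup and before
    teardown begins (sections 3.7, 3.28, 3.31).
    """
    if t_end <= t_start:
        raise ValueError("measurement window must have positive length")
    verdict = {o.pid: o for o in offered}
    window = [f for f in forwarded
              if t_start <= f.t <= t_end and verdict[f.pid].permitted]
    duration = t_end - t_start
    gross_bits = sum(verdict[f.pid].bits for f in window)
    retx_bits = sum(verdict[f.pid].bits for f in window if f.retransmission)
    return {
        "bit_forwarding_rate": gross_bits / duration,    # bits per second (3.4)
        "goodput": (gross_bits - retx_bits) / duration,   # bits per second minus retransmissions (3.17)
        "uot_per_second": len(window) / duration,        # units of transfer per second (3.31)
    }


# Constructed sample: six 1500-byte (12000-bit) packets offered, five observed forwarded.
OFFERED = [Offered(1, 12000, True), Offered(2, 12000, True), Offered(3, 12000, True),
           Offered(4, 12000, True), Offered(5, 12000, False), Offered(6, 12000, False)]
FORWARDED = [Forwarded(1, 0.5), Forwarded(2, 1.0), Forwarded(3, 1.5, retransmission=True),
             Forwarded(4, 2.5),      # outside the 2-second window used below
             Forwarded(5, 1.2)]      # leaked: the rule set said drop, the DUT/SUT forwarded it

if __name__ == "__main__":
    print(classify(OFFERED, FORWARDED))
    print(forwarding_metrics(OFFERED, FORWARDED, 0.0, 2.0))
```

With the sample window of 0 to 2 seconds, three allowed packets (36000 bits) are counted, one of them a retransmission, so the bit forwarding rate is 18000 bit/s while goodput is 12000 bit/s; the leaked packet is excluded from both and surfaced in the classification, which is the signal a tester wants before trusting any rate figure from that DUT/SUT.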






3.18 Homed

Definition:
The number of logical interfaces a DUT/SUT contains.

Discussion:
Firewalls typically contain at least two logical interfaces. In
network topologies where a DMZ is used, the firewall usually
contains at least three interfaces and is said to be tri-homed.
Additional interfaces would make a firewall quad-homed, quint-
homed, and so on.

It is theoretically possible for a firewall to contain one physical
interface and multiple logical interfaces. This configuration is
discouraged for testing purposes because of the difficulty in
verifying that no leakage occurs between protected and unprotected
segments.

Unit of measurement:
   not applicable

Issues:

See also:
   tri-homed

3.19 Illegal traffic

Definition:
Packets specified for rejection in the rule set of the DUT/SUT.

Discussion:
A buggy or misconfigured firewall might forward packets even though
its rule set specifies that these packets be dropped. Illegal
traffic differs from rejected traffic in that it describes all
traffic specified for rejection by the rule set, while rejected
traffic specifies only those packets actually dropped by the
DUT/SUT.

Unit of measurement:
   not applicable

Issues:

See also:
   accepted traffic
   rejected traffic
   rule set

3.20 Logging

Definition:
The recording of user requests made to the firewall.

Discussion:
Firewalls typically log all requests they handle, both allowed and
rejected. For many firewall designs, logging requires a significant
amount of processing overhead, especially when complex rule sets
are in use.

The type and amount of data logged varies by implementation.
Testers may find it desirable to log equivalent data when comparing
different DUT/SUTs.

Some systems allow logging to take place on systems other than the
DUT/SUT.

Unit of measurement:
   not applicable

Issues:
   rule set

See also:
   allowed traffic
   rejected traffic

3.21 Network address translation

Definition:
A method of mapping one or more private, reserved IP addresses to
one or more public IP addresses.

Discussion:
In the interest of conserving the IPv4 address space, RFC 1918
proposed the use of certain private (reserved) blocks of IP
addresses. Connections to public networks are made by use of a
device that translates one or more RFC 1918 addresses to one or
more public addresses--a network address translator (NAT).

The use of private addressing also introduces a security benefit in
that RFC 1918 addresses are not visible to hosts on the public
Internet.

Some NAT implementations are computationally intensive, and may
affect bit forwarding rate.

Unit of measurement:
   not applicable

Issues:

See also:

3.22 Packet filtering

Definition:
The process of controlling access by examining packets based on the
content of packet headers.

Discussion:
Packet-filtering devices forward or deny packets based on
information in each packet's header, such as IP address or TCP port
number. A packet-filtering firewall uses a rule set to determine
which traffic should be forwarded and which should be blocked.

Unit of measurement:
   not applicable

Issues:
   static vs. stateful packet filtering

See also:
   application proxy
   circuit proxy
   rule set
   stateful packet filtering

3.23 Policy

Definition:
A document defining acceptable access to protected, DMZ, and
unprotected networks.

Discussion:
Security policies generally do not spell out specific
configurations for firewalls; rather, they set general guidelines
for what is and is not acceptable network access.

The actual mechanism for controlling access is usually the rule set
implemented in the DUT/SUT.

Unit of measurement:
   not applicable

Issues:

See also:
   rule set

3.24 Protected network

Definition:
A network segment or segments to which access is controlled by the
DUT/SUT.

Discussion:
Firewalls are intended to prevent unauthorized access either to or
from the protected network. Depending on the criteria
specified by the policy and rule set, the DUT/SUT may allow hosts
on the protected segment to act as clients for servers on either
the DMZ or the unprotected network, or both.

Protected networks are often called "internal networks." That term
is not used here because firewalls increasingly are deployed within
an organization, where all segments are by definition internal.

Unit of measurement:
   not applicable

Issues:

See also:
   demilitarized zone (DMZ)
   rule set
   unprotected network

3.25 Proxy

Definition:
A request for a connection made on behalf of a host.

Discussion:
Proxy-based firewalls do not allow direct connections between
hosts. Instead, two connections are established: one between the
client host and the DUT/SUT, and another between the DUT/SUT and
the server host.

As with packet-filtering firewalls, proxy-based devices use a rule
set to determine which traffic should be forwarded and which should
be rejected.

There are two types of proxies: application proxies and circuit
proxies.

Unit of measurement:
   not applicable

Issues:

See also:
   application proxy
   circuit proxy
   packet filtering
   stateful packet filtering

3.26 Rejected traffic

Definition:
Packets dropped as a result of the rule set of the DUT/SUT.

Discussion:
For purposes of benchmarking firewall performance, it is expected
that firewalls will reject all traffic not explicitly permitted in
the rule set. Dropped packets must not be included in calculating
the bit forwarding rate or maximum bit forwarding rate of the
DUT/SUT.

Unit of measurement:
   not applicable

Issues:

See also:
   allowed traffic
   illegal traffic
   rule set

3.27 Rule set

Definition:
The collection of access control rules that determines which
packets the DUT/SUT will forward and which it will reject.

Discussion:
Rule sets control access to and from the network interfaces of the
DUT/SUT. By definition, rule sets do not apply equally to all
network interfaces; otherwise there would be no need for the
firewall. For benchmarking purposes, a specific rule set is
typically applied to each network interface in the DUT/SUT.

The tester must describe the complete contents of the rule set of
each DUT/SUT.

To ensure measurements reflect only traffic forwarded by the
DUT/SUT, testers are encouraged to include a rule denying all
access except for those packets allowed by the rule set.

Unit of measurement:
   not applicable

Issues:

See also:
   allowed traffic
   demilitarized zone (DMZ)
   illegal traffic
   protected network
   rejected traffic
   unprotected network

3.28 Security association

Definition:
The set of security information relating to a given network
connection or set of connections.

Discussion:
This definition covers the relationship between policy and
connections. Security associations (SAs) are typically set up
during connection establishment, and they may be reiterated or
revoked during a connection.

For purposes of benchmarking firewall performance, measurements of
bit forwarding rate or UOTs per second must be taken after all
security associations have been established.

Unit of measurement:
   not applicable

See also:
   connection establishment
   rule set

3.29 Stateful packet filtering

Definition:
The process of forwarding or rejecting traffic based on the
contents of a state table maintained by a firewall.

Discussion:
Packet filtering and proxy firewalls are essentially static, in
that they always forward or reject packets based on the contents of
the rule set.

In contrast, devices using stateful packet filtering will only
forward packets if they correspond with state information
maintained by the device about each connection. For example, a
stateful packet filtering device will reject a packet on port 20
(ftp-data) if no connection has been established over the ftp
control port (usually port 21).

Unit of measurement:
   not applicable

Issues:

See also:
   application proxy
   packet filtering
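The static rule set of 3.22 and 3.27 (including the closing default-deny rule the RFC encourages) and the state-table behaviour of 3.29 differ exactly on the ftp-data case that 3.5 and 3.29 use to tell a circuit proxy apart from a stateful filter. The Python below is an added example, not part of RFC 2647 or of any firewall product: it runs one constructed packet trace through a static packet filter and through a stateful filter that forwards TCP port 20 traffic only while a port 21 control connection between the same two hosts is recorded in its state table. The hosts, ports and trace are assumptions made for the example; the rule matching is deliberately minimal (protocol and port only).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP connection request
    fin: bool = False   # TCP connection close


@dataclass(frozen=True)
class Rule:
    action: str         # "forward" or "drop"
    proto: str
    port: int           # matches either the source or destination port ("traffic on TCP port N")


def static_filter(rules, p):
    """3.22 / 3.27: first matching rule wins; an implicit final rule denies everything
    else, so a packet the rule set does not mention is rejected traffic."""
    for r in rules:
        if r.proto == p.proto and r.port in (p.sport, p.dport):
            return r.action
    return "drop"


class StatefulFilter:
    """3.29: ftp-data (port 20) is forwarded only while a control connection (port 21)
    between the same two hosts is present in the state table."""
    CONTROL, DATA = 21, 20

    def __init__(self, rules):
        self.rules = rules
        self.state = set()      # one frozenset({host_a, host_b}) per open control connection

    def decide(self, p):
        pair = frozenset({p.src, p.dst})
        if p.proto == "tcp" and self.DATA in (p.sport, p.dport):
            return "forward" if pair in self.state else "drop"
        verdict = static_filter(self.rules, p)
        if verdict == "forward" and p.proto == "tcp" and p.dport == self.CONTROL:
            if p.syn:
                self.state.add(pair)       # control connection opened
            if p.fin:
                self.state.discard(pair)   # control connection closed
        return verdict


# Constructed rule set: permit ftp-control and ftp-data; everything else is denied.
RULES = [Rule("forward", "tcp", 21), Rule("forward", "tcp", 20)]

CLIENT, SERVER = "198.51.100.7", "192.0.2.10"   # documentation addresses, constructed
TRACE = [
    Pkt(CLIENT, SERVER, "tcp", 40001, 20),             # ftp-data before any control connection
    Pkt(CLIENT, SERVER, "tcp", 40000, 21, syn=True),   # control connection opens
    Pkt(SERVER, CLIENT, "tcp", 20, 40002),             # ftp-data while control is open
    Pkt(CLIENT, SERVER, "tcp", 40000, 21, fin=True),   # control connection closes
    Pkt(SERVER, CLIENT, "tcp", 20, 40003),             # ftp-data after the close
    Pkt(CLIENT, SERVER, "udp", 5000, 53),              # not in the rule set: default deny
]


def run_static(trace, rules=RULES):
    return [static_filter(rules, p) for p in trace]


def run_stateful(trace, rules=RULES):
    fw = StatefulFilter(rules)
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for p, s, t in zip(TRACE, run_static(TRACE), run_stateful(TRACE)):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  static={s}  stateful={t}")
```

For a benchmark this matters in two ways: the two DUT/SUT designs classify the first and fifth packets differently, so "allowed traffic" offered to them is not the same set even under an identical rule set; and the stateful device's verdict depends on the state table, so a tester must establish the control connections before the measurement window opens (3.7, 3.31) or the ftp-data UOTs will be counted as rejected rather than allowed.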






3.30 Tri-homed

Definition:
A firewall with three network interfaces.

Discussion:
Tri-homed firewalls connect three network segments with different
network addresses. Typically, these would be protected, DMZ, and
unprotected segments.

A tri-homed firewall may offer some security advantages over
firewalls with two interfaces. An attacker on an unprotected
network may compromise hosts on the DMZ but still not reach any
hosts on the protected network.

Unit of measurement:
   not applicable

Issues:
Usually the differentiator between one segment and another is its
IP address. However, firewalls may connect different networks of
other types, such as ATM or Netware segments.

See also:
   homed

3.31 Unit of transfer

Definition:
A discrete collection of bytes comprising at least one header and
optional user data.

Discussion:
This metric is intended for use in describing steady-state
forwarding rate of the DUT/SUT.

The unit of transfer (UOT) definition is deliberately left open to
interpretation, allowing the broadest possible application.
Examples of UOTs include TCP segments, IP packets, Ethernet frames,
and ATM cells.

While the definition is deliberately broad, its interpretation must
not be. The tester must describe what type of UOT will be offered
to the DUT/SUT, and must offer these UOTs at a consistent rate.
Traffic measurement must begin after all connection establishment
routines complete and before any connection completion routine
begins. Further, measurements must begin after any security
associations (SAs) are established and before any SA is revoked.

Testers also must compare only like UOTs. It is not appropriate,
for example, to compare forwarding rates by offering 1,500-byte
Ethernet UOTs to one DUT/SUT and 53-byte ATM cells to another.

Unit of measurement:
   Units of transfer
   Units of transfer per second

Issues:

See also:
   bit forwarding rate


3.32 Unprotected network

Definition:
A network segment or segments to which access is not controlled by
the DUT/SUT.

Discussion:
Firewalls are deployed between protected and unprotected segments.
The unprotected network is not protected by the DUT/SUT.

Note that a DUT/SUT's policy may specify hosts on an unprotected
network. For example, a user on a protected network may be
permitted to access an FTP server on an unprotected network. But
the DUT/SUT cannot control access between hosts on the unprotected
network.

Unit of measurement:
   not applicable

Issues:

See also:
   demilitarized zone (DMZ)
   protected network
   rule set

3.33 User

Definition:
A person or process requesting access to resources protected by the
DUT/SUT.

Discussion:
"User" is a problematic term in the context of firewall performance
testing, for several reasons. First, a user may in fact be a
process or processes requesting services through the DUT/SUT.
Second, different "user" requests may require radically different
amounts of DUT/SUT resources. Third, traffic profiles vary widely
from one organization to another, making it difficult to
characterize the load offered by a typical user.

For these reasons, testers should not attempt to measure DUT/SUT
performance in terms of users supported. Instead, testers should
describe performance in terms of maximum bit forwarding rate and
maximum number of connections sustained. Further, testers should
use the term "data source" rather than user to describe traffic
generator(s).

Unit of measurement:
   not applicable

Issues:

See also:
   data source

4. Security Considerations

The primary goal of this memo is to describe terms used in
benchmarking firewall performance. However, readers should be aware
that there is some overlap between performance and security issues.
Specifically, the optimal configuration for firewall performance may
not be the most secure, and vice-versa.

Further, certain forms of attack may degrade performance. One common
form of denial-of-service (DoS) attack bombards a firewall with so
much rejected traffic that it cannot forward allowed traffic. DoS
attacks do not always involve heavy loads; by definition, DoS
describes any state in which a firewall is offered rejected traffic
that prohibits it from forwarding some or all allowed traffic. Even a
small amount of traffic may significantly degrade firewall
performance, or stop the firewall altogether. Further, the safeguards
in firewalls to guard against such attacks may have a significant
negative impact on performance.

Since the library of attacks is constantly expanding, no attempt is
made here to define specific attacks that may affect performance.
Nonetheless, any reasonable performance benchmark should take into
consideration safeguards against such attacks. Specifically, the same
safeguards should be in place when comparing performance of different
firewall implementations.
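The two points of this section (offered rejected traffic can suppress forwarding of allowed traffic, and forwarding rates are comparable only when the same safeguards are configured on every implementation) as an added Python example that is not part of RFC 2647 and not the author's code. It records each benchmark run together with the safeguards that were enabled, quantifies how much allowed traffic a DUT stops forwarding once rejected traffic is offered alongside it, and refuses to compare runs whose safeguard configurations differ. The DUT names, safeguard labels and all bit rates are constructed for the example.

```python
"""Safeguard parity and allowed-traffic degradation under rejected load.

Added example, not from RFC 2647. DUT names, safeguard labels and all
bit rates below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Run:
    dut: str
    safeguards: FrozenSet[str]     # constructed labels, e.g. "syn-flood-protection"
    offered_allowed_bps: float     # allowed traffic offered to the DUT/SUT
    offered_rejected_bps: float    # rejected traffic offered at the same time
    forwarded_allowed_bps: float   # allowed traffic the DUT/SUT actually forwarded


def safeguards_match(runs: List[Run]) -> bool:
    """Section 4: compare implementations only with the same safeguards in place."""
    return len({r.safeguards for r in runs}) <= 1


def forwarding_loss(baseline: Run, loaded: Run) -> float:
    """Fraction of the baseline allowed forwarding rate lost when rejected
    traffic is offered. Both runs must be of the same DUT with the same
    allowed load; the baseline is measured with no rejected traffic."""
    if baseline.dut != loaded.dut:
        raise ValueError("baseline and loaded runs are of different DUTs")
    if baseline.offered_rejected_bps != 0:
        raise ValueError("baseline must be measured with no rejected traffic")
    if baseline.offered_allowed_bps != loaded.offered_allowed_bps:
        raise ValueError("allowed load must be identical across runs")
    return 1.0 - loaded.forwarded_allowed_bps / baseline.forwarded_allowed_bps


def is_dos_state(baseline: Run, loaded: Run) -> bool:
    """The section's definition: rejected traffic offered to the firewall
    prevents it from forwarding some or all of the allowed traffic."""
    return loaded.offered_rejected_bps > 0 and forwarding_loss(baseline, loaded) > 0


def compare_forwarding(runs: List[Run]) -> Dict[str, float]:
    """Allowed-traffic forwarding rate per DUT; refuses unlike safeguard configs."""
    if not safeguards_match(runs):
        raise ValueError("runs use different safeguards; comparison is not valid")
    return {r.dut: r.forwarded_allowed_bps for r in runs}


# Constructed runs (rates in bit/s). fw-c has its safeguards disabled, which
# makes it look faster but takes it out of any valid comparison.
GUARDED = frozenset({"syn-flood-protection", "per-source-rate-limit"})
FW_A_BASE = Run("fw-a", GUARDED, 100e6, 0.0, 95e6)
FW_A_LOAD = Run("fw-a", GUARDED, 100e6, 50e6, 76e6)     # loses 20 % of allowed traffic
FW_B_LOAD = Run("fw-b", GUARDED, 100e6, 50e6, 88e6)
FW_C_LOAD = Run("fw-c", frozenset(), 100e6, 50e6, 97e6)

if __name__ == "__main__":
    print("fw-a loss under rejected load:", forwarding_loss(FW_A_BASE, FW_A_LOAD))  # 0.2
    print("fw-a in DoS state:", is_dos_state(FW_A_BASE, FW_A_LOAD))                 # True
    print("comparable:", compare_forwarding([FW_A_LOAD, FW_B_LOAD]))
    try:
        compare_forwarding([FW_A_LOAD, FW_C_LOAD])
    except ValueError as exc:
        print("refused:", exc)
```

Keeping the safeguard set inside each run record is the point: a result published without it cannot be checked for the parity this section asks for, and a DUT benchmarked with its protections switched off will otherwise win the comparison by default.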

5. References

Bradner, S., Ed., "Benchmarking Terminology for Network
Interconnection Devices", RFC 1242, July 1991.

Bradner, S. and J. McQuaid, "Benchmarking Methodology for Network
Interconnect Devices", RFC 2544, March 1999.

Mandeville, R., "Benchmarking Terminology for LAN Switching Devices",
RFC 2285, February 1998.

Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. and E. Lear,
"Address Allocation for Private Internets", BCP 5, RFC 1918,
February 1996.

6. Acknowledgments

The author wishes to thank the IETF Benchmarking Working Group for
agreeing to review this document. Several other persons offered
valuable contributions and critiques during this project: Ted Doty
(Internet Security Systems), Kevin Dubray (Ironbridge Networks),
Helen Holzbaur, Dale Lancaster, Robert Mandeville, Brent Melson
(NSTL), Steve Platt (NSTL), Marcus Ranum (Network Flight Recorder),
Greg Shannon, Christoph Schuba (Sun Microsystems), Rick Siebenaler
and Greg Smith (Check Point Software Technologies).

7. Contact Information

David Newman
Data Communications magazine
3 Park Ave
31st Floor
New York, NY 10016


Phone: 212-592-8256
Fax: 212-592-8265
EMail: dnewman@data.











8. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.



Funding for the RFC Editor function is currently provided by the
Internet Society.


















