Network Working Group D. Newman
Request for Comments: 2647 Data Communications
Category: Informational August 1999
Benchmarking Terminology for Firewall Performance
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Table of Contents
1. Introduction...................................................2
2. Existing definitions...........................................2
3. Term definitions...............................................3
3.1 Allowed traffic...............................................3
3.2 Application proxy.............................................3
3.3 Authentication................................................4
3.4 Bit forwarding rate...........................................5
3.5 Circuit proxy.................................................6
3.6 Concurrent connections........................................6
3.7 Connection....................................................7
3.8 Connection establishment......................................9
3.9 Connection establishment time.................................9
3.10 Connection maintenance......................................10
3.11 Connection overhead.........................................11
3.12 Connection teardown.........................................11
3.13 Connection teardown time....................................12
3.14 Data source.................................................12
3.15 Demilitarized zone..........................................13
3.16 Firewall....................................................13
3.17 Goodput.....................................................14
3.18 Homed.......................................................15
3.19 Illegal traffic.............................................15
3.20 Logging.....................................................16
3.21 Network address translation.................................16
3.22 Packet filtering............................................17
3.23 Policy......................................................17
3.24 Protected network...........................................18
3.25 Proxy.......................................................19
3.26 Rejected traffic............................................19
Newman Informational [Page 1]
RFC 2647 Firewall Performance Terminology August 1999
3.27 Rule set....................................................20
3.28 Security association........................................20
3.29 Stateful packet filtering...................................21
3.30 Tri-homed...................................................22
3.31 Unit of transfer............................................22
3.32 Unprotected network.........................................23
3.33 User........................................................23
4. Security considerations.......................................24
5. References....................................................25
6. Acknowledgments...............................................25
7. Contact Information...........................................25
8. Full Copyright Statement......................................26
1. Introduction
This document defines terms used in measuring the performance of
firewalls. It extends the terminology already used for benchmarking
routers and switches with definitions specific to firewalls.
Forwarding rate and connection-oriented measurements are the primary
metrics used in this document.
Why do we need firewall performance measurements? First, despite the
rapid rise in firewall deployment, there is no standard method of
performance measurement. Second, implementations vary widely, making
it difficult to do direct performance comparisons. Finally, more and
more organizations are deploying firewalls on internal networks
operating at relatively high speeds, while most firewall
implementations remain optimized for use over relatively low-speed
wide-area connections. As a result, users are often unsure whether
the products they buy will stand up to relatively heavy loads.
2. Existing definitions
This document uses the conceptual framework established in RFCs 1242
and 2544 (for routers) and RFC 2285 (for switches). The router and
switch documents contain discussions of several terms relevant to
benchmarking the performance of firewalls. Readers should consult the
router and switch documents before making use of this document.
This document uses the definition format described in RFC 1242,
Section 2. The sections in each definition are: definition,
discussion, measurement units (optional), issues (optional), and
cross-references.
3. Term definitions
3.1 Allowed traffic
Definition:
Packets forwarded as a result of the rule set of the device under
test/system under test (DUT/SUT).
Discussion:
Firewalls typically are configured to forward only those packets
explicitly permitted in the rule set. Forwarded packets must be
included in calculating the bit forwarding rate or maximum bit
forwarding rate of the DUT/SUT. All other packets must not be
included in bit forwarding rate calculations.
This document assumes 1:1 correspondence of allowed traffic offered
to the DUT/SUT and forwarded by the DUT/SUT. There are cases where
the DUT/SUT may forward more traffic than it is offered; for
example, the DUT/SUT may act as a mail exploder or a multicast
server. Any attempt to benchmark forwarding rates of such traffic
must include a description of how much traffic the tester expects
to be forwarded.
Unit of measurement:
not applicable
Issues:
See also:
policy
rule set
3.2 Application proxy
Definition:
A proxy service that is set up and torn down in response to a
client request, rather than existing on a static basis.
Discussion:
Circuit proxies always forward packets containing a given port
number if that port number is permitted by the rule set.
Application proxies, in contrast, forward packets only once a
connection has been established using some known protocol. When the
connection closes, a firewall using application proxies rejects
individual packets, even if they contain port numbers allowed by a
rule set.
Unit of measurement:
not applicable
Issues:
circuit proxy
rule sets
See also:
allowed traffic
circuit proxy
proxy
rejected traffic
rule set
3.3 Authentication
Definition:
The process of verifying that a user requesting a network resource
is who he, she, or it claims to be, and vice versa.
Discussion:
Trust is a critical concept in network security. Any network
resource (such as a file server or printer) typically requires
authentication before granting access.
Authentication takes many forms, including but not limited to IP
addresses; TCP or UDP port numbers; passwords; external token
authentication cards; and biometric identification such as
signature, speech, or retina recognition systems.
The entity being authenticated might be the client machine (for
example, by proving that a given IP source address really is that
address, and not a rogue machine spoofing that address) or a user
(by proving that the user really is who he, she, or it claims to
be). Servers might also authenticate themselves to clients.
Testers should be aware that in an increasingly mobile society,
authentication based on machine-specific criteria such as an IP
address or port number is not equivalent to verifying that a given
individual is making an access request. At this writing systems
that verify the identity of users are typically external to the
firewall, and may introduce additional latency to the overall SUT.
Unit of measurement:
not applicable
Issues:
See also:
user
3.4 Bit forwarding rate
Definition:
The number of bits per second of allowed traffic a DUT/SUT can be
observed to transmit to the correct destination interface(s) in
response to a specified offered load.
Discussion:
This definition differs substantially from section 3.17 of RFC 1242
and section 3.6.1 of RFC 2285.
Unlike both RFCs 1242 and 2285, this definition introduces the
notion of different classes of traffic: allowed, illegal, and
rejected (see definitions for each term). For benchmarking
purposes, it is assumed that bit forwarding rate measurements
include only allowed traffic.
Unlike RFC 1242, there is no reference to lost or retransmitted
data. Forwarding rate is assumed to be a goodput measurement, in
that only data successfully forwarded to the destination interface
is measured. Bit forwarding rate must be measured in relation to
the offered load. Bit forwarding rate may be measured with
different load levels, traffic orientation, and traffic
distribution.
Unlike RFC 2285, this measurement counts bits per second rather
than frames per second. Testers interested in frame (or frame-like)
measurements should use units of transfer.
Unit of measurement:
bits per second
Issues:
Allowed traffic vs. rejected traffic
See also:
allowed traffic
goodput
illegal traffic
rejected traffic
unit of transfer
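The following is an added example, not part of RFC 2647, illustrating how sections 3.1 and 3.4 fit together: offered frames are classified against a rule set, and only allowed traffic that actually emerges on the correct destination interface is counted toward the bit forwarding rate, which is then reported alongside the offered load. The rule set, the frames, the interface names and the "observed" forwarding record are constructed for illustration; the helper names are not from the RFC.

```python
"""Added example (not part of RFC 2647): classify offered frames against a
rule set and compute bit forwarding rate from allowed traffic only, as
sections 3.1 and 3.4 require.  The rule set, frames, interface names and
the "observed" forwarding record are all constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "reject"
    proto: str               # "tcp" or "udp"
    dst_port: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Frame:
    frame_id: int
    proto: str
    dst_port: int
    length_bytes: int        # bytes on the wire, headers included
    dst_iface: str           # interface the frame should leave the DUT on


# Constructed rule set: first match wins, anything unmatched is rejected.
RULE_SET = [
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("reject", "udp", None),
]


def classify(frame: Frame, rule_set: List[Rule] = RULE_SET) -> str:
    """Return 'allowed' or 'rejected' for a frame (first matching rule)."""
    for rule in rule_set:
        if rule.proto == frame.proto and rule.dst_port in (None, frame.dst_port):
            return "allowed" if rule.action == "allow" else "rejected"
    return "rejected"


def offered_load(offered: List[Frame], duration_s: float) -> float:
    """Offered load in bits per second, counting every class of traffic."""
    return sum(f.length_bytes * 8 for f in offered) / duration_s


def bit_forwarding_rate(offered: List[Frame], observed: Dict[int, str],
                        duration_s: float, rule_set: List[Rule] = RULE_SET) -> float:
    """Bits per second of allowed traffic seen on the correct destination
    interface.  `observed` maps frame_id to the interface on which the tester
    actually saw the frame emerge.  Rejected frames that the DUT forwarded
    anyway are not allowed traffic and are excluded; allowed frames that
    emerged on the wrong interface, or not at all, are excluded as well."""
    forwarded_bits = 0
    for frame in offered:
        if classify(frame, rule_set) != "allowed":
            continue
        if observed.get(frame.frame_id) == frame.dst_iface:
            forwarded_bits += frame.length_bytes * 8
    return forwarded_bits / duration_s


# Constructed one-second test: five frames offered, four seen leaving the DUT.
SAMPLE_OFFERED = [
    Frame(1, "tcp", 80, 1500, "eth1"),   # allowed, forwarded correctly
    Frame(2, "tcp", 443, 1000, "eth1"),  # allowed, forwarded correctly
    Frame(3, "udp", 53, 500, "eth1"),    # rejected by rule, but the DUT leaked it
    Frame(4, "tcp", 80, 1500, "eth1"),   # allowed, but the DUT dropped it
    Frame(5, "tcp", 22, 200, "eth1"),    # no matching rule: rejected
]
SAMPLE_OBSERVED = {1: "eth1", 2: "eth1", 3: "eth1", 5: "eth0"}
DURATION_S = 1.0


def run_sample():
    """Return (offered load, bit forwarding rate) for the constructed test."""
    return (offered_load(SAMPLE_OFFERED, DURATION_S),
            bit_forwarding_rate(SAMPLE_OFFERED, SAMPLE_OBSERVED, DURATION_S))


if __name__ == "__main__":
    load, rate = run_sample()
    print(f"offered load: {load:.0f} bit/s, bit forwarding rate: {rate:.0f} bit/s")
```

Note that frame 3 is deliberately shown leaving the DUT even though the rule set rejects it: a leak of that kind is a policy failure to be reported separately, and the definition in 3.1 keeps it out of the forwarding rate so that a leaky DUT cannot inflate its own score.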
3.5 Circuit proxy
Definition:
A proxy service that statically defines which traffic will be
forwarded.
Discussion:
The key difference between application and circuit proxies is that
the latter are static and thus will always set up a connection if
the DUT/SUT's rule set allows it. For example, if a firewall's rule
set permits ftp connections, a circuit proxy will always forward
traffic on TCP port 20 (ftp-data) even if no control connection was
first established on TCP port 21 (ftp-control).
Unit of measurement:
not applicable
Issues:
application proxy
rule sets
See also:
allowed traffic
application proxy
proxy
rejected traffic
rule set
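The following is an added example, not part of RFC 2647, that models the distinction drawn in sections 3.2 and 3.5 using the RFC's own ftp case: a circuit proxy forwards any packet whose port the rule set permits, while an application proxy forwards ftp-data packets only while the client's ftp-control connection exists and rejects them once it closes. The event stream, client address and class names are constructed for illustration and are not from the RFC.

```python
"""Added example (not part of RFC 2647): a toy model of circuit proxy versus
application proxy behaviour for the ftp case in sections 3.2 and 3.5.
The event stream, client address and class names are constructed."""
from typing import List, NamedTuple, Optional

FTP_CONTROL, FTP_DATA = 21, 20
# The constructed rule set permits ftp, so both ports are allowed statically.
ALLOWED_PORTS = {FTP_CONTROL, FTP_DATA}


class Event(NamedTuple):
    kind: str     # "open", "packet" or "close"
    client: str   # client address
    port: int     # destination port on the server side


class CircuitProxy:
    """Static: forwards any packet whose port the rule set allows."""

    def handle(self, ev: Event) -> Optional[str]:
        if ev.kind != "packet":
            return None
        return "forward" if ev.port in ALLOWED_PORTS else "reject"


class ApplicationProxy:
    """Dynamic: ftp-data packets are forwarded only while the client's
    control connection exists; after it closes they are rejected even
    though the rule set would permit the port."""

    def __init__(self) -> None:
        self.control_sessions = set()

    def handle(self, ev: Event) -> Optional[str]:
        if ev.kind == "open" and ev.port == FTP_CONTROL:
            self.control_sessions.add(ev.client)
            return None
        if ev.kind == "close" and ev.port == FTP_CONTROL:
            self.control_sessions.discard(ev.client)
            return None
        if ev.kind != "packet":
            return None
        if ev.port not in ALLOWED_PORTS:
            return "reject"
        if ev.port == FTP_DATA and ev.client not in self.control_sessions:
            return "reject"
        return "forward"


def run(proxy, events: List[Event]) -> List[str]:
    """Feed events through a proxy and return its decisions for packet
    events, in order (open/close events produce no decision)."""
    return [d for d in (proxy.handle(ev) for ev in events) if d is not None]


# Constructed event stream for one client.
SAMPLE_EVENTS = [
    Event("packet", "10.0.0.5", FTP_DATA),     # before any control connection
    Event("open",   "10.0.0.5", FTP_CONTROL),
    Event("packet", "10.0.0.5", FTP_DATA),     # during the control session
    Event("close",  "10.0.0.5", FTP_CONTROL),
    Event("packet", "10.0.0.5", FTP_DATA),     # after the control session closed
    Event("packet", "10.0.0.5", 23),           # port not permitted by the rule set
]


def run_sample():
    """Decisions of both proxy types over the same constructed stream."""
    return {
        "circuit": run(CircuitProxy(), SAMPLE_EVENTS),
        "application": run(ApplicationProxy(), SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for name, decisions in run_sample().items():
        print(f"{name:12s} {decisions}")
```

The two proxies agree on the packet to port 23, which neither forwards; they differ only on ftp-data packets outside an established control connection, which is exactly the case the RFC uses to separate the two terms.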
3.6 Concurrent connections
Definition:
The aggregate number of simultaneous connections between hosts
across the DUT/SUT, or between hosts and the DUT/SUT.
Discussion:
The number of concurrent connections a firewall can support is just
as important a metric for some users as maximum bit forwarding
rate.
While "connection" describes only a state and not necessarily the
transfer of data, concurrency assumes that all existing connections
are in fact capable of transferring data. If data cannot be sent
over a connection, that connection should not be counted toward the
number of concurrent connections.
Further, this definition assumes that the ability (or lack thereof)
to transfer data on a given connection is solely the responsibility
of the DUT/SUT. For example, a TCP connection that a DUT/SUT has
left in a FIN_WAIT_2 state clearly should not be counted. But
another connection that has temporarily stopped transferring data
because some external device has restricted the flow of data is not
necessarily defunct. The tester should take measures to isolate
changes in connection state to those effected by the DUT/SUT.
Unit of measurement:
Concurrent connections
Maximum number of concurrent connections
Issues:
See also:
connections
connection establishment time
connection overhead
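The following is an added example, not part of RFC 2647, showing one way to count concurrent connections under the rules of section 3.6: a connection is counted only while it is open and still able to carry data, a connection the DUT/SUT has left in a state such as FIN_WAIT_2 is dropped from the count from that instant, and a connection merely paused by an external device is still counted. The connection table and the field names are constructed for illustration.

```python
"""Added example (not part of RFC 2647): count concurrent connections and
the maximum over a test, applying the exclusions in section 3.6.  The
connection table, timestamps and field names are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Conn:
    conn_id: int
    opened: float
    closed: Optional[float]                  # None: still open at end of test
    defunct_since: Optional[float] = None    # DUT/SUT left it unable to carry
                                             # data (e.g. FIN_WAIT_2) from here on
    external_pause: bool = False             # flow restricted by a device other
                                             # than the DUT/SUT; still counted


def is_active(conn: Conn, t: float) -> bool:
    """True if the connection counts at time t: open, not yet closed and
    not left defunct by the DUT/SUT.  An external pause is ignored on
    purpose, since it is not the DUT/SUT's doing."""
    if t < conn.opened:
        return False
    if conn.closed is not None and t >= conn.closed:
        return False
    if conn.defunct_since is not None and t >= conn.defunct_since:
        return False
    return True


def concurrent_connections(table: List[Conn], t: float) -> int:
    """Number of connections counted at time t."""
    return sum(1 for c in table if is_active(c, t))


def max_concurrent_connections(table: List[Conn]) -> int:
    """Peak concurrency over the test.  The count only changes at an open,
    close or defunct instant, so sampling those instants is sufficient."""
    instants = set()
    for c in table:
        instants.add(c.opened)
        for x in (c.closed, c.defunct_since):
            if x is not None:
                instants.add(x)
    if not instants:
        return 0
    return max(concurrent_connections(table, t) for t in sorted(instants))


# Constructed connection table (times in seconds from test start).
SAMPLE_TABLE = [
    Conn(1, opened=0.0, closed=10.0),
    Conn(2, opened=1.0, closed=None, defunct_since=4.0),   # DUT left it in FIN_WAIT_2
    Conn(3, opened=2.0, closed=8.0, external_pause=True),  # paused by another device
    Conn(4, opened=5.0, closed=6.0),
    Conn(5, opened=3.0, closed=None),
]


if __name__ == "__main__":
    for t in (2.5, 3.0, 4.5, 5.0, 9.0):
        print(f"t={t:4.1f}s  concurrent={concurrent_connections(SAMPLE_TABLE, t)}")
    print("maximum concurrent connections:", max_concurrent_connections(SAMPLE_TABLE))
```

In a real test the "defunct" judgement should come from the tester attempting to send data on each connection, not from reading the DUT/SUT's own state table; the table here stands in for that probe so the counting rule itself is visible.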
3.7 Connection
Definition:
A state in which two hosts, or a host and the DUT/SUT, agree to
exchange data using a known protocol.