Discussion:
A connection is an abstraction describing an agreement between two
nodes: One agrees to send data and the other agrees to receive it.
Connections might use TCP, but they don't have to. Other protocols
such as ATM also might be used, either instead of or in addition to
TCP connections.
What constitutes a connection depends on the application. For a
native ATM application, connections and virtual circuits may be
synonymous. For TCP/IP applications on ATM networks (where multiple
TCP connections may ride over a single ATM virtual circuit), the
number of TCP connections may be the most important consideration.
Additionally, in some cases firewalls may handle a mixture of
native TCP and native ATM connections. In this situation, the
wrappers around user data will differ. The most meaningful metric
describes what an end-user will see.
Data connections describe state, not data transfer. The existence
of a connection does not imply that data travels on that connection
at any given time, although if data cannot be forwarded on a
previously established connection that connection should not be
considered in any aggregate connection count (see concurrent
connections).
Newman Informational [Page 7]
RFC 2647 Firewall Performance Terminology August 1999
A firewall's architecture dictates where a connection terminates.
In the case of application or circuit proxy firewalls, a connection
terminates at the DUT/SUT. But firewalls using packet filtering or
stateful packet filtering designs act only as passthrough devices,
in that they reside between two connection endpoints. Regardless of
firewall architecture, the number of data connections is still
relevant, since all firewalls perform some form of connection
maintenance; at the very least, all check connection requests
against their rule sets.
Further, note that connection is not an atomic unit of measurement
in that it does not describe the various steps involved in
connection setup, maintenance, and teardown. Testers may wish to
take separate measurements of each of these components.
When benchmarking firewall performance, it's important to identify
the connection establishment and teardown procedures, as these must
not be included when measuring steady-state forwarding rates.
Further, forwarding rates must be measured only after any security
associations have been established.
Though it seems paradoxical, connectionless protocols such as UDP
may also involve connections, at least for the purposes of firewall
performance measurement. For example, one host may send UDP packets
to another across a firewall. If the destination host is listening
on the correct UDP port, it receives the UDP packets. For the
purposes of firewall performance measurement, this is considered a
connection.
Unit of measurement:
concurrent connections
connection
connection establishment time
maximum number of concurrent connections
connection teardown time
Issues:
application proxy vs. stateful packet filtering
TCP/IP vs. ATM
connection-oriented vs. connectionless
See also:
data source
concurrent connections
connection establishment
connection establishment time
connection teardown
connection teardown time
3.8 Connection establishment
Definition:
The data exchanged between hosts, or between a host and the
DUT/SUT, to initiate a connection.
Discussion:
Connection-oriented protocols like TCP have a prescribed
handshaking procedure when launching a connection. When
benchmarking firewall performance, it is important to identify this
handshaking procedure so that it is not included in measurements of
bit forwarding rate or UOTs per second.
Testers may also be interested in measurements of connection
establishment time through or with a given DUT/SUT.
Unit of measurement:
not applicable
See also:
connection
connection establishment time
connection maintenance
connection teardown
Issues:
not applicable
3.9 Connection establishment time
Definition:
The length of time needed for two hosts, or a host and the DUT/SUT,
to agree to set up a connection using a known protocol.
Discussion:
Each connection-oriented protocol has its own defined mechanisms
for setting up a connection. For purposes of benchmarking firewall
performance, this shall be the interval between receipt of the
first bit of the first octet of the packet carrying a connection
establishment request on a DUT/SUT interface until transmission of
the last bit of the last octet of the last packet of the connection
setup traffic headed in the opposite direction.
This definition applies only to connection-oriented protocols such
as TCP. For connectionless protocols such as UDP, the notion of
connection establishment time is not meaningful.
Unit of measurement:
Connection establishment time
Issues:
See also:
concurrent connections
connection
connection maintenance
3.10 Connection maintenance
Definition:
The data exchanged between hosts, or between a host and the
DUT/SUT, to ensure a connection is kept alive.
Discussion:
Some implementations of TCP and other connection-oriented protocols
use "keep-alive" data to maintain a connection during periods where
no user data is exchanged.
When benchmarking firewall performance, it is useful to identify
connection maintenance traffic as distinct from UOTs per second.
Given that maintenance traffic may be characterized by short bursts
at periodic intervals, it may not be possible to describe a
steady-state forwarding rate for maintenance traffic. One possible
approach is to identify the quantity of maintenance traffic, in
bytes or bits, over a given interval, and divide through to derive
a measurement of maintenance traffic forwarding rate.
Unit of measurement:
maintenance traffic
forwarding rate
See also:
connection
connection establishment time
connection teardown
connection teardown time
Issues:
not applicable
3.11 Connection overhead
Definition:
The degradation in bit forwarding rate, if any, observed as a
result of the addition of one connection between two hosts through
the DUT/SUT, or the addition of one connection from a host to the
DUT/SUT.
Discussion:
The memory cost of connection establishment and maintenance is
highly implementation-specific. This metric is intended to describe
that cost in a method visible outside the firewall.
It may also be desirable to invert this metric to show the
performance improvement as a result of tearing down one connection.
Unit of measurement:
bit forwarding rate
Issues:
3.12 Connection teardown
Definition:
The data exchanged between hosts, or between a host and the
DUT/SUT, to close a connection.
Discussion:
Connection-oriented protocols like TCP follow a stated procedure
when ending a connection. When benchmarking firewall performance,
it is important to identify the teardown procedure so that it is
not included in measurements of bit forwarding rate or UOTs per
second.
Testers may also be interested in measurements of connection
teardown time through or with a given DUT/SUT.
Unit of measurement:
not applicable
See also:
connection teardown time
Issues:
not applicable
3.13 Connection teardown time
Definition:
The length of time needed for two hosts, or a host and the DUT/SUT,
to agree to tear down a connection using a known protocol.
Discussion:
Each connection-oriented protocol has its own defined mechanisms
for dropping a connection. For purposes of benchmarking firewall
performance, this shall be the interval between receipt of the
first bit of the first octet of the packet carrying a connection
teardown request on a DUT/SUT interface until transmission of the
last bit of the last octet of the last packet of the connection
teardown traffic headed in the opposite direction.
This definition applies only to connection-oriented protocols such
as TCP. For connectionless protocols such as UDP, the notion of
connection teardown time is not meaningful.
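As an added example (not text or code from RFC 2647), the following Python applies the interval definitions of 3.9 and 3.13, the rule from the connection discussion above that handshake and teardown traffic must be left out of steady-state forwarding rates, and the "divide through" approach of 3.10, to a constructed packet trace timestamped at the DUT/SUT interfaces. The 100 Mbit/s link speed, the `Pkt` record, the phase labels and the sample timestamps are assumptions made for the example.

```python
# Added example, not part of RFC 2647: apply the 3.9 / 3.13 timing definitions
# and the "leave setup and teardown out" rule to a constructed packet trace.
from dataclasses import dataclass
LINK_BPS = 100_000_000  # assumed 100 Mbit/s DUT/SUT interface speed

@dataclass(frozen=True)
class Pkt:
    t_first_bit: float  # seconds: first bit seen on the DUT/SUT interface
    octets: int         # length on the wire
    direction: str      # "in" (toward the server side) or "out" (toward the client)
    phase: str          # "setup", "data", "maintenance" or "teardown"

    def t_last_bit(self) -> float:
        # serialization delay turns a first-bit time into a last-bit time
        return self.t_first_bit + self.octets * 8 / LINK_BPS

def phase_time(trace, phase):
    """First bit of the first `phase` packet (the request) to the last bit of
    the last `phase` packet headed the opposite way, per 3.9 and 3.13."""
    pkts = [p for p in trace if p.phase == phase]
    if not pkts:
        raise ValueError(f"no {phase} traffic in trace")
    request = pkts[0]
    replies = [p for p in pkts if p.direction != request.direction]
    if not replies:  # one-way exchange (e.g. UDP): the metric is not meaningful
        raise ValueError(f"no {phase} traffic in the opposite direction")
    return replies[-1].t_last_bit() - request.t_first_bit

def establishment_time(trace): return phase_time(trace, "setup")
def teardown_time(trace): return phase_time(trace, "teardown")

def forwarding_rate_bps(trace, phase="data"):
    """Bits of `phase` traffic over the interval they occupied. phase="data"
    excludes handshake and teardown from the steady-state figure;
    phase="maintenance" gives the 3.10 maintenance traffic forwarding rate."""
    pkts = [p for p in trace if p.phase == phase]
    if not pkts:
        raise ValueError(f"no {phase} traffic in trace")
    return sum(p.octets * 8 for p in pkts) / (pkts[-1].t_last_bit() - pkts[0].t_first_bit)

# constructed TCP exchange as seen at the DUT/SUT: SYN, SYN-ACK, ACK, data, FIN/ACK/FIN/ACK
TCP_TRACE = [
    Pkt(0.000000, 60, "in", "setup"), Pkt(0.000100, 60, "out", "setup"),
    Pkt(0.000200, 52, "in", "setup"),
    Pkt(0.001000, 1500, "in", "data"), Pkt(0.001500, 1500, "in", "data"),
    Pkt(0.002000, 52, "out", "data"),
    Pkt(0.005000, 52, "in", "teardown"), Pkt(0.005050, 52, "out", "teardown"),
    Pkt(0.005100, 52, "out", "teardown"), Pkt(0.005200, 52, "in", "teardown"),
]
# a one-way UDP flow counts as a connection for measurement but has no setup exchange
UDP_TRACE = [Pkt(0.000000, 200, "in", "data"), Pkt(0.000500, 200, "in", "data")]
```

The SYN to SYN-ACK interval comes out as about 104.8 µs and the FIN exchange as about 104.2 µs, while the data-phase rate ignores the nine handshake and teardown packets entirely.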
Unit of measurement:
Connection teardown time
Issues:
See also:
concurrent connections
connection
connection maintenance
3.14 Data source
Definition:
A host capable of generating traffic to the DUT/SUT.
Discussion:
One data source may emulate multiple users or hosts. In addition,
one data source may offer traffic to multiple network interfaces on
the DUT/SUT.
The term "data source" is deliberately independent of any number of
users. It is useful to think of data sources simply as traffic
generators, without any correlation to any given number of users.
Unit of measurement:
not applicable
Issues:
user
See also:
connection
user
3.15 Demilitarized zone
Definition:
A network segment or segments located between protected and
unprotected networks.
Discussion:
As an extra security measure, networks may be designed such that
protected and unprotected segments are never directly connected.
Instead, firewalls (and possibly public resources such as HTTP or
FTP servers) reside on a so-called DMZ network.
DMZ networks are sometimes called perimeter networks.
Unit of measurement:
not applicable
Issues:
Homed
See also:
protected network
unprotected network
3.16 Firewall
Definition:
A device or group of devices that enforces an access control policy
between networks.
Discussion:
While there are many different ways to accomplish it, all firewalls
do the same thing: control access between networks.
The most common configuration involves a firewall connecting two
segments (one protected and one unprotected), but this is not the
only possible configuration. Many firewalls support tri-homing,
allowing use of a DMZ network. It is possible for a firewall to
accommodate more than three interfaces, each attached to a
different network segment.
The criteria by which access is controlled are not specified here.
Typically this has been done using network- or transport-layer
criteria (such as IP subnet or TCP port number), but there is no