
IPsec Benchmarking Methodology - Unifying Terminology and Creating Repeatable Tests

This document aims to provide a framework for benchmarking IPsec, unify IPsec terminology, create repeatable benchmark tests, and identify implementation issues for cohesive vendor comparison. The document is still being updated with upcoming changes.


Presentation Transcript


  1. 63rd IETF Meeting, Benchmarking Methodology Working Group
     • draft-ietf-bmwg-ipsec-term-06
     • draft-ietf-bmwg-ipsec-meth-00
     • Michele Bustos, Merike Kaeo, Tim Van Herck

  2. draft-ietf-bmwg-ipsec-*-nn: Introduction & motivation
     • Framework for benchmarking IPsec.
     • Unify IPsec terminology.
     • Create repeatable benchmark tests.
     • Identify implementation issues
     • NOT for interop issues
     • Provide cohesive vendor comparison.
     • Documents are still being synced up

  3. draft-ietf-bmwg-ipsec-term-06: Changes
     • Tunnel definition re-org (major change)
     • Redefined ‘tunnel’ terms
     • Back to IKE Phase [1|2] primitives
     • IKE Phase 1 SAs
     • IKE Phase 2 SAs
     • IPsec Tunnel == 1 Ph.1 SA + 2 Ph.2 SAs
     • Introduced IPv6 language
     • Expanded scope to introduce host testing.
     • Lots of I-D nits

  4. draft-ietf-bmwg-ipsec-term-06: Upcoming changes
     • Based on WGLC comments:
     • Need for a Phase 1 rekey frame loss?
     • IKE version agnostic document required?
     • Does scope need to be expanded to IKEv2?
     • Authors feel IKEv2 benchmarking should be a separate document.
     • Additional IPsec throughput terms
     • IPsec Fragmentation Throughput
     • IPsec Reassembly Throughput also required?

  5. draft-ietf-bmwg-ipsec-term-06: Upcoming changes (continued)
     • IPsec Capacity
     • Phase 1 SA Capacity → is this necessary?
     • Phase 2 SA Capacity (1 Phase 1 SA, max. Phase 2 SAs negotiated)
     • IPsec Tunnel Capacity
     • XAUTH/MODCFG → is part of the Security Context, which must be reported

  6. draft-ietf-bmwg-ipsec-term-06: Upcoming changes (continued)
     • Author initiated
     • Measurement Units
     • Number of N-octet frames → Frames
     • ‘Time units with enough precision to reflect <a> measurement’ → msec
     • Frame sizes (L2/L3 encrypted/cleartext) need to be clarified.

  7. draft-ietf-bmwg-ipsec-term-06: Upcoming changes (continued)
     • Iterated tunnel definition rework/scrap?
     • Time to First Packet → worth measuring?
     • [configured | established | active] tunnels
     • Configured == cfg (+ SPI for manual keying)
     • Established == cfg + entry in SADB
     • Active → deprecated
     • Huge copy/paste error in IPsec Tunnel Discussion.

  8. draft-ietf-bmwg-ipsec-meth-00: What’s new
     • The entire draft!
     • Currently incomplete. Solid -00 available in next 2 weeks.
     • Expansive IPv6 language added

  9. draft-ietf-bmwg-ipsec-meth-00: Input needed on …
     • Topologies
     • Test Setup Parameters
     • Minimal required transform sets
     • Keepalives / DPD
     • What is missing?
     • WGLC for both docs simultaneously.

  10. draft-ietf-bmwg-ipsec-meth-00: Upcoming changes
      • Document will be completed to a solid -00
      • Fragmentation discussion will be moved into the terminology document
      • Instrumentation data will be removed

  11. Contacts
      • Michele Bustos: mbustos@ixiacom.com
      • Merike Kaeo: merike@doubleshotsecurity.com
      • Tim Van Herck: herckt@cisco.com
      • Mailers
      • Working Group: bmwg@ietf.org
      • Authors: bmwg-ipsec@external.cisco.com
