RFC3511防火墙性能基准测试方法

测评技术体系之测试方法篇（测试文档）RFC3511BenchmarkingMethodologyforFirewallPerformance，2003.4北京国信网安信息系统测评技术实验室BenchmarkingMethodologyforFirewallPerformanceRFC3511，2003.4NetworkWorkingGroup                    B.HickmanRequestforComments:3511            SpirentCommunicationsCategory:Informational                    D.NewmanNetworkTestS.TadjudinSpirentCommunicationsT.MartinGVNWConsultingIncStatusofthisMemoThismemoprovidesinformationfortheInternetcommunity.ItdoesnotspecifyanInternetstandardofanykind. Distributionofthismemoisunlimited.CopyrightNoticeCopyright(C)TheInternetSociety(2003). AllRightsReserved.AbstractThisdocumentdiscussesanddefinesanumberofteststhatmaybeusedtodescribetheperformancecharacteristicsoffirewalls. Inadditiontodefiningthetests,thisdocumentalsodescribesspecificformatsforreportingtheresultsofthetests.ThisdocumentisaproductoftheBenchmarkingMethodologyWorkingGroup(BMWG)oftheInternetEngineeringTaskForce(IETF).1  Introduction2  Requirements3  Scope4  TestSetup4.1  TestConsiderations4.2  VirtualClients/Servers4.3  TestTrafficRequirements4.4  DUT/SUTTrafficFlows4.5  MultipleClient/ServerTesting4.6  NetworkAddressTranslation(NAT)4.7  RuleSets4.8  WebCaching4.9  Authentication4.10  TCPStackConsiderations5  BenchmarkingTests5.1  IPThroughput5.1.1  Objective5.1.2  SetupParameters5.1.3  Procedure5.1.4  Measurement5.1.5  ReportingFormat5.2  ConcurrentTCPConnectionCapacity5.2.1  Objective5.2.2  SetupParameters5.2.3  Procedure5.2.4  Measurements5.2.5  ReportingFormat5.3  MaximumTCPConnectionEstablishmentRate5.3.1  Objective5.3.2  SetupParameters5.3.3  Procedure5.3.4  Measurements5.3.5  ReportingFormat5.4  MaximumTCPConnectionTearDownRate5.4.1  Objective5.4.2  SetupParameters5.4.3  Procedure5.4.4  Measurements5.4.5  ReportingFormat5.5  DenialOfServiceHandling5.5.1  Objective5.5.2  SetupParameters5.5.3  5.5.3Procedure5.5.4  Measurements5.5.5  ReportingFormat5.6  HTTPTransferRate5.6.1  Objective5.6.2  SetupParameters5.6.3  Procedure5.6.4  Measurements5.6.5  ReportingFormat5.7  MaximumHTTPTransactionRate5.7.1  Objective5.7.2  SetupParameters5.7.3  Procedure5.7.4  Measurements5.7.5  ReportingFormat5.8  IllegalTrafficHandling5.8.1  Objective5.8.2  SetupParameters5.8.3  Procedure5.8.4  Measurements5.8.5  ReportingFormat5.9  IPFragmentationHandling5.9.1  Objective5.9.2  SetupParameters5.9.3  Procedure5.9.4  Measurements5.9.5  ReportingFormat5.10  Latency5.10.1  Objective5.10.2  SetupParameters5.10.3  Network-layerprocedure5.10.4  Applicationlayerprocedure5.10.5  Measurements5.10.6  Network-layerreportingformat5.10.7  Application-layerreportingformat6  References6.1  NormativeReferences6.2  InformativeReferences7  SecurityConsiderations8  APPENDIXA:HTTP(HyperTextTransferProtocol)9  APPENDIXB:ConnectionEstablishmentTimeMeasurements10  APPENDIXC:ConnectionTearDownTimeMeasurements11  Authors'Addresses1IntroductionThisdocumentprovidesmethodologiesfortheperformancebenchmarkingoffirewalls.Itcoversfourareas:forwarding,connection,latencyandfiltering. Inadditiontodefiningtests,thisdocumentalsodescribesspecificformatsforreportingtestresults.Apreviousdocument,"BenchmarkingTerminologyforFirewallPerformance"[1],definesmanyofthetermsthatareusedinthisdocument. TheterminologydocumentSHOULDbeconsultedbeforeattemptingtomakeuseofthisdocument.2RequirementsInthisdocument,thewordsthatareusedtodefinethesignificanceofeachparticularrequirementarecapitalized. Thesewordsare:⏹"MUST"，Thisword,orthewords"REQUIRED"and"SHALL"meanthattheitemisanabsoluterequirementofthespecification.⏹"SHOULD"，Thiswordortheadjective"RECOMMENDED"meansthattheremayexistvalidreasonsinparticularcircumstancestoignorethisitem,butthefullimplicationsshouldbeunderstoodandthecase carefullyweighedbeforechoosingadifferentcourse.⏹"MAY"，Thiswordortheadjective"OPTIONAL"meansthatthisitemistrulyoptional.Onevendormaychoosetoincludetheitembecauseaparticularmarketplacerequiresitorbecauseitenhancestheproduct,forexample;anothervendormayomitthesameitem.AnimplementationisnotcompliantifitfailstosatisfyoneormoreoftheMUSTrequirements. AnimplementationthatsatisfiesalltheMUSTandalltheSHOULDrequirementsissaidtobe"unconditionallycompliant";onethatsatisfiesalltheMUSTrequirementsbutnotalltheSHOULDrequirementsissaidtobe"conditionallycompliant".3ScopeFirewallscancontrolaccessbetweennetworks. Usually,afirewallprotectsaprivatenetworkfrompublicorsharednetwork(s)towhichitisconnected. Afirewallcanbeassimpleasasingledevicethatfilterspacketsorascomplexasagroupofdevicesthatcombinepacketfilteringandapplication-levelproxyandnetworktranslationservices. Thisdocumentfocusesonbenchmarkingfirewallperformance,whereverpossible,independentofimplementation.4TestSetupTestconfigurationsdefinedinthisdocumentwillbeconfinedtodual-homedandtri-homedasshowninfigure1andfigure2respectively.Firewallsemployingdual-homedconfigurationsconnecttwonetworks.Oneinterfaceofthefirewallisattachedtotheunprotectednetwork[1],typicallythepublicnetwork(Internet). Theotherinterfaceisconnectedtotheprotectednetwork[1],typicallytheinternalLAN.Inthecaseofdual-homedconfigurations,serverswhicharemadeaccessibletothepublic(Unprotected)networkareattachedtotheprivate(Protected)network.----------                   ----------|     |  |   ----------    |   |     ||Servers/|----|   |     |    |------|Servers/||Clients |  |   |     |    |   |Clients ||     |  |-------| DUT/SUT|--------|   |     |----------  |   |     |    |   ----------Protected |   ----------    |UnprotectedNetwork |             | NetworkFigure1(Dual-Homed)Tri-homed[1]configurationsemployathirdsegmentcalledaDemilitarizedZone(DMZ).Withtri-homedconfigurations,serversaccessibletothepublicnetworkareattachedtotheDMZ.Tri-Homedconfigurationsofferadditionalsecuritybyseparatingserver(s)accessibletothepublicnetworkfrominternalhosts.----------                   ----------|     |  |   ----------    |   |     ||Clients |----|   |     |    |------|Servers/||     |  |   |     |    |   |Clients |----------  |-------| DUT/SUT|--------|   |     ||   |     |    |   ----------|   ----------    |Protected|      |       |UnprotectedNetwork       |         Network|-----------------|  DMZ||-----------|     ||Servers ||     |-----------Figure2(Tri-Homed)4.1TestConsiderations4.2VirtualClients/ServersSincefirewalltestingmayinvolvedatasources，whichemulatemultipleusersorhosts,themethodologyusesthetermsvirtualclients/servers.Forthesefirewalltests,virtualclients/serversspecifyapplicationlayerentities，whichmaynotbeassociatedwithauniquephysicalinterface. Forexample,fourvirtualclientsmayoriginatefromthesamedatasource[1]. ThetestreportMUSTindicatethenumberofvirtualclientsandvirtualserversparticipatinginthetest.4.3TestTrafficRequirementsWhilethefunctionofafirewallistoenforceaccesscontrolpolicies,thecriteriabywhichthosepoliciesaredefinedvarydependingontheimplementation. Firewallsmayusenetworklayer,transportlayeror,inmanycases,application-layercriteriatomakeaccess-controldecisions.Forthepurposesofbenchmarkingfirewallperformance,thisdocumentreferencesHTTP1.1orhigherastheapplicationlayerentity. ThemethodologiesMAYbeusedasatemplateforbenchmarkingwithotherapplications. SincetestingmayinvolveproxybasedDUT/SUTs,HTTPversionconsiderationsarediscussedinappendixA.4.4DUT/SUTTrafficFlowsSincethenumberofinterfacesarenotfixed,thetrafficflowswillbedependentupontheconfigurationusedinbenchmarkingtheDUT/SUT.Notethattheterm"trafficflows"isassociatedwithclient-to-serverrequests.ForDual-Homedconfigurations,therearetwouniquetrafficflows:Client    Server------    ------Protected ->UnprotectedUnprotected->ProtectedForTri-Homedconfigurations,therearethreeuniquetrafficflows:Client    Server------    ------Protected-> UnprotectedProtected-> DMZUnprotected->DMZ4.5MultipleClient/ServerTestingOneormoreclientsmaytargetmultipleserversforagivenapplication. EachvirtualclientMUSTinitiateconnectionsinaround-robinfashion. Forexample,ifthetestconsistedofsixvirtualclientstargetingthreeservers,thepatternwouldbeasfollows:Client     TargetServer(Inorderofrequest)#1       1  2  3  1...#2       2  3  1  2...#3       3  1  2  3...#4       1  2  3  1...#5       2  3  1  2...#6       3  1  2  3...4.6NetworkAddressTranslation(NAT)Manyfirewallsimplementnetworkaddresstranslation(NAT)[1],afunctionwhichtranslatesprivateinternetaddressestopublicinternetaddresses.ThisinvolvesadditionalprocessingonthepartoftheDUT/SUTandmayimpactperformance. Therefore,testsSHOULDberanwithNATdisabledandNATenabledtodeterminetheperformancedifferential,ifany. ThetestreportMUSTindicatewhetherNATwasenabledordisabled.4.7RuleSetsRulesets[1]areacollectionofaccesscontrolpoliciesthatdeterminewhichpacketstheDUT/SUTwillforwardandwhichitwillreject[1]. SincecriteriabywhichtheseaccesscontrolpoliciesmaybedefinedwillvarydependingonthecapabilitiesoftheDUT/SUT,thefollowingislimitedtoprovidingguidelinesforconfiguringrulesetswhenbenchmarkingtheperformanceoftheDUT/SUT.ItisRECOMMENDEDthatarulebeenteredforeachhost(Virtualclient). Inaddition,testingSHOULDbeperformedusingdifferentsizerulesetstodetermineitsimpactontheperformanceoftheDUT/SUT. RulesetsMUSTbeconfiguredinamanner,suchthat,rulesassociatedwithactualtesttrafficareconfiguredattheendoftherulesetandnotatthebeginning.TheDUT/SUTSHOULDbeconfiguredtodenyaccesstoalltrafficwhichwasnotpreviouslydefinedintheruleset. ThetestreportSHOULDincludetheDUT/SUTconfiguredruleset(s).4.8WebCachingSomefirewallsincludecachingagentstoreducenetworkload. Whenmakingarequestthroughacachingagent,thecachingagentattemptstoservicetheresponsefromitsinternalmemory. Thecacheitselfsavesresponsesitreceives,suchasresponsesforHTTPGETrequests.TestingSHOULDbeperformedwithanycachingagentsontheDUT/SUTdisabled.4.9AuthenticationAccesscontrolmayinvolveauthenticationprocessessuchasuser,clientorsessionauthentication. Authenticationisusuallyperformedbydevicesexternaltothefirewallitself,suchasanauthenticationserver(s)andmayaddtothelatencyofthesystem.AnyauthenticationprocessesMUSTbeincludedaspartofconnectionsetupprocess.4.10TCPStackConsiderationsSometestinstrumentsallowconfigurationofoneormoreTCPstackparameters,therebyinfluencingthetrafficflowswhichwillbeofferedandimpactingperformancemeasurements. WhilethisdocumentdoesnotattempttospecifywhichTCPparametersshouldbeconfigurable,anysuchTCPparameter(s)MUSTbenotedinthetestreport. Inaddition,whencomparingmultipleDUT/SUTs,thesameTCPparametersMUSTbeused.5BenchmarkingTests5.1IPThroughput5.1.1ObjectiveTodeterminethethroughputofnetwork-layerdatatraversingtheDUT/SUT,asdefinedinRFC1242[3]. NotethatwhileRFC1242usesthetermframes,whichisassociatedwiththelinklayer,theprocedureusesthetermpackets,sinceitisreferencingthenetworklayer.5.1.2SetupParametersThefollowingparametersMUSTbedefined:⏹Packetsize-NumberofbytesintheIPpacket,exclusiveofanylinklayerheaderorchecksums.⏹TestDuration-Durationofthetest,expressedinseconds.5.1.3ProcedureThetestinstrumentMUSTofferunicastIPpacketstotheDUT/SUTataconstantrate.ThetestMAYconsistofeitherbi-directionalorunidirectionaltraffic;forexample,anemulatedclientmayofferaunicaststreamofpacketstoanemulatedserver,orthetestinstrumentmaysimulateaclient/serverexchangebyofferingbi-directionaltraffic.Thistestwillemployaniterativesearchalgorithm.Eachiterationwillinvolvethetestinstrumentvaryingtheintendedloaduntilthemaximumrate,atwhichnopacketlossoccurs,isfound. Sincebackpressuremechanismsmaybeemployed,resultingintheintendedloadandofferedloadbeingdifferent,thetestSHOULDbeperformedineitherapacketbasedortimebasedmannerasdescribedinRFC2889[5]. AswithRFC1242,thetermpacketisusedinplaceofframe. ThedurationofthetestportionofeachtrialMUSTbeatleast30seconds.ItisRECOMMENDEDtoperformthethroughputmeasurementswithdifferentpacketsizes.WhentestingwithdifferentpacketsizestheDUT/SUTconfigurationMUSTremainthesame.5.1.4Measurement5.1.4.1NetworkLayerThroughput:Maximumofferedload,expressedineitherbitspersecondorpacketspersecond,atwhichnopacketlossisdetected.ThebitstobecountedareintheIPpacket(headerpluspayload);otherfields,suchaslink-layerheadersandtrailers,MUSTNOTbeincludedinthemeasurement.ForwardingRate：Forwardingrate,expressedineitherbitspersecondorpacketspersecond,thedeviceisobservedtosuccessfullyforwardtothecorrectdestinationinterfaceinresponsetoaspecifiedofferedload.ThebitstobecountedareintheIPpacket(headerpluspayload);otherfields,suchaslink-layerheadersandtrailers,MUSTNOTbeincludedinthemeasurement.5.1.5ReportingFormatThetestreportMUSTnotethepacketsize(s),testduration,throughputandforwardingrate.Inaddition,thetestreportMUSTconformtothereportingrequirementssetinsection4,TestSetup.Ifthetestinvolvedofferingpacketswhichtargetmorethanonesegment(Protected,UnprotectedorDMZ),thereportMUSTidentifytheresultsasanaggregatethroughputmeasurement.ThethroughputresultsSHOULDbereportedintheformatofatablewitharowforeachofthetestedpacketsizes. ThereSHOULDbecolumnsforthepacketsize,theintendedload,theofferedload,resultantthroughputandforwardingrateforeachtest.TheintermediateresultsofthesearchalgorithmMAYbesavedinlogfilewhichincludesthepacketsize,testdurationandforeachiteration:-StepIteration-Pass/FailStatus-Totalpacketsoffered-Totalpacketsforwarded-Intendedload-Offeredload(Ifapplicable)-Forwardingrate5.2ConcurrentTCPConnectionCapacity5.2.1ObjectiveTodeterminethemaximumnumberofconcurrentTCPconnectionssupportedthroughorwiththeDUT/SUT,asdefinedinRFC2647[1].ThistestisintendedtofindthemaximumnumberofentriestheDUT/SUTcanstoreinitsconnectiontable.5.2.2SetupParametersThefollowingparametersMUSTbedefinedforalltests:5.2.2.1Transport-LayerSetupParametersConnectionAttemptRate:Theaggregaterate,expressedinconnectionspersecond,atwhichTCPconnectionrequestsareattempted.TherateSHOULDbesetatorlowerthanthemaximumrateatwhichtheDUT/SUTcanacceptconnectionrequests.AgingTime:Thetime,expressedinseconds,theDUT/SUTwillkeepaconnectioninitsconnectiontableafterreceivingaTCPFINorRSTpacket.5.2.2.2Application-LayerSetupParametersValidationMethod:HTTP1.1orhigherMUSTbeusedforthistestforbothclientsandservers.TheclientandserverMUSTusethesameHTTPversion.ObjectSize:Definesthenumberofbytes,excludinganybytesassociatedwiththeHTTPheader,tobetransferredinresponsetoanHTTP1.1orhigherGETrequest.5.2.3ProcedureThistestwillemployaniterativesearchalgorithmtodeterminethemaximumnumberofconcurrentTCPconnectionssupportedthroughorwiththeDUT/SUT.Foreachiteration,theaggregatenumberofconcurrentTCPconnectionsattemptedbythevirtualclient(s)willbevaried. ThedestinationaddresswillbethatoftheserverorthatoftheNATproxy. Theaggregateratewillbedefinedbyconnectionattemptrate,andwillbeattemptedinaround-robinfashion(See4.5).Tovalidateallconnections,thevirtualclient(s)MUSTrequestanobjectusinganHTTP1.1orhigherGETrequest. TherequestsMUSTbeinitiatedoneachconnectionafteralloftheTCPconnectionshavebeenestablished.Whentestingproxy-basedDUT/SUTs,thevirtualclient(s)MUSTrequesttwoobjectsusingHTTP1.1orhigherGETrequests. ThefirstGETrequestisrequiredforconnectiontimeestablishment[1]measurementsasspecifiedinappendixB. Thesecondrequestisusedforvalidationaspreviouslymentioned. Whencomparingproxyandnon-proxybasedDUT/SUTs,thetestMUSTbeperformedinthesamemanner.Betweeneachiteration,itisRECOMMENDEDthatthetestinstrumentissueaTCPRSTreferencingeachconnectionattemptedforthepreviousiteration,regardlessofwhetherornottheconnectionattemptwassuccessful. Thetestinstrumentwillwaitforagingtimebeforecontinuingtothenextiteration.5.2.4Measurements5.2.4.1Application-LayermeasurementsNumberofobjectsrequestedNumberofobjectsreturned5.2.4.2Transport-LayermeasurementsMaximumconcurrentconnections:TotalnumberofTCPconnectionsopenforthelastsuccessfuliterationperformedinthesearchalgorithm.Minimumconnectionestablishmenttime:LowestTCPconnectionestablishmenttimemeasured,asdefinedinappendixB.Maximumconnectionestablishmenttime:HighestTCPconnectionestablishmenttimemeasured,asdefinedinappendixB.Averageconnectionestablishmenttime:Themeanofallmeasurementsofconnectionestablishmenttimes.Aggregateconnectionestablishmenttime:Thetotalofallmeasurementsofconnectionestablishmenttimes.5.2.5ReportingFormatThetestreportMUSTconformtothereportingrequirementssetinsection4,TestSetup.5.2.5.1Application-LayerReporting:ThetestreportMUSTnotetheobjectsize,numberofcompletedrequestsandnumberofcompletedresponses.TheintermediateresultsofthesearchalgorithmMAYbereportedinatabularformatwithacolumnforeachiteration. ThereSHOULDberowsforthenumberofrequestsattempted,numberandpercentagerequestscompleted,numberofresponsesattempted,numberandpercentageofresponsescompleted. ThetableMAYbecombinedwiththetransport-layerreporting,providedthatthetableidentifythisasanapplicationlayermeasurement.Versioninformation:ThetestreportMUSTnotetheversionofHTTPclient(s)andserver(s).5.2.5.2Transport-LayerReporting:ThetestreportMUSTnotetheconnectionattemptrate,agingtime,minimumTCPconnectionestablishmenttime,maximumTCPconnectionestablishmenttime,averageconnectionestablishmenttime,aggregateconnectionestablishmenttimeandmaximumconcurrentconnectionsmeasured.TheintermediateresultsofthesearchalgorithmMAYbereportedintheformatofatablewithacolumnforeachiteration. ThereSHOULDberowsforthetotalnumberofTCPconnectionsattempted,numberandpercentageofTCPconnectionscompleted,minimumTCPconnectionestablishmenttime,maximumTCPconnectionestablishmenttime,averageconnectionestablishmenttimeandtheaggregateconnectionestablishmenttime.5.3MaximumTCPConnectionEstablishmentRate5.3.1ObjectiveTodeterminethemaximumTCPconnectionestablishmentratethroughorwiththeDUT/SUT,asdefinedbyRFC2647[1]. ThistestisintendedtofindthemaximumratetheDUT/SUTcanupdateitsconnectiontable.5.3.2SetupParametersThefollowingparametersMUSTbedefinedforalltests:5.3.2.1Transport-LayerSetupParametersNumberofConnections:DefinestheaggregatenumberofTCPconnectionsthatmustbeestablished.AgingTime:Thetime,expressedinseconds,theDUT/SUTwillkeepaconnectioninit'sstatetableafterreceivingaTCPFINorRSTpacket.5.3.2.2Application-LayerSetupParametersValidationMethod:HTTP1.1orhigherMUSTbeusedforthistestforbothclientsandservers. TheclientandserverMUSTusethesameHTTPversion.ObjectSize:Definesthenumberofbytes,excludinganybytesassociatedwiththeHTTPheader,tobetransferredinresponsetoanHTTP1.1orhigherGETrequest.5.3.3ProcedureThistestwillemployaniterativesearchalgorithmtodeterminethemaximumrateatwhichtheDUT/SUTcanacceptTCPconnectionrequests.Foreachiteration,theaggregaterateatwhichTCPconnectionrequestsareattemptedbythevirtualclient(s)willbevaried. ThedestinationaddresswillbethatoftheserverorthatoftheNATproxy. Theaggregatenumberofconnections,definedbynumberofconnections,willbeattemptedinaround-robinfashion(See4.5).Thesameapplication-layerobjecttransfersrequiredforvalidationandestablishmenttimemeasurementsasdescribedintheconcurrentTCPconnectioncapacitytestMUSTbeperformed.Betweeneachiteration,itisRECOMMENDEDthatthetestinstrumentissueaTCPRSTreferencingeachconnectionattemptedforthepreviousiteration,regardlessofwhetherornottheconnectionattemptwassuccessful. Thetestinstrumentwillwaitforagingtimebeforecontinuingtothenextiteration.5.3.4Measurements5.3.4.1Application-LayermeasurementsNumberofobjectsrequestedNumberofobjectsreturned5.3.4.2Transport-LayermeasurementsHighestconnectionrate:Highestrate,inconnectionspersecond,forwhichallconnectionssuccessfullyopenedinthesearchalgorithm.Minimumconnectionestablishmenttime:LowestTCPconnectionestablishmenttimemeasured,asdefinedinappendixB.Maximumconnectionestablishmenttime:HighestTCPconnectionestablishmenttimemeasured,asdefinedinappendixB.Averageconnectionestablishmenttime:Themeanofallmeasurementsofconnectionestablishmenttimes.Aggregateconnectionestablishmenttime:Thetotalofallmeasurementsofconnectionestablishmenttimes.5.3.5ReportingFormatThetestreportMUSTconformtothereportingrequirementssetinsection4,TestSetup.5.3.5.1Application-LayerReporting:ThetestreportMUSTnoteobjectsize(s),numberofcompletedrequestsandnumberofcompletedresponses.TheintermediateresultsofthesearchalgorithmMAYbereportedinatabularformatwithacolumnforeachiteration. ThereSHOULDberowsforthenumberofrequestsattempted,numberandpercentagerequestscompleted,numberofresponsesattempted,numberandpercentageofresponsescompleted. ThetableMAYbecombinedwiththetransport-layerreporting,providedthatthetableidentifythisasanapplicationlayerm