Evaluation Technology System: Test Methods (Test Document)
RFC 3511, Benchmarking Methodology for Firewall Performance, April 2003
Beijing Guoxin Wangan Information System Evaluation Technology Laboratory (北京国信网安信息系统测评技术实验室)

Network Working Group                                        B. Hickman
Request for Comments: 3511                       Spirent Communications
Category: Informational                                       D. Newman
                                                           Network Test
                                                            S. Tadjudin
                                                 Spirent Communications
                                                              T. Martin
                                                     GVNW Consulting Inc

Status of this Memo

   This memo provides information for the Internet community. It does
   not specify an Internet standard of any kind. Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   This document discusses and defines a number of tests that may be
   used to describe the performance characteristics of firewalls. In
   addition to defining the tests, this document also describes
   specific formats for reporting the results of the tests.

   This document is a product of the Benchmarking Methodology Working
   Group (BMWG) of the Internet Engineering Task Force (IETF).

Table of Contents

   1      Introduction
   2      Requirements
   3      Scope
   4      Test Setup
   4.1    Test Considerations
   4.2    Virtual Clients/Servers
   4.3    Test Traffic Requirements
   4.4    DUT/SUT Traffic Flows
   4.5    Multiple Client/Server Testing
   4.6    Network Address Translation (NAT)
   4.7    Rule Sets
   4.8    Web Caching
   4.9    Authentication
   4.10   TCP Stack Considerations
   5      Benchmarking Tests
   5.1    IP Throughput
   5.1.1  Objective
   5.1.2  Setup Parameters
   5.1.3  Procedure
   5.1.4  Measurement
   5.1.5  Reporting Format
   5.2    Concurrent TCP Connection Capacity
   5.2.1  Objective
   5.2.2  Setup Parameters
   5.2.3  Procedure
   5.2.4  Measurements
   5.2.5  Reporting Format
   5.3    Maximum TCP Connection Establishment Rate
   5.3.1  Objective
   5.3.2  Setup Parameters
   5.3.3  Procedure
   5.3.4  Measurements
   5.3.5  Reporting Format
   5.4    Maximum TCP Connection Tear Down Rate
   5.4.1  Objective
   5.4.2  Setup Parameters
   5.4.3  Procedure
   5.4.4  Measurements
   5.4.5  Reporting Format
   5.5    Denial Of Service Handling
   5.5.1  Objective
   5.5.2  Setup Parameters
   5.5.3  Procedure
   5.5.4  Measurements
   5.5.5  Reporting Format
   5.6    HTTP Transfer Rate
   5.6.1  Objective
   5.6.2  Setup Parameters
   5.6.3  Procedure
   5.6.4  Measurements
   5.6.5  Reporting Format
   5.7    Maximum HTTP Transaction Rate
   5.7.1  Objective
   5.7.2  Setup Parameters
   5.7.3  Procedure
   5.7.4  Measurements
   5.7.5  Reporting Format
   5.8    Illegal Traffic Handling
   5.8.1  Objective
   5.8.2  Setup Parameters
   5.8.3  Procedure
   5.8.4  Measurements
   5.8.5  Reporting Format
   5.9    IP Fragmentation Handling
   5.9.1  Objective
   5.9.2  Setup Parameters
   5.9.3  Procedure
   5.9.4  Measurements
   5.9.5  Reporting Format
   5.10   Latency
   5.10.1 Objective
   5.10.2 Setup Parameters
   5.10.3 Network-layer procedure
   5.10.4 Application layer procedure
   5.10.5 Measurements
   5.10.6 Network-layer reporting format
   5.10.7 Application-layer reporting format
   6      References
   6.1    Normative References
   6.2    Informative References
   7      Security Considerations
   8      APPENDIX A: HTTP (HyperText Transfer Protocol)
   9      APPENDIX B: Connection Establishment Time Measurements
   10     APPENDIX C: Connection Tear Down Time Measurements
   11     Authors' Addresses

1 Introduction

   This document provides methodologies for the performance
   benchmarking of firewalls. It covers four areas: forwarding,
   connection, latency and filtering. In addition to defining tests,
   this document also describes specific formats for reporting test
   results.

   A previous document, "Benchmarking Terminology for Firewall
   Performance" [1], defines many of the terms that are used in this
   document. The terminology document SHOULD be consulted before
   attempting to make use of this document.

2 Requirements

   In this document, the words that are used to define the
   significance of each particular requirement are capitalized. These
   words are:

   ⏹ "MUST": This word, or the words "REQUIRED" and "SHALL", mean that
     the item is an absolute requirement of the specification.

   ⏹ "SHOULD": This word or the adjective "RECOMMENDED" means that
     there may exist valid reasons in particular circumstances to
     ignore this item, but the full implications should be understood
     and the case carefully weighed before choosing a different
     course.

   ⏹ "MAY": This word or the adjective "OPTIONAL" means that this item
     is truly optional. One vendor may choose to include the item
     because a particular marketplace requires it or because it
     enhances the product, for example; another vendor may omit the
     same item.

   An implementation is not compliant if it fails to satisfy one or
   more of the MUST requirements.
   An implementation that satisfies all the MUST and all the SHOULD
   requirements is said to be "unconditionally compliant"; one that
   satisfies all the MUST requirements but not all the SHOULD
   requirements is said to be "conditionally compliant".

3 Scope

   Firewalls can control access between networks. Usually, a firewall
   protects a private network from public or shared network(s) to
   which it is connected. A firewall can be as simple as a single
   device that filters packets or as complex as a group of devices
   that combine packet filtering and application-level proxy and
   network translation services. This document focuses on
   benchmarking firewall performance, wherever possible, independent
   of implementation.

4 Test Setup

   Test configurations defined in this document will be confined to
   dual-homed and tri-homed as shown in figure 1 and figure 2
   respectively.

   Firewalls employing dual-homed configurations connect two networks.
   One interface of the firewall is attached to the unprotected
   network [1], typically the public network (Internet). The other
   interface is connected to the protected network [1], typically the
   internal LAN. In the case of dual-homed configurations, servers
   which are made accessible to the public (Unprotected) network are
   attached to the private (Protected) network.

       ----------                                      ----------
      |          |     |     ----------     |         |          |
      | Servers/ |-----|    |          |    |---------| Servers/ |
      | Clients  |     |    |          |    |         | Clients  |
      |          |     |----| DUT/SUT  |----|         |          |
       ----------      |    |          |    |          ----------
                       |     ----------     |
        Protected      |                    |        Unprotected
        Network                                        Network

                        Figure 1 (Dual-Homed)

   Tri-homed [1] configurations employ a third segment called a
   Demilitarized Zone (DMZ). With tri-homed configurations, servers
   accessible to the public network are attached to the DMZ.
   Tri-homed configurations offer additional security by separating
   server(s) accessible to the public network from internal hosts.

       ----------                                      ----------
      |          |     |     ----------     |         |          |
      | Clients  |-----|    |          |    |---------| Servers/ |
      |          |     |    |          |    |         | Clients  |
       ----------      |----| DUT/SUT  |----|         |          |
                       |    |          |    |          ----------
                       |     ----------     |
        Protected      |          |         |        Unprotected
        Network                   |                    Network
                                  |
                         ---------|---------
                              DMZ |
                             -----------
                            |           |
                            |  Servers  |
                            |           |
                             -----------

                        Figure 2 (Tri-Homed)

4.1 Test Considerations

4.2 Virtual Clients/Servers

   Since firewall testing may involve data sources which emulate
   multiple users or hosts, the methodology uses the terms virtual
   clients/servers. For these firewall tests, virtual clients/servers
   specify application layer entities which may not be associated with
   a unique physical interface. For example, four virtual clients may
   originate from the same data source [1]. The test report MUST
   indicate the number of virtual clients and virtual servers
   participating in the test.

4.3 Test Traffic Requirements

   While the function of a firewall is to enforce access control
   policies, the criteria by which those policies are defined vary
   depending on the implementation. Firewalls may use network layer,
   transport layer or, in many cases, application-layer criteria to
   make access-control decisions.

   For the purposes of benchmarking firewall performance, this
   document references HTTP 1.1 or higher as the application layer
   entity. The methodologies MAY be used as a template for
   benchmarking with other applications. Since testing may involve
   proxy-based DUT/SUTs, HTTP version considerations are discussed in
   appendix A.

4.4 DUT/SUT Traffic Flows

   Since the number of interfaces is not fixed, the traffic flows will
   be dependent upon the configuration used in benchmarking the
   DUT/SUT. Note that the term "traffic flows" is associated with
   client-to-server requests.

   For Dual-Homed configurations, there are two unique traffic flows:

      Client         Server
      ------         ------
      Protected   -> Unprotected
      Unprotected -> Protected

   For Tri-Homed configurations, there are three unique traffic flows:

      Client         Server
      ------         ------
      Protected   -> Unprotected
      Protected   -> DMZ
      Unprotected -> DMZ

4.5 Multiple Client/Server Testing

   One or more clients may target multiple servers for a given
   application. Each virtual client MUST initiate connections in a
   round-robin fashion.
   For example, if the test consisted of six virtual clients targeting
   three servers, the pattern would be as follows:

      Client   Target Server (In order of request)
      #1       1 2 3 1...
      #2       2 3 1 2...
      #3       3 1 2 3...
      #4       1 2 3 1...
      #5       2 3 1 2...
      #6       3 1 2 3...

4.6 Network Address Translation (NAT)

   Many firewalls implement network address translation (NAT) [1], a
   function which translates private internet addresses to public
   internet addresses. This involves additional processing on the part
   of the DUT/SUT and may impact performance. Therefore, tests SHOULD
   be run with NAT disabled and NAT enabled to determine the
   performance differential, if any. The test report MUST indicate
   whether NAT was enabled or disabled.

4.7 Rule Sets

   Rule sets [1] are a collection of access control policies that
   determine which packets the DUT/SUT will forward and which it will
   reject [1]. Since the criteria by which these access control
   policies may be defined will vary depending on the capabilities of
   the DUT/SUT, the following is limited to providing guidelines for
   configuring rule sets when benchmarking the performance of the
   DUT/SUT.

   It is RECOMMENDED that a rule be entered for each host (virtual
   client). In addition, testing SHOULD be performed using different
   size rule sets to determine their impact on the performance of the
   DUT/SUT. Rule sets MUST be configured in a manner such that rules
   associated with actual test traffic are configured at the end of
   the rule set and not at the beginning, so that test traffic is
   matched only after the preceding rules have been evaluated.

   The DUT/SUT SHOULD be configured to deny access to all traffic
   which was not previously defined in the rule set. The test report
   SHOULD include the DUT/SUT configured rule set(s).

4.8 Web Caching

   Some firewalls include caching agents to reduce network load. When
   making a request through a caching agent, the caching agent
   attempts to service the response from its internal memory. The
   cache itself saves responses it receives, such as responses for
   HTTP GET requests.

   Testing SHOULD be performed with any caching agents on the DUT/SUT
   disabled.

4.9 Authentication

   Access control may involve authentication processes such as user,
   client or session authentication.
   Authentication is usually performed by devices external to the
   firewall itself, such as an authentication server(s), and may add
   to the latency of the system. Any authentication processes MUST be
   included as part of the connection setup process.

4.10 TCP Stack Considerations

   Some test instruments allow configuration of one or more TCP stack
   parameters, thereby influencing the traffic flows which will be
   offered and impacting performance measurements. While this document
   does not attempt to specify which TCP parameters should be
   configurable, any such TCP parameter(s) MUST be noted in the test
   report. In addition, when comparing multiple DUT/SUTs, the same TCP
   parameters MUST be used.

5 Benchmarking Tests

5.1 IP Throughput

5.1.1 Objective

   To determine the throughput of network-layer data traversing the
   DUT/SUT, as defined in RFC 1242 [3]. Note that while RFC 1242 uses
   the term frames, which is associated with the link layer, the
   procedure uses the term packets, since it is referencing the
   network layer.

5.1.2 Setup Parameters

   The following parameters MUST be defined:

   ⏹ Packet size - Number of bytes in the IP packet, exclusive of any
     link layer header or checksums.

   ⏹ Test Duration - Duration of the test, expressed in seconds.

5.1.3 Procedure

   The test instrument MUST offer unicast IP packets to the DUT/SUT at
   a constant rate. The test MAY consist of either bi-directional or
   unidirectional traffic; for example, an emulated client may offer a
   unicast stream of packets to an emulated server, or the test
   instrument may simulate a client/server exchange by offering
   bi-directional traffic.

   This test will employ an iterative search algorithm. Each iteration
   will involve the test instrument varying the intended load until
   the maximum rate at which no packet loss occurs is found. Since
   backpressure mechanisms may be employed, resulting in the intended
   load and offered load being different, the test SHOULD be performed
   in either a packet-based or time-based manner as described in RFC
   2889 [5]. As with RFC 1242, the term packet is used in place of
   frame.
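   The search procedure above, worked through in code. This is an
   added example and is not part of RFC 3511 or of any test
   instrument; the DUT/SUT is replaced by a constructed model
   (SimulatedDUT) whose forwarding capacity is an assumption chosen
   for illustration, and the Ethernet framing overhead used to bound
   the search is likewise an assumption. The search keeps a known-good
   lower bound and halves the interval on each trial, each trial
   offers a fixed packet count (the packet-based manner of RFC 2889),
   records the log fields named in 5.1.5, and counts only IP-packet
   bits toward throughput as 5.1.4.1 requires.

```python
"""Iterative throughput search in the style of RFC 3511 section 5.1.3.

Added illustration, not code from the RFC or from a test instrument.
SimulatedDUT stands in for the firewall; its capacity is an assumption.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SimulatedDUT:
    """Constructed firewall model: forwards at most capacity_pps packets
    per second and silently drops the excess (assumption for the example)."""
    capacity_pps: int

    def forward(self, offered_pps: int, duration_s: int) -> int:
        """Packets forwarded over a trial of duration_s seconds."""
        return min(offered_pps, self.capacity_pps) * duration_s


@dataclass
class Iteration:
    """One entry of the per-iteration log described in 5.1.5."""
    step: int
    passed: bool
    packets_offered: int
    packets_forwarded: int
    intended_load_pps: int
    offered_load_pps: int
    forwarding_rate_pps: int


@dataclass
class ThroughputResult:
    packet_size: int
    duration_s: int
    throughput_pps: int
    throughput_bps: int
    forwarding_rate_pps: int  # observed at the specified maximum offered load
    log: List[Iteration] = field(default_factory=list)


def line_rate_pps(link_bps: int, packet_size: int, framing_bytes: int = 38) -> int:
    """Upper bound for the search: packets per second the link can carry.
    framing_bytes assumes Ethernet (14 header + 4 FCS + 8 preamble + 12 IFG).
    These bytes limit the offered rate but are never counted as throughput."""
    return link_bps // ((packet_size + framing_bytes) * 8)


def run_trial(dut: SimulatedDUT, step: int, intended_pps: int, duration_s: int) -> Iteration:
    """Packet-based trial: offer intended_pps * duration_s packets and
    compare with the forwarded count. Any loss fails the trial."""
    offered = intended_pps * duration_s
    forwarded = dut.forward(intended_pps, duration_s)
    # The model applies no backpressure, so offered load equals intended
    # load; a real instrument reports the two separately (5.1.5).
    return Iteration(step=step, passed=(forwarded == offered),
                     packets_offered=offered, packets_forwarded=forwarded,
                     intended_load_pps=intended_pps, offered_load_pps=intended_pps,
                     forwarding_rate_pps=forwarded // duration_s)


def throughput_search(dut: SimulatedDUT, packet_size: int, max_rate_pps: int,
                      duration_s: int = 30) -> ThroughputResult:
    """Binary search for the highest offered load with zero packet loss.
    low always holds a rate known to pass (0 pps trivially does); high is
    the highest rate not yet ruled out. Each trial lasts >= 30 s (5.1.3)."""
    if duration_s < 30:
        raise ValueError("RFC 3511 5.1.3: trial duration MUST be at least 30 seconds")
    low, high = 0, max_rate_pps
    log: List[Iteration] = []
    while low < high:
        mid = (low + high + 1) // 2
        it = run_trial(dut, len(log) + 1, mid, duration_s)
        log.append(it)
        if it.passed:
            low = mid
        else:
            high = mid - 1
    # Forwarding rate is reported for the specified maximum offered load.
    at_max = run_trial(dut, len(log) + 1, max_rate_pps, duration_s)
    log.append(at_max)
    return ThroughputResult(packet_size=packet_size, duration_s=duration_s,
                            throughput_pps=low,
                            # 5.1.4.1: IP header plus payload only, no link-layer bytes
                            throughput_bps=low * packet_size * 8,
                            forwarding_rate_pps=at_max.forwarding_rate_pps, log=log)


def report_row(result: ThroughputResult) -> dict:
    """One row of the 5.1.5 results table, keyed by its column names."""
    last = result.log[-1]
    return {"packet_size": result.packet_size,
            "intended_load_pps": last.intended_load_pps,
            "offered_load_pps": last.offered_load_pps,
            "throughput_pps": result.throughput_pps,
            "throughput_bps": result.throughput_bps,
            "forwarding_rate_pps": result.forwarding_rate_pps}


if __name__ == "__main__":
    # Constructed run: 1 Gbit/s link, 512-byte IP packets, 100 kpps DUT capacity.
    dut = SimulatedDUT(capacity_pps=100_000)
    res = throughput_search(dut, 512, line_rate_pps(1_000_000_000, 512))
    print(report_row(res))
    for it in res.log:
        print(f"step {it.step:2d} {'PASS' if it.passed else 'FAIL'} "
              f"intended={it.intended_load_pps} forwarded={it.packets_forwarded}")
```

   Run once per packet size with the DUT configuration unchanged, as
   5.1.3 directs, and keep the per-iteration log: a DUT whose capacity
   depends on packet size shows up as a different converged rate per
   row, while a DUT that applies backpressure shows up as a gap
   between the intended and offered columns.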
   The duration of the test portion of each trial MUST be at least 30
   seconds.

   It is RECOMMENDED to perform the throughput measurements with
   different packet sizes. When testing with different packet sizes,
   the DUT/SUT configuration MUST remain the same.

5.1.4 Measurement

5.1.4.1 Network Layer

   Throughput: Maximum offered load, expressed in either bits per
   second or packets per second, at which no packet loss is detected.
   The bits to be counted are in the IP packet (header plus payload);
   other fields, such as link-layer headers and trailers, MUST NOT be
   included in the measurement.

   Forwarding Rate: Forwarding rate, expressed in either bits per
   second or packets per second, the device is observed to
   successfully forward to the correct destination interface in
   response to a specified offered load. The bits to be counted are in
   the IP packet (header plus payload); other fields, such as
   link-layer headers and trailers, MUST NOT be included in the
   measurement.

5.1.5 Reporting Format

   The test report MUST note the packet size(s), test duration,
   throughput and forwarding rate. In addition, the test report MUST
   conform to the reporting requirements set in section 4, Test Setup.
   If the test involved offering packets which target more than one
   segment (Protected, Unprotected or DMZ), the report MUST identify
   the results as an aggregate throughput measurement.

   The throughput results SHOULD be reported in the format of a table
   with a row for each of the tested packet sizes.
   There SHOULD be columns for the packet size, the intended load, the
   offered load, resultant throughput and forwarding rate for each
   test.

   The intermediate results of the search algorithm MAY be saved in a
   log file which includes the packet size, test duration and, for
   each iteration:

   - Step Iteration
   - Pass/Fail Status
   - Total packets offered
   - Total packets forwarded
   - Intended load
   - Offered load (If applicable)
   - Forwarding rate

5.2 Concurrent TCP Connection Capacity

5.2.1 Objective

   To determine the maximum number of concurrent TCP connections
   supported through or with the DUT/SUT, as defined in RFC 2647 [1].
   This test is intended to find the maximum number of entries the
   DUT/SUT can store in its connection table.

5.2.2 Setup Parameters

   The following parameters MUST be defined for all tests:

5.2.2.1 Transport-Layer Setup Parameters

   Connection Attempt Rate: The aggregate rate, expressed in
   connections per second, at which TCP connection requests are
   attempted. The rate SHOULD be set at or lower than the maximum rate
   at which the DUT/SUT can accept connection requests.

   Aging Time: The time, expressed in seconds, the DUT/SUT will keep a
   connection in its connection table after receiving a TCP FIN or RST
   packet.

5.2.2.2 Application-Layer Setup Parameters

   Validation Method: HTTP 1.1 or higher MUST be used for this test
   for both clients and servers. The client and server MUST use the
   same HTTP version.

   Object Size: Defines the number of bytes, excluding any bytes
   associated with the HTTP header, to be transferred in response to
   an HTTP 1.1 or higher GET request.

5.2.3 Procedure

   This test will employ an iterative search algorithm to determine
   the maximum number of concurrent TCP connections supported through
   or with the DUT/SUT. For each iteration, the aggregate number of
   concurrent TCP connections attempted by the virtual client(s) will
   be varied. The destination address will be that of the server or
   that of the NAT proxy. The aggregate rate will be defined by the
   connection attempt rate, and connections will be attempted in a
   round-robin fashion (See 4.5).

   To validate all connections, the virtual client(s) MUST request an
   object using an HTTP 1.1 or higher GET request.
   The requests MUST be initiated on each connection after all of the
   TCP connections have been established.

   When testing proxy-based DUT/SUTs, the virtual client(s) MUST
   request two objects using HTTP 1.1 or higher GET requests. The
   first GET request is required for connection establishment time [1]
   measurements as specified in appendix B. The second request is used
   for validation as previously mentioned. When comparing proxy and
   non-proxy based DUT/SUTs, the test MUST be performed in the same
   manner.

   Between each iteration, it is RECOMMENDED that the test instrument
   issue a TCP RST referencing each connection attempted for the
   previous iteration, regardless of whether or not the connection
   attempt was successful. The test instrument will wait for the aging
   time before continuing to the next iteration.

5.2.4 Measurements

5.2.4.1 Application-Layer measurements

   Number of objects requested
   Number of objects returned

5.2.4.2 Transport-Layer measurements

   Maximum concurrent connections: Total number of TCP connections
   open for the last successful iteration performed in the search
   algorithm.

   Minimum connection establishment time: Lowest TCP connection
   establishment time measured, as defined in appendix B.

   Maximum connection establishment time: Highest TCP connection
   establishment time measured, as defined in appendix B.

   Average connection establishment time: The mean of all measurements
   of connection establishment times.

   Aggregate connection establishment time: The total of all
   measurements of connection establishment times.

5.2.5 Reporting Format

   The test report MUST conform to the reporting requirements set in
   section 4, Test Setup.

5.2.5.1 Application-Layer Reporting:

   The test report MUST note the object size, number of completed
   requests and number of completed responses.

   The intermediate results of the search algorithm MAY be reported in
   a tabular format with a column for each iteration. There SHOULD be
   rows for the number of requests attempted, number and percentage of
   requests completed, number of responses attempted, number and
   percentage of responses completed.
   The table MAY be combined with the transport-layer reporting,
   provided that the table identifies this as an application layer
   measurement.

   Version information: The test report MUST note the version of HTTP
   client(s) and server(s).

5.2.5.2 Transport-Layer Reporting:

   The test report MUST note the connection attempt rate, aging time,
   minimum TCP connection establishment time, maximum TCP connection
   establishment time, average connection establishment time,
   aggregate connection establishment time and maximum concurrent
   connections measured.

   The intermediate results of the search algorithm MAY be reported in
   the format of a table with a column for each iteration. There
   SHOULD be rows for the total number of TCP connections attempted,
   number and percentage of TCP connections completed, minimum TCP
   connection establishment time, maximum TCP connection establishment
   time, average connection establishment time and the aggregate
   connection establishment time.

5.3 Maximum TCP Connection Establishment Rate

5.3.1 Objective

   To determine the maximum TCP connection establishment rate through
   or with the DUT/SUT, as defined by RFC 2647 [1]. This test is
   intended to find the maximum rate at which the DUT/SUT can update
   its connection table.

5.3.2 Setup Parameters

   The following parameters MUST be defined for all tests:

5.3.2.1 Transport-Layer Setup Parameters

   Number of Connections: Defines the aggregate number of TCP
   connections that must be established.

   Aging Time: The time, expressed in seconds, the DUT/SUT will keep a
   connection in its state table after receiving a TCP FIN or RST
   packet.

5.3.2.2 Application-Layer Setup Parameters

   Validation Method: HTTP 1.1 or higher MUST be used for this test
   for both clients and servers. The client and server MUST use the
   same HTTP version.

   Object Size: Defines the number of bytes, excluding any bytes
   associated with the HTTP header, to be transferred in response to
   an HTTP 1.1 or higher GET request.

5.3.3 Procedure

   This test will employ an iterative search algorithm to determine
   the maximum rate at which the DUT/SUT can accept TCP connection
   requests. For each iteration, the aggregate rate at which TCP
   connection requests are attempted by the virtual client(s) will be
   varied. The destination address will be that of the server or that
   of the NAT proxy.
   The aggregate number of connections, defined by the number of
   connections parameter, will be attempted in a round-robin fashion
   (See 4.5).

   The same application-layer object transfers required for validation
   and establishment time measurements, as described in the concurrent
   TCP connection capacity test, MUST be performed.

   Between each iteration, it is RECOMMENDED that the test instrument
   issue a TCP RST referencing each connection attempted for the
   previous iteration, regardless of whether or not the connection
   attempt was successful. The test instrument will wait for the aging
   time before continuing to the next iteration.

5.3.4 Measurements

5.3.4.1 Application-Layer measurements

   Number of objects requested
   Number of objects returned

5.3.4.2 Transport-Layer measurements

   Highest connection rate: Highest rate, in connections per second,
   for which all connections successfully opened in the search
   algorithm.

   Minimum connection establishment time: Lowest TCP connection
   establishment time measured, as defined in appendix B.

   Maximum connection establishment time: Highest TCP connection
   establishment time measured, as defined in appendix B.

   Average connection establishment time: The mean of all measurements
   of connection establishment times.

   Aggregate connection establishment time: The total of all
   measurements of connection establishment times.

5.3.5 Reporting Format

   The test report MUST conform to the reporting requirements set in
   section 4, Test Setup.

5.3.5.1 Application-Layer Reporting:

   The test report MUST note object size(s), number of completed
   requests and number of completed responses.

   The intermediate results of the search algorithm MAY be reported in
   a tabular format with a column for each iteration. There SHOULD be
   rows for the number of requests attempted, number and percentage of
   requests completed, number of responses attempted, number and
   percentage of responses completed. The table MAY be combined with
   the transport-layer reporting, provided that the table identifies
   this as an application layer m