draft-ietf-bmwg-ipsec-term-07.txt   draft-ietf-bmwg-ipsec-term-08.txt 
Benchmarking Working Group M. Kaeo Benchmarking Working Group M. Kaeo
Internet-Draft Double Shot Security Internet-Draft Double Shot Security
Expires: May 5, 2006 T. Van Herck Expires: September 6, 2006 T. Van Herck
Cisco Systems Cisco Systems
M. Bustos M. Bustos
IXIA IXIA
November 2005 March 5, 2006
Terminology for Benchmarking IPsec Devices Terminology for Benchmarking IPsec Devices
draft-ietf-bmwg-ipsec-term-07 draft-ietf-bmwg-ipsec-term-08
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 37 skipping to change at page 1, line 37
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 5, 2006. This Internet-Draft will expire on September 6, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
This purpose of this document is to define terminology specific to This purpose of this document is to define terminology specific to
measuring the performance of IPsec devices. It builds upon the measuring the performance of IPsec devices. It builds upon the
tenets set forth in [RFC1242], [RFC2544], [RFC2285] and other IETF tenets set forth in [RFC1242], [RFC2544], [RFC2285] and other IETF
Benchmarking Methodology Working Group (BMWG) documents used for Benchmarking Methodology Working Group (BMWG) documents used for
benchmarking routers and switches. This document seeks to extend benchmarking routers and switches. This document seeks to extend
these efforts specific to the IPsec paradigm. The BMWG produces two these efforts specific to the IPsec paradigm. The BMWG produces two
major classes of documents: Benchmarking Terminology documents and major classes of documents: Benchmarking Terminology documents and
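Review bot: the Abstract still opens with the -07 typo "This purpose of this document is to define terminology"; it should read "The purpose of this document is to define terminology specific to measuring the performance of IPsec devices."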
skipping to change at page 3, line 22 skipping to change at page 3, line 22
9.1. IPsec Tunnels Per Second (TPS) . . . . . . . . . . . . . . 34 9.1. IPsec Tunnels Per Second (TPS) . . . . . . . . . . . . . . 34
9.2. Tunnel Rekeys Per Seconds (TRPS) . . . . . . . . . . . . . 35 9.2. Tunnel Rekeys Per Seconds (TRPS) . . . . . . . . . . . . . 35
9.3. IPsec Tunnel Attempts Per Second (TAPS) . . . . . . . . . 35 9.3. IPsec Tunnel Attempts Per Second (TAPS) . . . . . . . . . 35
10. Test Definitions . . . . . . . . . . . . . . . . . . . . . . . 36 10. Test Definitions . . . . . . . . . . . . . . . . . . . . . . . 36
10.1. Capacity . . . . . . . . . . . . . . . . . . . . . . . . . 36 10.1. Capacity . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.1.1. IKE SA Capacity . . . . . . . . . . . . . . . . . . . 36 10.1.1. IKE SA Capacity . . . . . . . . . . . . . . . . . . . 36
10.1.2. IPsec SA Capacity . . . . . . . . . . . . . . . . . . 37 10.1.2. IPsec SA Capacity . . . . . . . . . . . . . . . . . . 37
10.2. Throughput . . . . . . . . . . . . . . . . . . . . . . . . 37 10.2. Throughput . . . . . . . . . . . . . . . . . . . . . . . . 37
10.2.1. IPsec Throughput . . . . . . . . . . . . . . . . . . . 37 10.2.1. IPsec Throughput . . . . . . . . . . . . . . . . . . . 37
10.2.2. IPsec Encryption Throughput . . . . . . . . . . . . . 38 10.2.2. IPsec Encryption Throughput . . . . . . . . . . . . . 38
10.2.3. IPsec Decryption Throughput . . . . . . . . . . . . . 38 10.2.3. IPsec Decryption Throughput . . . . . . . . . . . . . 39
10.2.4. IPsec Fragmentation Throughput . . . . . . . . . . . . 39
10.2.5. IPsec Reassembly Throughput . . . . . . . . . . . . . 40
10.3. Latency . . . . . . . . . . . . . . . . . . . . . . . . . 40 10.3. Latency . . . . . . . . . . . . . . . . . . . . . . . . . 40
10.3.1. IPsec Latency . . . . . . . . . . . . . . . . . . . . 40 10.3.1. IPsec Latency . . . . . . . . . . . . . . . . . . . . 40
10.3.2. IPsec Encryption Latency . . . . . . . . . . . . . . . 41 10.3.2. IPsec Encryption Latency . . . . . . . . . . . . . . . 41
10.3.3. IPsec Decryption Latency . . . . . . . . . . . . . . . 42 10.3.3. IPsec Decryption Latency . . . . . . . . . . . . . . . 41
10.3.4. Time To First Packet . . . . . . . . . . . . . . . . . 42 10.3.4. Time To First Packet . . . . . . . . . . . . . . . . . 42
10.4. Frame Loss . . . . . . . . . . . . . . . . . . . . . . . . 43 10.4. Frame Loss . . . . . . . . . . . . . . . . . . . . . . . . 43
10.4.1. IPsec Frame Loss . . . . . . . . . . . . . . . . . . . 43 10.4.1. IPsec Frame Loss . . . . . . . . . . . . . . . . . . . 43
10.4.2. IPsec Encryption Frame Loss . . . . . . . . . . . . . 44 10.4.2. IPsec Encryption Frame Loss . . . . . . . . . . . . . 44
10.4.3. IPsec Decryption Frame Loss . . . . . . . . . . . . . 44 10.4.3. IPsec Decryption Frame Loss . . . . . . . . . . . . . 44
10.4.4. IKE Phase 2 Rekey Frame Loss . . . . . . . . . . . . . 45 10.4.4. IKE Phase 2 Rekey Frame Loss . . . . . . . . . . . . . 45
10.5. Back-to-back Frames . . . . . . . . . . . . . . . . . . . 46 10.5. Back-to-back Frames . . . . . . . . . . . . . . . . . . . 46
10.5.1. IPsec Back-to-back Frames . . . . . . . . . . . . . . 46 10.5.1. IPsec Back-to-back Frames . . . . . . . . . . . . . . 46
10.5.2. IPsec Encryption Back-to-back Frames . . . . . . . . . 46 10.5.2. IPsec Encryption Back-to-back Frames . . . . . . . . . 46
10.5.3. IPsec Decryption Back-to-back Frames . . . . . . . . . 47 10.5.3. IPsec Decryption Back-to-back Frames . . . . . . . . . 47
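Review bot: the entry for 9.2 reads "Tunnel Rekeys Per Seconds (TRPS)" in both versions; the unit is singular, "Tunnel Rekeys Per Second (TRPS)", matching "IPsec Tunnels Per Second (TPS)" in 9.1 and "IPsec Tunnel Attempts Per Second (TAPS)" in 9.3.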
skipping to change at page 3, line 50 skipping to change at page 3, line 48
10.6.1. IPsec Tunnel Setup Rate . . . . . . . . . . . . . . . 48 10.6.1. IPsec Tunnel Setup Rate . . . . . . . . . . . . . . . 48
10.6.2. IKE Phase 1 Setup Rate . . . . . . . . . . . . . . . . 49 10.6.2. IKE Phase 1 Setup Rate . . . . . . . . . . . . . . . . 49
10.6.3. IKE Phase 2 Setup Rate . . . . . . . . . . . . . . . . 49 10.6.3. IKE Phase 2 Setup Rate . . . . . . . . . . . . . . . . 49
10.7. IPsec Tunnel Rekey Behavior . . . . . . . . . . . . . . . 50 10.7. IPsec Tunnel Rekey Behavior . . . . . . . . . . . . . . . 50
10.7.1. IKE Phase 1 Rekey Rate . . . . . . . . . . . . . . . . 50 10.7.1. IKE Phase 1 Rekey Rate . . . . . . . . . . . . . . . . 50
10.7.2. IKE Phase 2 Rekey Rate . . . . . . . . . . . . . . . . 51 10.7.2. IKE Phase 2 Rekey Rate . . . . . . . . . . . . . . . . 51
10.8. IPsec Tunnel Failover Time . . . . . . . . . . . . . . . . 51 10.8. IPsec Tunnel Failover Time . . . . . . . . . . . . . . . . 51
11. Security Considerations . . . . . . . . . . . . . . . . . . . 52 11. Security Considerations . . . . . . . . . . . . . . . . . . . 52
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 52 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 52
13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 52 13. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 52
14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 52 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 53
14.1. Normative References . . . . . . . . . . . . . . . . . . . 52 14.1. Normative References . . . . . . . . . . . . . . . . . . . 53
14.2. Informative References . . . . . . . . . . . . . . . . . . 54 14.2. Informative References . . . . . . . . . . . . . . . . . . 54
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 56 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 56
Intellectual Property and Copyright Statements . . . . . . . . . . 57 Intellectual Property and Copyright Statements . . . . . . . . . . 57
1. Introduction 1. Introduction
Despite the need to secure communications over a public medium there Despite the need to secure communications over a public medium there
is no standard method of performance measurement nor a standard in is no standard method of performance measurement nor a standard in
the terminology used to develop such hardware and software solutions. the terminology used to develop such hardware and software solutions.
This results in varied implementations which challenge This results in varied implementations which challenge
skipping to change at page 36, line 36 skipping to change at page 36, line 36
10.1.1. IKE SA Capacity 10.1.1. IKE SA Capacity
Definition: Definition:
The maximum number of IKE SA's that can be sustained on an IPsec The maximum number of IKE SA's that can be sustained on an IPsec
Device. Device.
Discussion: Discussion:
TBD This metric will represent the quantity of peer a given IPsec
device can establish. It is the maximum number of Active Tunnels
that can be sustained by an IPsec Device.
Measurement Units: Measurement Units:
IKE SA's IKE SA's
Issues: Issues:
N/A N/A
See Also: See Also:
N/A IPsec SA Capacity
10.1.2. IPsec SA Capacity 10.1.2. IPsec SA Capacity
Definition: Definition:
The maximum number of IPsec SA's that can be sustained on an IPsec The maximum number of IPsec SA's that can be sustained on an IPsec
Device. Device.
Discussion: Discussion:
TBD This metric will represent the quantity of traffic flows a given
IPsec Device can protect. In contrast with the IKE SA Capacity,
the emphasis for this test lies on the number of IPsec SA's that
can be established in the worst case scenario. This scenario
would be a case where 1 IKE SA is used to negotiate multiple IPsec
SA's. It is the maximum number of Active Tunnels that can be
sustained by an IPsec Device where only 1 IKE SA is used to
exchange keying material.
Measurement Units: Measurement Units:
IPsec SA's IPsec SA's
Issues: Issues:
N/A N/A
See Also: See Also:
N/A IKE SA Capacity
10.2. Throughput 10.2. Throughput
10.2.1. IPsec Throughput 10.2.1. IPsec Throughput
Definition: Definition:
The maximum rate through an Active Tunnel at which none of the The maximum rate through an Active Tunnel at which none of the
offered frames are dropped by the device under test. offered frames are dropped by the device under test.
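Review bot: the new Discussion for 10.1.1 has a grammar slip ("the quantity of peer a given IPsec device can establish" should be "the number of peers with which a given IPsec Device can establish an IKE SA", capitalising "Device" as the rest of the section does), and it then defines the metric as "the maximum number of Active Tunnels that can be sustained", which is the same phrase 10.1.2 uses. Since 10.1.2 deliberately measures the case where one IKE SA negotiates multiple IPsec SAs, 10.1.1 should state the complementary case (one IPsec SA per IKE SA, each with a distinct peer) so the two capacities are distinguishable and cannot be reported as the same number. Under Measurement Units, "IKE SA's" and "IPsec SA's" use an apostrophe for a plural; "IKE SAs" and "IPsec SAs" is the usual form.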
skipping to change at page 38, line 41 skipping to change at page 38, line 49
originate and terminate IPsec and IKE SA. As defined in originate and terminate IPsec and IKE SA. As defined in
[RFC1242], measurements should be taken with an assortment of [RFC1242], measurements should be taken with an assortment of
frame sizes. frame sizes.
Measurement Units: Measurement Units:
Packets per seconds (pps) Packets per seconds (pps)
Issues: Issues:
N/A In some cases packets are offered to an IPsec Device that have a
framesize that is larger then the MTU of the ingress interface of
the IPsec Tunnel that is transporting the packet. In this case
fragmentation will be required before IPsec services are applied.
In other cases, the packet is of a size very close to the MTU of
the egress interface of the IPsec Tunnel. Here, the mere addition
of the IPsec header will create enough overhead to make the IPsec
packet larger then the MTU of the egress interface. In such
instance, the original payload packet must be fragmented either
before or after the IPsec overhead is applied.
Note that the two aforementioned scenario's can happen
simultaniously on a single packet, creating multiple small
fragments.
When measuring the IPsec Encryption Throughput, one has to
consider that when probing with packets of a size near MTU's
associated with the IPsec Tunnel, fragmentation may accor and the
decrypting IPsec Device (either a tester or a corresponding IPsec
peer) has to reassemble the IPsec and/or payload fragments to
validate its content.
The end points (i.e. hosts, subnets) should NOT see any fragments
at ANY time. Only on the IPsec link, fragments MAY occur.
See Also: See Also:
IPsec Throughput, IPsec Decryption Throughput IPsec Throughput, IPsec Decryption Throughput
10.2.3. IPsec Decryption Throughput 10.2.3. IPsec Decryption Throughput
Definition: Definition:
The maximum decryption rate through an Active Tunnel at which none The maximum decryption rate through an Active Tunnel at which none
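Review bot: the new Issues text for 10.2.2 needs a spelling pass ("larger then", twice, should be "larger than"; "framesize" should be "frame size"; "scenario's" should be "scenarios"; "simultaniously" should be "simultaneously"; "fragmentation may accor" should be "fragmentation may occur"; "In such instance" should be "In such an instance"). More importantly, the text now explains that one offered packet can become several IPsec fragments on the link, while Measurement Units stays "Packets per seconds (pps)" (also "per second"); the metric should say which count the rate refers to, the offered cleartext packets at the ingress interface or the IPsec packets emitted on the egress interface, otherwise two testers will report different throughput numbers for the same DUT. The sentence "The end points (i.e. hosts, subnets) should NOT see any fragments at ANY time" reads as a requirement on the DUT/SUT rather than an Issue; if it is meant normatively it should say that the tester verifies reassembly before counting a packet as forwarded.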
skipping to change at page 39, line 26 skipping to change at page 40, line 9
of an IPsec aware test device that can originate and terminate of an IPsec aware test device that can originate and terminate
IPsec and IKE SA. As defined in [RFC1242], measurements should be IPsec and IKE SA. As defined in [RFC1242], measurements should be
taken with an assortment of frame sizes. taken with an assortment of frame sizes.
Measurement Units: Measurement Units:
Packets per seconds (pps) Packets per seconds (pps)
Issues: Issues:
Recommended test frame sizes will be addressed in future When measuring the IPsec Decryption Throughput, one has to
methodology document. consider that it is likely that the encrypting IPsec Device has to
fragment certain packets that have a frame size near MTU's
See Also: associated with the IPsec Tunnel.
IPsec Throughput, IPsec Encryption Throughput
10.2.4. IPsec Fragmentation Throughput
Definition:
The maximum rate through an Active Tunnel at which none of the
offered frames ,which require fragmentation after applying the
transform overhead, are dropped by the device under test.
Discussion:
TBD
Measurement Units:
Packets per seconds (pps)
Issues:
N/A
See Also:
N/A
10.2.5. IPsec Reassembly Throughput
Definition:
The maximum rate through an Active Tunnel at which none of the
offered fragmented frames are dropped by the device under test.
Discussion:
TBD
Measurement Units:
Packets per seconds (pps)
Issues: The decrypting IPsec Device has to reassemble the IPsec and/or
payload fragments to validate its content.
N/A The end points (i.e. hosts, subnets) should NOT see any fragments
at ANY time. Only on the IPsec link, fragments MAY occur.
See Also: See Also:
N/A IPsec Throughput, IPsec Encryption Throughput
10.3. Latency 10.3. Latency
10.3.1. IPsec Latency 10.3.1. IPsec Latency
Definition: Definition:
Time required to propagate a cleartext frame from the input Time required to propagate a cleartext frame from the input
interface of an initiator, through an Active Tunnel, to the output interface of an initiator, through an Active Tunnel, to the output
interface of the responder. interface of the responder.
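Review bot: the two added sections 10.2.4 and 10.2.5 ship with "Discussion: TBD" and "See Also: N/A", yet the Issues paragraphs added to 10.2.2 and 10.2.3 in this same revision describe exactly the cases these sections measure; at minimum the See Also entries should point at IPsec Encryption Throughput and IPsec Decryption Throughput (and vice versa), and the sentence "The decrypting IPsec Device has to reassemble the IPsec and/or payload fragments to validate its content" belongs in the 10.2.5 Discussion as much as in 10.2.3 Issues. The 10.2.4 Definition limits itself to frames "which require fragmentation after applying the transform overhead", but 10.2.2 Issues distinguishes pre-fragmentation (packet larger than the ingress MTU, fragmented before IPsec services are applied) from post-fragmentation (packet near the egress MTU, fragmented after the overhead is added); the definition should say whether both cases are in scope or only the latter. For 10.2.5, state whether the offered fragments are IPsec fragments (outer packets reassembled before decryption) or cleartext payload fragments (reassembled after decryption), since the DUT does different work in each case. Also fix the spacing in "offered frames ,which require" and change "Packets per seconds" to "Packets per second" throughout.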
skipping to change at page 52, line 11 skipping to change at page 52, line 11
Time required to recover all IPsec Tunnels on a stanby IPsec Time required to recover all IPsec Tunnels on a stanby IPsec
Device, after a catastrophic failure occurs on the active IPsec Device, after a catastrophic failure occurs on the active IPsec
Device. Device.
Discussion: Discussion:
Recovery time required to re-establish all IPsec Tunnels and Recovery time required to re-establish all IPsec Tunnels and
reroute all traffic on a standby node or other failsafe system reroute all traffic on a standby node or other failsafe system
after a failure has occurred in the DUT/SUT. Failure can include after a failure has occurred in the DUT/SUT. Failure can include
but are not limited to a catastrophic IPsec Device failure, a but are not limited to a catastrophic IPsec Device failure, a
encryption engine failure, link outage. The recovery time is encryption engine failure, link outage, etc ... . The recovery
delta between the point of failure and the time the first packet time is delta between the point of failure and the time the first
is seen on the last restored IPsec Tunnel on the backup device. packet is seen on the last restored IPsec Tunnel on the backup
device.
Measurement Units: Measurement Units:
Time units with enough precision to reflect IPsec Tunnel Failover Time units with enough precision to reflect IPsec Tunnel Failover
Time. Time.
Issues: Issues:
N/A N/A
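Review bot: the 10.8 Definition still says "stanby IPsec Device" (should be "standby"), and the Discussion has "Failure can include but are not limited to" (should be "Failures can include, but are not limited to,"), "a encryption engine failure" (should be "an encryption engine failure"), "link outage, etc ... ." (drop the trailing ellipsis and write "or a link outage") and "The recovery time is delta between" (should be "is the delta between"). On substance, the measurement ends at the first packet seen on the last restored tunnel on the backup device, but the text does not say whether the standby must negotiate fresh IKE and IPsec SAs or may take over synchronised SA state; those two designs give very different failover times, so the Issues entry should name this as a reported test condition rather than "N/A".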
skipping to change at page 57, line 41 skipping to change at page 57, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 19 change blocks. 
68 lines changed or deleted 61 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/