IPsec Benchmarking Terminology/Methodology IETF69 - Chicago, USA

1
IPsec Benchmarking Terminology/Methodology
IETF69 - Chicago, USA
  • Merike Kaeo
  • merike_at_doubleshotsecurity.com

2
Latest Documents
  • Terminology for Benchmarking IPsec Devices
  • draft-ietf-bmwg-ipsec-term-09.txt
  • Methodology for Benchmarking IPsec Devices
  • draft-ietf-bmwg-ipsec-meth-02.txt

3
Terminology Document Changes
  • Updated all references to latest IPsec RFCs
  • Adding limited and scoped DoS Testing
      • IKE Phase 1 PSK or certificate mismatch
      • IKE Phase 2 hash mismatch (for AH or ESP/Null)
      • Replay attack
  • Still need to clean up section 8 Framesizes
      • Need to clean up examples for IPv4/IPv6 cleartext and IPv4/IPv6 IPsec protected framesizes
  • New consideration regarding section 10.5 Back-to-Back Frames
      • Is this test still relevant?
      • Should the length of the burst be different than that which is defined in RFC1242?

4
Methodology Document Changes
  • Updated all references to latest IPsec RFCs
  • Modified transform sets to conform to latest algorithms
  • Updated security context parameters
  • Back-to-Back Frame Baseline
      • The back-to-back value is the number of frames in the longest burst that the DUT will handle without the loss of any frames. The trial length MUST be at least 2 seconds and SHOULD be repeated at least 50 times with the average of the recorded values being reported.
      • Is above text appropriate or should length of trial be increased?
  • Need to still add DoS Resiliency Methodology
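
The back-to-back baseline quoted on this slide, worked through as an added Python example (not code from the presentation or the drafts). It searches for the longest lossless burst within a 2-second trial and averages 50 trials. Assumptions: the binary-search strategy, the 20-byte Ethernet framing overhead, the constructed DUT model, and all function names are illustrative.

```python
import random

ETH_OVERHEAD = 20  # preamble (8) + inter-frame gap (12), bytes per Ethernet frame

def line_rate_fps(link_bps, frame_size):
    """Frames per second at line rate for frame_size bytes (including FCS)."""
    return link_bps // ((frame_size + ETH_OVERHEAD) * 8)

def longest_lossless_burst(send_burst, max_burst):
    """Binary-search the longest burst forwarded with zero loss.

    send_burst(n) offers n back-to-back frames and returns the number received.
    Assumes that if a burst of n frames is lossless, every shorter burst is too.
    """
    lo, hi = 0, max_burst  # lo is known lossless, hi is the largest candidate
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if send_burst(mid) == mid:
            lo = mid
        else:
            hi = mid - 1
    return lo

def back_to_back(dut_for_trial, link_bps, frame_size, trial_seconds=2, trials=50):
    """Return (average, per-trial values) of the back-to-back measurement."""
    if trial_seconds < 2:
        raise ValueError("trial length MUST be at least 2 seconds")
    max_burst = line_rate_fps(link_bps, frame_size) * trial_seconds
    values = [longest_lossless_burst(dut_for_trial(t), max_burst)
              for t in range(trials)]
    return sum(values) / len(values), values

def make_model_dut(line_fps, crypto_fps, buffer_frames, rng):
    """Constructed DUT model: frames queue while a slower crypto engine drains."""
    free = buffer_frames - rng.randint(0, 8)  # per-trial variation in free buffers
    def send_burst(n):
        backlog = n - (n * crypto_fps) // line_fps  # frames queued at end of burst
        return n if backlog <= free else n - (backlog - free)
    return send_burst

if __name__ == "__main__":
    rng = random.Random(69)  # fixed seed so the run is repeatable
    fps = line_rate_fps(10**9, 64)
    avg, values = back_to_back(
        lambda t: make_model_dut(fps, fps // 2, 4096, rng), 10**9, 64)
    print(f"line rate {fps} fps, back-to-back avg {avg:.1f} "
          f"(min {min(values)}, max {max(values)}) over {len(values)} trials")
```

A DUT that never drops a frame reports the full 2-second burst as its value, which is why the trial length bounds what this test can distinguish.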

5
Final Steps.
  • Input on missing items would be useful
  • Will ask for last call on next revisions of both
    documents