Re: [bmwg] IPsec drafts - implementation issues

[Merike Kaeo <kaeo at merike.com>]

Hello.....

I wanted to touch base with Tim, my co-author on this one before
definitively replying our position.

We both feel that the document should stand as is for the tests that
require the tester to be IPsec-aware.....the intent was to create tests
that are useful for understanding issues/concerns in a real-world
environment and would act as incentive to the industry for following
our recommendations.

As for Yaron's comment on section 14, it is reasonable to also add a
single tunnel, maximum throughput failover case.

- merike


On Jun 28, 2008, at 9:30 AM, Al Morton wrote:

> Hi Yaron, Merike, and all,
>
> One of the chairman's jobs is to stimulate the discussion
> needed to close open issues by summarizing a thread.
> While most of the issues raised on the IPsec drafts were
> discussed and closed, the message below is just hanging
> out there.
>
> *****************************************************************
> I'm asking bmwg folks to think about this and weigh-in with their
> opinions ASAP.  The I-D submission deadlines are looming, and we
> need to make some progress on this (and all our current work).
> *****************************************************************
>
> Yaron's message opened an issue, essentially pointing to
> a mismatch between procedures which assume that the
> negotiation phases are distinguishable/measurable, and
> the capabilities of the equipment he and his colleagues are
> familiar with.  As I see it, we have some options:
>
> A Move forward with the procedures as they are, endorsing
>   the useful information collected and giving the industry an
>   incentive to follow our recommendations.
>
> B Modify the procedures to recognize limitations of some measurement
>   systems, possibly making the some steps optional (if that would  
> work).
>
> C+ Other options.
>
> thanks for your attention,
> Al
> bmwg chair
>
> At 10:32 AM 3/20/2008, Yaron Sheffer wrote:
>
> > Hi Merike,
> >
> > Just when we thought we had finished this round...
> >
> > I have been looking at the IPsec drafts with our performance lab  
> > people, and we have some questions regarding our ability to  
> > implement some of the tests.
> >
> > Background:
> >
> > For performance testing, we use COTS test equipment from the large  
> > equipment vendors. The equipment is IPsec-aware, but used in a  
> > black-box fashion. For example, you cannot pause between IKE phase  
> > 1 and phase 2 negotiation.
> >
> > Specifics (all related to the methodology draft):
> > Tests 12.1, 12.2, 12.3 all require "single stepping" the different  
> > negotiation phases.
> > Similarly for 13.1 and 13.2.
> > Sec. 14 (this is NOT an implementation issue:) in addition to the  
> > many-tunnels case, we would also like to benchmark the single- 
> > tunnel, maximum throughput failover case. This is similar to many  
> > real life deployments of site-to-site VPNs.
> > Thanks,
> >     Yaron
> >
> >
> >
> > _______________________________________________
> > bmwg mailing list
> > bmwg at ietf.org
> > https://www.ietf.org/mailman/listinfo/bmwg

_______________________________________________
bmwg mailing list
bmwg at ietf.org
https://www.ietf.org/mailman/listinfo/bmwg