Hi Merike,
I can live with this resolution.
We, and other implementors, will have to wait for test equipment
vendors to make progress on this front.
Thanks,
Yaron
Merike Kaeo wrote:
Hello.....
I wanted to touch base with Tim, my co-author on this one, before
definitively replying with our position.
We both feel that the document should stand as is for the tests that
require the tester to be IPsec-aware.....the intent was to create tests
that are useful for understanding issues/concerns in a real-world
environment and would act as incentive to the industry for following
our recommendations.
As for Yaron's comment on section 14, it is reasonable to also add a
single tunnel, maximum throughput failover case.
- merike
On Jun 28, 2008, at 9:30 AM, Al Morton wrote:
Hi Yaron, Merike, and all,
One of the chairman's jobs is to stimulate the discussion
needed to close open issues by summarizing a thread.
While most of the issues raised on the IPsec drafts were
discussed and closed, the message below is just hanging
out there.
*****************************************************************
I'm asking bmwg folks to think about this and weigh-in with their
opinions ASAP. The I-D submission deadlines are looming, and we
need to make some progress on this (and all our current work).
*****************************************************************
Yaron's message opened an issue, essentially pointing to
a mismatch between procedures which assume that the
negotiation phases are distinguishable/measurable, and
the capabilities of the equipment he and his colleagues are
familiar with. As I see it, we have some options:
A Move forward with the procedures as they are, endorsing
the useful information collected and giving the industry an
incentive to follow our recommendations.
B Modify the procedures to recognize limitations of some measurement
systems, possibly making some steps optional (if that would
work).
C+ Other options.
thanks for your attention,
Al
bmwg chair
At 10:32 AM 3/20/2008, Yaron Sheffer wrote:
Hi Merike,
Just when we thought we had finished this round...
I have been looking at the IPsec drafts with our performance lab
people, and we have some questions regarding our ability to implement
some of the tests.
Background:
For performance testing, we use COTS test equipment from the large
equipment vendors. The equipment is IPsec-aware, but used in a
black-box fashion. For example, you cannot pause between IKE phase 1
and phase 2 negotiation.
Specifics (all related to the methodology draft):
Tests 12.1, 12.2, 12.3 all require "single stepping" the different
negotiation phases.
Similarly for 13.1 and 13.2.
Sec. 14 (this is NOT an implementation issue:) in addition to the
many-tunnels case, we would also like to benchmark the single-tunnel,
maximum throughput failover case. This is similar to many real life
deployments of site-to-site VPNs.
Thanks,
Yaron
_______________________________________________
bmwg mailing list
bmwg at ietf.org
https://www.ietf.org/mailman/listinfo/bmwg