Network Working Group D. Newman Request for Comments: 2647 Data Communications Category: Informational August 1999
Network Working Group D. Newman Request for Comments: 2647 Data Communications Category: Informational August 1999
Benchmarking Terminology for Firewall Performance
防火墙性能基准术语
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
Table of Contents
目录
1. Introduction...................................................2 2. Existing definitions...........................................2 3. Term definitions...............................................3 3.1 Allowed traffic...............................................3 3.2 Application proxy.............................................3 3.3 Authentication................................................4 3.4 Bit forwarding rate...........................................5 3.5 Circuit proxy.................................................6 3.6 Concurrent connections........................................6 3.7 Connection....................................................7 3.8 Connection establishment......................................9 3.9 Connection establishment time.................................9 3.10 Connection maintenance......................................10 3.11 Conection overhead..........................................11 3.12 Connection teardown.........................................11 3.13 Connection teardown time....................................12 3.14 Data source.................................................12 3.15 Demilitarized zone..........................................13 3.16 Firewall....................................................13 3.17 Goodput.....................................................14 3.18 Homed.......................................................15 3.19 Illegal traffic.............................................15 3.20 Logging.....................................................16 3.21 Network address translation.................................16 3.22 Packet filtering............................................17 3.23 Policy......................................................17 3.24 Protected network...........................................18 3.25 Proxy.......................................................19 3.26 Rejected traffic............................................19
1. Introduction...................................................2 2. Existing definitions...........................................2 3. Term definitions...............................................3 3.1 Allowed traffic...............................................3 3.2 Application proxy.............................................3 3.3 Authentication................................................4 3.4 Bit forwarding rate...........................................5 3.5 Circuit proxy.................................................6 3.6 Concurrent connections........................................6 3.7 Connection....................................................7 3.8 Connection establishment......................................9 3.9 Connection establishment time.................................9 3.10 Connection maintenance......................................10 3.11 Conection overhead..........................................11 3.12 Connection teardown.........................................11 3.13 Connection teardown time....................................12 3.14 Data source.................................................12 3.15 Demilitarized zone..........................................13 3.16 Firewall....................................................13 3.17 Goodput.....................................................14 3.18 Homed.......................................................15 3.19 Illegal traffic.............................................15 3.20 Logging.....................................................16 3.21 Network address translation.................................16 3.22 Packet filtering............................................17 3.23 Policy......................................................17 3.24 Protected network...........................................18 3.25 Proxy.......................................................19 3.26 Rejected traffic............................................19
3.27 Rule set....................................................20 3.28 Security association........................................20 3.29 Stateful packet filtering...................................21 3.30 Tri-homed...................................................22 3.31 Unit of transfer............................................22 3.32 Unprotected network.........................................23 3.33 User........................................................23 4. Security considerations.......................................24 5. References....................................................25 6. Acknowledgments...............................................25 7. Contact Information...........................................25 8. Full Copyright Statement......................................26
3.27 Rule set....................................................20 3.28 Security association........................................20 3.29 Stateful packet filtering...................................21 3.30 Tri-homed...................................................22 3.31 Unit of transfer............................................22 3.32 Unprotected network.........................................23 3.33 User........................................................23 4. Security considerations.......................................24 5. References....................................................25 6. Acknowledgments...............................................25 7. Contact Information...........................................25 8. Full Copyright Statement......................................26
This document defines terms used in measuring the performance of firewalls. It extends the terminology already used for benchmarking routers and switches with definitions specific to firewalls.
本文档定义了用于测量防火墙性能的术语。它使用特定于防火墙的定义扩展了路由器和交换机基准测试中已经使用的术语。
Forwarding rate and connection-oriented measurements are the primary metrics used in this document.
转发速率和面向连接的度量是本文档中使用的主要度量。
Why do we need firewall performance measurements? First, despite the rapid rise in firewall deployment, there is no standard method of performance measurement. Second, implementations vary widely, making it difficult to do direct performance comparisons. Finally, more and more organizations are deploying firewalls on internal networks operating at relatively high speeds, while most firewall implementations remain optimized for use over relatively low-speed wide-area connections. As a result, users are often unsure whether the products they buy will stand up to relatively heavy loads.
为什么我们需要防火墙性能度量?首先,尽管防火墙部署迅速增加,但没有标准的性能度量方法。其次,实现差异很大,因此很难进行直接的性能比较。最后,越来越多的组织正在以相对高速运行的内部网络上部署防火墙,而大多数防火墙实现仍在优化,以便在相对低速的广域连接上使用。因此,用户往往不确定他们购买的产品是否能够承受相对较重的负载。
This document uses the conceptual framework established in RFCs 1242 and 2544 (for routers) and RFC 2285 (for switches). The router and switch documents contain discussions of several terms relevant to benchmarking the performance of firewalls. Readers should consult the router and switch documents before making use of this document.
本文件使用RFC 1242和2544(路由器)和RFC 2285(交换机)中建立的概念框架。路由器和交换机文档包含与防火墙性能基准测试相关的几个术语的讨论。在使用本文档之前,读者应查阅路由器和交换机文档。
This document uses the definition format described in RFC 1242, Section 2. The sections in each definition are: definition, discussion, measurement units (optional), issues (optional), and cross-references.
本文件使用RFC 1242第2节中所述的定义格式。每个定义中的部分是:定义、讨论、度量单位(可选)、问题(可选)和交叉引用。
Definition: Packets forwarded as a result of the rule set of the device under test/system under test (DUT/SUT).
定义:根据被测设备/被测系统(DUT/SUT)的规则集转发的数据包。
Discussion: Firewalls typically are configured to forward only those packets explicitly permitted in the rule set. Forwarded packets must be included in calculating the bit forwarding rate or maximum bit forwarding rate of the DUT/SUT. All other packets must not be included in bit forwarding rate calculations.
讨论:防火墙通常配置为仅转发规则集中明确允许的数据包。在计算DUT/SUT的比特转发速率或最大比特转发速率时,必须包括转发的数据包。比特转发速率计算中不得包括所有其他数据包。
This document assumes 1:1 correspondence of allowed traffic offered to the DUT/SUT and forwarded by the DUT/SUT. There are cases where the DUT/SUT may forward more traffic than it is offered; for example, the DUT/SUT may act as a mail exploder or a multicast server. Any attempt to benchmark forwarding rates of such traffic must include a description of how much traffic the tester expects to be forwarded.
本文件假设提供给DUT/SUT并由DUT/SUT转发的允许通信量为1:1。在某些情况下,DUT/SUT转发的流量可能超过其提供的流量;例如,DUT/SUT可以充当邮件分解器或多播服务器。任何对此类流量的转发速率进行基准测试的尝试都必须包括对测试仪预期转发的流量的描述。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: policy rule set
另请参见:策略规则集
Definition: A proxy service that is set up and torn down in response to a client request, rather than existing on a static basis.
定义:为响应客户机请求而设置和拆除的代理服务,而不是静态存在的代理服务。
Discussion: Circuit proxies always forward packets containing a given port number if that port number is permitted by the rule set. Application proxies, in contrast, forward packets only once a connection has been established using some known protocol. When the connection closes, a firewall using applicaton proxies rejects individual packets, even if they contain port numbers allowed by a rule set.
讨论:如果规则集允许某个端口号,则电路代理始终转发包含该端口号的数据包。相反,应用程序代理仅在使用某些已知协议建立连接后转发数据包。当连接关闭时,使用applicaton代理的防火墙会拒绝单个数据包,即使它们包含规则集允许的端口号。
Unit of measurement: not applicable
计量单位:不适用
Issues: circuit proxy rule sets
问题:回路代理规则集
See also: allowed traffic circuit proxy proxy rejected traffic rule set
另请参见:允许的通信线路代理拒绝的通信规则集
Definition: The process of verifying that a user requesting a network resource is who he, she, or it claims to be, and vice versa.
定义:验证请求网络资源的用户是否是他、她或它声称的用户的过程,反之亦然。
Discussion: Trust is a critical concept in network security. Any network resource (such as a file server or printer) typically requires authentication before granting access.
讨论:信任是网络安全中的一个重要概念。任何网络资源(如文件服务器或打印机)在授予访问权限之前通常都需要身份验证。
Authentication takes many forms, including but not limited to IP addresses; TCP or UDP port numbers; passwords; external token authentication cards; and biometric identification such as signature, speech, or retina recognition systems.
身份验证有多种形式,包括但不限于IP地址;TCP或UDP端口号;密码;外部令牌认证卡;以及生物特征识别,如签名、语音或视网膜识别系统。
The entity being authenticated might be the client machine (for example, by proving that a given IP source address really is that address, and not a rogue machine spoofing that address) or a user (by proving that the user really is who he, she, or it claims to be). Servers might also authenticate themselves to clients.
被验证的实体可能是客户端计算机(例如,通过证明给定的IP源地址确实是该地址,而不是伪造该地址的恶意计算机)或用户(通过证明该用户确实是他、她或其声称的用户)。服务器也可以向客户机进行身份验证。
Testers should be aware that in an increasingly mobile society, authentication based on machine-specific criteria such as an IP address or port number is not equivalent to verifying that a given individual is making an access request. At this writing systems that verify the identity of users are typically external to the firewall, and may introduce additional latency to the overall SUT.
测试人员应该意识到,在日益移动的社会中,基于特定于机器的标准(如IP地址或端口号)的身份验证并不等同于验证给定的个人是否正在发出访问请求。此时,验证用户身份的写入系统通常位于防火墙外部,并且可能会给整个SUT带来额外的延迟。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: user
另见:用户
Definition: The number of bits per second of allowed traffic a DUT/SUT can be observed to transmit to the correct destination interface(s) in response to a specified offered load.
定义:DUT/SUT每秒可观察到的允许通信量的位数,以响应指定的提供负载,将其传输到正确的目标接口。
Discussion: This definition differs substantially from section 3.17 of RFC 1242 and section 3.6.1 of RFC 2285.
讨论:该定义与RFC 1242第3.17节和RFC 2285第3.6.1节有很大不同。
Unlike both RFCs 1242 and 2285, this definition introduces the notion of different classes of traffic: allowed, illegal, and rejected (see definitions for each term). For benchmarking purposes, it is assumed that bit forwarding rate measurements include only allowed traffic.
与RFCs 1242和2285不同,该定义引入了不同类别流量的概念:允许、非法和拒绝(参见每个术语的定义)。出于基准测试目的,假设比特转发速率测量仅包括允许的流量。
Unlike RFC 1242, there is no reference to lost or retransmitted data. Forwarding rate is assumed to be a goodput measurement, in that only data successfully forwarded to the destination interface is measured. Bit forwarding rate must be measured in relation to the offered load. Bit forwarding rate may be measured with differed load levels, traffic orientation, and traffic distribution.
与RFC 1242不同的是,没有对丢失或重新传输数据的引用。转发速率被认为是一个goodput度量,因为只有成功转发到目标接口的数据才会被度量。比特转发速率必须根据提供的负载进行测量。比特转发速率可以通过不同的负载水平、业务方向和业务分布来测量。
Unlike RFC 2285, this measurement counts bits per second rather than frames per second. Testers interested in frame (or frame-like) measurements should use units of transfer.
与RFC2285不同的是,此测量每秒计数位,而不是每秒计数帧。对帧(或类似帧)测量感兴趣的测试人员应使用传输单位。
Unit of measurement: bits per second
测量单位:位/秒
Issues: Allowed traffic vs. rejected traffic
问题:允许流量与拒绝流量
See also: allowed traffic goodput illegal traffic rejected traffic unit of transfer
另请参见:允许流量goodput非法流量拒绝传输的流量单位
Definition: A proxy service that statically defines which traffic will be forwarded.
定义:静态定义将转发哪些流量的代理服务。
Discussion: The key difference between application and circuit proxies is that the latter are static and thus will always set up a connection if the DUT/SUT's rule set allows it. For example, if a firewall's rule set permits ftp connections, a circuit proxy will always forward traffic on TCP port 20 (ftp-data) even if no control connection was first established on TCP port 21 (ftp-control).
讨论:应用程序代理和电路代理之间的关键区别在于后者是静态的,因此,如果DUT/SUT的规则集允许,将始终建立连接。例如,如果防火墙的规则集允许ftp连接,则电路代理将始终转发TCP端口20(ftp数据)上的流量,即使TCP端口21(ftp控制)上未首先建立控制连接。
Unit of measurement: not applicable
计量单位:不适用
Issues: application proxy rule sets
问题:应用程序代理规则集
See also: allowed traffic application proxy proxy rejected traffic rule set
另请参见:允许的流量应用程序代理拒绝的流量规则集
Definition: The aggregate number of simultaneous connections between hosts across the DUT/SUT, or between hosts and the DUT/SUT.
定义:DUT/SUT上主机之间或主机与DUT/SUT之间同时连接的总数。
Discussion: The number of concurrent connections a firewall can support is just as important a metric for some users as maximum bit forwarding rate.
讨论:防火墙可以支持的并发连接数对于某些用户来说与最大比特转发率同样重要。
While "connection" describes only a state and not necessarily the transfer of data, concurrency assumes that all existing connections are in fact capable of transferring data. If a data cannot be sent over a connection, that connection should not be counted toward the number of concurrent connections.
虽然“连接”仅描述一种状态,而不一定描述数据的传输,但并发性假设所有现有连接实际上都能够传输数据。如果无法通过连接发送数据,则该连接不应计入并发连接数。
Further, this definition assumes that the ability (or lack thereof) to transfer data on a given connection is solely the responsibility of the DUT/SUT. For example, a TCP connection that a DUT/SUT has
此外,该定义假设在给定连接上传输数据的能力(或缺乏能力)完全由DUT/SUT负责。例如,DUT/SUT具有的TCP连接
left in a FIN_WAIT_2 state clearly should not be counted. But another connection that has temporarily stopped transferring data because some external device has restricted the flow of data is not necessarily defunct. The tester should take measures to isolate changes in connection state to those effected by the DUT/SUT.
处于FIN_WAIT_2状态的左侧显然不应计算在内。但另一个由于某些外部设备限制了数据流而暂时停止传输数据的连接不一定会失效。测试仪应采取措施,将连接状态的变化与受DUT/SUT影响的变化隔离开来。
Unit of measurement: Concurrent connections Maximum number of concurrent connections
度量单位:并发连接最大并发连接数
Issues:
问题:
See also: connections connection establishment time connection overhead
另请参见:连接建立时间连接开销
Definition: A state in which two hosts, or a host and the DUT/SUT, agree to exchange data using a known protocol.
定义:两台主机或一台主机和DUT/SUT同意使用已知协议交换数据的状态。
Discussion: A connection is an abstraction describing an agreement between two nodes: One agrees to send data and the other agrees to receive it.
讨论:连接是描述两个节点之间协议的抽象:一个同意发送数据,另一个同意接收数据。
Connections might use TCP, but they don't have to. Other protocols such as ATM also might be used, either instead of or in addition to TCP connections.
连接可能使用TCP,但不一定要使用。也可以使用其他协议,如ATM,代替TCP连接或在TCP连接之外使用。
What constitutes a connection depends on the application. For a native ATM application, connections and virtual circuits may be synonymous. For TCP/IP applications on ATM networks (where multiple TCP connections may ride over a single ATM virtual circuit), the number of TCP connections may be the most important consideration.
什么构成连接取决于应用程序。对于本机ATM应用程序,连接和虚拟电路可能是同义的。对于ATM网络上的TCP/IP应用程序(其中多个TCP连接可能跨越单个ATM虚拟电路),TCP连接的数量可能是最重要的考虑因素。
Additionally, in some cases firewalls may handle a mixture of native TCP and native ATM connections. In this situation, the wrappers around user data will differ. The most meaningful metric describes what an end-user will see.
此外,在某些情况下,防火墙可能处理本机TCP和本机ATM连接的混合。在这种情况下,围绕用户数据的包装将有所不同。最有意义的指标描述了最终用户将看到什么。
Data connections describe state, not data transfer. The existence of a connection does not imply that data travels on that connection at any given time, although if data cannot be forwarded on a previously established connection that connection should not be considered in any aggregrate connection count (see concurrent connections).
数据连接描述状态,而不是数据传输。连接的存在并不意味着数据在任何给定时间在该连接上传输,尽管如果数据无法在先前建立的连接上转发,则不应在任何聚合连接计数中考虑该连接(请参阅并发连接)。
A firewall's architecture dictates where a connection terminates. In the case of application or circuit proxy firewalls, a connection terminates at the DUT/SUT. But firewalls using packet filtering or stateful packet filtering designs act only as passthrough devices, in that they reside between two connection endpoints. Regardless of firewall architecture, the number of data connections is still relevant, since all firewalls perform some form of connection maintenance; at the very least, all check connection requests against their rule sets.
防火墙的体系结构决定了连接的终止位置。在应用程序或电路代理防火墙的情况下,连接终止于DUT/SUT。但是,使用包过滤或有状态包过滤设计的防火墙只起到直通设备的作用,因为它们位于两个连接端点之间。无论防火墙体系结构如何,数据连接的数量仍然是相关的,因为所有防火墙都执行某种形式的连接维护;至少,所有连接请求都会根据其规则集进行检查。
Further, note that connection is not an atomic unit of measurement in that it does not describe the various steps involved in connection setup, maintenance, and teardown. Testers may wish to take separate measurements of each of these components.
此外,请注意,连接不是一个原子度量单位,因为它没有描述连接设置、维护和拆卸中涉及的各个步骤。测试人员可能希望对每个组件进行单独测量。
When benchmarking firewall performance, it's important to identify the connection establishment and teardown procedures, as these must not be included when measuring steady-state forwarding rates. Further, forwarding rates must be measured only after any security associations have been established.
在对防火墙性能进行基准测试时,确定连接建立和拆卸过程是很重要的,因为在测量稳态转发速率时不能包括这些过程。此外,只有在建立了任何安全关联之后,才能测量转发速率。
Though it seems paradoxical, connectionless protocols such as UDP may also involve connections, at least for the purposes of firewall performance measurement. For example, one host may send UDP packets to another across a firewall. If the destination host is listening on the correct UDP port, it receives the UDP packets. For the purposes of firewall performance measurement, this is considered a connection.
尽管看起来有些矛盾,但UDP等无连接协议也可能涉及连接,至少出于防火墙性能测量的目的。例如,一台主机可以通过防火墙向另一台主机发送UDP数据包。如果目标主机正在正确的UDP端口上侦听,它将接收UDP数据包。出于防火墙性能测量的目的,这被视为连接。
Unit of measurement: concurrent connections connection connection establishment time maximum number of concurrent connections connection teardown time
度量单位:并发连接建立时间最大并发连接数连接断开时间
Issues: application proxy vs. stateful packet filtering TCP/IP vs. ATM
问题:应用程序代理与有状态数据包过滤TCP/IP与ATM
connection-oriented vs. connectionless
面向连接与无连接
See also: data source concurrent connections connection establishment
另请参见:数据源并发连接建立
connection establishment time connection teardown connection teardown time
连接建立时间连接断开连接断开时间
Definition: The data exchanged between hosts, or between a host and the DUT/SUT, to initiate a connection.
定义:主机之间或主机与DUT/SUT之间为启动连接而交换的数据。
Discussion: Connection-oriented protocols like TCP have a proscribed handshaking procedure when launching a connection. When benchmarking firewall performance, it is import to identify this handshaking procedure so that it is not included in measurements of bit forwarding rate or UOTs per second.
讨论:像TCP这样的面向连接的协议在启动连接时有一个被禁止的握手过程。在对防火墙性能进行基准测试时,识别此握手过程非常重要,这样它就不会包含在比特转发速率或每秒UOT的测量中。
Testers may also be interested in measurements of connection establishment time through or with a given DUT/SUT.
测试人员还可能对通过或使用给定DUT/SUT测量连接建立时间感兴趣。
Unit of measurement: not applicable
计量单位:不适用
See also: connection connection establishement time connection maintenance connection teardown
另请参见:连接建立时间连接维护连接断开
Issues: not applicable
问题:不适用
Definition: The length of time needed for two hosts, or a host and the DUT/SUT, to agree to set up a connection using a known protocol.
定义:两台主机或一台主机和DUT/SUT同意使用已知协议建立连接所需的时间长度。
Discussion: Each connection-oriented protocol has its own defined mechanisms for setting up a connection. For purposes of benchmarking firewall performance, this shall be the interval between receipt of the first bit of the first octet of the packet carrying a connection establishment request on a DUT/SUT interface until transmission of the last bit of the last octet of the last packet of the connection setup traffic headed in the opposite direction.
讨论:每个面向连接的协议都有自己定义的建立连接的机制。为了对防火墙性能进行基准测试,这应该是在DUT/SUT接口上接收到承载连接建立请求的数据包的第一个八位组的第一位到传输反向连接建立流量的最后一个数据包的最后一个八位组的最后一位之间的间隔。
This definition applies only to connection-oriented protocols such as TCP. For connectionless protocols such as UDP, the notion of connection establishment time is not meaningful.
此定义仅适用于面向连接的协议,如TCP。对于UDP等无连接协议,连接建立时间的概念没有意义。
Unit of measurement: Connection establishment time
计量单位:连接建立时间
Issues:
问题:
See also: concurrent connections connection connection maintenance
另请参见:并发连接维护
Definition: The data exchanged between hosts, or between a host and the DUT/SUT, to ensure a connection is kept alive.
定义:主机之间或主机与DUT/SUT之间交换的数据,以确保连接保持活动状态。
Discussion: Some implementations of TCP and other connection-oriented protocols use "keep-alive" data to maintain a connection during periods where no user data is exchanged.
讨论:TCP和其他面向连接的协议的一些实现在没有用户数据交换的期间使用“保持活动”数据来维护连接。
When benchmarking firewall performance, it is useful to identfy connection maintenance traffic as distinct from UOTs per second. Given that maintenance traffic may be characterized by short bursts at periodical intervals, it may not be possible to describe a steady-state forwarding rate for maintenance traffic. One possible approach is to identify the quantity of maintenance traffic, in bytes or bits, over a given interval, and divide through to derive a measurement of maintenance traffic forwarding rate.
在对防火墙性能进行基准测试时,将连接维护流量与每秒UOT区分开来非常有用。鉴于维护业务可能以周期性的短突发为特征,因此不可能描述维护业务的稳态转发速率。一种可能的方法是确定给定间隔内的维护通信量(以字节或位为单位),并通过除以得出维护通信转发率的测量值。
Unit of measurement: maintenance traffic forwarding rate
计量单位:维护流量转发率
See also: connection connection establishment time connection teardown connection teardown time
另请参见:连接建立时间连接拆卸连接拆卸时间
Issues: not applicable
问题:不适用
Definition: The degradation in bit forwarding rate, if any, observed as a result of the addition of one connection between two hosts through the DUT/SUT, or the addition of one connection from a host to the DUT/SUT.
定义:由于通过DUT/SUT在两台主机之间添加一个连接,或从主机到DUT/SUT添加一个连接,观察到的位转发速率下降(如有)。
Discussion: The memory cost of connection establishment and maintenance is highly implementation-specific. This metric is intended to describe that cost in a method visible outside the firewall.
讨论:连接建立和维护的内存成本与实现高度相关。该指标旨在描述防火墙外可见方法的成本。
It may also be desirable to invert this metric to show the performance improvement as a result of tearing down one connection.
还可能需要反转此度量以显示由于拆下一个连接而导致的性能改进。
Unit of measurement: bit forwarding rate
计量单位:比特转发速率
Issues:
问题:
Definition: The data exchanged between hosts, or between a host and the DUT/SUT, to close a connection.
定义:主机之间或主机与DUT/SUT之间为关闭连接而交换的数据。
Discussion: Connection-oriented protocols like TCP follow a stated procedure when ending a connection. When benchmarking firewall performance, it is important to identify the teardown procedure so that it is not included in measurements of bit forwarding rate or UOTs per second.
讨论:面向连接的协议(如TCP)在结束连接时遵循规定的过程。在对防火墙性能进行基准测试时,重要的是确定拆卸过程,以便不将其包括在比特转发速率或每秒UOT的测量中。
Testers may also be interested in measurements of connection teardown time through or with a given DUT/SUT.
测试人员还可能对通过或使用给定DUT/SUT测量连接断开时间感兴趣。
Unit of measurement: not applicable
计量单位:不适用
See also: connection teardown time
另请参见:连接断开时间
Issues: not applicable
问题:不适用
Definition: The length of time needed for two hosts, or a host and the DUT/SUT, to agree to tear down a connection using a known protocol.
定义:两台主机或一台主机和DUT/SUT同意使用已知协议中断连接所需的时间长度。
Discussion: Each connection-oriented protocol has its own defined mechanisms for dropping a connection. For purposes of benchmarking firewall performance, this shall be the interval between receipt of the first bit of the first octet of the packet carrying a connection teardown request on a DUT/SUT interface until transmission of the last bit of the last octet of the last packet of the connection teardown traffic headed in the opposite direction.
讨论:每个面向连接的协议都有自己定义的删除连接的机制。为了对防火墙性能进行基准测试,这应该是从在DUT/SUT接口上接收到承载连接断开请求的数据包的第一个八位组的第一位到传输反向连接断开流量的最后一个数据包的最后一个八位组的最后一位之间的间隔。
This definition applies only to connection-oriented protocols such as TCP. For connectionless protocols such as UDP, the notion of connection teardown time is not meaningful.
此定义仅适用于面向连接的协议,如TCP。对于UDP等无连接协议,连接断开时间的概念没有意义。
Unit of measurement: Connection teardown time
计量单位:连接拆卸时间
Issues:
问题:
See also: concurrent connections connection connection maintenance
另请参见:并发连接维护
Definition: A host capable of generating traffic to the DUT/SUT.
定义:能够向DUT/SUT生成通信量的主机。
Discussion: One data source may emulate multiple users or hosts. In addition, one data source may offer traffic to multiple network interfaces on the DUT/SUT.
讨论:一个数据源可以模拟多个用户或主机。此外,一个数据源可以向DUT/SUT上的多个网络接口提供流量。
The term "data source" is deliberately independent of any number of users. It is useful to think of data sources simply as traffic generators, without any correlation to any given number of users.
术语“数据源”有意独立于任何数量的用户。将数据源简单地视为流量生成器是很有用的,与任何给定数量的用户没有任何关联。
Unit of measurement: not applicable
计量单位:不适用
Issues: user
问题:用户
See also: connection user
另请参见:连接用户
Definition: A network segment or segments located between protected and unprotected networks.
定义:位于受保护和未受保护网络之间的一个或多个网段。
Discussion: As an extra security measure, networks may be designed such that protected and unprotected segments are never directly connected. Instead, firewalls (and possibly public resources such as HTTP or FTP servers) reside on a so-called DMZ network.
讨论:作为一种额外的安全措施,网络的设计应确保受保护和未受保护的网段不会直接连接。相反,防火墙(以及可能的公共资源,如HTTP或FTP服务器)驻留在所谓的DMZ网络上。
DMZ networks are sometimes called perimeter networks.
DMZ网络有时称为周界网络。
Unit of measurement: not applicable
计量单位:不适用
Issues: Homed
问题:主页
See also: protected network unprotected network
另请参见:受保护的网络未受保护的网络
Definition: A device or group of devices that enforces an access control policy between networks.
定义:在网络之间实施访问控制策略的设备或设备组。
Discussion: While there are many different ways to accomplish it, all firewalls do the same thing: control access between networks.
讨论:虽然有许多不同的方法来实现它,但所有防火墙都做同样的事情:控制网络之间的访问。
The most common configuration involves a firewall connecting two segments (one protected and one unprotected), but this is not the only possible configuration. Many firewalls support tri-homing, allowing use of a DMZ network. It is possible for a firewall to accommodate more than three interfaces, each attached to a different network segment.
最常见的配置涉及连接两个段(一个受保护,一个不受保护)的防火墙,但这不是唯一可能的配置。许多防火墙支持三重定位,允许使用DMZ网络。防火墙可以容纳三个以上的接口,每个接口连接到不同的网段。
The criteria by which access are controlled are not specified here. Typically this has been done using network- or transport-layer criteria (such as IP subnet or TCP port number), but there is no
此处未指定控制访问的标准。通常,这是使用网络或传输层标准(如IP子网或TCP端口号)完成的,但没有
reason this must always be so. A growing number of firewalls are controlling access at the application layer, using user identification as the criterion. And firewalls for ATM networks may control access based on data link-layer criteria.
这一点必须始终如此。越来越多的防火墙使用用户身份作为标准,在应用层控制访问。ATM网络的防火墙可以根据数据链路层标准控制访问。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: DMZ tri-homed user
另请参见:DMZ三总部用户
Definition: The number of bits per unit of time forwarded to the correct destination interface of the DUT/SUT, minus any bits lost or retransmitted.
定义:转发到DUT/SUT的正确目标接口的每单位时间的位数,减去任何丢失或重新传输的位数。
Discussion: Firewalls are generally insensitive to packet loss in the network. As such, measurements of gross bit forwarding rates are not meaningful since (in the case of proxy-based and stateful packet filtering firewalls) a receiving endpoint directly attached to a DUT/SUT would not receive any data dropped by the DUT/SUT.
讨论:防火墙通常对网络中的数据包丢失不敏感。因此,总比特转发速率的测量没有意义,因为(在基于代理和有状态包过滤防火墙的情况下)直接连接到DUT/SUT的接收端点不会接收DUT/SUT丢弃的任何数据。
The type of traffic lost or retransmitted is protocol-dependent. TCP and ATM, for example, request different types of retransmissions. Testers must observe retransmitted data for the protocol in use, and subtract this quantity from measurements of gross bit forwarding rate.
丢失或重新传输的通信量类型取决于协议。例如,TCP和ATM请求不同类型的重传。测试人员必须观察正在使用的协议的重传数据,并从总比特转发率的测量值中减去该数量。
Unit of measurement: bits per second
测量单位:位/秒
Issues: allowed vs. rejected traffic
问题:允许流量与拒绝流量
See also: allowed traffic bit forwarding rate rejected traffic
另请参阅:允许的流量位转发速率拒绝的流量
Definition: The number of logical interfaces a DUT/SUT contains.
定义:DUT/SUT包含的逻辑接口数。
Discussion: Firewalls typically contain at least two logical interfaces. In network topologies where a DMZ is used, the firewall usually contains at least three interfaces and is said to be tri-homed. Additional interfaces would make a firewall quad-homed, quint-homed, and so on.
讨论:防火墙通常至少包含两个逻辑接口。在使用DMZ的网络拓扑中,防火墙通常至少包含三个接口,称为三宿主。额外的接口将使防火墙成为四主机、五主机等等。
It is theoretically possible for a firewall to contain one physical interface and multiple logical interfaces. This configuration is discouraged for testing purposes because of the difficulty in verifying that no leakage occurs between protected and unprotected segments.
理论上,防火墙可能包含一个物理接口和多个逻辑接口。出于测试目的,不建议使用此配置,因为难以验证受保护和未受保护的段之间是否发生泄漏。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: tri-homed
另见:三总部
Definition: Packets specified for rejection in the rule set of the DUT/SUT.
定义:在DUT/SUT的规则集中指定要拒绝的数据包。
Discussion: A buggy or misconfigured firewall might forward packets even though its rule set specifies that these packets be dropped. Illegal traffic differs from rejected traffic in that it describes all traffic specified for rejection by the rule set, while rejected traffic specifies only those packets actually dropped by the DUT/SUT.
讨论:有缺陷或配置错误的防火墙可能转发数据包,即使其规则集指定丢弃这些数据包。非法流量与拒绝流量的不同之处在于,它描述了规则集为拒绝指定的所有流量,而拒绝流量仅指定DUT/SUT实际丢弃的数据包。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: accepted traffic policy rejected traffic rule set
另请参见:已接受的流量策略已拒绝的流量规则集
Definition: The recording of user requests made to the firewall.
定义:记录用户对防火墙的请求。
Discussion: Firewalls typically log all requests they handle, both allowed and rejected. For many firewall designs, logging requires a significant amount of processing overhead, especially when complex rule sets are in use.
讨论:防火墙通常会记录它们处理的所有请求,包括允许和拒绝的请求。对于许多防火墙设计,日志记录需要大量的处理开销,特别是在使用复杂规则集时。
The type and amount of data logged varies by implementation. Testers may find it desirable to log equivalent data when comparing different DUT/SUTs.
记录的数据类型和数量因实现而异。测试人员可能会发现,在比较不同DUT/SUT时,需要记录等效数据。
Some systems allow logging to take place on systems other than the DUT/SUT.
某些系统允许在DUT/SUT以外的系统上进行日志记录。
Unit of measurement: not applicable
计量单位:不适用
Issues: rule sets
问题:规则集
See also: allowed traffic connection rejected traffic
另请参见:允许的流量连接拒绝的流量
Definition: A method of mapping one or more private, reserved IP addresses to one or more public IP addresses.
定义:将一个或多个专用保留IP地址映射到一个或多个公用IP地址的方法。
Discussion: In the interest of conserving the IPv4 address space, RFC 1918 proposed the use of certain private (reserved) blocks of IP addresses. Connections to public networks are made by use of a device that translates one or more RFC 1918 addresses to one or more public addresses--a network address translator (NAT).
讨论:为了节省IPv4地址空间,RFC1918建议使用某些专用(保留)IP地址块。到公共网络的连接是通过使用将一个或多个RFC1918地址转换为一个或多个公共地址的设备实现的——网络地址转换器(NAT)。
The use of private addressing also introduces a security benefit in that RFC 1918 addresses are not visible to hosts on the public Internet.
使用私有寻址还带来了一个安全优势,即RFC1918地址对公共Internet上的主机不可见。
Some NAT implementations are computationally intensive, and may affect bit forwarding rate.
一些NAT实现是计算密集型的,可能会影响比特转发速率。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also:
另见:
Definition: The process of controlling access by examining packets based on the content of packet headers.
定义:通过根据数据包头的内容检查数据包来控制访问的过程。
Discussion: Packet-filtering devices forward or deny packets based on information in each packet's header, such as IP address or TCP port number. A packet-filtering firewall uses a rule set to determine which traffic should be forwarded and which should be blocked.
讨论:包过滤设备根据每个包头中的信息(如IP地址或TCP端口号)转发或拒绝包。包过滤防火墙使用一个规则集来确定哪些流量应该转发,哪些应该阻止。
Unit of measurement: not applicable
计量单位:不适用
Issues: static vs. stateful packet filtering
问题:静态与有状态数据包过滤
See also: application proxy circuit proxy proxy rule set stateful packet filtering
另请参见:应用程序代理电路代理规则集有状态数据包过滤
Definition: A document defining acceptable access to protected, DMZ, and unprotected networks.
定义:定义对受保护、DMZ和未受保护网络的可接受访问的文档。
Discussion: Security policies generally do not spell out specific configurations for firewalls; rather, they set general guidelines for what is and is not acceptable network access.
讨论:安全策略通常不会详细说明防火墙的具体配置;相反,他们为什么是和什么是不可接受的网络访问制定了一般准则。
The actual mechanism for controlling access is usually the rule set implemented in the DUT/SUT.
控制访问的实际机制通常是DUT/SUT中实现的规则集。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: rule set
另请参见:规则集
Definition: A network segment or segments to which access is controlled by the DUT/SUT.
定义:由DUT/SUT控制访问的一个或多个网段。
Discussion: Firewalls are intended to prevent unauthorized access either to or from the protected network. Depending on the configuration specified by the policy and rule set, the DUT/SUT may allow hosts on the protected segment to act as clients for servers on either the DMZ or the unprotected network, or both.
讨论:防火墙旨在防止未经授权访问受保护的网络。根据策略和规则集指定的配置,DUT/SUT可允许受保护段上的主机充当DMZ或未受保护网络上或两者上服务器的客户端。
Protected networks are often called "internal networks." That term is not used here because firewalls increasingly are deployed within an organization, where all segments are by definition internal.
受保护的网络通常被称为“内部网络”。此处不使用该术语,因为防火墙越来越多地部署在一个组织内,根据定义,所有网段都是内部的。
Unit of measurement:
计量单位:
not applicable
不适用
Issues:
问题:
See also: demilitarized zone (DMZ) unprotected network policy rule set unprotected network
另请参见:非军事区(DMZ)未受保护的网络策略规则集未受保护的网络
Definition: A request for a connection made on behalf of a host.
定义:代表主机发出的连接请求。
Discussion: Proxy-based firewalls do not allow direct connections between hosts. Instead, two connections are established: one between the client host and the DUT/SUT, and another between the DUT/SUT and server host.
讨论:基于代理的防火墙不允许主机之间直接连接。相反,建立了两个连接:一个在客户机主机和DUT/SUT之间,另一个在DUT/SUT和服务器主机之间。
As with packet-filtering firewalls, proxy-based devices use a rule set to determine which traffic should be forwarded and which should be rejected.
与包过滤防火墙一样,基于代理的设备使用规则集来确定哪些流量应该转发,哪些应该拒绝。
There are two types of proxies: application proxies and circuit proxies.
代理有两种类型:应用程序代理和电路代理。
Unit of measurement: not applicable
计量单位:不适用
Issues: application
问题:申请
See also: application proxy circuit proxy packet filtering stateful packet filtering
另请参见:应用程序代理电路代理数据包过滤有状态数据包过滤
Definition: Packets dropped as a result of the rule set of the DUT/SUT.
定义:由于DUT/SUT的规则集而丢弃的数据包。
Discussion: For purposes of benchmarking firewall performance, it is expected that firewalls will reject all traffic not explicitly permitted in the rule set. Dropped packets must not be included in calculating the bit forwarding rate or maximum bit forwarding rate of the DUT/SUT.
讨论:为了对防火墙性能进行基准测试,预计防火墙将拒绝规则集中未明确允许的所有流量。在计算DUT/SUT的位转发速率或最大位转发速率时,不得包括丢弃的数据包。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: allowed traffic illegal traffic policy rule set
另请参见:允许的流量非法流量策略规则集
Definition: The collection of access control rules that determines which packets the DUT/SUT will forward and which it will reject.
定义:访问控制规则的集合,用于确定DUT/SUT将转发哪些数据包以及拒绝哪些数据包。
Discussion: Rule sets control access to and from the network interfaces of the
讨论:规则集控制对网络接口的访问
DUT/SUT. By definition, rule sets do not apply equally to all network interfaces; otherwise there would be no need for the firewall. For benchmarking purposes, a specific rule set is typically applied to each network interface in the DUT/SUT.
DUT/SUT。根据定义,规则集并不平等地适用于所有网络接口;否则就不需要防火墙了。为了进行基准测试,特定的规则集通常应用于DUT/SUT中的每个网络接口。
The tester must describe the complete contents of the rule set of each DUT/SUT.
测试人员必须描述每个DUT/SUT规则集的完整内容。
To ensure measurements reflect only traffic forwarded by the DUT/SUT, testers are encouraged to include a rule denying all access except for those packets allowed by the rule set.
为了确保测量仅反映DUT/SUT转发的流量,鼓励测试人员包括一条规则,拒绝除规则集允许的数据包之外的所有访问。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: allowed traffic demilitarized zone (DMZ) illegal traffic policy protected network rejected traffic unprotected network
另请参见:允许的流量非军事区(DMZ)非法流量策略受保护的网络拒绝的流量未受保护的网络
Definition: The set of security information relating to a given network connection or set of connections.
定义:与给定网络连接或连接集相关的一组安全信息。
Discussion: This definition covers the relationship between policy and connections. Security associations (SAs) are typically set up during connection establishment, and they may be reiterated or revoked during a connection.
讨论:此定义涵盖策略和连接之间的关系。安全关联(SA)通常在连接建立期间建立,并且在连接期间可以重复或撤销。
For purposes of benchmarking firewall performance, measurements of bit forwarding rate or UOTs per second must be taken after all security associations have been established.
为了对防火墙性能进行基准测试,必须在建立所有安全关联后测量比特转发速率或每秒UOT。
Unit of measurement: not applicable
计量单位:不适用
See also: connection connection establishment policy rule set
另请参见:连接建立策略规则集
Definition: The process of forwarding or rejecting traffic based on the contents of a state table maintained by a firewall.
定义:根据防火墙维护的状态表的内容转发或拒绝流量的过程。
Discussion: Packet filtering and proxy firewalls are essentially static, in that they always forward or reject packets based on the contents of the rule set.
讨论:包过滤和代理防火墙本质上是静态的,因为它们总是根据规则集的内容转发或拒绝包。
In contrast, devices using stateful packet filtering will only forward packets if they correspond with state information maintained by the device about each connection. For example, a stateful packet filtering device will reject a packet on port 20 (ftp-data) if no connection has been established over the ftp control port (usually port 21).
相反,使用有状态包过滤的设备只有在包与设备维护的关于每个连接的状态信息相对应时才会转发包。例如,如果ftp控制端口(通常为端口21)上未建立连接,则有状态数据包过滤设备将拒绝端口20(ftp数据)上的数据包。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: applicaton proxy packet filtering proxy
另请参见:应用程序代理包过滤代理
Definition: A firewall with three network interfaces.
定义:具有三个网络接口的防火墙。
Discussion: Tri-homed firewalls connect three network segments with different network addresses. Typically, these would be protected, DMZ, and unprotected segments.
讨论:三主机防火墙用不同的网络地址连接三个网段。通常,这些将是受保护、DMZ和未受保护的段。
A tri-homed firewall may offer some security advantages over firewalls with two interfaces. An attacker on an unprotected network may compromise hosts on the DMZ but still not reach any hosts on the protected network.
与具有两个接口的防火墙相比,三宿主防火墙可能具有一些安全优势。未受保护网络上的攻击者可能会危害DMZ上的主机,但仍然无法到达受保护网络上的任何主机。
Unit of measurement: not applicable
计量单位:不适用
Issues: Usually the differentiator between one segment and another is its IP address. However, firewalls may connect different networks of other types, such as ATM or Netware segments.
问题:通常一个网段和另一个网段的区别在于它的IP地址。但是,防火墙可以连接其他类型的不同网络,如ATM或Netware段。
See also: homed
另见:homed
Definition: A discrete collection of bytes comprising at least one header and optional user data.
定义:包含至少一个标头和可选用户数据的离散字节集合。
Discussion: This metric is intended for use in describing steady-state forwarding rate of the DUT/SUT.
讨论:该度量用于描述DUT/SUT的稳态转发速率。
The unit of transfer (UOT) definition is deliberately left open to interpretation, allowing the broadest possible application. Examples of UOTs include TCP segments, IP packets, Ethernet frames, and ATM cells.
传输单位(UOT)的定义有意保留在解释范围内,以允许尽可能广泛的应用。UOT的示例包括TCP段、IP数据包、以太网帧和ATM信元。
While the definition is deliberately broad, its interpretation must not be. The tester must describe what type of UOT will be offered to the DUT/SUT, and must offer these UOTs at a consistent rate. Traffic measurement must begin after all connection establishment routines complete and before any connection completion routine begins. Further, measurements must begin after any security associations (SAs) are established and before any SA is revoked.
虽然定义有意宽泛,但其解释绝不能含糊不清。测试人员必须说明将向DUT/SUT提供何种类型的UOT,并且必须以一致的速率提供这些UOT。流量测量必须在所有连接建立例程完成之后和任何连接完成例程开始之前开始。此外,必须在建立任何安全关联(SA)之后和撤销任何SA之前开始测量。
Testers also must compare only like UOTs. It is not appropriate, for example, to compare forwarding rates by offering 1,500-byte Ethernet UOTs to one DUT/SUT and 53-byte ATM cells to another.
测试人员还必须仅与UOT进行比较。例如,通过向一个DUT/SUT提供1500字节以太网UOT和向另一个DUT/SUT提供53字节ATM信元来比较转发速率是不合适的。
Unit of measurement: Units of transfer Units of transfer per second
计量单位:传输单位每秒传输单位
Issues:
问题:
See also: bit forwarding rate connection
另请参见:位转发速率连接
Definition: A network segment or segments to which access is not controlled by the DUT/SUT.
定义:DUT/SUT不控制访问的一个或多个网段。
Discussion: Firewalls are deployed between protected and unprotected segments. The unprotected network is not protected by the DUT/SUT.
讨论:防火墙部署在受保护和未受保护的段之间。未受保护的网络不受DUT/SUT的保护。
Note that a DUT/SUT's policy may specify hosts on an unprotected network. For example, a user on a protected network may be permitted to access an FTP server on an unprotected network. But the DUT/SUT cannot control access between hosts on the unprotected network.
请注意,DUT/SUT的策略可能指定未受保护网络上的主机。例如,可能允许受保护网络上的用户访问未受保护网络上的FTP服务器。但DUT/SUT无法控制未受保护网络上主机之间的访问。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: demilitarized zone (DMZ) policy protected network rule set
另请参见:非军事区(DMZ)策略保护的网络规则集
Definition: A person or process requesting access to resources protected by the DUT/SUT.
定义:请求访问受DUT/SUT保护的资源的人员或进程。
Discussion: "User" is a problematic term in the context of firewall performance testing, for several reasons. First, a user may in fact be a process or processes requesting services through the DUT/SUT. Second, different "user" requests may require radically different amounts of DUT/SUT resources. Third, traffic profiles vary widely from one organization to another, making it difficult to characterize the load offered by a typical user.
讨论:“用户”在防火墙性能测试中是一个有问题的术语,原因有几个。首先,用户实际上可以是通过DUT/SUT请求服务的一个或多个进程。其次,不同的“用户”请求可能需要截然不同的DUT/SUT资源量。第三,不同组织的流量分布差异很大,因此很难描述典型用户提供的负载。
For these reasons, testers should not attempt to measure DUT/SUT performance in terms of users supported. Instead, testers should describe performance in terms of maximum bit forwarding rate and maximum number of connections sustained. Further, testers should use the term "data source" rather than user to describe traffic generator(s).
出于这些原因,测试人员不应试图根据所支持的用户来衡量DUT/SUT的性能。相反,测试人员应该用最大比特转发速率和持续的最大连接数来描述性能。此外,测试人员应该使用术语“数据源”而不是用户来描述流量生成器。
Unit of measurement: not applicable
计量单位:不适用
Issues:
问题:
See also: data source
另见:数据源
The primary goal of this memo is to describe terms used in benchmarking firewall performance. However, readers should be aware that there is some overlap between performance and security issues. Specifically, the optimal configuration for firewall performance may not be the most secure, and vice-versa.
本备忘录的主要目的是描述防火墙性能基准测试中使用的术语。但是,读者应该知道,性能和安全问题之间存在一些重叠。具体来说,防火墙性能的最佳配置可能不是最安全的,反之亦然。
Further, certain forms of attack may degrade performance. One common form of denial-of-service (DoS) attack bombards a firewall with so much rejected traffic that it cannot forward allowed traffic. DoS attacks do not always involve heavy loads; by definition, DoS describes any state in which a firewall is offered rejected traffic that prohibits it from forwarding some or all allowed traffic. Even a small amount of traffic may significantly degrade firewall performance, or stop the firewall altogether. Further, the safeguards in firewalls to guard against such attacks may have a significant negative impact on performance.
此外,某些形式的攻击可能会降低性能。一种常见形式的拒绝服务(DoS)攻击使用大量被拒绝的流量轰炸防火墙,使其无法转发允许的流量。拒绝服务攻击并不总是涉及重负载;根据定义,DoS描述了防火墙提供拒绝流量的任何状态,该拒绝流量禁止防火墙转发部分或全部允许的流量。即使是少量流量也可能会显著降低防火墙性能,或完全停止防火墙。此外,防火墙中防范此类攻击的安全措施可能会对性能产生重大负面影响。
Since the library of attacks is constantly expanding, no attempt is made here to define specific attacks that may affect performance. Nonetheless, any reasonable performance benchmark should take into
由于攻击库不断扩展,因此此处不尝试定义可能影响性能的特定攻击。尽管如此,任何合理的绩效基准都应考虑
consideration safeguards against such attacks. Specifically, the same safeguards should be in place when comparing performance of different firewall implementations.
考虑防范此类攻击的措施。具体来说,在比较不同防火墙实现的性能时,应该有相同的保护措施。
Bradner, S., Ed., "Benchmarking Terminology for Network Interconnection Devices", RFC 1242, July 1991.
Bradner,S.,编辑,“网络互连设备的基准术语”,RFC 1242,1991年7月。
Bradner, S. and J. McQuaid, "Benchmarking Methodology for Network Interconnect Devices", RFC 2544, March 1999.
Bradner,S.和J.McQuaid,“网络互连设备的基准测试方法”,RFC 25441999年3月。
Mandeville, R., "Benchmarking Terminology for LAN Switching Devices", RFC 2285, February 1998.
Mandeville,R.,“局域网交换设备的基准术语”,RFC 2285,1998年2月。
Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.
Rekhter,Y.,Moskowitz,B.,Karrenberg,D.,de Groot,G.和E.Lear,“私人互联网地址分配”,BCP 5,RFC 1918,1996年2月。
The author wishes to thank the IETF Benchmarking Working Group for agreeing to review this document. Several other persons offered valuable contributions and critiques during this project: Ted Doty (Internet Security Systems), Kevin Dubray (Ironbridge Networks), Helen Holzbaur, Dale Lancaster, Robert Mandeville, Brent Melson (NSTL), Steve Platt (NSTL), Marcus Ranum (Network Flight Recorder), Greg Shannon, Christoph Schuba (Sun Microsystems), Rick Siebenaler, and Greg Smith (Check Point Software Technologies).
作者希望感谢IETF基准工作组同意审查本文件。在这个项目中,其他几个人提供了宝贵的贡献和评论:泰德·多蒂(互联网安全系统)、凯文·杜布雷(铁桥网络)、海伦·霍尔兹堡、戴尔·兰卡斯特、罗伯特·曼德维尔、布伦特·梅尔森(NSTL)、史蒂夫·普拉特(NSTL)、马库斯·拉努姆(网络飞行记录器)、格雷格·香农(Greg Shannon)、克里斯托夫·舒巴(太阳微系统公司),Rick Siebenaler和Greg Smith(检查点软件技术)。
David Newman Data Communications magazine 3 Park Ave. 31st Floor New York, NY 10016 USA
美国纽约州纽约市帕克大道3号31楼David Newman数据通信杂志10016
Phone: 212-592-8256 Fax: 212-592-8265 EMail: dnewman@data.com
电话:212-592-8256传真:212-592-8265电子邮件:dnewman@data.com
Copyright (C) The Internet Society (1999). All Rights Reserved.
版权所有(C)互联网协会(1999年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。