[NSIS] NSIS Interop Summary Report from Karlsruhe
Roland Bless <bless@tm.uka.de> Mon, 18 June 2007 23:47 UTC
Return-path: <nsis-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I0QwM-00059y-91; Mon, 18 Jun 2007 19:47:22 -0400
Received: from nsis by megatron.ietf.org with local (Exim 4.43) id 1I0QwK-000550-Lr for nsis-confirm+ok@megatron.ietf.org; Mon, 18 Jun 2007 19:47:20 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I0QwK-00054s-CC for nsis@ietf.org; Mon, 18 Jun 2007 19:47:20 -0400
Received: from iramx2.ira.uni-karlsruhe.de ([141.3.10.81]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I0QwI-0003rG-GY for nsis@ietf.org; Mon, 18 Jun 2007 19:47:20 -0400
Received: from i72ms.tm.uni-karlsruhe.de ([141.3.70.5] helo=smtp.ipv6.tm.uni-karlsruhe.de) by iramx2.ira.uni-karlsruhe.de with esmtps id 1I0QwF-0003Z2-8a; Tue, 19 Jun 2007 01:47:17 +0200
Received: from vorta.ipv6.tm.uni-karlsruhe.de (vorta.ipv6.tm.uni-karlsruhe.de [IPv6:2001:638:204:6:207:e9ff:fe0c:5e44]) by smtp.ipv6.tm.uni-karlsruhe.de (Postfix) with ESMTP id 163162FC1F2; Tue, 19 Jun 2007 01:47:15 +0200 (CEST)
Received: from localhost ([127.0.0.1]) by vorta.ipv6.tm.uni-karlsruhe.de with esmtp (Exim 4.44) id 1I0QwE-00040Z-CN; Tue, 19 Jun 2007 01:47:14 +0200
Message-ID: <46771981.60907@tm.uka.de>
Date: Tue, 19 Jun 2007 01:47:13 +0200
From: Roland Bless <bless@tm.uka.de>
Organization: Institute of Telematics, University of Karlsruhe
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060111 Thunderbird/1.5 Mnenhy/0.7.3.0
MIME-Version: 1.0
To: "nsis@ietf.org" <nsis@ietf.org>, nsis-chairs@tools.ietf.org
X-Enigmail-Version: 0.94.1.1
Content-Type: text/plain; charset="ISO-8859-15"
Content-Transfer-Encoding: 8bit
X-Spam-Status: No
X-Spam-Score: -1.4 (-)
X-Spam-Report: -1.4 ALL_TRUSTED Passed through trusted hosts only via SMTP 0.1 AWL AWL: From: address is in the auto white-list
X-ATIS-Checksum: v3zoCAcc32ckk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9af087f15dbdd4c64ae6bbcdbc5b1d44
Cc:
Subject: [NSIS] NSIS Interop Summary Report from Karlsruhe
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Errors-To: nsis-bounces@ietf.org
Hi all,
the WG chairs solicited feedback about the latest NSIS interop in
Karlsruhe. So here it is (sorry for the long delay):
Overview:
=========
* Implementation teams:
- University of Coimbra (GIST, QoS NSLP, NAT/FW) each Draft -13
- Uni Goettingen (GIST, QoS NSLP, NAT/FW) each Draft-13
- Uni Karlsruhe (GIST, QoS NSLP, NAT/FW) each Draft-13
- Siemens Roke Manor Research was planned to participate but
could not make it.
* We mainly concentrated on GIST tests, because
this spec has to be off the table first.
* We used test cases that were defined by Christian Dickmann
(and discussed at last IETF among Christian, Alan Ford, Andrew
McDonald and partially me). You can find the document here
(though in a format of an internet-draft, it is not published as such
yet)
http://user.informatik.uni-goettingen.de/~cdickman/draft-dickmann-nsis-ntlp-interop-00.txt
* Christian did a great job in setting up tools for performing
automated tests. This sped up testing a lot.
* GIST was quite thoroughly tested with Goettingen vs. Karlsruhe
(in both directions, see below).
We tested all the main protocol features like D-Mode, C-Mode,
TLS+TCP, v4,v6, late state installation, etc.
* The GIST Spec is implementable; we found no major issues
with the GIST spec, only the need for
some clarifications that can be found here in our tracker:
https://projekte.tm.uka.de/trac/NSIS/report/10
(I entered some additional tickets after the interop event).
* A major open issue is, however, NAT traversal functionality
that could not be tested yet.
* Interop URL: https://projekte.tm.uka.de/trac/NSIS/wiki/Interop-20070509
Details (as written in a mail from Christian)
=================================================
Christian created a report based on the data collected by the
Interop Tools. Take a look at:
http://dickmann.homeunix.org/nsis/displayReportList.php
---------------------------------------------------------------------
Christian's mail:
Of course, this is only a subset of all tests that were made (and only
the last run of each test case), but I guess we are close to 90 or 95%
coverage. A lot of test cases come with captures so that you can look up
the message exchange for successful or failed tests. I set the
success-flag for most tests directly during the interop event once the
test was completed. However, for some test cases I set the flag today
based on my notes (and my memory).
As you know the test cases were based on [1].
Each test case belongs into one of these categories: "normal operation",
"recoverable problems", "unrecoverable problems".
I analyzed the report based on these categories (notation "X vs. Y"
means X is Initiator and Y is Responder):
Normal operation:
Goettingen vs. Karlsruhe:
3-Way Handshake: 7 PASSED, 10 run of 11 test cases
Refresh of soft state: 2 PASSED, 2 run of 5 test cases
Setup of multiple sessions: 3 PASSED, 3 run of 4 test cases
Interception on NSIS forwarders: 3 PASSED, 4 run of 4 test cases
GIST Stateless operation: 0 PASSED, 1 run of 2 test cases
Karlsruhe vs. Goettingen:
3-Way Handshake: 8 PASSED, 9 run of 11 test cases
Refresh of soft state: 0 PASSED, 1 run of 5 test cases
Goettingen vs. Coimbra:
3-Way Handshake: 8 PASSED, 9 run of 11 test cases
Refresh of soft state: 2 PASSED, 2 run of 5 test cases
Coimbra vs. Goettingen:
3-Way Handshake: 2 PASSED, 3 run of 11 test cases
Karlsruhe vs. Coimbra:
3-Way Handshake: 5 PASSED, 5 run of 11 test cases
Recoverable problems:
Goettingen vs. Karlsruhe:
3-Way Handshake: 2 PASSED, 3 run of 3 test cases
Refresh of soft state: 4 PASSED, 4 run of 5 test cases
Karlsruhe vs. Goettingen:
3-Way Handshake: 1 PASSED, 1 run of 3 test cases
Goettingen vs. Coimbra:
3-Way Handshake: 2 PASSED, 2 run of 3 test cases
Refresh of soft state: 4 PASSED, 4 run of 5 test cases
Unrecoverable problems:
Goettingen vs. Karlsruhe:
3-Way Handshake: 5 PASSED, 5 run of 5 test cases
Karlsruhe vs. Goettingen:
3-Way Handshake: 3 PASSED, 4 run of 5 test cases
Goettingen vs. Coimbra:
3-Way Handshake: 4 PASSED, 5 run of 5 test cases
As we can see, we did not test all test cases, even for Goettingen vs.
Karlsruhe.
However, for Goe vs. Ka we can say that we covered a really good part of
the GIST specification. In particular we tested all important features
(except for NAT traversal and Stateless mode). This makes me very
confident that the spec is implementable (except for NAT traversal, see
NSIS mailing list).
I think we tested Goettingen against Karlsruhe quite thoroughly (in both
directions). We ran 47 test cases (IPv4 only) and passed 38 of these.
That's a success rate of 80%. The tests against Coimbra were not as
complete. We ran 25 test cases (IPv4 only) between Göttingen and Coimbra
and passed 22 of them (= 88%). Thus, the test cases we tested were quite
successful, but we ran only half of the test cases compared to Goe/Ka.
Also note that we did only very few test cases with IPv6 and only with
Göttingen vs. Karlsruhe. However, those were all successful.
My personal lessons learned from this interop:
- Even 3 days were not enough. Considering that we only had 3 GIST
implementations to test, this sounds like we wasted too much time. I try
to find reasons below.
- I guess 70% of the problems we found between Göttingen and Karlsruhe
were NOT related to interop problems. On the other hand, all bugs found
in our (Göttingen) implementation (very few overall) were related to
real interop issues. I guess the reason is quite simple: I ran ALL test
cases defined in [1] with Göttingen vs. Göttingen and so found and fixed
a lot of bugs before arriving in Karlsruhe. I suppose the other
participants did not do internal tests as thorough as ours, which
resulted in this rate of non-interop issues.
- More internal tests (see above) but also remote tests before the
actual interop event can save a lot of time. I did some remote tests
with Karlsruhe and we were able to detect and fix some problems before
meeting in person. With Coimbra I also performed some remote tests (just
basic D-Mode and C-Mode, both failed), but not as thorough as with
Karlsruhe. We ended up having problems with TLS for many hours during
the interop event. We should do much more remote testing to avoid these
lengthy debugging phases!
- The interop draft [1] helped a lot. First, it has so many test cases
that you would not think of during an interop event. Second, for complex
tests the expected behavior and useful triggers are not always obvious.
Having them written down with one or two rounds of review saves time and
avoids mistakes during the interop event. Third, the interop draft now
helps to write this report, as we can "measure" the success.
- The interop tools helped a lot and saved a lot of time. I guess the
tools saved roughly 50% of my time. Maybe even more. Considering that we
are very short on time, this is a huge improvement. Besides that, many
test cases are simply not feasible without tools (for example attack
scenarios, corrupted objects, etc.). We should continue to use the tools
and extend them so that they can become the default tool to do the
interop. That would also help in remote testing.
- The organization by Roland was very good. We had enough switches,
cables, spare machines, space, etc. The network setup we discussed on
this mailing list a week before the interop was well set up and avoided
long setup and re-plugging phases. You can see that this is important
when you look at Luis and Vitor who tried to configure their network on
site to correspond to the network layout. It took them quite a while of
debugging to configure their machines correctly. More preparation from
all sides and an agreed-upon network setup help to avoid these kinds of
delay.
- Taking all these issues into account, I think that 3 days CAN be
enough time, if and only if enough preparation is done in form of
defining test cases, writing tools to help with testing, testing
internally against the test cases, doing remote tests and organizing and
preparing for the event itself.
Overall I am quite satisfied with the interop. I think we made a big
step ahead towards mature and interoperable implementations. We tested
and discussed a good portion of the spec and found no (or very few and
minor) real problems. And we tested quite a lot of test cases and had a
reasonable success rate that is even going to improve with remote tests
taking place in the next few weeks.
Thank you all. I had a great time at the interop and special thanks go
to Roland and the University of Karlsruhe for doing a very good job of
hosting this interop event.
Regards,
Christian Dickmann
[1]
http://user.informatik.uni-goettingen.de/~cdickman/draft-dickmann-nsis-ntlp-interop-00.txt
--------------------------------------------------------------------
_______________________________________________
nsis mailing list
nsis@ietf.org
https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] NSIS Interop Summary Report from Karlsruhe Roland Bless
- RE: [NSIS] NSIS Interop Summary Report from Karls… Hancock, Robert
- [NSIS] Re: NSIS Interop Summary Report from Karls… Martin Stiemerling