SSL VPN terminology time

By David Newman, Network World
October 11, 2004 12:09 AM ET
Mention metrics like throughput and latency, and most network professionals will understand these concepts. There are even IETF RFCs with formal definitions of some of the best-known test metrics.

Not so when it comes to testing SSL VPNs. This is a relatively young area, and neither the IETF nor any other standards body has yet defined an official set of terms to use when assessing device performance.

Lacking any standard specification to point to, we used the following terms:

SSL setup and teardown rate: This test measures the rate at which a device creates and destroys SSL tunnels.

An SSL tunnel consists of one client successfully establishing an SSL session, with a unique session ID, with the device under test (DUT). Our tests added some extra steps: we also required the client to log on to the DUT before establishing the SSL session, set up the SSL session, request and retrieve a 1K-byte object through the DUT, and then log out. Taken together, these transactions comprised one SSL session setup and teardown. Our tests measured the number of these sessions a DUT could process per second.

Maximum concurrent users: The number of concurrent users retrieving data through active SSL sessions. This definition requires clients to establish an SSL tunnel and to retrieve data through that tunnel. Some vendors define this metric differently, using only the number of clients logged on, not those doing actual work. We strongly prefer the more stressful definition to the vendorspeak version: Users are those using the DUT.
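The two definitions above can be exercised with the harness below, an added example that is not part of the Network World tests or of the Spirent tools. It stands up a local TLS server in place of the DUT (its /login, /object and /logout paths and the fixed "demo-token" are assumptions made for the example), has each client run a session on its own fresh TLS connection, and counts ClientHellos on the server side, so a run can confirm that every counted session really set up its own tunnel rather than reusing or resuming one. Only clients that actually retrieve the object are counted, which is the stricter definition of a user argued for above.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

const objectSize = 1024 // the 1K-byte object fetched inside every session

// standInDUT is a local TLS server standing in for the device under test; its paths and fixed token are assumptions.
type standInDUT struct {
	srv        *httptest.Server
	handshakes atomic.Int64 // ClientHellos received, i.e. SSL tunnels set up
}

func newStandInDUT() *standInDUT {
	d, mux := &standInDUT{}, http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "demo-token") })
	mux.HandleFunc("/object", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer demo-token" { // doing work requires a logon
			http.Error(w, "not logged in", http.StatusUnauthorized)
			return
		}
		w.Write(make([]byte, objectSize))
	})
	mux.HandleFunc("/logout", func(http.ResponseWriter, *http.Request) {})
	d.srv = httptest.NewUnstartedServer(mux)
	d.srv.TLS = &tls.Config{GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
		d.handshakes.Add(1) // runs once per TLS handshake; returning nil keeps the default config
		return nil, nil
	}}
	d.srv.StartTLS()
	return d
}

// call issues one request, drains the body so the connection stays reusable within the session, and fails on non-200.
func call(c *http.Client, method, url, token string) ([]byte, error) {
	req, _ := http.NewRequest(method, url, nil) // httptest's own URL, always valid
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("%s %s: %s", method, url, resp.Status)
	}
	return body, err
}

// oneSession is one SSL setup and teardown as the article counts it, all on one fresh TLS connection.
func oneSession(base *http.Transport, url string) error {
	tr := base.Clone()              // a new transport dials anew, so exactly one TLS handshake
	defer tr.CloseIdleConnections() // tear the tunnel down when the session ends
	c := &http.Client{Transport: tr}
	token, err := call(c, http.MethodPost, url+"/login", "")
	if err != nil {
		return err
	}
	obj, err := call(c, http.MethodGet, url+"/object", string(token))
	if err != nil || len(obj) != objectSize {
		return fmt.Errorf("object: %d bytes, want %d (%v)", len(obj), objectSize, err)
	}
	_, err = call(c, http.MethodPost, url+"/logout", string(token))
	return err
}

// Measure has users concurrent clients run perUser sessions each and reports completed sessions, failures and the rate.
func Measure(d *standInDUT, users, perUser int) (sessions, failures int, perSecond float64) {
	base := d.srv.Client().Transport.(*http.Transport)
	var ok, failed atomic.Int64
	var wg sync.WaitGroup
	start := time.Now()
	for u := 0; u < users; u++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := 0; i < perUser; i++ {
				if err := oneSession(base, d.srv.URL); err != nil {
					failed.Add(1)
				} else {
					ok.Add(1)
				}
			}
		}()
	}
	wg.Wait()
	return int(ok.Load()), int(failed.Load()), float64(ok.Load()) / time.Since(start).Seconds()
}

func main() {
	fmt.Println(Measure(newStandInDUT(), 4, 10))
}
```

Against a real appliance the stand-in is replaced by the DUT's address and certificate, and the client count is ramped up until sessions start to fail; the last count at which every client still completes its retrieval is the maximum concurrent users figure under the stricter definition.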

Forwarding rate: The rate at which a DUT transmits traffic to the correct destination interface in response to a specified offered load. This metric is formally defined in RFC 2285.

The Spirent Avalanche and Reflector test tools we used measure the forwarding rate of all the bits on the wire, including the overhead of Ethernet, IP and TCP headers. Because we used large (5M-byte) objects in this test, per-transfer costs such as the TCP and SSL handshakes and the HTTP headers are minuscule relative to the data bytes being transferred, and the per-frame header overhead is a roughly constant few percent of the payload at a 1,460-byte segment size. In future tests, we might use HTTP goodput - the layer-7 forwarding rate minus any lost or retransmitted data - as a more meaningful indicator of how quickly the DUT passes data up to the application.
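The difference between the wire-level forwarding rate and HTTP goodput, and the reason object size matters, as an added example that is not code from the article or from the Spirent tools: it replays a constructed capture of one object with a lost-and-retransmitted segment and a spurious retransmission, counts every byte on the wire including the 54 bytes of Ethernet, IP and TCP headers per frame, counts only first-time payload as goodput, and separates the per-frame header share of a transfer from the fixed per-transfer share. The header sizes are the standard ones; the per-transfer constants (seven setup and teardown frames, a 4,096-byte SSL handshake, 300 bytes of HTTP headers) are assumptions made for the example.

```go
package main

import "fmt"

// Frame header sizes in bytes: Ethernet without a VLAN tag, IPv4 and TCP, both
// without options. Preamble, FCS and TCP options such as timestamps are left out.
const (
	ethHeader = 14
	ipHeader  = 20
	tcpHeader = 20
	frameHdr  = ethHeader + ipHeader + tcpHeader
	mss       = 1460 // payload of a full-sized segment on a 1500-byte MTU link
)

// Per-transfer costs assumed for this example; they are not figures measured in
// the article's tests, and a real capture would supply them.
const (
	setupFrames       = 7    // SYN, SYN-ACK, ACK and the four-way FIN exchange
	tlsHandshakeBytes = 4096 // one full SSL handshake, certificate included
	httpHeaderBytes   = 300  // request plus response headers
)

// Segment is one TCP data segment captured between the DUT and the client.
type Segment struct {
	Seq     uint32 // sequence number of the first payload byte
	Payload uint32 // payload bytes carried
}

// coverage records delivered byte ranges so retransmitted or duplicated bytes do not count as goodput.
type coverage struct{ spans [][2]uint32 } // disjoint half-open ranges

func minU(a, b uint32) uint32 { if a < b { return a }; return b }
func maxU(a, b uint32) uint32 { if a > b { return a }; return b }

// add records [lo,hi) and returns how many of its bytes were new.
func (c *coverage) add(lo, hi uint32) uint32 {
	fresh := hi - lo
	mlo, mhi := lo, hi
	kept := c.spans[:0]
	for _, s := range c.spans {
		if s[1] < lo || s[0] > hi { // disjoint and not adjacent: keep as is
			kept = append(kept, s)
			continue
		}
		if s[1] > lo && s[0] < hi { // these bytes were delivered before
			fresh -= minU(hi, s[1]) - maxU(lo, s[0])
		}
		mlo, mhi = minU(mlo, s[0]), maxU(mhi, s[1]) // absorb into one merged range
	}
	c.spans = append(kept, [2]uint32{mlo, mhi})
	return fresh
}

// Counts separates what the test tools see on the wire from what the application received.
type Counts struct {
	WireBytes    uint64 // payload plus Ethernet/IP/TCP headers of every frame
	GoodputBytes uint64 // payload delivered for the first time
	RetransBytes uint64 // payload that repeated earlier data
}

// Analyze walks the segments in capture order; dividing each count by the capture
// window gives the forwarding rate and the goodput. Sequence wraparound is ignored.
func Analyze(segs []Segment) Counts {
	var r Counts
	var cov coverage
	for _, s := range segs {
		r.WireBytes += uint64(s.Payload) + frameHdr
		fresh := cov.add(s.Seq, s.Seq+s.Payload)
		r.GoodputBytes += uint64(fresh)
		r.RetransBytes += uint64(s.Payload - fresh)
	}
	return r
}

// Overhead splits the non-payload bytes of one object transfer into the per-frame
// header share and the fixed per-transfer share, each as a fraction of all wire bytes.
func Overhead(object int) (perFrame, fixed float64) {
	hdr := ((object + mss - 1) / mss) * frameHdr
	fix := setupFrames*frameHdr + tlsHandshakeBytes + httpHeaderBytes
	total := float64(object + hdr + fix)
	return float64(hdr) / total, float64(fix) / total
}

// sampleCapture is a constructed 7,300-byte object sent as five segments: the segment
// at 2920 was lost and retransmitted after two later ones arrived, and 1460 was repeated.
var sampleCapture = []Segment{
	{0, 1460}, {1460, 1460}, {4380, 1460}, {5840, 1460}, {2920, 1460}, {1460, 1460},
}

func main() {
	r := Analyze(sampleCapture)
	fmt.Printf("wire %d B, goodput %d B, retransmitted %d B\n", r.WireBytes, r.GoodputBytes, r.RetransBytes)
	for _, n := range []int{1024, 5000000} {
		pf, fx := Overhead(n)
		fmt.Printf("%7d-byte object: per-frame headers %.1f%%, per-transfer fixed cost %.1f%%\n", n, 100*pf, 100*fx)
	}
}
```

For the constructed capture the wire count is 9,084 bytes against 7,300 bytes of goodput, the 1,460-byte gap being the retransmissions that a layer-2 forwarding rate credits to the DUT. The overhead split shows what a large object buys: the fixed per-transfer cost falls from most of a 1K-byte transfer to well under a tenth of a percent of a 5M-byte one, while the per-frame header share stays near 3.6 percent whatever the object size.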

Back to review: "Nortel's Contivity picks up SSL"
