NetSecOPEN + RFC 9411 alignment
Scope status (post-Scope-Freeze 2026-05-10) — See ARCHITECTURE.md for the canonical 37 MÓDULOs + 7 Test Kinds + DOM/CPOS/PIE-PA safety architecture. ADRs 0014, 0019-0025 cover post-Freeze additions.
Strategic positioning: TLSStress.Art is not a NetSecOPEN approved tool (Spirent Avalanche and Keysight CyPerf-BreakingPoint are the only two as of 2026). We are, however, vocabulary-aligned and methodology-aligned with RFC 9411 and the NetSecOPEN test plans, so a customer can cross-reference our reports against any NetSecOPEN-certified vendor datasheet without translation friction.
Per the locked decision in discuss_netsecopen_rfc9411.md (Option C: RFC 9411-compliant + Production Realism extensions).
Standards reference
- RFC 9411 — Benchmarking Methodology for Network Security Device Performance (Informational, March 2023, obsoletes RFC 3511). Authored by NetSecOPEN consortium members. The benchmark tests are §7.1 to §7.9; the KPI definitions (connections per second, concurrent connections, TLS handshake rate, inspected throughput, TTFB/TTLB) and the reporting rules are in §6. All § references on this page use that numbering.
- RFC 2544 — Benchmarking Methodology for Network Interconnect Devices (older but still cited for L2/L3 reference points).
- RFC 6349 — Framework for TCP Throughput Testing (used by our Branch Office tests for asymmetric WAN scenarios).
- NetSecOPEN test methodology documents — published by the NetSecOPEN consortium; they cite RFC 9411 and add the certification procedures for each approved tool.
Vocabulary mapping (TLSStress.Art ↔ RFC 9411)
| TLSStress.Art term | RFC 9411 § | Notes |
|---|---|---|
| TLS Decryption / TLS Inspection | §4.2 (DUT/SUT Configuration, security-feature table) | RFC 9411's own feature table still labels this "SSL Inspection"; we never use that deprecated term in our reports, so map it back when reading a datasheet. See TLS_INSPECTION_TRAPS.md |
| HTTP Throughput (Mbps / Gbps) | §7.3 (HTTP Throughput) | Reported per-quadrant in Annex I; the §6.1 KPI is "Inspected Throughput" |
| HTTPS Throughput (Mbps / Gbps) | §7.7 (HTTPS Throughput) | Reported per-quadrant and per-cipher |
| Connections Per Second (CPS) | §7.2 (TCP/HTTP Connections per Second) + §7.6 (TCP/HTTPS Connections per Second) | We split: HTTP-CPS, HTTPS-CPS, TLS-handshake-only. The last one is the §6.1 "TLS Handshake Rate" KPI, not a CPS figure |
| Concurrent Connections | §7.5 (Concurrent TCP/HTTP Connection Capacity) + §7.9 (Concurrent TCP/HTTPS Connection Capacity) | Tracked via the NAT/conntrack table at peak; count only established entries, since conntrack also holds half-open (SYN_SENT) and closing (TIME_WAIT) flows |
| Time To First Byte (TTFB) | §7.4 (TCP/HTTP Transaction Latency) + §7.8 (HTTPS Transaction Latency) | TTFB is a §6.1 KPI; we report p50, p95, p99, max — Annex H |
| Application Mix | §7.1 (Throughput Performance with Application Traffic Mix) | Our Synthetic + Cloned Personas + HAR replay |
| Inspection Profile (5 named) | §7 benchmark subset (which of §7.1-§7.9 a profile exercises) | See the RFC 9411 cross-reference section of INSPECTION_PROFILE.md |
| Quadrant Decomposition (Q1-Q4) | n/a (TLSStress.Art-original) | Adds production-realism beyond RFC 9411 — Annex I |
| Branch Office (asymmetric WAN) | RFC 6349 (not RFC 9411) | Annex J |
| BGP routing-table saturation | n/a (TLSStress.Art-original) | Control-plane stress; ADR 0012 |
| Geo-CA distribution | n/a (TLSStress.Art-original) | Annex F (multi-region cert chain validation) |
| Airgap attestation | n/a (TLSStress.Art-original) | Annex G (5-layer L2/L3 isolation chain) |
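As an added worked example (not TLSStress.Art code and not reference code from RFC 9411) of how the KPIs in the table above are derived from raw per-connection data, the Python below computes CPS, TLS handshake rate, peak concurrency and TTFB percentiles from a constructed set of connection records. Everything in it is an assumption of this example: the record layout, integer millisecond timestamps on one clock, a 2 s measurement window, TTFB measured from the client SYN, and nearest-rank percentiles. It also makes the conntrack caveat concrete: the sixth, half-open record inflates a naive entry count but does not count as an established connection.

```python
"""RFC 9411 KPI extraction from per-connection records.

Added example, not TLSStress.Art code. The record layout, the millisecond
timestamps and the 2 s window are assumptions of this example; the sample
records at the bottom are constructed, not captured.
"""
from __future__ import annotations
from dataclasses import dataclass
import math
from typing import Optional


@dataclass(frozen=True)
class Conn:
    proto: str                   # "http" or "https"
    t_syn: int                   # client SYN sent (ms)
    t_tcp_est: Optional[int]     # TCP handshake complete; None = never established (half-open)
    t_tls_done: Optional[int]    # TLS handshake complete; None for plain HTTP or no handshake
    t_first_byte: Optional[int]  # first byte of the HTTP response at the client; None if none
    t_close: int                 # connection torn down (FIN/RST) or entry expired


def connections_per_second(conns: list[Conn], proto: str, window_s: float) -> float:
    """CPS as RFC 9411 counts it: connections that completed the TCP handshake
    inside the window, not SYNs sent. Half-open connections are excluded."""
    established = [c for c in conns if c.proto == proto and c.t_tcp_est is not None]
    return len(established) / window_s


def tls_handshake_rate(conns: list[Conn], window_s: float) -> float:
    """TLS Handshake Rate KPI: completed TLS handshakes per second, whether or
    not an HTTP transaction followed (our 'TLS-handshake-only' split)."""
    return sum(1 for c in conns if c.t_tls_done is not None) / window_s


def peak_concurrent(conns: list[Conn], established_only: bool = True) -> int:
    """Peak simultaneous connections by event sweep.

    established_only=True counts a connection from TCP establishment until
    close, which is the RFC 9411 concurrency figure. established_only=False
    counts every record from its SYN, mimicking a raw conntrack entry count
    that also holds SYN_SENT (half-open) entries and therefore overstates it.
    At equal timestamps the close sorts before the open (-1 < +1), so a
    back-to-back port reuse is not double counted."""
    events: list[tuple[int, int]] = []
    for c in conns:
        if established_only:
            if c.t_tcp_est is None:
                continue
            events.append((c.t_tcp_est, +1))
        else:
            events.append((c.t_syn, +1))
        events.append((c.t_close, -1))
    events.sort()  # (time, delta): closes precede opens at the same instant
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def ttfb_stats(conns: list[Conn], proto: str) -> dict[str, int]:
    """Time to first byte in ms, assumed here to be measured from the client
    SYN (what a client experiences through the DUT). Percentiles use the
    nearest-rank method, so every reported value is an actual sample."""
    samples = sorted(c.t_first_byte - c.t_syn for c in conns
                     if c.proto == proto and c.t_first_byte is not None)
    if not samples:
        return {}

    def pct(q: float) -> int:
        rank = max(1, math.ceil(q * len(samples)))
        return samples[rank - 1]

    return {"n": len(samples), "p50": pct(0.50), "p95": pct(0.95),
            "p99": pct(0.99), "max": samples[-1]}


def kpi_report(conns: list[Conn], window_s: float) -> dict[str, object]:
    """KPI names follow the RFC 9411 wording so the output reads like a datasheet."""
    return {
        "TCP/HTTP Connections per Second": connections_per_second(conns, "http", window_s),
        "TCP/HTTPS Connections per Second": connections_per_second(conns, "https", window_s),
        "TLS Handshake Rate": tls_handshake_rate(conns, window_s),
        "Concurrent TCP Connections (peak)": peak_concurrent(conns),
        "Conntrack entries (peak, naive)": peak_concurrent(conns, established_only=False),
        "HTTP TTFB (ms)": ttfb_stats(conns, "http"),
        "HTTPS TTFB (ms)": ttfb_stats(conns, "https"),
    }


# Constructed sample: six connections observed in a 2 s window, timestamps in ms.
SAMPLE = [
    Conn("http",  t_syn=0,   t_tcp_est=10,   t_tls_done=None, t_first_byte=30,   t_close=300),
    Conn("http",  t_syn=100, t_tcp_est=110,  t_tls_done=None, t_first_byte=140,  t_close=600),
    Conn("https", t_syn=200, t_tcp_est=210,  t_tls_done=260,  t_first_byte=300,  t_close=900),
    Conn("https", t_syn=250, t_tcp_est=260,  t_tls_done=310,  t_first_byte=330,  t_close=550),
    Conn("https", t_syn=290, t_tcp_est=300,  t_tls_done=360,  t_first_byte=450,  t_close=1200),
    Conn("http",  t_syn=700, t_tcp_est=None, t_tls_done=None, t_first_byte=None, t_close=750),  # half-open
]
WINDOW_S = 2.0

if __name__ == "__main__":
    for kpi, value in kpi_report(SAMPLE, WINDOW_S).items():
        print(f"{kpi:36s} {value}")
```

On the sample the established peak is 4 while the naive from-SYN count reaches 5, which is exactly the gap between "peak conntrack entries" and the §7.5/§7.9 figure a datasheet reports; the same sweep applied to a real conntrack dump needs the state column filtered to ESTABLISHED before it is comparable.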
RFC 9411 §7 benchmarks — coverage matrix
| RFC 9411 §7 benchmark | TLSStress.Art coverage | Where |
|---|---|---|
| §7.1 Throughput Performance with Application Traffic Mix | ✅ partial | Synthetic + cloned personas; HAR replay. Does NOT include the proprietary app-replay library Spirent/Keysight ship (Office 365, Skype, Salesforce); see the Ixia comparison |
| §7.2 TCP/HTTP Connections per Second | ✅ full | synthetic-load engine ramp + browser engine sustained |
| §7.3 HTTP Throughput | ✅ full | browser-engine + synthetic-load fleets, Annex I |
| §7.4 TCP/HTTP Transaction Latency | ✅ full | TTFB p50/p95/p99/max, Annex H |
| §7.5 Concurrent TCP/HTTP Connection Capacity | ✅ full | NAT/conntrack peak (established entries only), Annex H |
| §7.6 TCP/HTTPS Connections per Second | ✅ full | same engines as §7.2, TLS leg 2 to Caddy origins |
| §7.7 HTTPS Throughput | ✅ full | TLS leg 2 to Caddy origins, Annex I |
| §7.8 HTTPS Transaction Latency | ✅ full | TTFB p50/p95/p99/max per cipher, Annex H |
| §7.9 Concurrent TCP/HTTPS Connection Capacity | ✅ full | NAT/conntrack peak (established entries only), Annex H |
| Security effectiveness (Appendix A, CVE/exploit library), DDoS, malware | ❌ | Not a §7 benchmark and not in scope: we are not an attack-traffic generator. Future BreakingPoint-equivalent track |
Production-realism extensions (NetSecOPEN-aligned, beyond RFC 9411)
These are TLSStress.Art-original extensions that map cleanly onto NetSecOPEN's "production realism" goals without violating any RFC 9411 invariant:
- Quadrant Decomposition (Q1-Q4) — partitions the run into four traffic-shape quadrants so a single number ("HTTPS throughput") is replaced with per-quadrant breakdowns. Useful when a vendor passes the aggregate but fails specific quadrants. Annex I.
- Inspection Profile — 5 named profiles (minimal, balanced, paranoid, compliance, sandbox) that map onto subsets of the RFC 9411 §7 benchmarks. Per INSPECTION_PROFILE.md.
- Cloned Personas — real public sites cloned via the headful browser engine into the bench. Closer fidelity than synthetic patterns; complements (does not replace) HAR replay.
- Geo-CA distribution — multi-region cert chain validation, relevant for global SD-WAN deployments. Annex F.
- Airgap attestation — 5-layer L2/L3 isolation proof. Annex G.
Annex labels (cross-reference quick lookup)
For operators reading our reports against a NetSecOPEN-certified vendor datasheet:
| Annex | TLSStress.Art topic | RFC 9411 § anchored |
|---|---|---|
| F | Geo-CA distribution | n/a (original) |
| G | Airgap attestation | n/a (original) |
| H | NAT engine performance | §7.5 + §7.9 (concurrent) and §7.4 + §7.8 (latency) |
| I | Quadrant decomposition | §7.3 + §7.7 (throughput) and §7.2 + §7.6 (CPS), per quadrant |
| J | Branch Office WAN | RFC 6349 (not RFC 9411) |
| K | Inspection Profile (planned) | §7 benchmark subset |
| L | BGP routing-table saturation (planned) | n/a (original) |
What this is NOT
- Not a NetSecOPEN approved-tool listing — we are not in the consortium's certification program.
- Not a claim that our results are interchangeable with Spirent / Keysight numbers — apples-to-apples requires running both tools against the same DUT under identical conditions.
- Not a pre-test of NetSecOPEN certification — vendors needing certification still go through Spirent / Keysight; we provide a sanity-check + production-realism overlay.
Future workstreams
- NetSecOPEN consortium membership (Option D in the original memo) — under separate strategic decision.
- DDoS, malware and the RFC 9411 Appendix A security-effectiveness evaluation — needs the attack/exploit content library gap identified in the Ixia comparison.
- Per-Annex RFC 9411 §X labels in PDF report headers — small doc-only PR that adds the §X tag next to each annex title in the rendered report.