# Stress engines catalog
Canonical reference for the orthogonal stress engines that exercise the NGFW alongside the primary L7 webserver workload. Each engine targets a different inspection surface — control plane, data-plane tables, overlay tunnels, packet generation — so an operator can compose a test plan that stresses the parts their procurement profile actually cares about.
Companion to:

- `docs/DUT_TESTBED.md` — test-bed operations
- `docs/ARCHITECTURE.md` — canonical 37-MÓDULO map
- `docs/NGFW_CONFIGURATION_REFERENCE.en.md` — vendor configs
## Why orthogonal engines exist
A modern NGFW does not just decrypt TLS. It also:
- Maintains BGP / OSPF adjacencies that feed the routing table
- Forwards packets through MAC and ARP/NDP tables sized by deployment
- Terminates VPN / SDWAN tunnels (IPSec, GRE, WireGuard)
- Inspects VXLAN-encapsulated traffic in overlay deployments
- Handles ALG / NAT / inspection profile state machines under churn
- Performs packet capture, NetFlow / IPFIX export, and SIEM forwarding
Stressing only the L7 webserver path leaves 6 of 7 inspection surfaces unmeasured. The engines below close that gap.
## Engine catalog
| Engine | Inspection surface | Code path | Module | Reference ADR |
|---|---|---|---|---|
| Primary L7 (Caddy personas) | TLS 1.2 + 1.3 · HTTP/2 · HTTP/3 / QUIC · cipher negotiation · session resumption (intentionally disabled) | `webserver/`, `personas/` | persona webservers · synthetic + cloned | ADR 0001 |
| BGP saturation | Routing-table RIB capacity · UPDATE storm handling · best-path computation under churn | `control-plane-stress-agent/` (Go) · `bgp-router-peer/` (Node) | MÓDULO BGP-{1..4}.Art | ADR 0012 |
| OSPF LSA injection | Type-1/Type-2/Type-5 LSA processing · SPF recomputation · adjacency state under churn | `ospf-router-peer/` (Node) · `pkg/test-plan/` orchestration | MÓDULO OSPF.Art | ADR 0011 |
| VPN / SDWAN On-Ramp | IPSec tunnel termination · Cloud On-Ramp / DIA paths · per-tunnel SA rekey under load | `pkg/test-plan/` SDWAN scenarios · VyOS vpn-remote pods | MÓDULO SDWAN CoR-{1..10}.Art | — |
| MAC / ARP table stress | L2 forwarding table capacity · ARP / NDP table fill · CAM table eviction · hash-bucket saturation | `pkg/macarp-stress-agent/` (Go + gopacket) | MÓDULO GO.Art | ADR 0011 |
| VXLAN VTEP (TRUST-only) | Underlay VTEP processing · VNI lookup · encapsulation/decapsulation throughput · MTU handling | vyos-vtep pods (data-plane TRUST-only) | MÓDULO VXLAN-{1..3}.Art | ADR 0019 |
| HAR replay (L7 application) | Realistic session replay at scale (10k sessions/host vs ~50 for browser engine) · WAF rule firing · application-layer regression detection | `har-engine/` (Go) | MÓDULO HAR.Art | ADR 0021 |
| DPDK stateful (line-rate) | Userspace packet generation · 30 Mpps/core · 40M flows · stateful TCP/UDP/IPSec at line rate | `trex/` profiles + trex-pod (DPDK + hugepages) | MÓDULO TREX.Art | ADR 0011 |
| Throughput baseline | Apples-to-apples Gbps comparison vs vendor lab numbers · BBR-tuned host path | `iperf3-agent/` (industry-standard binary) | MÓDULO IPr.Art | — |
| Production URL Replay (PURE) | Real customer URL set against the DUT · pre-flight DUT-delta validation · PIE-PA 3-layer prod defense | `pkg/test-plan/` PURE · `har-engine/` · CLONER fn #9 | (across modules) | ADR 0021 |
| Browser engine (production realism) | Real session reuse / retry / multiplex / cache behaviour · ALPN downgrade probes · HTTP/3 QUIC under genuine session churn | `agent/` | MÓDULO PW.Art | ADR 0003 |
| Programmable load | TLS 1.3 pinned · noConnectionReuse · ECDHE+AEAD only · scriptable scenarios | `k6-agent/` | MÓDULO K6.Art | ADR 0006 |
## How they compose
Each engine runs as an independent Kubernetes Deployment on its own VLAN, attached via Multus macvlan. The NGFW under test sees:
- One L2 forwarding table being filled by MAC/ARP stress
- One routing table being filled by BGP / OSPF
- Many parallel inspection sessions from L7 + L4 + HAR + DPDK
- Configurable number of IPSec / VXLAN tunnels terminating concurrently
All metrics flow to the same Prometheus / Grafana / SNMP exporter stack. Each engine carries a stable `engine_id` label so the operator can isolate per-engine cost in the dashboards or split the report by surface.
## Which engine for which Test Kind
| Test Kind (§ ARCHITECTURE.md) | Engines exercised |
|---|---|
| `tls-throughput` | Primary L7 + Browser engine + Programmable load + Throughput baseline |
| `branch-office` | Primary L7 + Programmable load |
| `inspection-profile` | Primary L7 + Browser engine (per-profile expected behaviour) |
| `sdwan-cor` | VPN/SDWAN + Primary L7 (inside tunnels) + Programmable load (inside tunnels) |
| `bgp-saturation` | BGP saturation + Throughput baseline (path stability check) |
| `mac-arp-stress` | MAC/ARP table stress + Primary L7 (cohabitation check) |
| `pure` | Production URL Replay + HAR replay + Browser engine |
## Quick reference: how to enable each
Engines are activated per test plan via the dashboard or the `pkg/test-plan/` YAML schema. Example:

```yaml
# test plan YAML excerpt
engines:
  l7:
    enabled: true
    target: synthetic-personas-balanced
  bgp:
    enabled: true
    peers: 4
    prefixes_per_peer: 50_000   # → 200k RIB entries on DUT
  mac_arp:
    enabled: true
    rate_pps: 500
    table_target_size: 100_000
  vxlan:
    enabled: false
  har_replay:
    enabled: true
    har_source: cloned-personas/news.tlsstress.local/2026-05-12.har
    target_concurrency: 5_000
  trex_dpdk:
    enabled: false   # requires hugepages + DPDK-ready node
```
The dashboard's test-plan composer renders the same schema as a UI form; operators can toggle engines on/off and adjust per-engine knobs without writing YAML.
## Per-engine deep dives
Each engine has its own operator-facing primer:
- BGP saturation — `docs/help-center/primers/bgp-saturation.md`
- OSPF LSA injection — `docs/help-center/primers/ospf-lsa-injection.md`
- MAC / ARP table stress — `docs/help-center/primers/mac-arp-stress.md`
- VPN / SDWAN On-Ramp — `docs/help-center/primers/vpn-sdwan-onramp.md`
- VXLAN VTEP (TRUST-only) — `docs/help-center/primers/vxlan-vtep.md`
- HAR replay — `docs/help-center/primers/har-replay.md`
- TREX DPDK — `docs/help-center/primers/trex-dpdk.md`
- PURE — `docs/help-center/primers/pure-production-url-replay.md` (operator) + ADR 0021 (design)
## Verification — how to confirm each engine is actually firing
Every engine exports Prometheus metrics under the namespace `tlsstress_engine_<engine_id>`. Quick checks:

```bash
# BGP — confirm peer count + announced prefixes
kubectl exec -n web-agents deploy/bgp-router-peer-1 -- \
  vtysh -c 'show bgp summary'

# OSPF — confirm adjacency + LSA injection rate
kubectl exec -n web-agents deploy/ospf-router-peer -- \
  vtysh -c 'show ip ospf neighbor'
kubectl logs -n web-agents deploy/ospf-router-peer | grep "LSA injected"

# MAC/ARP — confirm stress agent is generating traffic
kubectl exec -n web-agents ds/macarp-stress-agent -- \
  cat /sys/class/net/net1/statistics/tx_packets   # increments
kubectl exec -n web-agents ds/macarp-stress-agent -- \
  ip neigh | wc -l   # arriving at target

# L7 (Primary) — confirm persona pods serving + agents hitting them
kubectl get pods -n persona-news -o wide
kubectl logs -n persona-news deploy/caddy --tail 20

# HAR replay — confirm har-engine pod processing the HAR
kubectl logs -n web-agents deploy/har-engine | grep "session_replayed"

# Throughput baseline — confirm iperf3 streaming
kubectl logs -n web-agents deploy/iperf3-agent | tail -20
```
NGFW-side verification depends on the vendor — see `NGFW_CONFIGURATION_REFERENCE.en.md` for the per-vendor "show" command catalog.
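The per-engine spot checks above can be folded into one operator-side check that reads the test plan and the engine metrics together. The example below is added here and is not part of the project's code: it takes a test plan shaped like the YAML excerpt in the quick reference, sums the `tlsstress_engine_*` counters per `engine_id` across two scrapes, and reports every enabled engine whose counters did not advance (or that never showed up at all). The concrete metric names and label sets are assumptions, since the page fixes only the namespace and the `engine_id` label; both scrapes are constructed.

```python
import re

# Constructed test plan mirroring the YAML excerpt above; values are illustrative.
TEST_PLAN = {"engines": {
    "l7": {"enabled": True, "target": "synthetic-personas-balanced"},
    "bgp": {"enabled": True, "peers": 4, "prefixes_per_peer": 50_000},
    "mac_arp": {"enabled": True, "rate_pps": 500, "table_target_size": 100_000},
    "vxlan": {"enabled": False},
    "har_replay": {"enabled": True, "target_concurrency": 5_000},
    "trex_dpdk": {"enabled": False},
}}

# Two constructed Prometheus text-exposition scrapes a short interval apart.
# Metric names are ASSUMED; the page fixes only the tlsstress_engine_<engine_id>
# namespace and the engine_id label. Note that l7 never appears in either scrape.
SCRAPE_T0 = """\
tlsstress_engine_bgp_updates_sent_total{engine_id="bgp",peer="1"} 120000
tlsstress_engine_bgp_updates_sent_total{engine_id="bgp",peer="2"} 118500
tlsstress_engine_mac_arp_frames_sent_total{engine_id="mac_arp"} 90000
tlsstress_engine_har_replay_sessions_replayed_total{engine_id="har_replay"} 4400
"""
SCRAPE_T1 = """\
tlsstress_engine_bgp_updates_sent_total{engine_id="bgp",peer="1"} 120000
tlsstress_engine_bgp_updates_sent_total{engine_id="bgp",peer="2"} 118500
tlsstress_engine_mac_arp_frames_sent_total{engine_id="mac_arp"} 105000
tlsstress_engine_har_replay_sessions_replayed_total{engine_id="har_replay"} 4900
"""
# One sample line of a tlsstress_engine_* counter: label block and value.
SAMPLE_RE = re.compile(r'^tlsstress_engine_\w+_total\{([^}]*)\}\s+(\d+(?:\.\d+)?)$')

def per_engine_totals(exposition: str) -> dict[str, float]:
    """Sum every tlsstress_engine_*_total sample by engine_id (HELP/TYPE
    comment lines and other metric families do not match and are skipped)."""
    totals: dict[str, float] = {}
    for line in exposition.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            labels = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
            if "engine_id" in labels:
                eid = labels["engine_id"]
                totals[eid] = totals.get(eid, 0.0) + float(m.group(2))
    return totals

def stalled_engines(plan: dict, scrape_t0: str, scrape_t1: str) -> list[str]:
    """Enabled engines whose counters did not advance between the two scrapes.
    An enabled engine absent from both scrapes is reported too (0 <= 0): its
    pod is not running, or it is not being scraped at all."""
    enabled = {key for key, cfg in plan["engines"].items() if cfg.get("enabled")}
    before, after = per_engine_totals(scrape_t0), per_engine_totals(scrape_t1)
    return sorted(e for e in enabled if after.get(e, 0.0) <= before.get(e, 0.0))
```

With the constructed inputs the check reports `bgp` (both peers' counters flat) and `l7` (enabled in the plan but absent from the scrapes), while `mac_arp` and `har_replay` pass.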
## Engine status — what's shipping vs scheduled
| Engine | Status in v3.7.0 | Wave-B follow-up |
|---|---|---|
| Primary L7 | ✅ shipping | — |
| Browser engine (production realism) | ✅ shipping | — |
| Programmable load | ✅ shipping | — |
| Throughput baseline | ✅ shipping | — |
| BGP saturation | ✅ shipping | — |
| OSPF LSA injection | ✅ shipping (`ospf-router-peer/` — OSPFv2 + OSPFv3 dual-stack, 16,384 Type-5 External LSAs per `configs/ospfv2-process.yaml` + `ospfv3-process.yaml`, graceful-restart scenario in `configs/graceful-restart.yaml`) | cross-vendor interop validation |
| MAC/ARP stress | ✅ shipping (`pkg/macarp-stress-agent/` + `control-plane-stress-agent/internal/arpgen/` + `internal/ndpgen/` IPv6 NDP variant with shared MAC pool for cross-protocol pcap correlation) | dashboard fleet-wide capacity-fill heatmap |
| HAR replay | ✅ shipping (`har-engine/`) + WAF analyser sidecar (`har-engine/cmd/waf-analyser/` Tier-3 batch E — 5-vendor signature catalog + Prometheus exposition on `:8087/metrics`) | agent-side integration (HAR-WAF-3) · syslog-source detection · dashboard WAF heatmap |
| VPN/SDWAN | ⚠️ partial — VyOS pods scaffolded, single-vendor IPSec MVP shipping (Cisco FTD). Multi-tunnel multi-vendor matrix deferred pending real DUT hardware (FortiOS / PAN-OS / Check Point licensing) — see `docs/governance/QUALITY_GATES.md` § "Queued for enrolment" | full IPSec + WireGuard + GRE matrix |
| VXLAN VTEP | ✅ scaffold shipping (`k8s/vyos-vtep/` Tier-3 batch E — underlay NAD VLAN 10 + Deployment + jumbo-frame MTU 9050/9000 + VNI range 1101..1120; OOBI VNI 254254 OFF-LIMITS per ADR 0019) | per-VNI lookup latency telemetry export (VXLAN-2) · stress driver consuming `/etc/vyos/vxlan-stress.vyos` (VXLAN-3) |
| TREX DPDK | ⚠️ scaffolded — pod manifest + profile catalog; line-rate runs require DPDK-ready hardware | full line-rate stateful matrix |
| PURE | ✅ shipping (PIE-PA 3-layer prod defense) | additional curated public URL feeds |
## Cross-references
- Patent portfolio anchored in these engines: Patent #18 (cross-language signing — applies to test plan signing across engines), patent claims on BGP / OSPF / MAC-ARP saturation patterns (#22-#24)
- ZTP-prem posture: every engine writes its run record into the sealed audit hash-chain via the license `authorize()` gate. See `SECURITY_ZTP_PREM.md`
- DOM (DUT Operating Mode): engines that touch the DUT control plane (BGP, OSPF, VPN/SDWAN, VXLAN) are gated by the DDPB chain when `dom=production` — see ADR 0014
Last verified against shipping code: v3.7.0 (2026-05-12).