X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=docs%2Freport%2Fintroduction%2Fmethodology_ipsec.rst;h=ce10bd2a55bf415c72fff52d7b749fedde1cc6be;hb=2f469fe522e694c4b73db397244772e29eb5f9bb;hp=99119e18d098c2b75aed1c6cdaf14036abcb9638;hpb=c10980893443b59c464deb6cd0d66d5be972593f;p=csit.git diff --git a/docs/report/introduction/methodology_ipsec.rst b/docs/report/introduction/methodology_ipsec.rst index 99119e18d0..ce10bd2a55 100644 --- a/docs/report/introduction/methodology_ipsec.rst +++ b/docs/report/introduction/methodology_ipsec.rst @@ -24,7 +24,7 @@ on VPP native crypto (`crypto_native` plugin): +-------------------+------------------+----------------+------------------+ VPP IPsec with SW crypto are executed in both tunnel and policy modes, -with tests running on 3-node testbeds: 3n-skx. +with tests running on 3-node testbeds: 3n-skx, 3n-tsh. IPsec with Intel QAT HW ^^^^^^^^^^^^^^^^^^^^^^^ @@ -47,7 +47,41 @@ dpdk_cryptodev | crypto_ipsecmb | async/crypto worker | AES[128]-CBC | SHA[256|512] | 1, 4, 1k tunnels | +-------------------+---------------------+------------------+----------------+------------------+ -.. - VPP IPsec with HW crypto are executed in both tunnel and policy modes, - with tests running on 3-node Haswell testbeds (3n-hsw), as these are the - only testbeds equipped with Intel QAT cards. +IPsec with Async Crypto Feature Workers +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +*TODO Description to be added* + +IPsec Uni-Directional Tests with VPP Native SW Crypto +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Currently |csit-release| implements following IPsec uni-directional test cases +relying on VPP native crypto (`crypto_native` plugin) in tunnel mode: + ++-------------------+------------------+---------------+--------------------+ +| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested | ++===================+==================+===============+====================+ +| crypto_native | AES[128|256]-GCM | GCM | 4, 1k, 10k tunnels | ++-------------------+------------------+---------------+--------------------+ +| crypto_native | AES128-CBC | SHA[512] | 4, 1k, 10k tunnels | ++-------------------+------------------+---------------+--------------------+ + +In policy mode: ++-------------------+----------------+---------------+-------------------+ +| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested | ++===================+================+===============+===================+ +| crypto_native | AES[256]-GCM | GCM | 1, 40, 1k tunnels | ++-------------------+----------------+---------------+-------------------+ + +The tests are running on 2-node testbeds: 2n-tx2. The uni-directional tests +are partially addressing a weakness in 2-node testbed setups with T-Rex as +the traffic generator. With just one DUT node, we can either encrypt or decrypt +traffic in each direction. + +The testcases are only doing encryption - packets are encrypted on the DUT and +then arrive at TG where no additional packet processing is needed (just +counting packets). + +Decryption would require that the traffic generator generated encrypted packets +which the DUT then would decrypt. However, T-Rex does not have the capability +to encrypt packets.