title: "Internet Protocol Security (IPsec)"

# Internet Protocol Security (IPsec)

VPP IPsec performance tests are executed for the following crypto

- `crypto_native`, used for software based crypto leveraging CPU
  platform optimizations e.g. Intel's AES-NI instruction set.
- `crypto_ipsecmb`, used for hardware based crypto with Intel QAT PCIe

## IPsec with VPP Native SW Crypto

CSIT implements the following IPsec test cases relying on VPP native crypto
(`crypto_native` plugin):

**VPP Crypto Engine** | **ESP Encryption** | **ESP Integrity** | **Scale Tested**
----------------------:|-------------------:|------------------:|-----------------:
crypto_native | AES[128\|256]-GCM | GCM | 1 to 60k tunnels
crypto_native | AES128-CBC | SHA[256\|512] | 1 to 60k tunnels

VPP IPsec tests with SW crypto are executed in both tunnel and policy modes,
with tests running on 3-node testbeds: 3n-icx, 3n-tsh.

## IPsec with Intel QAT HW

CSIT implements the following IPsec test cases relying on the ipsecmb library
(`crypto_ipsecmb` plugin) and Intel QAT 8950 (50G HW crypto card):

**VPP Crypto Engine** | **VPP Crypto Workers** | **ESP Encryption** | **ESP Integrity** | **Scale Tested**
----------------------:|-----------------------:|-------------------:|------------------:|-----------------:
crypto_ipsecmb | sync/all workers | AES[128\|256]-GCM | GCM | 1, 1k tunnels
crypto_ipsecmb | sync/all workers | AES[128]-CBC | SHA[256\|512] | 1, 1k tunnels
crypto_ipsecmb | async/crypto worker | AES[128\|256]-GCM | GCM | 1, 4, 1k tunnels
crypto_ipsecmb | async/crypto worker | AES[128]-CBC | SHA[256\|512] | 1, 4, 1k tunnels

## IPsec with Async Crypto Feature Workers

*TODO Description to be added*

## IPsec Uni-Directional Tests with VPP Native SW Crypto

CSIT implements the following IPsec uni-directional test cases relying on VPP native
crypto (`crypto_native` plugin) in tunnel mode:

**VPP Crypto Engine** | **ESP Encryption** | **ESP Integrity** | **Scale Tested**
----------------------:|-------------------:|------------------:|-------------------:
crypto_native | AES[128\|256]-GCM | GCM | 4, 1k, 10k tunnels
crypto_native | AES128-CBC | SHA[512] | 4, 1k, 10k tunnels

**VPP Crypto Engine** | **ESP Encryption** | **ESP Integrity** | **Scale Tested**
----------------------:|-------------------:|------------------:|------------------:
crypto_native | AES[256]-GCM | GCM | 1, 40, 1k tunnels

The tests run on 2-node testbeds: 2n-tx2. The uni-directional tests
partially address a weakness in 2-node testbed setups with T-Rex as
the traffic generator. With just one DUT node, we can either encrypt or decrypt
traffic in each direction.

The test cases only do encryption - packets are encrypted on the DUT and
then arrive at the TG, where no additional packet processing is needed (just

Decryption would require the traffic generator to generate encrypted packets,
which the DUT would then decrypt. However, T-Rex does not have the capability