C-Docs: New structure
---
title: "Internet Protocol Security"
weight: 4
---

# Internet Protocol Security

VPP Internet Protocol Security (IPsec) performance tests are executed for the
following crypto plugins:

- `crypto_native`, used for software-based crypto leveraging CPU
  platform optimizations, e.g. Intel's AES-NI instruction set.
- `crypto_ipsecmb`, used for hardware-based crypto with Intel QAT PCIe cards.

## IPsec with VPP Native SW Crypto

CSIT implements the following IPsec test cases relying on VPP native crypto
(`crypto_native` plugin):

 **VPP Crypto Engine** | **ESP Encryption** | **ESP Integrity** | **Scale Tested**
----------------------:|-------------------:|------------------:|-----------------:
 crypto_native         | AES[128\|256]-GCM  | GCM               | 1 to 60k tunnels
 crypto_native         | AES128-CBC         | SHA[256\|512]     | 1 to 60k tunnels

VPP IPsec tests with SW crypto are executed in both tunnel and policy modes,
with tests running on 3-node testbeds: 3n-icx, 3n-tsh.

## IPsec with Intel QAT HW

CSIT implements the following IPsec test cases relying on the ipsecmb library
(`crypto_ipsecmb` plugin) and Intel QAT 8950 (50G HW crypto card):

dpdk_cryptodev

 **VPP Crypto Engine** | **VPP Crypto Workers** | **ESP Encryption** | **ESP Integrity** | **Scale Tested**
----------------------:|-----------------------:|-------------------:|------------------:|-----------------:
 crypto_ipsecmb        | sync/all workers       | AES[128\|256]-GCM  | GCM               | 1, 1k tunnels
 crypto_ipsecmb        | sync/all workers       | AES[128]-CBC       | SHA[256\|512]     | 1, 1k tunnels
 crypto_ipsecmb        | async/crypto worker    | AES[128\|256]-GCM  | GCM               | 1, 4, 1k tunnels
 crypto_ipsecmb        | async/crypto worker    | AES[128]-CBC       | SHA[256\|512]     | 1, 4, 1k tunnels

## IPsec with Async Crypto Feature Workers

*TODO Description to be added*

## IPsec Uni-Directional Tests with VPP Native SW Crypto

CSIT implements the following IPsec uni-directional test cases relying on VPP
native crypto (`crypto_native` plugin) in tunnel mode:

 **VPP Crypto Engine** | **ESP Encryption** | **ESP Integrity** | **Scale Tested**
----------------------:|-------------------:|------------------:|-------------------:
 crypto_native         | AES[128\|256]-GCM  | GCM               | 4, 1k, 10k tunnels
 crypto_native         | AES128-CBC         | SHA[512]          | 4, 1k, 10k tunnels

In policy mode:

 **VPP Crypto Engine** | **ESP Encryption** | **ESP Integrity** | **Scale Tested**
----------------------:|-------------------:|------------------:|------------------:
 crypto_native         | AES[256]-GCM       | GCM               | 1, 40, 1k tunnels

The tests run on 2-node testbeds: 2n-tx2. The uni-directional tests
partially address a weakness in 2-node testbed setups with T-Rex as
the traffic generator. With just one DUT node, we can either encrypt or decrypt
traffic in each direction.

The test cases only perform encryption: packets are encrypted on the DUT and
then arrive at the TG, where no additional packet processing is needed (just
counting packets).

Decryption would require the traffic generator to generate encrypted packets,
which the DUT would then decrypt. However, T-Rex does not have the capability
to encrypt packets.