feat(Docs): Update few sections
[csit.git] / docs / report / introduction / methodology_ipsec.rst
Internet Protocol Security (IPsec)
----------------------------------

VPP IPsec performance tests are executed for the following crypto
plugins:

- `crypto_native`, used for software-based crypto leveraging CPU
  platform optimizations, e.g. Intel's AES-NI instruction set.
- `crypto_ipsecmb`, used for hardware-based crypto with Intel QAT PCIe
  cards.

IPsec with VPP Native SW Crypto
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Currently |csit-release| implements the following IPsec test cases relying
on VPP native crypto (`crypto_native` plugin):

+-------------------+------------------+----------------+------------------+
| VPP Crypto Engine | ESP Encryption   | ESP Integrity  | Scale Tested     |
+===================+==================+================+==================+
| crypto_native     | AES[128|256]-GCM | GCM            | 1 to 60k tunnels |
+-------------------+------------------+----------------+------------------+
| crypto_native     | AES128-CBC       | SHA[256|512]   | 1 to 60k tunnels |
+-------------------+------------------+----------------+------------------+

VPP IPsec tests with SW crypto are executed in both tunnel and policy modes,
with tests running on 3-node testbeds: 3n-skx, 3n-tsh.

IPsec with Intel QAT HW
^^^^^^^^^^^^^^^^^^^^^^^

Currently |csit-release| implements the following IPsec test cases relying
on the ipsecmb library (`crypto_ipsecmb` plugin) and Intel QAT 8950 (50G HW
crypto card):

dpdk_cryptodev

+-------------------+---------------------+------------------+----------------+------------------+
| VPP Crypto Engine | VPP Crypto Workers  | ESP Encryption   | ESP Integrity  | Scale Tested     |
+===================+=====================+==================+================+==================+
| crypto_ipsecmb    | sync/all workers    | AES[128|256]-GCM | GCM            | 1, 1k tunnels    |
+-------------------+---------------------+------------------+----------------+------------------+
| crypto_ipsecmb    | sync/all workers    | AES[128]-CBC     | SHA[256|512]   | 1, 1k tunnels    |
+-------------------+---------------------+------------------+----------------+------------------+
| crypto_ipsecmb    | async/crypto worker | AES[128|256]-GCM | GCM            | 1, 4, 1k tunnels |
+-------------------+---------------------+------------------+----------------+------------------+
| crypto_ipsecmb    | async/crypto worker | AES[128]-CBC     | SHA[256|512]   | 1, 4, 1k tunnels |
+-------------------+---------------------+------------------+----------------+------------------+

IPsec with Async Crypto Feature Workers
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

*TODO Description to be added*

IPsec Uni-Directional Tests with VPP Native SW Crypto
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Currently |csit-release| implements the following IPsec uni-directional test
cases relying on VPP native crypto (`crypto_native` plugin) in tunnel mode:

+-------------------+------------------+---------------+--------------------+
| VPP Crypto Engine | ESP Encryption   | ESP Integrity | Scale Tested       |
+===================+==================+===============+====================+
| crypto_native     | AES[128|256]-GCM | GCM           | 4, 1k, 10k tunnels |
+-------------------+------------------+---------------+--------------------+
| crypto_native     | AES128-CBC       | SHA[512]      | 4, 1k, 10k tunnels |
+-------------------+------------------+---------------+--------------------+

In policy mode:

+-------------------+----------------+---------------+-------------------+
| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested      |
+===================+================+===============+===================+
| crypto_native     | AES[256]-GCM   | GCM           | 1, 40, 1k tunnels |
+-------------------+----------------+---------------+-------------------+

The tests run on 2-node testbeds: 2n-tx2. The uni-directional tests
partially address a weakness in 2-node testbed setups with T-Rex as
the traffic generator. With just one DUT node, we can either encrypt or decrypt
traffic in each direction.

The test cases only perform encryption: packets are encrypted on the DUT and
then arrive at the TG, where no additional packet processing is needed (just
counting packets).

Decryption would require the traffic generator to generate encrypted packets,
which the DUT would then decrypt. However, T-Rex does not have the capability
to encrypt packets.