Add 100k tunnels ipsec policy mode with fastpath enabled test suite

Signed-off-by: xinfeng zhao <xinfengx.zhao@intel.com>
Signed-off-by: Yulong Pei <yulong.pei@intel.com>
Change-Id: I3708253adf4c7421ff48eee6aefb735b39726359

diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py
index 9c5337b..363558d 100644 (file)
--- a/resources/libraries/python/IPsecUtil.py
+++ b/resources/libraries/python/IPsecUtil.py
@@ -1887,10 +1887,6 @@ class IPsecUtil:
         sa_id_2 = 200000
         spi_1 = 300000
         spi_2 = 400000
-        dut1_local_outbound_range = ip_network(f"{tunnel_ip1}/8", False).\
-            with_prefixlen
-        dut1_remote_outbound_range = ip_network(f"{tunnel_ip2}/8", False).\
-            with_prefixlen
 
         crypto_key = gen_key(
             IPsecUtil.get_crypto_alg_key_len(crypto_alg)
@@ -1908,16 +1904,27 @@ class IPsecUtil:
 
         IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT1"], spd_id)
         IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT1"], spd_id, interface1)
-        IPsecUtil.vpp_ipsec_add_spd_entry(
-            nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=False,
-            proto=50, laddr_range=dut1_local_outbound_range,
-            raddr_range=dut1_remote_outbound_range
-        )
-        IPsecUtil.vpp_ipsec_add_spd_entry(
-            nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=True,
-            proto=50, laddr_range=dut1_remote_outbound_range,
-            raddr_range=dut1_local_outbound_range
-        )
+
+        addr_incr = 1 << (128 - 96) if ip_address(tunnel_ip1).version == 6 \
+            else 1 << (32 - 24)
+        for i in range(n_tunnels//(addr_incr**2)+1):
+            dut1_local_outbound_range = \
+                ip_network(f"{ip_address(tunnel_ip1) + i*(addr_incr**3)}/8",
+                False).with_prefixlen
+            dut1_remote_outbound_range = \
+                ip_network(f"{ip_address(tunnel_ip2) + i*(addr_incr**3)}/8",
+                False).with_prefixlen
+
+            IPsecUtil.vpp_ipsec_add_spd_entry(
+                nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=False,
+                proto=50, laddr_range=dut1_local_outbound_range,
+                raddr_range=dut1_remote_outbound_range
+            )
+            IPsecUtil.vpp_ipsec_add_spd_entry(
+                nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=True,
+                proto=50, laddr_range=dut1_remote_outbound_range,
+                raddr_range=dut1_local_outbound_range
+            )
 
         IPsecUtil.vpp_ipsec_add_sad_entries(
             nodes[u"DUT1"], n_tunnels, sa_id_1, spi_1, crypto_alg, crypto_key,
@@ -1950,16 +1957,24 @@ class IPsecUtil:
 
             IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT2"], spd_id)
             IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT2"], spd_id, interface2)
-            IPsecUtil.vpp_ipsec_add_spd_entry(
-                nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS,
-                inbound=False, proto=50, laddr_range=dut1_remote_outbound_range,
-                raddr_range=dut1_local_outbound_range
-            )
-            IPsecUtil.vpp_ipsec_add_spd_entry(
-                nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS,
-                inbound=True, proto=50, laddr_range=dut1_local_outbound_range,
-                raddr_range=dut1_remote_outbound_range
-            )
+            for i in range(n_tunnels//(addr_incr**2)+1):
+                dut2_local_outbound_range = \
+                    ip_network(f"{ip_address(tunnel_ip1) + i*(addr_incr**3)}/8",
+                    False).with_prefixlen
+                dut2_remote_outbound_range = \
+                    ip_network(f"{ip_address(tunnel_ip2) + i*(addr_incr**3)}/8",
+                    False).with_prefixlen
+
+                IPsecUtil.vpp_ipsec_add_spd_entry(
+                    nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS,
+                    inbound=False, proto=50, laddr_range=dut2_remote_outbound_range,
+                    raddr_range=dut2_local_outbound_range
+                )
+                IPsecUtil.vpp_ipsec_add_spd_entry(
+                    nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS,
+                    inbound=True, proto=50, laddr_range=dut2_local_outbound_range,
+                    raddr_range=dut2_remote_outbound_range
+                )
 
             IPsecUtil.vpp_ipsec_add_sad_entries(
                 nodes[u"DUT2"], n_tunnels, sa_id_1, spi_1, crypto_alg,

diff --git a/resources/libraries/python/VPPUtil.py b/resources/libraries/python/VPPUtil.py
index daeb568..0c60361 100644 (file)
--- a/resources/libraries/python/VPPUtil.py
+++ b/resources/libraries/python/VPPUtil.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 Cisco and/or its affiliates.
+# Copyright (c) 2023 Cisco and/or its affiliates.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at:
@@ -410,3 +410,20 @@ class VPPUtil:
             reply = papi_exec.add(cmd, **args).get_reply()
 
         return reply[u"next_index"]
+
+    @staticmethod
+    def vpp_set_neighbor_limit_on_all_duts(nodes, count):
+        """VPP set neighbor count limit on all DUTs in the given topology.
+
+        :param nodes: Nodes in the topology.
+        :param count: Neighbor count need to set.
+        :type nodes: dict
+        :type count: int
+        """
+        for node in nodes.values():
+            if node[u"type"] == NodeType.DUT:
+                cmd = f"set ip neighbor-config ip4 limit {count}"
+                PapiSocketExecutor.run_cli_cmd(node, cmd)
+
+                cmd = f"set ip neighbor-config ip6 limit {count}"
+                PapiSocketExecutor.run_cli_cmd(node, cmd)

diff --git a/tests/vpp/perf/crypto/10ge2p1x710-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr.robot b/tests/vpp/perf/crypto/10ge2p1x710-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr.robot
new file mode 100644 (file)
index 0000000..a45dd7d
--- /dev/null
+++ b/tests/vpp/perf/crypto/10ge2p1x710-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr.robot
@@ -0,0 +1,178 @@
+# Copyright (c) 2023 Intel and/or its affiliates.
+# Copyright (c) 2023 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Resource | resources/libraries/robot/shared/default.robot
+| Resource | resources/libraries/robot/crypto/ipsec.robot
+|
+| Force Tags | 3_NODE_SINGLE_LINK_TOPO | PERFTEST | HW_ENV | NDRPDR | TNL_100000
+| ... | IP4FWD | IPSEC | IPSECSW | IPSECTUN | FASTPATH | NIC_Intel-X710 | SCALE
+| ... | AES_256_GCM | AES | DRV_VFIO_PCI
+| ... | RXQ_SIZE_0 | TXQ_SIZE_0
+| ... | ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm
+|
+| Suite Setup | Setup suite topology interfaces | performance
+| Suite Teardown | Tear down suite | performance
+| Test Setup | Setup test | performance
+| Test Teardown | Tear down test | performance
+|
+| Test Template | Local Template
+|
+| Documentation | **IPv4 IPsec tunnel mode performance test suite.**
+| ... |
+| ... | - **[Top] Network Topologies:** TG-DUT1-DUT2-TG 3-node circular \
+| ... | topology with single links between nodes.
+| ... |
+| ... | - **[Enc] Packet Encapsulations:** Eth-IPv4 on TG-DUTn, \
+| ... | Eth-IPv4-IPSec on DUT1-DUT2.
+| ... |
+| ... | - **[Cfg] DUT configuration:** DUT1 and DUT2 are configured with \
+| ... | multiple IPsec tunnels between them. DUTs get IPv4 traffic from TG, \
+| ... | encrypt it and send to another DUT, where packets are decrypted and \
+| ... | sent back to TG.
+| ... |
+| ... | - **[Ver] TG verification:** TG finds and reports throughput NDR (Non \
+| ... | Drop Rate) with zero packet loss tolerance and throughput PDR \
+| ... | (Partial Drop Rate) with non-zero packet loss tolerance (LT) \
+| ... | expressed in percentage of packets transmitted. NDR and PDR are \
+| ... | discovered for different Ethernet L2 frame sizes using MLRsearch \
+| ... | library.
+| ... | Test packets are generated by TG on \
+| ... | links to DUTs. TG traffic profile contains two L3 flow-groups \
+| ... | (flow-group per direction, number of flows per flow-group equals to \
+| ... | number of IPSec tunnels) with all packets \
+| ... | containing Ethernet header, IPv4 header with IP protocol=61 and \
+| ... | static payload. MAC addresses are matching MAC addresses of the TG \
+| ... | node interfaces. Incrementing of IP.dst (IPv4 destination address) \
+| ... | is applied to both streams.
+| ... |
+| ... | - **[Ref] Applicable standard specifications:** RFC4303 and RFC2544.
+
+*** Variables ***
+| @{plugins_to_enable}= | dpdk_plugin.so | perfmon_plugin.so
+| ... | crypto_native_plugin.so
+| ... | crypto_ipsecmb_plugin.so | crypto_openssl_plugin.so
+| ${crypto_type}= | ${None}
+| ${nic_name}= | Intel-X710
+| ${nic_driver}= | vfio-pci
+| ${nic_rxq_size}= | 0
+| ${nic_txq_size}= | 0
+| ${nic_pfs}= | 2
+| ${nic_vfs}= | 0
+| ${osi_layer}= | L3
+| ${overhead}= | ${54}
+| ${tg_if1_ip4}= | 192.168.10.254
+| ${dut1_if1_ip4}= | 192.168.10.11
+| ${dut1_if2_ip4}= | 100.0.0.1
+| ${dut2_if1_ip4}= | 200.0.0.102
+| ${dut2_if2_ip4}= | 192.168.20.11
+| ${tg_if2_ip4}= | 192.168.20.254
+| ${raddr_ip4}= | 20.0.0.0
+| ${laddr_ip4}= | 10.0.0.0
+| ${addr_range}= | ${24}
+| ${n_tunnels}= | ${100000}
+# Main heap size multiplicator
+| ${heap_size_mult}= | ${4}
+# Traffic profile:
+| ${traffic_profile}= | trex-stl-3n-ethip4-ip4dst${n_tunnels}
+
+*** Keywords ***
+| Local Template
+| | [Documentation]
+| | ... | - **[Cfg]** DUT runs IPSec tunneling AES_256_GCM config. \
+| | ... | Each DUT uses ${phy_cores} physical core(s) for worker threads.
+| | ... | - **[Ver]** Measure NDR and PDR values using MLRsearch algorithm.
+| |
+| | ... | *Arguments:*
+| | ... | - frame_size - Framesize in Bytes in integer or string (IMIX_v4_1).
+| | ... | Type: integer, string
+| | ... | - phy_cores - Number of physical cores. Type: integer
+| | ... | - search_type - NDR or PDR. Type: string
+| | ... | - rxq - Number of RX queues, default value: ${None}. Type: integer
+| | ... | - min_rate - Min rate for binary search, default value: ${50000}.
+| | ... | Type: integer
+| |
+| | [Arguments] | ${frame_size} | ${phy_cores} | ${rxq}=${None}
+| |
+| | Set Test Variable | \${frame_size}
+| |
+| | # These are enums (not strings) so they cannot be in Variables table.
+| | ${encr_alg}= | Crypto Alg AES GCM 256
+| | ${auth_alg}= | Set Variable | ${NONE}
+| | ${ipsec_proto}= | IPsec Proto ESP
+| |
+| | Given Set Max Rate And Jumbo
+| | And Add worker threads to all DUTs | ${phy_cores} | ${rxq}
+| | And Pre-initialize layer driver | ${nic_driver}
+| | And Enable IPsec SPD Fast Path IPv4 Inbound And Outbound
+| | ... | ${${n_tunnels}*10}
+| | And Apply startup configuration on all VPP DUTs
+| | When Initialize layer driver | ${nic_driver}
+| | And Initialize layer interface
+| | And VPP Set Neighbor Limit on all DUTs | ${nodes} | ${${n_tunnels}*2}
+| | And Initialize IPSec in 3-node circular topology
+| | And VPP IPsec Add Multiple Tunnels
+| | ... | ${nodes} | ${DUT1_${int}2}[0] | ${DUT2_${int}1}[0] | ${n_tunnels}
+| | ... | ${encr_alg} | ${auth_alg} | ${dut1_if2_ip4} | ${dut2_if1_ip4}
+| | ... | ${laddr_ip4} | ${raddr_ip4} | ${addr_range}
+| | Then Find NDR and PDR intervals using optimized search
+
+*** Test Cases ***
+| 64B-1c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 64B | 1C
+| | frame_size=${64} | phy_cores=${1}
+
+| 64B-2c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 64B | 2C
+| | frame_size=${64} | phy_cores=${2}
+
+| 64B-4c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 64B | 4C
+| | frame_size=${64} | phy_cores=${4}
+
+| 1518B-1c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 1518B | 1C
+| | frame_size=${1518} | phy_cores=${1}
+
+| 1518B-2c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 1518B | 2C
+| | frame_size=${1518} | phy_cores=${2}
+
+| 1518B-4c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 1518B | 4C
+| | frame_size=${1518} | phy_cores=${4}
+
+| 9000B-1c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 9000B | 1C
+| | frame_size=${9000} | phy_cores=${1}
+
+| 9000B-2c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 9000B | 2C
+| | frame_size=${9000} | phy_cores=${2}
+
+| 9000B-4c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | 9000B | 4C
+| | frame_size=${9000} | phy_cores=${4}
+
+| IMIX-1c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | IMIX | 1C
+| | frame_size=IMIX_v4_1 | phy_cores=${1}
+
+| IMIX-2c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | IMIX | 2C
+| | frame_size=IMIX_v4_1 | phy_cores=${2}
+
+| IMIX-4c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr
+| | [Tags] | IMIX | 4C
+| | frame_size=IMIX_v4_1 | phy_cores=${4}