From dea4d7ff2a1b662cde1587b3a8d6c3d832f4920e Mon Sep 17 00:00:00 2001 From: =?utf8?q?Juraj=20Linke=C5=A1?= Date: Thu, 15 Jul 2021 11:27:03 +0200 Subject: [PATCH] Report: IPsec udir methodology MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Update IPsec uni-directional tests methodology. Remove Deep SPD Policy section as these tests are not in the report. Change-Id: Idca538a03a05e12130c7d786c098b218fa88f7ef Signed-off-by: Juraj Linkeš --- docs/report/introduction/methodology_ipsec.rst | 45 +++++++++++++++++++------- 1 file changed, 34 insertions(+), 11 deletions(-) diff --git a/docs/report/introduction/methodology_ipsec.rst b/docs/report/introduction/methodology_ipsec.rst index 2e6a324c3f..ce10bd2a55 100644 --- a/docs/report/introduction/methodology_ipsec.rst +++ b/docs/report/introduction/methodology_ipsec.rst @@ -24,7 +24,7 @@ on VPP native crypto (`crypto_native` plugin): +-------------------+------------------+----------------+------------------+ VPP IPsec with SW crypto are executed in both tunnel and policy modes, -with tests running on 3-node testbeds: 3n-skx. +with tests running on 3-node testbeds: 3n-skx, 3n-tsh. IPsec with Intel QAT HW ^^^^^^^^^^^^^^^^^^^^^^^ @@ -52,13 +52,36 @@ IPsec with Async Crypto Feature Workers *TODO Description to be added* -IPsec Uni-Directional Tests -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -*TODO Description to be added* - - -IPsec Deep SPD Policy Tests -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -*TODO Description to be added* +IPsec Uni-Directional Tests with VPP Native SW Crypto +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Currently |csit-release| implements following IPsec uni-directional test cases +relying on VPP native crypto (`crypto_native` plugin) in tunnel mode: + ++-------------------+------------------+---------------+--------------------+ +| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested | ++===================+==================+===============+====================+ +| crypto_native | AES[128|256]-GCM | GCM | 4, 1k, 10k tunnels | ++-------------------+------------------+---------------+--------------------+ +| crypto_native | AES128-CBC | SHA[512] | 4, 1k, 10k tunnels | ++-------------------+------------------+---------------+--------------------+ + +In policy mode: ++-------------------+----------------+---------------+-------------------+ +| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested | ++===================+================+===============+===================+ +| crypto_native | AES[256]-GCM | GCM | 1, 40, 1k tunnels | ++-------------------+----------------+---------------+-------------------+ + +The tests are running on 2-node testbeds: 2n-tx2. The uni-directional tests +are partially addressing a weakness in 2-node testbed setups with T-Rex as +the traffic generator. With just one DUT node, we can either encrypt or decrypt +traffic in each direction. + +The testcases are only doing encryption - packets are encrypted on the DUT and +then arrive at TG where no additional packet processing is needed (just +counting packets). + +Decryption would require that the traffic generator generated encrypted packets +which the DUT then would decrypt. However, T-Rex does not have the capability +to encrypt packets. -- 2.16.6