aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuraj Linkeš <juraj.linkes@pantheon.tech>2021-07-15 11:27:03 +0200
committerTibor Frank <tifrank@cisco.com>2021-07-22 10:14:58 +0000
commit966e9b8012dd79e01abc28fd339ddaa82d4dffc4 (patch)
tree5ff773a18c009aff6f7e270378418dfa945a6438
parent81e2c5626e09805682b4d94e4ef4ae099c6633ed (diff)
Report: IPsec udir methodology
Update IPsec uni-directional tests methodology. Remove Deep SPD Policy section as these tests are not in the report. Change-Id: Idca538a03a05e12130c7d786c098b218fa88f7ef Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech> (cherry picked from commit dea4d7ff2a1b662cde1587b3a8d6c3d832f4920e)
-rw-r--r--docs/report/introduction/methodology_ipsec.rst45
1 files changed, 34 insertions, 11 deletions
diff --git a/docs/report/introduction/methodology_ipsec.rst b/docs/report/introduction/methodology_ipsec.rst
index 2e6a324c3f..ce10bd2a55 100644
--- a/docs/report/introduction/methodology_ipsec.rst
+++ b/docs/report/introduction/methodology_ipsec.rst
@@ -24,7 +24,7 @@ on VPP native crypto (`crypto_native` plugin):
+-------------------+------------------+----------------+------------------+
VPP IPsec with SW crypto are executed in both tunnel and policy modes,
-with tests running on 3-node testbeds: 3n-skx.
+with tests running on 3-node testbeds: 3n-skx, 3n-tsh.
IPsec with Intel QAT HW
^^^^^^^^^^^^^^^^^^^^^^^
@@ -52,13 +52,36 @@ IPsec with Async Crypto Feature Workers
*TODO Description to be added*
-IPsec Uni-Directional Tests
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-*TODO Description to be added*
-
-
-IPsec Deep SPD Policy Tests
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-*TODO Description to be added*
+IPsec Uni-Directional Tests with VPP Native SW Crypto
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Currently |csit-release| implements following IPsec uni-directional test cases
+relying on VPP native crypto (`crypto_native` plugin) in tunnel mode:
+
++-------------------+------------------+---------------+--------------------+
+| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested |
++===================+==================+===============+====================+
+| crypto_native | AES[128|256]-GCM | GCM | 4, 1k, 10k tunnels |
++-------------------+------------------+---------------+--------------------+
+| crypto_native | AES128-CBC | SHA[512] | 4, 1k, 10k tunnels |
++-------------------+------------------+---------------+--------------------+
+
+In policy mode:
++-------------------+----------------+---------------+-------------------+
+| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested |
++===================+================+===============+===================+
+| crypto_native | AES[256]-GCM | GCM | 1, 40, 1k tunnels |
++-------------------+----------------+---------------+-------------------+
+
+The tests are running on 2-node testbeds: 2n-tx2. The uni-directional tests
+are partially addressing a weakness in 2-node testbed setups with T-Rex as
+the traffic generator. With just one DUT node, we can either encrypt or decrypt
+traffic in each direction.
+
+The testcases are only doing encryption - packets are encrypted on the DUT and
+then arrive at TG where no additional packet processing is needed (just
+counting packets).
+
+Decryption would require that the traffic generator generated encrypted packets
+which the DUT then would decrypt. However, T-Rex does not have the capability
+to encrypt packets.