diff options
| author |   Juraj Linkeš <juraj.linkes@pantheon.tech> | 2021-07-15 11:27:03 +0200 |
|---|---|---|
| committer |   Tibor Frank <tifrank@cisco.com> | 2021-07-22 10:14:58 +0000 |
| commit | 966e9b8012dd79e01abc28fd339ddaa82d4dffc4 (patch) | |
| tree | 5ff773a18c009aff6f7e270378418dfa945a6438 | |
| parent | 81e2c5626e09805682b4d94e4ef4ae099c6633ed (diff) | |
Report: IPsec udir methodology
Update IPsec uni-directional tests methodology.
Remove Deep SPD Policy section as these tests are not in the report.
Change-Id: Idca538a03a05e12130c7d786c098b218fa88f7ef
Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
(cherry picked from commit dea4d7ff2a1b662cde1587b3a8d6c3d832f4920e)
| -rw-r--r-- | docs/report/introduction/methodology_ipsec.rst | 45 |
1 files changed, 34 insertions, 11 deletions
diff --git a/docs/report/introduction/methodology_ipsec.rst b/docs/report/introduction/methodology_ipsec.rst index 2e6a324c3f..ce10bd2a55 100644 --- a/docs/report/introduction/methodology_ipsec.rst +++ b/docs/report/introduction/methodology_ipsec.rst @@ -24,7 +24,7 @@ on VPP native crypto (`crypto_native` plugin): +-------------------+------------------+----------------+------------------+ VPP IPsec with SW crypto are executed in both tunnel and policy modes, -with tests running on 3-node testbeds: 3n-skx. +with tests running on 3-node testbeds: 3n-skx, 3n-tsh. IPsec with Intel QAT HW ^^^^^^^^^^^^^^^^^^^^^^^ @@ -52,13 +52,36 @@ IPsec with Async Crypto Feature Workers *TODO Description to be added* -IPsec Uni-Directional Tests -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -*TODO Description to be added* - - -IPsec Deep SPD Policy Tests -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -*TODO Description to be added* +IPsec Uni-Directional Tests with VPP Native SW Crypto +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Currently |csit-release| implements following IPsec uni-directional test cases +relying on VPP native crypto (`crypto_native` plugin) in tunnel mode: + ++-------------------+------------------+---------------+--------------------+ +| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested | ++===================+==================+===============+====================+ +| crypto_native | AES[128|256]-GCM | GCM | 4, 1k, 10k tunnels | ++-------------------+------------------+---------------+--------------------+ +| crypto_native | AES128-CBC | SHA[512] | 4, 1k, 10k tunnels | ++-------------------+------------------+---------------+--------------------+ + +In policy mode: ++-------------------+----------------+---------------+-------------------+ +| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested | ++===================+================+===============+===================+ +| crypto_native | AES[256]-GCM | GCM | 1, 40, 1k tunnels | ++-------------------+----------------+---------------+-------------------+ + +The tests are running on 2-node testbeds: 2n-tx2. The uni-directional tests +are partially addressing a weakness in 2-node testbed setups with T-Rex as +the traffic generator. With just one DUT node, we can either encrypt or decrypt +traffic in each direction. + +The testcases are only doing encryption - packets are encrypted on the DUT and +then arrive at TG where no additional packet processing is needed (just +counting packets). + +Decryption would require that the traffic generator generated encrypted packets +which the DUT then would decrypt. However, T-Rex does not have the capability +to encrypt packets. |