aboutsummaryrefslogtreecommitdiffstats
path: root/docs/report/introduction/methodology_ipsec.rst
diff options
context:
space:
mode:
authorMaciek Konstantynowicz <mkonstan@cisco.com>2020-10-05 14:06:18 +0100
committerTibor Frank <tifrank@cisco.com>2020-10-14 09:52:45 +0000
commitef9bab0a1b87871a8365e766a19971f0ec0b7ed8 (patch)
tree06b52d2bbbc841762f032429af19b6396e6c7018 /docs/report/introduction/methodology_ipsec.rst
parentf8f509571e8cc3fc8596f39ddd5118b4f2d85374 (diff)
report: updates to methodology section including nat44, acl, ipsec
Change-Id: I13464728d903cba14feedd3cfb78226d50f3d4a1 Signed-off-by: Maciek Konstantynowicz <mkonstan@cisco.com>
Diffstat (limited to 'docs/report/introduction/methodology_ipsec.rst')
-rw-r--r--docs/report/introduction/methodology_ipsec.rst52
1 files changed, 52 insertions, 0 deletions
diff --git a/docs/report/introduction/methodology_ipsec.rst b/docs/report/introduction/methodology_ipsec.rst
new file mode 100644
index 0000000000..ee0572ffc5
--- /dev/null
+++ b/docs/report/introduction/methodology_ipsec.rst
@@ -0,0 +1,52 @@
+Internet Protocol Security (IPsec)
+----------------------------------
+
+VPP IPsec performance tests are executed for the following crypto
+plugins:
+
+- `crypto_native`, used for software based crypto leveraging CPU
+ platform optimizations e.g. Intel's AES-NI instruction set.
+- `crypto_ipsecmb`, used for hardware based crypto with Intel QAT PCIe
+ cards.
+
+IPsec with VPP Native SW Crypto
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Currently |csit-release| implements following IPsec test cases relying
+on VPP native crypto (`crypto_native` plugin):
+
++-------------------+------------------+----------------+------------------+
+| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested |
++===================+===================+===============+==================+
+| crypto_native | AES[128|256]-GCM | GCM | 1 to 60k tunnels |
++-------------------+------------------+----------------+------------------+
+| crypto_native | AES128-CBC | SHA[256|512] | 1 to 60k tunnels |
++-------------------+------------------+----------------+------------------+
+
+VPP IPsec with SW crypto are executed in both tunnel and policy modes,
+with tests running on 3-node testbeds: 3n-hsw and 3n-skx.
+
+IPsec with Intel QAT HW
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Currently |csit-release| implements following IPsec test cases relying
+on ipsecmb library (`crypto_ipsecmb` plugin) and Intel QAT 8950 (50G HW
+crypto card):
+
+dpdk_cryptodev
+
++-------------------+---------------------+------------------+----------------+------------------+
+| VPP Crypto Engine | VPP Crypto Workers | ESP Encryption | ESP Integrity | Scale Tested |
++===================+=====================+==================+================+==================+
+| crypto_ipsecmb | sync/all workers | AES[128|256]-GCM | GCM | 1, 1k tunnels |
++-------------------+---------------------+------------------+----------------+------------------+
+| crypto_ipsecmb | sync/all workers | AES[128]-CBC | SHA[256|512] | 1, 1k tunnels |
++-------------------+---------------------+------------------+----------------+------------------+
+| crypto_ipsecmb | async/crypto worker | AES[128|256]-GCM | GCM | 1, 4, 1k tunnels |
++-------------------+---------------------+------------------+----------------+------------------+
+| crypto_ipsecmb | async/crypto worker | AES[128]-CBC | SHA[256|512] | 1, 4, 1k tunnels |
++-------------------+---------------------+------------------+----------------+------------------+
+
+VPP IPsec with HW crypto are executed in both tunnel and policy modes,
+with tests running on 3-node Haswell testbeds (3n-hsw), as these are the
+only testbeds equipped with Intel QAT cards.