diff options
author | Juraj Linkeš <juraj.linkes@pantheon.tech> | 2021-07-15 11:27:03 +0200 |
---|---|---|
committer | Tibor Frank <tifrank@cisco.com> | 2021-07-22 10:14:43 +0000 |
commit | dea4d7ff2a1b662cde1587b3a8d6c3d832f4920e (patch) | |
tree | b5be1ecadeb9b22c46929e00f63e469b49ffa97f /docs/report/introduction/methodology_ipsec.rst | |
parent | db7df7cdf09c33e7efb4adc7d1e8c44975b5456b (diff) |
Report: IPsec udir methodology
Update IPsec uni-directional tests methodology.
Remove Deep SPD Policy section as these tests are not in the report.
Change-Id: Idca538a03a05e12130c7d786c098b218fa88f7ef
Signed-off-by: Juraj Linkeš <juraj.linkes@pantheon.tech>
Diffstat (limited to 'docs/report/introduction/methodology_ipsec.rst')
-rw-r--r-- | docs/report/introduction/methodology_ipsec.rst | 45 |
1 files changed, 34 insertions, 11 deletions
diff --git a/docs/report/introduction/methodology_ipsec.rst b/docs/report/introduction/methodology_ipsec.rst index 2e6a324c3f..ce10bd2a55 100644 --- a/docs/report/introduction/methodology_ipsec.rst +++ b/docs/report/introduction/methodology_ipsec.rst @@ -24,7 +24,7 @@ on VPP native crypto (`crypto_native` plugin): +-------------------+------------------+----------------+------------------+ VPP IPsec with SW crypto are executed in both tunnel and policy modes, -with tests running on 3-node testbeds: 3n-skx. +with tests running on 3-node testbeds: 3n-skx, 3n-tsh. IPsec with Intel QAT HW ^^^^^^^^^^^^^^^^^^^^^^^ @@ -52,13 +52,36 @@ IPsec with Async Crypto Feature Workers *TODO Description to be added* -IPsec Uni-Directional Tests -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -*TODO Description to be added* - - -IPsec Deep SPD Policy Tests -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -*TODO Description to be added* +IPsec Uni-Directional Tests with VPP Native SW Crypto +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Currently |csit-release| implements following IPsec uni-directional test cases +relying on VPP native crypto (`crypto_native` plugin) in tunnel mode: + ++-------------------+------------------+---------------+--------------------+ +| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested | ++===================+==================+===============+====================+ +| crypto_native | AES[128|256]-GCM | GCM | 4, 1k, 10k tunnels | ++-------------------+------------------+---------------+--------------------+ +| crypto_native | AES128-CBC | SHA[512] | 4, 1k, 10k tunnels | ++-------------------+------------------+---------------+--------------------+ + +In policy mode: ++-------------------+----------------+---------------+-------------------+ +| VPP Crypto Engine | ESP Encryption | ESP Integrity | Scale Tested | ++===================+================+===============+===================+ +| crypto_native | AES[256]-GCM | GCM | 1, 40, 1k tunnels | ++-------------------+----------------+---------------+-------------------+ + +The tests are running on 2-node testbeds: 2n-tx2. The uni-directional tests +are partially addressing a weakness in 2-node testbed setups with T-Rex as +the traffic generator. With just one DUT node, we can either encrypt or decrypt +traffic in each direction. + +The testcases are only doing encryption - packets are encrypted on the DUT and +then arrive at TG where no additional packet processing is needed (just +counting packets). + +Decryption would require that the traffic generator generated encrypted packets +which the DUT then would decrypt. However, T-Rex does not have the capability +to encrypt packets. |