diff options
3 files changed, 235 insertions, 25 deletions
diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py index 9c5337b8d4..363558dcaf 100644 --- a/resources/libraries/python/IPsecUtil.py +++ b/resources/libraries/python/IPsecUtil.py @@ -1887,10 +1887,6 @@ class IPsecUtil: sa_id_2 = 200000 spi_1 = 300000 spi_2 = 400000 - dut1_local_outbound_range = ip_network(f"{tunnel_ip1}/8", False).\ - with_prefixlen - dut1_remote_outbound_range = ip_network(f"{tunnel_ip2}/8", False).\ - with_prefixlen crypto_key = gen_key( IPsecUtil.get_crypto_alg_key_len(crypto_alg) @@ -1908,16 +1904,27 @@ class IPsecUtil: IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT1"], spd_id) IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT1"], spd_id, interface1) - IPsecUtil.vpp_ipsec_add_spd_entry( - nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=False, - proto=50, laddr_range=dut1_local_outbound_range, - raddr_range=dut1_remote_outbound_range - ) - IPsecUtil.vpp_ipsec_add_spd_entry( - nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=True, - proto=50, laddr_range=dut1_remote_outbound_range, - raddr_range=dut1_local_outbound_range - ) + + addr_incr = 1 << (128 - 96) if ip_address(tunnel_ip1).version == 6 \ + else 1 << (32 - 24) + for i in range(n_tunnels//(addr_incr**2)+1): + dut1_local_outbound_range = \ + ip_network(f"{ip_address(tunnel_ip1) + i*(addr_incr**3)}/8", + False).with_prefixlen + dut1_remote_outbound_range = \ + ip_network(f"{ip_address(tunnel_ip2) + i*(addr_incr**3)}/8", + False).with_prefixlen + + IPsecUtil.vpp_ipsec_add_spd_entry( + nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=False, + proto=50, laddr_range=dut1_local_outbound_range, + raddr_range=dut1_remote_outbound_range + ) + IPsecUtil.vpp_ipsec_add_spd_entry( + nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=True, + proto=50, laddr_range=dut1_remote_outbound_range, + raddr_range=dut1_local_outbound_range + ) IPsecUtil.vpp_ipsec_add_sad_entries( nodes[u"DUT1"], n_tunnels, sa_id_1, spi_1, crypto_alg, crypto_key, @@ -1950,16 +1957,24 @@ class IPsecUtil: IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT2"], spd_id) IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT2"], spd_id, interface2) - IPsecUtil.vpp_ipsec_add_spd_entry( - nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS, - inbound=False, proto=50, laddr_range=dut1_remote_outbound_range, - raddr_range=dut1_local_outbound_range - ) - IPsecUtil.vpp_ipsec_add_spd_entry( - nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS, - inbound=True, proto=50, laddr_range=dut1_local_outbound_range, - raddr_range=dut1_remote_outbound_range - ) + for i in range(n_tunnels//(addr_incr**2)+1): + dut2_local_outbound_range = \ + ip_network(f"{ip_address(tunnel_ip1) + i*(addr_incr**3)}/8", + False).with_prefixlen + dut2_remote_outbound_range = \ + ip_network(f"{ip_address(tunnel_ip2) + i*(addr_incr**3)}/8", + False).with_prefixlen + + IPsecUtil.vpp_ipsec_add_spd_entry( + nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS, + inbound=False, proto=50, laddr_range=dut2_remote_outbound_range, + raddr_range=dut2_local_outbound_range + ) + IPsecUtil.vpp_ipsec_add_spd_entry( + nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS, + inbound=True, proto=50, laddr_range=dut2_local_outbound_range, + raddr_range=dut2_remote_outbound_range + ) IPsecUtil.vpp_ipsec_add_sad_entries( nodes[u"DUT2"], n_tunnels, sa_id_1, spi_1, crypto_alg, diff --git a/resources/libraries/python/VPPUtil.py b/resources/libraries/python/VPPUtil.py index daeb568bda..0c603616a2 100644 --- a/resources/libraries/python/VPPUtil.py +++ b/resources/libraries/python/VPPUtil.py @@ -1,4 +1,4 @@ -# Copyright (c) 2022 Cisco and/or its affiliates. +# Copyright (c) 2023 Cisco and/or its affiliates. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at: @@ -410,3 +410,20 @@ class VPPUtil: reply = papi_exec.add(cmd, **args).get_reply() return reply[u"next_index"] + + @staticmethod + def vpp_set_neighbor_limit_on_all_duts(nodes, count): + """VPP set neighbor count limit on all DUTs in the given topology. + + :param nodes: Nodes in the topology. + :param count: Neighbor count need to set. + :type nodes: dict + :type count: int + """ + for node in nodes.values(): + if node[u"type"] == NodeType.DUT: + cmd = f"set ip neighbor-config ip4 limit {count}" + PapiSocketExecutor.run_cli_cmd(node, cmd) + + cmd = f"set ip neighbor-config ip6 limit {count}" + PapiSocketExecutor.run_cli_cmd(node, cmd) diff --git a/tests/vpp/perf/crypto/10ge2p1x710-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr.robot b/tests/vpp/perf/crypto/10ge2p1x710-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr.robot new file mode 100644 index 0000000000..a45dd7d095 --- /dev/null +++ b/tests/vpp/perf/crypto/10ge2p1x710-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr.robot @@ -0,0 +1,178 @@ +# Copyright (c) 2023 Intel and/or its affiliates. +# Copyright (c) 2023 Cisco and/or its affiliates. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +*** Settings *** +| Resource | resources/libraries/robot/shared/default.robot +| Resource | resources/libraries/robot/crypto/ipsec.robot +| +| Force Tags | 3_NODE_SINGLE_LINK_TOPO | PERFTEST | HW_ENV | NDRPDR | TNL_100000 +| ... | IP4FWD | IPSEC | IPSECSW | IPSECTUN | FASTPATH | NIC_Intel-X710 | SCALE +| ... | AES_256_GCM | AES | DRV_VFIO_PCI +| ... | RXQ_SIZE_0 | TXQ_SIZE_0 +| ... | ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm +| +| Suite Setup | Setup suite topology interfaces | performance +| Suite Teardown | Tear down suite | performance +| Test Setup | Setup test | performance +| Test Teardown | Tear down test | performance +| +| Test Template | Local Template +| +| Documentation | **IPv4 IPsec tunnel mode performance test suite.** +| ... | +| ... | - **[Top] Network Topologies:** TG-DUT1-DUT2-TG 3-node circular \ +| ... | topology with single links between nodes. +| ... | +| ... | - **[Enc] Packet Encapsulations:** Eth-IPv4 on TG-DUTn, \ +| ... | Eth-IPv4-IPSec on DUT1-DUT2. +| ... | +| ... | - **[Cfg] DUT configuration:** DUT1 and DUT2 are configured with \ +| ... | multiple IPsec tunnels between them. DUTs get IPv4 traffic from TG, \ +| ... | encrypt it and send to another DUT, where packets are decrypted and \ +| ... | sent back to TG. +| ... | +| ... | - **[Ver] TG verification:** TG finds and reports throughput NDR (Non \ +| ... | Drop Rate) with zero packet loss tolerance and throughput PDR \ +| ... | (Partial Drop Rate) with non-zero packet loss tolerance (LT) \ +| ... | expressed in percentage of packets transmitted. NDR and PDR are \ +| ... | discovered for different Ethernet L2 frame sizes using MLRsearch \ +| ... | library. +| ... | Test packets are generated by TG on \ +| ... | links to DUTs. TG traffic profile contains two L3 flow-groups \ +| ... | (flow-group per direction, number of flows per flow-group equals to \ +| ... | number of IPSec tunnels) with all packets \ +| ... | containing Ethernet header, IPv4 header with IP protocol=61 and \ +| ... | static payload. MAC addresses are matching MAC addresses of the TG \ +| ... | node interfaces. Incrementing of IP.dst (IPv4 destination address) \ +| ... | is applied to both streams. +| ... | +| ... | - **[Ref] Applicable standard specifications:** RFC4303 and RFC2544. + +*** Variables *** +| @{plugins_to_enable}= | dpdk_plugin.so | perfmon_plugin.so +| ... | crypto_native_plugin.so +| ... | crypto_ipsecmb_plugin.so | crypto_openssl_plugin.so +| ${crypto_type}= | ${None} +| ${nic_name}= | Intel-X710 +| ${nic_driver}= | vfio-pci +| ${nic_rxq_size}= | 0 +| ${nic_txq_size}= | 0 +| ${nic_pfs}= | 2 +| ${nic_vfs}= | 0 +| ${osi_layer}= | L3 +| ${overhead}= | ${54} +| ${tg_if1_ip4}= | 192.168.10.254 +| ${dut1_if1_ip4}= | 192.168.10.11 +| ${dut1_if2_ip4}= | 100.0.0.1 +| ${dut2_if1_ip4}= | 200.0.0.102 +| ${dut2_if2_ip4}= | 192.168.20.11 +| ${tg_if2_ip4}= | 192.168.20.254 +| ${raddr_ip4}= | 20.0.0.0 +| ${laddr_ip4}= | 10.0.0.0 +| ${addr_range}= | ${24} +| ${n_tunnels}= | ${100000} +# Main heap size multiplicator +| ${heap_size_mult}= | ${4} +# Traffic profile: +| ${traffic_profile}= | trex-stl-3n-ethip4-ip4dst${n_tunnels} + +*** Keywords *** +| Local Template +| | [Documentation] +| | ... | - **[Cfg]** DUT runs IPSec tunneling AES_256_GCM config. \ +| | ... | Each DUT uses ${phy_cores} physical core(s) for worker threads. +| | ... | - **[Ver]** Measure NDR and PDR values using MLRsearch algorithm. +| | +| | ... | *Arguments:* +| | ... | - frame_size - Framesize in Bytes in integer or string (IMIX_v4_1). +| | ... | Type: integer, string +| | ... | - phy_cores - Number of physical cores. Type: integer +| | ... | - search_type - NDR or PDR. Type: string +| | ... | - rxq - Number of RX queues, default value: ${None}. Type: integer +| | ... | - min_rate - Min rate for binary search, default value: ${50000}. +| | ... | Type: integer +| | +| | [Arguments] | ${frame_size} | ${phy_cores} | ${rxq}=${None} +| | +| | Set Test Variable | \${frame_size} +| | +| | # These are enums (not strings) so they cannot be in Variables table. +| | ${encr_alg}= | Crypto Alg AES GCM 256 +| | ${auth_alg}= | Set Variable | ${NONE} +| | ${ipsec_proto}= | IPsec Proto ESP +| | +| | Given Set Max Rate And Jumbo +| | And Add worker threads to all DUTs | ${phy_cores} | ${rxq} +| | And Pre-initialize layer driver | ${nic_driver} +| | And Enable IPsec SPD Fast Path IPv4 Inbound And Outbound +| | ... | ${${n_tunnels}*10} +| | And Apply startup configuration on all VPP DUTs +| | When Initialize layer driver | ${nic_driver} +| | And Initialize layer interface +| | And VPP Set Neighbor Limit on all DUTs | ${nodes} | ${${n_tunnels}*2} +| | And Initialize IPSec in 3-node circular topology +| | And VPP IPsec Add Multiple Tunnels +| | ... | ${nodes} | ${DUT1_${int}2}[0] | ${DUT2_${int}1}[0] | ${n_tunnels} +| | ... | ${encr_alg} | ${auth_alg} | ${dut1_if2_ip4} | ${dut2_if1_ip4} +| | ... | ${laddr_ip4} | ${raddr_ip4} | ${addr_range} +| | Then Find NDR and PDR intervals using optimized search + +*** Test Cases *** +| 64B-1c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 64B | 1C +| | frame_size=${64} | phy_cores=${1} + +| 64B-2c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 64B | 2C +| | frame_size=${64} | phy_cores=${2} + +| 64B-4c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 64B | 4C +| | frame_size=${64} | phy_cores=${4} + +| 1518B-1c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 1518B | 1C +| | frame_size=${1518} | phy_cores=${1} + +| 1518B-2c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 1518B | 2C +| | frame_size=${1518} | phy_cores=${2} + +| 1518B-4c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 1518B | 4C +| | frame_size=${1518} | phy_cores=${4} + +| 9000B-1c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 9000B | 1C +| | frame_size=${9000} | phy_cores=${1} + +| 9000B-2c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 9000B | 2C +| | frame_size=${9000} | phy_cores=${2} + +| 9000B-4c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | 9000B | 4C +| | frame_size=${9000} | phy_cores=${4} + +| IMIX-1c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | IMIX | 1C +| | frame_size=IMIX_v4_1 | phy_cores=${1} + +| IMIX-2c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | IMIX | 2C +| | frame_size=IMIX_v4_1 | phy_cores=${2} + +| IMIX-4c-ethip4ipsec100000tnlsw-ip4base-policy-fastpath-aes256gcm-ndrpdr +| | [Tags] | IMIX | 4C +| | frame_size=IMIX_v4_1 | phy_cores=${4} |