aboutsummaryrefslogtreecommitdiffstats
path: root/docs/report/introduction/methodology_ipsec.rst
blob: 119ccfb719a196034d8dc290ff7139e5e8ffa473 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Internet Protocol Security (IPsec)
----------------------------------

VPP IPsec performance tests are executed for the following crypto
plugins:

- `crypto_native`, used for software based crypto leveraging CPU
  platform optimizations e.g. Intel's AES-NI instruction set.
- `crypto_ipsecmb`, used for hardware based crypto with Intel QAT PCIe
  cards.

IPsec with VPP Native SW Crypto
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Currently |csit-release| implements following IPsec test cases relying
on VPP native crypto (`crypto_native` plugin):

+-------------------+------------------+----------------+------------------+
| VPP Crypto Engine | ESP Encryption   | ESP Integrity  | Scale Tested     |
+===================+==================+================+==================+
| crypto_native     | AES[128|256]-GCM | GCM            | 1 to 60k tunnels |
+-------------------+------------------+----------------+------------------+
| crypto_native     | AES128-CBC       | SHA[256|512]   | 1 to 60k tunnels |
+-------------------+------------------+----------------+------------------+

VPP IPsec with SW crypto are executed in both tunnel and policy modes,
with tests running on 3-node testbeds: 3n-hsw and 3n-skx.

IPsec with Intel QAT HW
^^^^^^^^^^^^^^^^^^^^^^^

Currently |csit-release| implements following IPsec test cases relying
on ipsecmb library (`crypto_ipsecmb` plugin) and Intel QAT 8950 (50G HW
crypto card):

dpdk_cryptodev

+-------------------+---------------------+------------------+----------------+------------------+
| VPP Crypto Engine | VPP Crypto Workers  | ESP Encryption   | ESP Integrity  | Scale Tested     |
+===================+=====================+==================+================+==================+
| crypto_ipsecmb    | sync/all workers    | AES[128|256]-GCM | GCM            | 1, 1k tunnels    |
+-------------------+---------------------+------------------+----------------+------------------+
| crypto_ipsecmb    | sync/all workers    | AES[128]-CBC     | SHA[256|512]   | 1, 1k tunnels    |
+-------------------+---------------------+------------------+----------------+------------------+
| crypto_ipsecmb    | async/crypto worker | AES[128|256]-GCM | GCM            | 1, 4, 1k tunnels |
+-------------------+---------------------+------------------+----------------+------------------+
| crypto_ipsecmb    | async/crypto worker | AES[128]-CBC     | SHA[256|512]   | 1, 4, 1k tunnels |
+-------------------+---------------------+------------------+----------------+------------------+

VPP IPsec with HW crypto are executed in both tunnel and policy modes,
with tests running on 3-node Haswell testbeds (3n-hsw), as these are the
only testbeds equipped with Intel QAT cards.