Internet Protocol Security

Internet Protocol Security #

VPP Internet Protocol Security (IPsec) performance tests are executed for the following crypto plugins:

  • crypto_native, used for software based crypto leveraging CPU platform optimizations e.g. Intel’s AES-NI instruction set.
  • crypto_ipsecmb, used for hardware based crypto with Intel QAT PCIe cards.

IPsec with VPP Native SW Crypto #

CSIT implements following IPsec test cases relying on VPP native crypto (crypto_native plugin):

VPP Crypto Engine ESP Encryption ESP Integrity Scale Tested
crypto_native AES[128|256]-GCM GCM 1 to 60k tunnels
crypto_native AES128-CBC SHA[256|512] 1 to 60k tunnels

VPP IPsec with SW crypto are executed in both tunnel and policy modes, with tests running on 3-node testbeds: 3n-icx, 3n-tsh.

IPsec with Intel QAT HW #

CSIT implements following IPsec test cases relying on ipsecmb library (crypto_ipsecmb plugin) and Intel QAT 8950 (50G HW crypto card):

dpdk_cryptodev

VPP Crypto Engine VPP Crypto Workers ESP Encryption ESP Integrity Scale Tested
crypto_ipsecmb sync/all workers AES[128|256]-GCM GCM 1, 1k tunnels
crypto_ipsecmb sync/all workers AES[128]-CBC SHA[256|512] 1, 1k tunnels
crypto_ipsecmb async/crypto worker AES[128|256]-GCM GCM 1, 4, 1k tunnels
crypto_ipsecmb async/crypto worker AES[128]-CBC SHA[256|512] 1, 4, 1k tunnels

IPsec with Async Crypto Feature Workers #

TODO Description to be added

IPsec Uni-Directional Tests with VPP Native SW Crypto #

CSIT implements following IPsec uni-directional test cases relying on VPP native crypto (crypto_native plugin) in tunnel mode:

VPP Crypto Engine ESP Encryption ESP Integrity Scale Tested
crypto_native AES[128|256]-GCM GCM 4, 1k, 10k tunnels
crypto_native AES128-CBC SHA[512] 4, 1k, 10k tunnels

In policy mode:

VPP Crypto Engine ESP Encryption ESP Integrity Scale Tested
crypto_native AES[256]-GCM GCM 1, 40, 1k tunnels

The tests are running on 2-node testbeds: 2n-tx2. The uni-directional tests are partially addressing a weakness in 2-node testbed setups with T-Rex as the traffic generator. With just one DUT node, we can either encrypt or decrypt traffic in each direction.

The testcases are only doing encryption - packets are encrypted on the DUT and then arrive at TG where no additional packet processing is needed (just counting packets).

Decryption would require that the traffic generator generated encrypted packets which the DUT then would decrypt. However, T-Rex does not have the capability to encrypt packets.