275. IPSec gateway and library test plan

275.1. Description

This document provides the plan for DPDK IPSec library and gateway sample. DPDK IPsec could leverage CryptoDev API provides the ability to do encryption/decryption by QAT or AESNI instruction set.

The testing should be tested under either Intel QuickAssist Technology hardware accelerator or AES-NI library.

AES-NI algorithm table:

The table below contains AES-NI Algorithms with CryptoDev API. Part of the algorithms are not supported currently.

Algorithm Mode Detail
AES CBC Encrypt/Decrypt;Key size: 128, 256 bits
AES CTR Encrypt/Decrypt;Key size: 128 bits
SHA   SHA-1
HMAC  

Support SHA implementations SHA-1;

Key Size versus Block size support: Key Size must be <= block size;

Mac Len Supported SHA-1 10, 12, 16, 20 bytes;

3DES CBC Encrypt/Decrypt; Key size: 128 bits

QAT algorithm table:

The table below contains Cryptographic Algorithm Validation with CryptoDev API. Part of the algorithms are not supported currently.

Algorithm Mode Detail
AES CBC Encrypt/Decrypt;Key size: 128, 256 bits
AES CTR Encrypt/Decrypt;Key size: 128 bits
AES GCM Key Sizes:128, 192 bits;
SHA   SHA-1
HMAC  

Support SHA implementations SHA-1;

Key Size versus Block size support: Key Size must be <= block size;

Mac Len Supported SHA-1 10, 12, 16, 20 bytes;

3DES CBC Encrypt/Decrypt; Key size: 128 bits
NULL   Encrypt/Decrypt; Key size: 0 b

AES-GCM algorithm table:

The table below contains AES-GCM Algorithms with CryptoDev API. Part of the algorithms are not supported currently.

Algorithm Mode Detail
AES GCM Encrypt/Decrypt;Key size: 128 bits

275.2. Prerequisites

To test IPsec, an example ipsec-secgw is added into DPDK.

The test commands of ipsec-secgw is below:

./build/ipsec-secgw [EAL options] --
    -p PORTMASK -P -u PORTMASK -j FRAMESIZE
    -l -w REPLAY_WINOW_SIZE -e -a
    --config (port,queue,lcore)[,(port,queue,lcore)]
    --single-sa SAIDX
    --rxoffload MASK
    --txoffload MASK
    -f CONFIG_FILE_PATH

compile the applications:

make -C ./examples/ipsec-secgw

Configuration File Syntax:

The -f CONFIG_FILE_PATH option enables the application read and parse the configuration file specified, and configures the application with a given set of SP, SA and Routing entries accordingly. The syntax of the configuration file will be explained in DPDK code directory dpdk/doc/guides/sample_app_ug/ipsec_secgw.rst.

275.3. QAT/AES-NI installation

If CryptoDev needs to use QAT to do encryption/decryption, QAT should be installed correctly. The steps how to install QAT is described in DPDK code directory dpdk/doc/guides/cryptodevs/qat.rst.

If CryptoDev needs to use AES-NI to do encryption/decryption, AES-NI library should be install correctly. The steps how to use AES-NI library is described in DPDK code directory dpdk/doc/guides/cryptodevs/aesni_mb.rst.

275.4. Test cases: IPSec Function test

Description: The SUT and DUT are connected through at least 2 NIC ports.

One NIC port is expected to be managed by linux on both machines and will be used as a control path.

The second NIC port (test-port) should be bound to DPDK on the SUT, and should be managed by linux on the DUT.

The script starts ipsec-secgw with 2 NIC devices: test-port and tap vdev.

It then configures the local tap interface and the remote interface and IPsec policies in the following way:

Traffic going over the test-port in both directions has to be protected by IPsec.

Traffic going over the TAP port in both directions does not have to be protected.

275.4.1. Test Topology:

Two servers are connected with one cable, Tester run DPDK ipsec-secgw sample which includes 1 hardware NIC bind and a virtual device, DUT run linux kernal ipsec stack, This test will use linux kernal IPSec stack verify DPDK IPSec stack:

                    +----------+                 +----------+
                    |          |                 |          |
    11.11.11.1/24   |   Tester | 11.11.11.2/24   |   DUT    |
dtap0 ------------> |          | --------------> |          |
                    |          |                 |          |
                    +----------+                 +----------+

275.4.2. Test case: basic functional test

Cryptodev AES-NI algorithm validation matrix is showed in table below.

Method Cipher_algo Cipher_op Cipher_key Auth_algo Auth_op
CIPHER_HASH AES_CBC ENCRYPT 128 SHA1_HMAC GENERATE
CIPHER_HASH AES_CBC ENCRYPT 256 SHA1_HMAC GENERATE
CIPHER_HASH AES_CTR ENCRYPT 128 SHA1_HMAC GENERATE
CIPHER_HASH 3DES_CBC ENCRYPT 128 SHA1_HMAC GENERATE

AESNI_MB device start cmd:

./examples/ipsec-secgw/build/ipsec-secgw --socket-mem 2048,0 --legacy-mem -w 0000:60:00.0
--vdev=net_tap0,mac=fixed --vdev crypto_aesni_mb_pmd_1 --vdev=crypto_aesni_mb_pmd_2 -l 9,10,11 -n 6  -- -P  --config "(0,0,10),(1,0,11)"
-u 0x1 -p 0x3 -f /root/dts/local_conf/ipsec_test.cfg

Cryptodev QAT algorithm validation matrix is showed in table below.

Method Cipher_algo Cipher_op Cipher_key Auth_algo Auth_op
CIPHER_HASH AES_CBC ENCRYPT 128 SHA1_HMAC GENERATE
CIPHER_HASH AES_CBC ENCRYPT 256 SHA1_HMAC GENERATE
CIPHER_HASH AES_CTR ENCRYPT 128 SHA1_HMAC GENERATE
CIPHER_HASH 3DES_CBC ENCRYPT 128 SHA1_HMAC GENERATE
CIPHER_HASH NULL ENCRYPT 0 NULL GENERATE
Method Aead_algo Aead_op Aead_key
AEAD AES_GCM ENCRYPT 128

QAT device start cmd:

./examples/ipsec-secgw/build/ipsec-secgw --socket-mem 2048,0 --legacy-mem --vdev=net_tap0,mac=fixed -w 0000:60:00.0
-w 0000:1a:01.0 -l 9,10,11 -n 6  -- -P  --config "(0,0,10),(1,0,11)" -u 0x1 -p 0x3
-f /root/dts/local_conf/ipsec_test.cfg

AES_GCM_PMD algorithm validation matrix is showed in table below.

Method Aead_algo Aead_op Aead_key
AEAD AES_GCM ENCRYPT 128

AESNI_GCM device start cmd:

./examples/ipsec-secgw/build/ipsec-secgw --socket-mem 2048,0 --legacy-mem -w 0000:60:00.0 --vdev=net_tap0,mac=fixed
--vdev crypto_aesni_gcm_pmd_1 --vdev=crypto_aesni_gcm_pmd_2 -l 9,10,11 -n 6  -- -P  --config "(0,0,10),(1,0,11)"
-u 0x1 -p 0x3 -f /root/dts/local_conf/ipsec_test.cfg

Steps:

1. start ipsec-secgw sample;
2. config tester kernal IPSec;
3. ping from DUT
# ping 11.11.11.1

Expected result:

the ping command should be get response normally.

275.4.3. Test Case: Packet reassemble Test

Description:

This Case is used to verify that ipsec-secgw could handle fragmented packets.

Steps:

1. start ipsec-secgw sample;
2. config tester kernal IPSec;
3. ping from DUT with a packets exceeds MTU
# ping 11.11.11.1 -s 3000