From: "Zhang, Yuwei1"
To: "Ma, LihongX", "dts@dpdk.org"
Date: Tue, 26 Nov 2019 08:13:19 +0000
In-Reply-To: <1574728692-17438-1-git-send-email-lihongx.ma@intel.com>
Subject: Re: [dts] [PATCH V1] test_plans: add test plan ipsec_gw_and_library

Acked-by: Yuwei Zhang

-----Original Message-----
From: Ma, LihongX
Sent: Tuesday, November 26, 2019 8:38 AM
To: dts@dpdk.org
Cc: Zhang, Yuwei1; Ma, LihongX
Subject: [dts][PATCH V1] test_plans: add test plan ipsec_gw_and_library

Signed-off-by: lihong --- test_plans/ipsec_gw_and_library_test_plan.rst | 273 ++++++++++++++++++++++= ++++ 1 file changed, 273 insertions(+) create mode 100644 test_plans/ipsec_gw_and_library_test_plan.rst diff --git a/test_plans/ipsec_gw_and_library_test_plan.rst b/test_plans/ips= ec_gw_and_library_test_plan.rst new file mode 100644 index 0000000..fac2a7b --- /dev/null +++ b/test_plans/ipsec_gw_and_library_test_plan.rst 
@@ -0,0 +1,273 @@ +.. Copyright (c) <2019>, Intel Corporation + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + - Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + - Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + - Neither the name of Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived + from this software without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. 
+ +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +IPSec gateway and library test plan +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + + +Description +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +This document provides the plan for DPDK IPSec library and gateway=20 +sample. DPDK IPsec could leverage CryptoDev API provides the ability to do= encryption/decryption by QAT or AESNI instruction set. + +The testing should be tested under either Intel QuickAssist Technology=20 +hardware accelerator or AES-NI library. + +AES-NI algorithm table: + +The table below contains AES-NI Algorithms with CryptoDev API. +Part of the algorithms are not supported currently. + ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| Algorithm | Mode | Detail = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| AES | CBC | Encrypt/Decrypt;Key size: 128, 256 bits = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| AES | CTR | Encrypt/Decrypt;Key size: 128 bits = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| SHA | | SHA-1 = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| HMAC | | Support SHA implementations SHA-1; = | +| | | = | +| | | Key Size versus Block size support: Key = Size must be <=3D block size; | +| | | = | +| | | Mac Len Supported SHA-1 10, 12, 16, 20 b= ytes; | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| 3DES | CBC | Encrypt/Decrypt; Key size: 128 bits = | 
++-----------+-------------------+-----------------------------------------= ----------------------------------+ + + +QAT algorithm table: + +The table below contains Cryptographic Algorithm Validation with CryptoDev= API. +Part of the algorithms are not supported currently. + ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| Algorithm | Mode | Detail = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| AES | CBC | Encrypt/Decrypt;Key size: 128, 256 bits = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| AES | CTR | Encrypt/Decrypt;Key size: 128 bits = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| AES | GCM | Key Sizes:128, 192 bits; = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| SHA | | SHA-1 = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| HMAC | | Support SHA implementations SHA-1; = | +| | | = | +| | | Key Size versus Block size support: Key = Size must be <=3D block size; | +| | | = | +| | | Mac Len Supported SHA-1 10, 12, 16, 20 b= ytes; | +| | | = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| 3DES | CBC | Encrypt/Decrypt; Key size: 128 bits = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| NULL | | Encrypt/Decrypt; Key size: 0 b = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ + +AES-GCM algorithm table: + +The table below contains AES-GCM Algorithms with CryptoDev API. +Part of the algorithms are not supported currently. 
+ ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| Algorithm | Mode | Detail = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ +| AES | GCM | Encrypt/Decrypt;Key size: 128 bits = | ++-----------+-------------------+-----------------------------------------= ----------------------------------+ + +Prerequisites +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +To test IPsec, an example ipsec-secgw is added into DPDK. + +The test commands of ipsec-secgw is below:: + + ./build/ipsec-secgw [EAL options] -- + -p PORTMASK -P -u PORTMASK -j FRAMESIZE + -l -w REPLAY_WINOW_SIZE -e -a + --config (port,queue,lcore)[,(port,queue,lcore)] + --single-sa SAIDX + --rxoffload MASK + --txoffload MASK + -f CONFIG_FILE_PATH + +compile the applications:: + + make -C ./examples/ipsec-secgw + +Configuration File Syntax: + + The ``-f CONFIG_FILE_PATH`` option enables the application read and + parse the configuration file specified, and configures the application + with a given set of SP, SA and Routing entries accordingly. The syntax= of + the configuration file will be explained in DPDK code directory + dpdk/doc/guides/sample_app_ug/ipsec_secgw.rst. + + +QAT/AES-NI installation +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +If CryptoDev needs to use QAT to do encryption/decryption, QAT should=20 +be installed correctly. The steps how to install QAT is described in=20 +DPDK code directory dpdk/doc/guides/cryptodevs/qat.rst. + +If CryptoDev needs to use AES-NI to do encryption/decryption, AES-NI=20 +library should be install correctly. The steps how to use AES-NI=20 +library is described in DPDK code directory dpdk/doc/guides/cryptodevs/aes= ni_mb.rst. 
+ + +Test cases: IPSec Function test +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Description: +The SUT and DUT are connected through at least 2 NIC ports. + +One NIC port is expected to be managed by linux on both machines and=20 +will be used as a control path. + +The second NIC port (test-port) should be bound to DPDK on the SUT, and=20 +should be managed by linux on the DUT. + +The script starts ``ipsec-secgw`` with 2 NIC devices: ``test-port`` and=20 +``tap vdev``. + +It then configures the local tap interface and the remote interface and=20 +IPsec policies in the following way: + +Traffic going over the test-port in both directions has to be protected by= IPsec. + +Traffic going over the TAP port in both directions does not have to be pro= tected. + +Test Topology: +--------------- + +Two servers are connected with one cable, Tester run DPDK ipsec-secgw=20 +sample which includes 1 hardware NIC bind and a virtual device, DUT run=20 +linux kernal ipsec stack, This test will use linux kernal IPSec stack veri= fy DPDK IPSec stack:: + + +----------+ +----------+ + | | | | + 11.11.11.1/24 | Tester | 11.11.11.2/24 | DUT | + dtap0 ------------> | | --------------> | | + | | | | + +----------+ +----------+ + +Test case: basic functional test +--------------------------------- + +Cryptodev AES-NI algorithm validation matrix is showed in table below. 
+ ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| Method | Cipher_algo | Cipher_op | Cipher_key | Auth_algo | = Auth_op | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | AES_CBC | ENCRYPT | 128 | SHA1_HMAC | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | AES_CBC | ENCRYPT | 256 | SHA1_HMAC | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | AES_CTR | ENCRYPT | 128 | SHA1_HMAC | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | 3DES_CBC | ENCRYPT | 128 | SHA1_HMAC | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ + +AESNI_MB device start cmd:: + + ./examples/ipsec-secgw/build/ipsec-secgw --socket-mem 2048,0 --legacy-= mem -w 0000:60:00.0 + --vdev=3Dnet_tap0,mac=3Dfixed --vdev crypto_aesni_mb_pmd_1 --vdev=3Dcr= ypto_aesni_mb_pmd_2 -l 9,10,11 -n 6 -- -P --config "(0,0,10),(1,0,11)" + -u 0x1 -p 0x3 -f /root/dts/local_conf/ipsec_test.cfg + +Cryptodev QAT algorithm validation matrix is showed in table below. 
+ ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| Method | Cipher_algo | Cipher_op | Cipher_key | Auth_algo | = Auth_op | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | AES_CBC | ENCRYPT | 128 | SHA1_HMAC | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | AES_CBC | ENCRYPT | 256 | SHA1_HMAC | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | AES_CTR | ENCRYPT | 128 | SHA1_HMAC | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | 3DES_CBC | ENCRYPT | 128 | SHA1_HMAC | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ +| CIPHER_HASH | NULL | ENCRYPT | 0 | NULL | GE= NERATE | ++-------------+-------------+-------------+-------------+-------------+---= ----------+ + ++-------------+-------------+-------------+-------------+ +| Method | Aead_algo | Aead_op | Aead_key | ++-------------+-------------+-------------+-------------+ +| AEAD | AES_GCM | ENCRYPT | 128 | ++-------------+-------------+-------------+-------------+ + +QAT device start cmd:: + + ./examples/ipsec-secgw/build/ipsec-secgw --socket-mem 2048,0 --legacy-= mem --vdev=3Dnet_tap0,mac=3Dfixed -w 0000:60:00.0 + -w 0000:1a:01.0 -l 9,10,11 -n 6 -- -P --config "(0,0,10),(1,0,11)" -= u 0x1 -p 0x3 + -f /root/dts/local_conf/ipsec_test.cfg + +AES_GCM_PMD algorithm validation matrix is showed in table below. 
+ ++-------------+-------------+-------------+-------------+ +| Method | Aead_algo | Aead_op | Aead_key | ++-------------+-------------+-------------+-------------+ +| AEAD | AES_GCM | ENCRYPT | 128 | ++-------------+-------------+-------------+-------------+ + +AESNI_GCM device start cmd:: + + ./examples/ipsec-secgw/build/ipsec-secgw --socket-mem 2048,0 --legacy-= mem -w 0000:60:00.0 --vdev=3Dnet_tap0,mac=3Dfixed + --vdev crypto_aesni_gcm_pmd_1 --vdev=3Dcrypto_aesni_gcm_pmd_2 -l 9,10,= 11 -n 6 -- -P --config "(0,0,10),(1,0,11)" + -u 0x1 -p 0x3 -f /root/dts/local_conf/ipsec_test.cfg + +Steps:: + + 1. start ipsec-secgw sample; + 2. config tester kernal IPSec; + 3. ping from DUT + # ping 11.11.11.1 + +Expected result:: + + the ping command should be get response normally. + +Test Case: Packet reassemble Test +--------------------------------- +Description:: + + This Case is used to verify that ipsec-secgw could handle fragmented p= ackets. + +Steps:: + + 1. start ipsec-secgw sample; + 2. config tester kernal IPSec; + 3. ping from DUT with a packets exceeds MTU + # ping 11.11.11.1 -s 3000 -- 2.7.4
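
Review bot: The "Expected result" of the basic functional test ("the ping command should be get response normally") does not check the property the description sets out, that traffic over the test-port in both directions has to be protected by IPsec; a ping reply alone does not show that the packets were ESP-encapsulated on the wire, or that the cipher and auth algorithm of the matrix row under test were the ones in use. Suggest adding a capture step on the test-port link with an expected result that only ESP packets are seen there, repeated per row of the AESNI_MB, QAT and AESNI_GCM validation matrices, and listing the SP, SA and routing entries that /root/dts/local_conf/ipsec_test.cfg must contain for each row, since all three start commands pass the same file with "-f" and the plan never shows its contents. The "Packet reassemble Test" case ends after step 3 with no "Expected result" block; state what a pass looks like for "ping 11.11.11.1 -s 3000". The machine roles are also inconsistent: the description speaks of SUT and DUT, the topology says the Tester runs ipsec-secgw and the DUT runs the Linux kernel IPsec stack, yet step 2 in both cases reads "config tester kernal IPSec". The QAT algorithm table lists AES GCM key sizes "128, 192 bits" while the QAT AEAD matrix only covers 128; either add the row or say why it is skipped. Minor: "kernal", "REPLAY_WINOW_SIZE", "should be install" and "is showed" need spelling fixes.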