diff mbox series

[v2] test/crypto-perf: support lookaside IPsec

Message ID 20211008201546.3496585-1-gakhil@marvell.com (mailing list archive)
State Superseded, archived
Delegated to: akhil goyal
Headers show
Series [v2] test/crypto-perf: support lookaside IPsec | expand

Checks

Context Check Description
ci/intel-Testing success Testing PASS
ci/Intel-compilation success Compilation OK
ci/iol-aarch64-compile-testing success Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-x86_64-unit-testing success Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-x86_64-compile-testing warning Testing issues
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-broadcom-Performance success Performance Testing PASS
ci/iol-broadcom-Functional success Functional Testing PASS
ci/iol-spell-check-testing success Testing PASS
ci/github-robot: build success github build: passed
ci/checkpatch success coding style OK

Commit Message

Akhil Goyal Oct. 8, 2021, 8:15 p.m. UTC
Added support for lookaside IPsec protocol offload.
Supported cases:
-AEAD
-Cipher+auth

Command used for testing:
./dpdk-test-crypto-perf -c 0xf -- --devtype crypto_octeontx2 --ptest
throughput --optype ipsec --cipher-algo aes-cbc --pool-sz 16384
--cipher-op encrypt --cipher-key-sz 16 --cipher-iv-sz 16 --auth-algo
sha1-hmac --auth-op generate --digest-sz 16 --total-ops 10000000
--burst-sz 32 --buffer-sz 64,128,256,512,1024,1280,2048

./dpdk-test-crypto-perf -c 0xf -- --devtype crypto_octeontx2 --ptest
throughput --optype ipsec --aead-algo aes-gcm --pool-sz 16384
--aead-op encrypt --aead-key-sz 32 --aead-iv-sz 12 --aead-aad-sz 16
--digest-sz 16 --total-ops 10000000 --burst-sz 32
--buffer-sz 64,128,256,512,1024,1280,2048

Signed-off-by: Akhil Goyal <gakhil@marvell.com>
---
v2: added release notes.

 app/test-crypto-perf/cperf_ops.c             | 179 ++++++++++++++++---
 app/test-crypto-perf/cperf_options.h         |   1 +
 app/test-crypto-perf/cperf_options_parsing.c |   4 +
 app/test-crypto-perf/cperf_test_throughput.c |   3 +-
 app/test-crypto-perf/cperf_test_vectors.c    |   6 +-
 app/test-crypto-perf/main.c                  |   3 +-
 doc/guides/rel_notes/release_21_11.rst       |   1 +
 7 files changed, 166 insertions(+), 31 deletions(-)

Comments

Hemant Agrawal Oct. 20, 2021, 1:10 p.m. UTC | #1
Acked-by:  Hemant Agrawal <hemant.agrawal@nxp.com>

On 10/9/2021 1:45 AM, Akhil Goyal wrote:
> Added support for lookaside IPsec protocol offload.
> Supported cases:
> -AEAD
> -Cipher+auth
>
> Command used for testing:
> ./dpdk-test-crypto-perf -c 0xf -- --devtype crypto_octeontx2 --ptest
> throughput --optype ipsec --cipher-algo aes-cbc --pool-sz 16384
> --cipher-op encrypt --cipher-key-sz 16 --cipher-iv-sz 16 --auth-algo
> sha1-hmac --auth-op generate --digest-sz 16 --total-ops 10000000
> --burst-sz 32 --buffer-sz 64,128,256,512,1024,1280,2048
>
> ./dpdk-test-crypto-perf -c 0xf -- --devtype crypto_octeontx2 --ptest
> throughput --optype ipsec --aead-algo aes-gcm --pool-sz 16384
> --aead-op encrypt --aead-key-sz 32 --aead-iv-sz 12 --aead-aad-sz 16
> --digest-sz 16 --total-ops 10000000 --burst-sz 32
> --buffer-sz 64,128,256,512,1024,1280,2048
>
> Signed-off-by: Akhil Goyal <gakhil@marvell.com>
> ---
> v2: added release notes.
>
>   app/test-crypto-perf/cperf_ops.c             | 179 ++++++++++++++++---
>   app/test-crypto-perf/cperf_options.h         |   1 +
>   app/test-crypto-perf/cperf_options_parsing.c |   4 +
>   app/test-crypto-perf/cperf_test_throughput.c |   3 +-
>   app/test-crypto-perf/cperf_test_vectors.c    |   6 +-
>   app/test-crypto-perf/main.c                  |   3 +-
>   doc/guides/rel_notes/release_21_11.rst       |   1 +
>   7 files changed, 166 insertions(+), 31 deletions(-)
>
> diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
> index 4b7d66edb2..b2073f0738 100644
> --- a/app/test-crypto-perf/cperf_ops.c
> +++ b/app/test-crypto-perf/cperf_ops.c
> @@ -62,7 +62,13 @@ cperf_set_ops_security(struct rte_crypto_op **ops,
>   		sym_op->m_src = (struct rte_mbuf *)((uint8_t *)ops[i] +
>   							src_buf_offset);
>   
> -		if (options->op_type == CPERF_PDCP) {
> +		if (options->op_type == CPERF_PDCP ||
> +				options->op_type == CPERF_IPSEC) {
> +			/* In case of IPsec, headroom is consumed by PMD,
> +			 * hence resetting it.
> +			 */
> +			sym_op->m_src->data_off = options->headroom_sz;
> +
>   			sym_op->m_src->buf_len = options->segment_sz;
>   			sym_op->m_src->data_len = options->test_buffer_size;
>   			sym_op->m_src->pkt_len = sym_op->m_src->data_len;
> @@ -565,6 +571,123 @@ cperf_set_ops_aead(struct rte_crypto_op **ops,
>   	return 0;
>   }
>   
> +static struct rte_cryptodev_sym_session *
> +create_ipsec_session(struct rte_mempool *sess_mp,
> +		struct rte_mempool *priv_mp,
> +		uint8_t dev_id,
> +		const struct cperf_options *options,
> +		const struct cperf_test_vector *test_vector,
> +		uint16_t iv_offset)
> +{
> +	struct rte_crypto_sym_xform xform = {0};
> +	struct rte_crypto_sym_xform auth_xform = {0};
> +
> +	if (options->aead_algo != 0) {
> +		/* Setup AEAD Parameters */
> +		xform.type = RTE_CRYPTO_SYM_XFORM_AEAD;
> +		xform.next = NULL;
> +		xform.aead.algo = options->aead_algo;
> +		xform.aead.op = options->aead_op;
> +		xform.aead.iv.offset = iv_offset;
> +		xform.aead.key.data = test_vector->aead_key.data;
> +		xform.aead.key.length = test_vector->aead_key.length;
> +		xform.aead.iv.length = test_vector->aead_iv.length;
> +		xform.aead.digest_length = options->digest_sz;
> +		xform.aead.aad_length = options->aead_aad_sz;
> +	} else if (options->cipher_algo != 0 && options->auth_algo != 0) {
> +		/* Setup Cipher Parameters */
> +		xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
> +		xform.next = NULL;
> +		xform.cipher.algo = options->cipher_algo;
> +		xform.cipher.op = options->cipher_op;
> +		xform.cipher.iv.offset = iv_offset;
> +		xform.cipher.iv.length = test_vector->cipher_iv.length;
> +		/* cipher different than null */
> +		if (options->cipher_algo != RTE_CRYPTO_CIPHER_NULL) {
> +			xform.cipher.key.data = test_vector->cipher_key.data;
> +			xform.cipher.key.length =
> +				test_vector->cipher_key.length;
> +		} else {
> +			xform.cipher.key.data = NULL;
> +			xform.cipher.key.length = 0;
> +		}
> +
> +		/* Setup Auth Parameters */
> +		auth_xform.type = RTE_CRYPTO_SYM_XFORM_AUTH;
> +		auth_xform.next = NULL;
> +		auth_xform.auth.algo = options->auth_algo;
> +		auth_xform.auth.op = options->auth_op;
> +		auth_xform.auth.iv.offset = iv_offset +
> +				xform.cipher.iv.length;
> +		/* auth different than null */
> +		if (options->auth_algo != RTE_CRYPTO_AUTH_NULL) {
> +			auth_xform.auth.digest_length = options->digest_sz;
> +			auth_xform.auth.key.length =
> +						test_vector->auth_key.length;
> +			auth_xform.auth.key.data = test_vector->auth_key.data;
> +			auth_xform.auth.iv.length = test_vector->auth_iv.length;
> +		} else {
> +			auth_xform.auth.digest_length = 0;
> +			auth_xform.auth.key.length = 0;
> +			auth_xform.auth.key.data = NULL;
> +			auth_xform.auth.iv.length = 0;
> +		}
> +
> +		xform.next = &auth_xform;
> +	} else {
> +		return NULL;
> +	}
> +
> +#define CPERF_IPSEC_SRC_IP	0x01010101
> +#define CPERF_IPSEC_DST_IP	0x02020202
> +#define CPERF_IPSEC_SALT	0x0
> +#define CPERF_IPSEC_DEFTTL	64
> +	struct rte_security_ipsec_tunnel_param tunnel = {
> +		.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
> +		{.ipv4 = {
> +			.src_ip = { .s_addr = CPERF_IPSEC_SRC_IP},
> +			.dst_ip = { .s_addr = CPERF_IPSEC_DST_IP},
> +			.dscp = 0,
> +			.df = 0,
> +			.ttl = CPERF_IPSEC_DEFTTL,
> +		} },
> +	};
> +	struct rte_security_session_conf sess_conf = {
> +		.action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
> +		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
> +		{.ipsec = {
> +			.spi = rte_lcore_id(),
> +			/**< For testing sake, lcore_id is taken as SPI so that
> +			 * for every core a different session is created.
> +			 */
> +			.salt = CPERF_IPSEC_SALT,
> +			.options = { 0 },
> +			.replay_win_sz = 0,
> +			.direction =
> +				((options->cipher_op ==
> +					RTE_CRYPTO_CIPHER_OP_ENCRYPT) &&
> +				(options->auth_op ==
> +					RTE_CRYPTO_AUTH_OP_GENERATE)) ||
> +				(options->aead_op ==
> +					RTE_CRYPTO_AEAD_OP_ENCRYPT) ?
> +				RTE_SECURITY_IPSEC_SA_DIR_EGRESS :
> +				RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
> +			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
> +			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
> +			.tunnel = tunnel,
> +		} },
> +		.userdata = NULL,
> +		.crypto_xform = &xform
> +	};
> +
> +	struct rte_security_ctx *ctx = (struct rte_security_ctx *)
> +				rte_cryptodev_get_sec_ctx(dev_id);
> +
> +	/* Create security session */
> +	return (void *)rte_security_session_create(ctx,
> +				&sess_conf, sess_mp, priv_mp);
> +}
> +
>   static struct rte_cryptodev_sym_session *
>   cperf_create_session(struct rte_mempool *sess_mp,
>   	struct rte_mempool *priv_mp,
> @@ -675,6 +798,12 @@ cperf_create_session(struct rte_mempool *sess_mp,
>   		return (void *)rte_security_session_create(ctx,
>   					&sess_conf, sess_mp, priv_mp);
>   	}
> +
> +	if (options->op_type == CPERF_IPSEC) {
> +		return create_ipsec_session(sess_mp, priv_mp, dev_id,
> +				options, test_vector, iv_offset);
> +	}
> +
>   	if (options->op_type == CPERF_DOCSIS) {
>   		enum rte_security_docsis_direction direction;
>   
> @@ -872,44 +1001,40 @@ cperf_get_op_functions(const struct cperf_options *options,
>   
>   	op_fns->sess_create = cperf_create_session;
>   
> -	if (options->op_type == CPERF_ASYM_MODEX) {
> -		op_fns->populate_ops = cperf_set_ops_asym;
> -		return 0;
> -	}
> -
> -	if (options->op_type == CPERF_AEAD) {
> +	switch (options->op_type) {
> +	case CPERF_AEAD:
>   		op_fns->populate_ops = cperf_set_ops_aead;
> -		return 0;
> -	}
> +		break;
>   
> -	if (options->op_type == CPERF_AUTH_THEN_CIPHER
> -			|| options->op_type == CPERF_CIPHER_THEN_AUTH) {
> +	case CPERF_AUTH_THEN_CIPHER:
> +	case CPERF_CIPHER_THEN_AUTH:
>   		op_fns->populate_ops = cperf_set_ops_cipher_auth;
> -		return 0;
> -	}
> -	if (options->op_type == CPERF_AUTH_ONLY) {
> +		break;
> +	case CPERF_AUTH_ONLY:
>   		if (options->auth_algo == RTE_CRYPTO_AUTH_NULL)
>   			op_fns->populate_ops = cperf_set_ops_null_auth;
>   		else
>   			op_fns->populate_ops = cperf_set_ops_auth;
> -		return 0;
> -	}
> -	if (options->op_type == CPERF_CIPHER_ONLY) {
> +		break;
> +	case CPERF_CIPHER_ONLY:
>   		if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL)
>   			op_fns->populate_ops = cperf_set_ops_null_cipher;
>   		else
>   			op_fns->populate_ops = cperf_set_ops_cipher;
> -		return 0;
> -	}
> +		break;
> +	case CPERF_ASYM_MODEX:
> +		op_fns->populate_ops = cperf_set_ops_asym;
> +		break;
>   #ifdef RTE_LIB_SECURITY
> -	if (options->op_type == CPERF_PDCP) {
> +	case CPERF_PDCP:
> +	case CPERF_IPSEC:
> +	case CPERF_DOCSIS:
>   		op_fns->populate_ops = cperf_set_ops_security;
> -		return 0;
> -	}
> -	if (options->op_type == CPERF_DOCSIS) {
> -		op_fns->populate_ops = cperf_set_ops_security;
> -		return 0;
> -	}
> +		break;
>   #endif
> -	return -1;
> +	default:
> +		return -1;
> +	}
> +
> +	return 0;
>   }
> diff --git a/app/test-crypto-perf/cperf_options.h b/app/test-crypto-perf/cperf_options.h
> index f5ea2b90a5..031b238b20 100644
> --- a/app/test-crypto-perf/cperf_options.h
> +++ b/app/test-crypto-perf/cperf_options.h
> @@ -80,6 +80,7 @@ enum cperf_op_type {
>   	CPERF_AEAD,
>   	CPERF_PDCP,
>   	CPERF_DOCSIS,
> +	CPERF_IPSEC,
>   	CPERF_ASYM_MODEX
>   };
>   
> diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-perf/cperf_options_parsing.c
> index 2a7acb0111..c244f81bbf 100644
> --- a/app/test-crypto-perf/cperf_options_parsing.c
> +++ b/app/test-crypto-perf/cperf_options_parsing.c
> @@ -458,6 +458,10 @@ parse_op_type(struct cperf_options *opts, const char *arg)
>   			cperf_op_type_strs[CPERF_DOCSIS],
>   			CPERF_DOCSIS
>   		},
> +		{
> +			cperf_op_type_strs[CPERF_IPSEC],
> +			CPERF_IPSEC
> +		},
>   		{
>   			cperf_op_type_strs[CPERF_ASYM_MODEX],
>   			CPERF_ASYM_MODEX
> diff --git a/app/test-crypto-perf/cperf_test_throughput.c b/app/test-crypto-perf/cperf_test_throughput.c
> index 76fcda47ff..ca65c3c883 100644
> --- a/app/test-crypto-perf/cperf_test_throughput.c
> +++ b/app/test-crypto-perf/cperf_test_throughput.c
> @@ -42,7 +42,8 @@ cperf_throughput_test_free(struct cperf_throughput_ctx *ctx)
>   		}
>   #ifdef RTE_LIB_SECURITY
>   		else if (ctx->options->op_type == CPERF_PDCP ||
> -			 ctx->options->op_type == CPERF_DOCSIS) {
> +			 ctx->options->op_type == CPERF_DOCSIS ||
> +			 ctx->options->op_type == CPERF_IPSEC) {
>   			struct rte_security_ctx *sec_ctx =
>   				(struct rte_security_ctx *)
>   					rte_cryptodev_get_sec_ctx(ctx->dev_id);
> diff --git a/app/test-crypto-perf/cperf_test_vectors.c b/app/test-crypto-perf/cperf_test_vectors.c
> index 4bba405961..e944583089 100644
> --- a/app/test-crypto-perf/cperf_test_vectors.c
> +++ b/app/test-crypto-perf/cperf_test_vectors.c
> @@ -448,7 +448,8 @@ cperf_test_vector_get_dummy(struct cperf_options *options)
>   		t_vec->modex.elen = sizeof(perf_mod_e);
>   	}
>   
> -	if (options->op_type ==	CPERF_PDCP) {
> +	if (options->op_type ==	CPERF_PDCP ||
> +			options->op_type == CPERF_IPSEC) {
>   		if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
>   			t_vec->cipher_key.length = 0;
>   			t_vec->ciphertext.data = plaintext;
> @@ -579,7 +580,8 @@ cperf_test_vector_get_dummy(struct cperf_options *options)
>   		t_vec->auth_iv.length = options->auth_iv_sz;
>   	}
>   
> -	if (options->op_type == CPERF_AEAD) {
> +	if (options->op_type == CPERF_AEAD ||
> +			options->op_type == CPERF_IPSEC) {
>   		t_vec->aead_key.length = options->aead_key_sz;
>   		t_vec->aead_key.data = aead_key;
>   
> diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
> index 390380898e..6fdb92fb7c 100644
> --- a/app/test-crypto-perf/main.c
> +++ b/app/test-crypto-perf/main.c
> @@ -41,6 +41,7 @@ const char *cperf_op_type_strs[] = {
>   	[CPERF_AEAD] = "aead",
>   	[CPERF_PDCP] = "pdcp",
>   	[CPERF_DOCSIS] = "docsis",
> +	[CPERF_IPSEC] = "ipsec",
>   	[CPERF_ASYM_MODEX] = "modex"
>   };
>   
> @@ -278,9 +279,9 @@ cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
>   			/* Fall through */
>   		case CPERF_PDCP:
>   		case CPERF_DOCSIS:
> +		case CPERF_IPSEC:
>   			/* Fall through */
>   		default:
> -
>   			conf.ff_disable |= RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO;
>   		}
>   
> diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
> index dfaf7bdf38..84266aba7c 100644
> --- a/doc/guides/rel_notes/release_21_11.rst
> +++ b/doc/guides/rel_notes/release_21_11.rst
> @@ -134,6 +134,7 @@ New Features
>   
>     * Added support for asymmetric crypto throughput performance measurement.
>       Only modex is supported for now.
> +  * Added support for lookaside IPsec protocol offload throughput measurement.
>   
>   * **Added lookaside protocol (IPsec) tests in dpdk-test.**
>
diff mbox series

Patch

diff --git a/app/test-crypto-perf/cperf_ops.c b/app/test-crypto-perf/cperf_ops.c
index 4b7d66edb2..b2073f0738 100644
--- a/app/test-crypto-perf/cperf_ops.c
+++ b/app/test-crypto-perf/cperf_ops.c
@@ -62,7 +62,13 @@  cperf_set_ops_security(struct rte_crypto_op **ops,
 		sym_op->m_src = (struct rte_mbuf *)((uint8_t *)ops[i] +
 							src_buf_offset);
 
-		if (options->op_type == CPERF_PDCP) {
+		if (options->op_type == CPERF_PDCP ||
+				options->op_type == CPERF_IPSEC) {
+			/* In case of IPsec, headroom is consumed by PMD,
+			 * hence resetting it.
+			 */
+			sym_op->m_src->data_off = options->headroom_sz;
+
 			sym_op->m_src->buf_len = options->segment_sz;
 			sym_op->m_src->data_len = options->test_buffer_size;
 			sym_op->m_src->pkt_len = sym_op->m_src->data_len;
@@ -565,6 +571,123 @@  cperf_set_ops_aead(struct rte_crypto_op **ops,
 	return 0;
 }
 
+static struct rte_cryptodev_sym_session *
+create_ipsec_session(struct rte_mempool *sess_mp,
+		struct rte_mempool *priv_mp,
+		uint8_t dev_id,
+		const struct cperf_options *options,
+		const struct cperf_test_vector *test_vector,
+		uint16_t iv_offset)
+{
+	struct rte_crypto_sym_xform xform = {0};
+	struct rte_crypto_sym_xform auth_xform = {0};
+
+	if (options->aead_algo != 0) {
+		/* Setup AEAD Parameters */
+		xform.type = RTE_CRYPTO_SYM_XFORM_AEAD;
+		xform.next = NULL;
+		xform.aead.algo = options->aead_algo;
+		xform.aead.op = options->aead_op;
+		xform.aead.iv.offset = iv_offset;
+		xform.aead.key.data = test_vector->aead_key.data;
+		xform.aead.key.length = test_vector->aead_key.length;
+		xform.aead.iv.length = test_vector->aead_iv.length;
+		xform.aead.digest_length = options->digest_sz;
+		xform.aead.aad_length = options->aead_aad_sz;
+	} else if (options->cipher_algo != 0 && options->auth_algo != 0) {
+		/* Setup Cipher Parameters */
+		xform.type = RTE_CRYPTO_SYM_XFORM_CIPHER;
+		xform.next = NULL;
+		xform.cipher.algo = options->cipher_algo;
+		xform.cipher.op = options->cipher_op;
+		xform.cipher.iv.offset = iv_offset;
+		xform.cipher.iv.length = test_vector->cipher_iv.length;
+		/* cipher different than null */
+		if (options->cipher_algo != RTE_CRYPTO_CIPHER_NULL) {
+			xform.cipher.key.data = test_vector->cipher_key.data;
+			xform.cipher.key.length =
+				test_vector->cipher_key.length;
+		} else {
+			xform.cipher.key.data = NULL;
+			xform.cipher.key.length = 0;
+		}
+
+		/* Setup Auth Parameters */
+		auth_xform.type = RTE_CRYPTO_SYM_XFORM_AUTH;
+		auth_xform.next = NULL;
+		auth_xform.auth.algo = options->auth_algo;
+		auth_xform.auth.op = options->auth_op;
+		auth_xform.auth.iv.offset = iv_offset +
+				xform.cipher.iv.length;
+		/* auth different than null */
+		if (options->auth_algo != RTE_CRYPTO_AUTH_NULL) {
+			auth_xform.auth.digest_length = options->digest_sz;
+			auth_xform.auth.key.length =
+						test_vector->auth_key.length;
+			auth_xform.auth.key.data = test_vector->auth_key.data;
+			auth_xform.auth.iv.length = test_vector->auth_iv.length;
+		} else {
+			auth_xform.auth.digest_length = 0;
+			auth_xform.auth.key.length = 0;
+			auth_xform.auth.key.data = NULL;
+			auth_xform.auth.iv.length = 0;
+		}
+
+		xform.next = &auth_xform;
+	} else {
+		return NULL;
+	}
+
+#define CPERF_IPSEC_SRC_IP	0x01010101
+#define CPERF_IPSEC_DST_IP	0x02020202
+#define CPERF_IPSEC_SALT	0x0
+#define CPERF_IPSEC_DEFTTL	64
+	struct rte_security_ipsec_tunnel_param tunnel = {
+		.type = RTE_SECURITY_IPSEC_TUNNEL_IPV4,
+		{.ipv4 = {
+			.src_ip = { .s_addr = CPERF_IPSEC_SRC_IP},
+			.dst_ip = { .s_addr = CPERF_IPSEC_DST_IP},
+			.dscp = 0,
+			.df = 0,
+			.ttl = CPERF_IPSEC_DEFTTL,
+		} },
+	};
+	struct rte_security_session_conf sess_conf = {
+		.action_type = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+		.protocol = RTE_SECURITY_PROTOCOL_IPSEC,
+		{.ipsec = {
+			.spi = rte_lcore_id(),
+			/**< For testing sake, lcore_id is taken as SPI so that
+			 * for every core a different session is created.
+			 */
+			.salt = CPERF_IPSEC_SALT,
+			.options = { 0 },
+			.replay_win_sz = 0,
+			.direction =
+				((options->cipher_op ==
+					RTE_CRYPTO_CIPHER_OP_ENCRYPT) &&
+				(options->auth_op ==
+					RTE_CRYPTO_AUTH_OP_GENERATE)) ||
+				(options->aead_op ==
+					RTE_CRYPTO_AEAD_OP_ENCRYPT) ?
+				RTE_SECURITY_IPSEC_SA_DIR_EGRESS :
+				RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
+			.proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
+			.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
+			.tunnel = tunnel,
+		} },
+		.userdata = NULL,
+		.crypto_xform = &xform
+	};
+
+	struct rte_security_ctx *ctx = (struct rte_security_ctx *)
+				rte_cryptodev_get_sec_ctx(dev_id);
+
+	/* Create security session */
+	return (void *)rte_security_session_create(ctx,
+				&sess_conf, sess_mp, priv_mp);
+}
+
 static struct rte_cryptodev_sym_session *
 cperf_create_session(struct rte_mempool *sess_mp,
 	struct rte_mempool *priv_mp,
@@ -675,6 +798,12 @@  cperf_create_session(struct rte_mempool *sess_mp,
 		return (void *)rte_security_session_create(ctx,
 					&sess_conf, sess_mp, priv_mp);
 	}
+
+	if (options->op_type == CPERF_IPSEC) {
+		return create_ipsec_session(sess_mp, priv_mp, dev_id,
+				options, test_vector, iv_offset);
+	}
+
 	if (options->op_type == CPERF_DOCSIS) {
 		enum rte_security_docsis_direction direction;
 
@@ -872,44 +1001,40 @@  cperf_get_op_functions(const struct cperf_options *options,
 
 	op_fns->sess_create = cperf_create_session;
 
-	if (options->op_type == CPERF_ASYM_MODEX) {
-		op_fns->populate_ops = cperf_set_ops_asym;
-		return 0;
-	}
-
-	if (options->op_type == CPERF_AEAD) {
+	switch (options->op_type) {
+	case CPERF_AEAD:
 		op_fns->populate_ops = cperf_set_ops_aead;
-		return 0;
-	}
+		break;
 
-	if (options->op_type == CPERF_AUTH_THEN_CIPHER
-			|| options->op_type == CPERF_CIPHER_THEN_AUTH) {
+	case CPERF_AUTH_THEN_CIPHER:
+	case CPERF_CIPHER_THEN_AUTH:
 		op_fns->populate_ops = cperf_set_ops_cipher_auth;
-		return 0;
-	}
-	if (options->op_type == CPERF_AUTH_ONLY) {
+		break;
+	case CPERF_AUTH_ONLY:
 		if (options->auth_algo == RTE_CRYPTO_AUTH_NULL)
 			op_fns->populate_ops = cperf_set_ops_null_auth;
 		else
 			op_fns->populate_ops = cperf_set_ops_auth;
-		return 0;
-	}
-	if (options->op_type == CPERF_CIPHER_ONLY) {
+		break;
+	case CPERF_CIPHER_ONLY:
 		if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL)
 			op_fns->populate_ops = cperf_set_ops_null_cipher;
 		else
 			op_fns->populate_ops = cperf_set_ops_cipher;
-		return 0;
-	}
+		break;
+	case CPERF_ASYM_MODEX:
+		op_fns->populate_ops = cperf_set_ops_asym;
+		break;
 #ifdef RTE_LIB_SECURITY
-	if (options->op_type == CPERF_PDCP) {
+	case CPERF_PDCP:
+	case CPERF_IPSEC:
+	case CPERF_DOCSIS:
 		op_fns->populate_ops = cperf_set_ops_security;
-		return 0;
-	}
-	if (options->op_type == CPERF_DOCSIS) {
-		op_fns->populate_ops = cperf_set_ops_security;
-		return 0;
-	}
+		break;
 #endif
-	return -1;
+	default:
+		return -1;
+	}
+
+	return 0;
 }
diff --git a/app/test-crypto-perf/cperf_options.h b/app/test-crypto-perf/cperf_options.h
index f5ea2b90a5..031b238b20 100644
--- a/app/test-crypto-perf/cperf_options.h
+++ b/app/test-crypto-perf/cperf_options.h
@@ -80,6 +80,7 @@  enum cperf_op_type {
 	CPERF_AEAD,
 	CPERF_PDCP,
 	CPERF_DOCSIS,
+	CPERF_IPSEC,
 	CPERF_ASYM_MODEX
 };
 
diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-perf/cperf_options_parsing.c
index 2a7acb0111..c244f81bbf 100644
--- a/app/test-crypto-perf/cperf_options_parsing.c
+++ b/app/test-crypto-perf/cperf_options_parsing.c
@@ -458,6 +458,10 @@  parse_op_type(struct cperf_options *opts, const char *arg)
 			cperf_op_type_strs[CPERF_DOCSIS],
 			CPERF_DOCSIS
 		},
+		{
+			cperf_op_type_strs[CPERF_IPSEC],
+			CPERF_IPSEC
+		},
 		{
 			cperf_op_type_strs[CPERF_ASYM_MODEX],
 			CPERF_ASYM_MODEX
diff --git a/app/test-crypto-perf/cperf_test_throughput.c b/app/test-crypto-perf/cperf_test_throughput.c
index 76fcda47ff..ca65c3c883 100644
--- a/app/test-crypto-perf/cperf_test_throughput.c
+++ b/app/test-crypto-perf/cperf_test_throughput.c
@@ -42,7 +42,8 @@  cperf_throughput_test_free(struct cperf_throughput_ctx *ctx)
 		}
 #ifdef RTE_LIB_SECURITY
 		else if (ctx->options->op_type == CPERF_PDCP ||
-			 ctx->options->op_type == CPERF_DOCSIS) {
+			 ctx->options->op_type == CPERF_DOCSIS ||
+			 ctx->options->op_type == CPERF_IPSEC) {
 			struct rte_security_ctx *sec_ctx =
 				(struct rte_security_ctx *)
 					rte_cryptodev_get_sec_ctx(ctx->dev_id);
diff --git a/app/test-crypto-perf/cperf_test_vectors.c b/app/test-crypto-perf/cperf_test_vectors.c
index 4bba405961..e944583089 100644
--- a/app/test-crypto-perf/cperf_test_vectors.c
+++ b/app/test-crypto-perf/cperf_test_vectors.c
@@ -448,7 +448,8 @@  cperf_test_vector_get_dummy(struct cperf_options *options)
 		t_vec->modex.elen = sizeof(perf_mod_e);
 	}
 
-	if (options->op_type ==	CPERF_PDCP) {
+	if (options->op_type ==	CPERF_PDCP ||
+			options->op_type == CPERF_IPSEC) {
 		if (options->cipher_algo == RTE_CRYPTO_CIPHER_NULL) {
 			t_vec->cipher_key.length = 0;
 			t_vec->ciphertext.data = plaintext;
@@ -579,7 +580,8 @@  cperf_test_vector_get_dummy(struct cperf_options *options)
 		t_vec->auth_iv.length = options->auth_iv_sz;
 	}
 
-	if (options->op_type == CPERF_AEAD) {
+	if (options->op_type == CPERF_AEAD ||
+			options->op_type == CPERF_IPSEC) {
 		t_vec->aead_key.length = options->aead_key_sz;
 		t_vec->aead_key.data = aead_key;
 
diff --git a/app/test-crypto-perf/main.c b/app/test-crypto-perf/main.c
index 390380898e..6fdb92fb7c 100644
--- a/app/test-crypto-perf/main.c
+++ b/app/test-crypto-perf/main.c
@@ -41,6 +41,7 @@  const char *cperf_op_type_strs[] = {
 	[CPERF_AEAD] = "aead",
 	[CPERF_PDCP] = "pdcp",
 	[CPERF_DOCSIS] = "docsis",
+	[CPERF_IPSEC] = "ipsec",
 	[CPERF_ASYM_MODEX] = "modex"
 };
 
@@ -278,9 +279,9 @@  cperf_initialize_cryptodev(struct cperf_options *opts, uint8_t *enabled_cdevs)
 			/* Fall through */
 		case CPERF_PDCP:
 		case CPERF_DOCSIS:
+		case CPERF_IPSEC:
 			/* Fall through */
 		default:
-
 			conf.ff_disable |= RTE_CRYPTODEV_FF_ASYMMETRIC_CRYPTO;
 		}
 
diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index dfaf7bdf38..84266aba7c 100644
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -134,6 +134,7 @@  New Features
 
   * Added support for asymmetric crypto throughput performance measurement.
     Only modex is supported for now.
+  * Added support for lookaside IPsec protocol offload throughput measurement.
 
 * **Added lookaside protocol (IPsec) tests in dpdk-test.**