Hardware support for Intel QuickAssist?

zanthos

Hi, does anyone know if pfSense (fully) supports Intel QuickAssist for hardware crypto and compression in IPSEC/openVPN?

Thanks!

Guest

There are some Intel based SoCs that supports Intel QuickAssist and also some Intel chips (coleto creek)
that can be assembled or soldered on add on PCIe cards or modules that are supporting Intel QuickAssist.

This SoCs and the Coleto Creek chips are used by ADI Engineering who is assembling the whole range of
hardware for the Netgate store and pfSense store. You might be able to buy either you want both parts,
PCIe cards and also appliances. Actual now, or as today this Intel QuickAssist code isn´t flown inside of
the pfSense code. I am pretty sure that we will see this working between the version 2.3 final and 3.0
final. This is not based on proofed informations that you can count on, but more a guess personally from
my self about this. And I am glad about that the developers were waiting with this function!

SG-2220, 2440, 4860, 8860 C2758 1U and XG-2758 appliances are using the Intel Atom C2x58 (Rangeley)
SoCs, but Intel is upgrading actual the whole Intel Xeon D-1500 SoC series and some SKUs will be extra
network accelerated SoCs and so it might be that the pfSense store is also changing their Intel based
Xeon D-15xx platforms against the newer ones that comes network accelerated. So we will some more
time waiting, but after this time we get perhaps two series of appliances that is using then Intel
QuickAssist and not only one.

This might be causing why this will be not inserted in pfSense actual yet. The newer Intel Xeon D-15x8
SoCs are coming with;

• AES-NI
• Intel QuickAssist
• DPDK support (enabled software)

The actual Intel Atom C2x58 (Rangely) SoC that is used is supporting;

• AES-NI
• Intel QuickAssist

IPSec is actually pushed by using the AES-NI instruction set to speed up the entire throughput
to the x4 or x5 by using the AES-GCM algorithm.

OpenVPN might be pushed over the Intel QuickAssist in the near future or it gets also the AES-GCM
algorithm inserted that it might be also benefiting from the AES-NI instruction set. Who knows?

As an upgrade for systems without Intel QuickAssist:
ADI Engineering PCIe Intel QuickAssist accelerator only
Netgate PCIe Intel QuickAssist accelerator w/ four Intel GB LAN Ports

nikkon

check this :
https://blog.pfsense.org/?p=1626

i expect better support in 2.3 :)
i own a C2758 and there's no difference from the old C2750

oletuv

@BlueKobold:

The newer Intel Xeon D-15x8 SoCs are coming with;

• AES-NI
• Intel QuickAssist
• DPDK support (enabled software)

The actual Intel Atom C2x58 (Rangely) SoC that is used is supporting;

• AES-NI
• Intel QuickAssist

IPSec is actually pushed by using the AES-NI instruction set to speed up the entire throughput
to the x4 or x5 by using the AES-GCM algorithm.

OpenVPN might be pushed over the Intel QuickAssist in the near future or it gets also the AES-GCM
algorithm inserted that it might be also benefiting from the AES-NI instruction set. Who knows?

As an upgrade for systems without Intel QuickAssist:
ADI Engineering PCIe Intel QuickAssist accelerator only
Netgate PCIe Intel QuickAssist accelerator w/ four Intel GB LAN Ports

I´ve been looking at the new Xeon D-1518 and Xeon D-1528 processors. I don´t find anything in the specifications stating support for Intel QuickAssist. Are you sure the new Xeon D-15x8 processors support QuickAssist?

Guest

Intel Xeon D-15x8 networking accelerated SKUs
Please watch out for the first picture in that thread from www.servethehome.com
There are only three Intel Xeon D-1518, D-1528 and 1548 platforms that are networking
accelerated and they are coming as I was understood it together with;

• AES-NI
• DPDK support (enabled software only)
• Intel QuickAssist

if you have other number or informations I will be urgently interested on this, because one of them
should be also my next base for a speedy pfSense box and if this Boards are lacking of QuickAssist
I can usually stay better with the older C2758 board! I was really long waiting until now, where the
newer network accelerated boards (D-15x8) were out now and now finding out that there will be no
QuickAssist will be a real pain for me.

MikeV7896

Intel's ARK site (http://ark.intel.com) does mention that the Xeon D-15x8 chips support AES-NI… Not seen is anything mentioning DPDK (maybe it's labeled as something else as that's a new one for me) or QuickAssist.

QuickAssist is clearly identified on the Atom C2x58 chips.

oletuv

@BlueKobold:

Intel Xeon D-15x8 networking accelerated SKUs
Please watch out for the first picture in that thread from www.servethehome.com
There are only three Intel Xeon D-1518, D-1528 and 1548 platforms that are networking
accelerated and they are coming as I was understood it together with;

• AES-NI
• DPDK support (enabled software only)
• Intel QuickAssist

if you have other number or informations I will be urgently interested on this, because one of them
should be also my next base for a speedy pfSense box and if this Boards are lacking of QuickAssist
I can usually stay better with the older C2758 board! I was really long waiting until now, where the
newer network accelerated boards (D-15x8) were out now and now finding out that there will be no
QuickAssist will be a real pain for me.

If you follow the links in my previous post it will take you to the Intel specifications  for the Xeon D-1518 and D-1528 processors. I don't see QuickAssist mentioned anywhere in the specifications.

Like you I'm considering between the older Atom C2758 and the new Xeon D-1518 processor for building a pfSense firewall. The main decision factor will be wether or not the Xeon D-1518 actually has QuickAssist built in like the Atom C2758.

I hope someone here is able to confirm whether or not the Xeon D-15x8 processors have QuickAssist.

Guest

Intel's ARK site (http://ark.intel.com) does mention that the Xeon D-15x8 chips support AES-NI… Not seen is anything mentioning DPDK (maybe it's labeled as something else as that's a new one for me) or QuickAssist.

QuickAssist is clearly identified on the Atom C2x58 chips.

I just want to clarify two things here, at first I was also looking on a newer and stronger platform then the
Intel Atom C2758 (Rangeley) and I was playing with the thought to go with new Intel Xeon E3-1200v5 CPU.
But then based on that thread here someone was changing my mind to that direction to go with the newer
Intel Xeon D-15x8 SoC, based on the information that this will be extra network accelerated and it comes
together with AES-NI, Intel QuickAssist and DPDK (enabled) Software as options and functions delivered
by the new SoC generation from the Intel Xeon D-15x8. Not more and not less. Link to this thread

And then on top of this, that means in later in time, I was founding the column about the three
networking accelerated SKUs from SuperMicro that comes with soldered on Intel Xeon D-15x8
SoCs and in the first picture that is shown in that article you can see that there will be a small
arrow in front of Intel QuickAssist Technology and the second image is showing the benefit from
the DPDK (enabled software) against without using it, especially the Layer3 forwarding performance
boost. Link to that article with the both pictures

For sure that DPDKs API must be used to write code that this software will getting out any benefit from that
DPDK or in short pfSense or what else software must be owing code that is written by using that DPDK API
that this new SoC will then benefit from that. But the capability is given by the hardware and that means the SoC.

And since that I was thinking of to get the ideal platform follower or replacement for the Intel Atom C2758.

• stronger CPU cores for better single core performance
• DPDK (enabled software) faster Layer3 performance
• AES-NI likes before for IPSec VPN
• Intel QuickAssist support

And now, if this might be not so, I personally have to search also like all other once more again
for a newer platform mislead by this thread and articles.

Blade Runner

BlueKobold is correct although info is not readily apparent. The Xeon D 15x8 series does support AES-NI and QuickAssist Technology.

Link 1

http://www.servethehome.com/intel-xeon-d-15x8-networking-accelerated-skus/

Link 2

http://www.cpu-world.com/CPUs/Xeon_D/Intel-Xeon%20D-1518.html

The above link shows AES instructions however it's identical to AES-NI.

Guest

The above link shows AES instructions however it's identical to AES-NI.

AES-NI = AES-New Instructions

Blade Runner

@BlueKobold:

The above link shows AES instructions however it's identical to AES-NI.

AES-NI = AES-New Instructions

I give up.

Guest

My reading on the this subject suggests that AES-NI and Quickassist is targeted at lower power CPU's since Standard AES is labor intensive for a CPU. In all actuality, AES-NI is an additional 7 instructions added to AES to speed it up. Additionally, Quickassist is essentially separate hardware accelerator that aids the processor by offloading encryption/decryption processes. Further investigation of these two wonderful technologies also suggests that they are intended to provide increased Data security. My issue is, and maybe I don't fully understand is how these to things will apply to communications security. Things like VPN, IPsec and such use TLS, SSL, etc over secure sockets/ports. AES, is widely understood as a general purpose encryption for data on your hard disk and any data to transmitted from an AES or AES-NI encrypted machine, must be decrypted before being re-encrypted to SSL or TLS.

My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU since they have greater ability to crunch AES over Atom and lower CPU's. I base this assumption because on Intel's website, they list CPU's, motherboards etc that have these technologies and they all seem to be of the 20W TDP or lower. Stands to reason that Intel did this to make these low power system viable for high-end applications; but again that's my assumption.

cmb

@jbhowlesr:

My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU

Not true at all. Not even close. Check the performance stats.
http://store.netgate.com/ADI/QuickAssist8955.aspx

Guest

@cmb:

@jbhowlesr:

My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU

Not true at all. Not even close. Check the performance stats.
http://store.netgate.com/ADI/QuickAssist8955.aspx

Like I said…. My assumption. It's very hard to get a new perspective unless you engage conversation. So, instead of giving me a link, why not explain why you think I'm wrong.

oletuv

@cmb:

@jbhowlesr:

My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU

Not true at all. Not even close. Check the performance stats.
http://store.netgate.com/ADI/QuickAssist8955.aspx

I don´t get it. The 8955 adapter costs $899 while the Atom C2000 processors have QuickAssist built-in for a fraction of the cost.

Guest

Pardon my lack of being more descriptive in my assumption. What I am trying to say is that if you have a more powerful CPU, such as an i5, i7 or Xeon then having AES-NI and quick assist may not be necessary since these CPU's can crunch AES far more capably. Again, AES-NI and QuickAssist are designed to aid a CPU in performing this task and this is why I believe it comes only on low power CPU's. If I'm wrong, please explain. I'm trying to learn something here.

Guest

It all depends on who is doing what for how many and where, as I see it right.

And last buit not least it is more then a feature when the software you are using it is taking any kind
of advantage of it. With AES-NI you will today get something around of the x4 or x5 throughput of your
IPSec VPN and that is much in my eyes. And with OpenVPN 2.4 also OpenVPN will be getting more out
by using it depending on the new (HMAC) inside. Link to that information

Intel QuickAssist is coming in 2016 and then all peoples will be really able to use it or not likes he can do
it by the presence inside of the hardware he is using. It is a hardware related function, as the hardware
must be comes with Intel QuickAssist support or together with a add on card likes ADI or Netgate are
offering them in the shops to go for because the Intel Xeon D-15x8, E3 and E5 CPUs are only supporting
AES-NI and comes without Intel QuickAssist support.  Link to the Intel QuickAssist status

This all can even be differ each from another, but are being also on the other side two different points
AES-NI is in usage and runs good and so I will assume that it will also run very good for OpenVPN too.

Gaming hardware comes often with AES-NI support based of its CPU that comes with it inside, but
Intel QuickAssist is something that is more for servers or server grade hardware mostly used more
in the professional area. And I am glad about the situation that Intel is willing and doing it right as
today now, because they had one of this cards in earlier days, fu***ng hard to pay and it was then
a lame duck that will never fly! With capabilities of 20 GBit/s to 50 GBit/s of encrypted or compressed
packet flow we should all be sorted right and be lucky over that on top. For sure this is not for the cost
that any home user will be able to go with, but there fore the Intel Atom C2x58 (Rangeley) will be strong
enough. Please don´t forget that in many countries the hardware encryption or encryption in general will
be prohibited by law! And so this peoples will be able over the Intel Atom C2x58 SoC to get also their nice
VPN throughput accelerated fine as we all others.

I don´t get it. The 8955 adapter costs $899 while the Atom C2000 processors have QuickAssist built-in for a fraction of the cost.

Who goes with the Intel Atom SoC is not needing this adapter but all others who are using Intels Xeon
D-15x8, E3 or E5 CPUs will be able to benefiting too from Intel QuickAssist too over that adapters.

My assumption. It's very hard to get a new perspective unless you engage conversation. So, instead of giving me a link, why not explain why you think I'm wrong.

AES-NI is not in really inside of all CPUs and Intel QuickAssist is also not available in gaming hardware
and on top not done in Software likes DPDK (enabled software)!

Again, AES-NI and QuickAssist are designed to aid a CPU in performing this task and this is why I believe it comes only on low power CPU's. If I'm wrong, please explain. I'm trying to learn something here.

The Intel Atom C2x58 series is the only one I really know that comes beside with QuickAssist all others are
only coming with the AES-NI inside. And please see the adapters that are not really in a home, SOHO or Pro
range or area, it is more based on the enterprise or big data segment, base don the throughput numbers
this will be not really matching smaller SoCs but more bigger CPU to handle that amount of stuff likes
D-1500, E3- or E5 CPUs. See all the prices and then you will know that this will be not the same what
is inside of the lower end Intel Atom CPUs or SoCs.
ADI
Intel
Netgate
On Amazon.com

If I'm wrong, please explain.

I really don´t think that this Intel Atom SoC will be able to handle the same load of this adapters above.
But I am really lucky about that they are able to buy for anybody who want it. So if this might be only
inserted inside of lower Atom SoCs why then this adapters are needed? It is more a server side think
and not foe the end users with their lower end Atoms. You will need much more horse power to route and
perform 20 GBit/s - 50 GBit/s of encrypted or compressed traffic then an Intel Atom will be able to realize.

oletuv

@Blade:

BlueKobold is correct although info is not readily apparent. The Xeon D 15x8 series does support AES-NI and QuickAssist Technology.

Link 1

http://www.servethehome.com/intel-xeon-d-15x8-networking-accelerated-skus/

Link 2

http://www.cpu-world.com/CPUs/Xeon_D/Intel-Xeon%20D-1518.html

The above link shows AES instructions however it's identical to AES-NI.

The Xeon D-15x8 SKUs do not have onboard QuickAssist acceleration according to Patrick Kennedy @ STH. Here´s what he replied to my question regarding QA:

**Hi,

The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.

Regards,
Patrick**

Guest

The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.

+1 from me for that information! This would clarifying it and bringing it to the point.

oletuv

@BlueKobold:

The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.

+1 from me for that information! This would clarifying it and bringing it to the point.

Thanks. Since support for QuickAssist probably will be added to pfSense during 2016, I think a Atom C2758 SKU would be a better option for a dedicated pfSense box. Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. QuickAssist onboard and a lot cheaper than a Xeon D-15x8 based config too.