Hardware support for Intel QuickAssist?
-
Intel's ARK site (http://ark.intel.com) does mention that the Xeon D-15x8 chips support AES-NI… Not seen is anything mentioning DPDK (maybe it's labeled as something else as that's a new one for me) or QuickAssist.
QuickAssist is clearly identified on the Atom C2x58 chips.
I just want to clarify two things here, at first I was also looking on a newer and stronger platform then the
Intel Atom C2758 (Rangeley) and I was playing with the thought to go with new Intel Xeon E3-1200v5 CPU.
But then based on that thread here someone was changing my mind to that direction to go with the newer
Intel Xeon D-15x8 SoC, based on the information that this will be extra network accelerated and it comes
together with AES-NI, Intel QuickAssist and DPDK (enabled) Software as options and functions delivered
by the new SoC generation from the Intel Xeon D-15x8. Not more and not less. Link to this threadAnd then on top of this, that means in later in time, I was founding the column about the three
networking accelerated SKUs from SuperMicro that comes with soldered on Intel Xeon D-15x8
SoCs and in the first picture that is shown in that article you can see that there will be a small
arrow in front of Intel QuickAssist Technology and the second image is showing the benefit from
the DPDK (enabled software) against without using it, especially the Layer3 forwarding performance
boost. Link to that article with the both picturesFor sure that DPDKs API must be used to write code that this software will getting out any benefit from that
DPDK or in short pfSense or what else software must be owing code that is written by using that DPDK API
that this new SoC will then benefit from that. But the capability is given by the hardware and that means the SoC.And since that I was thinking of to get the ideal platform follower or replacement for the Intel Atom C2758.
- stronger CPU cores for better single core performance
- DPDK (enabled software) faster Layer3 performance
- AES-NI likes before for IPSec VPN
- Intel QuickAssist support
And now, if this might be not so, I personally have to search also like all other once more again
for a newer platform mislead by this thread and articles. -
BlueKobold is correct although info is not readily apparent. The Xeon D 15x8 series does support AES-NI and QuickAssist Technology.
Link 1
http://www.servethehome.com/intel-xeon-d-15x8-networking-accelerated-skus/
Link 2
http://www.cpu-world.com/CPUs/Xeon_D/Intel-Xeon%20D-1518.html
The above link shows AES instructions however it's identical to AES-NI.
-
The above link shows AES instructions however it's identical to AES-NI.
AES-NI = AES-New Instructions
-
@BlueKobold:
The above link shows AES instructions however it's identical to AES-NI.
AES-NI = AES-New Instructions
I give up.
-
My reading on the this subject suggests that AES-NI and Quickassist is targeted at lower power CPU's since Standard AES is labor intensive for a CPU. In all actuality, AES-NI is an additional 7 instructions added to AES to speed it up. Additionally, Quickassist is essentially separate hardware accelerator that aids the processor by offloading encryption/decryption processes. Further investigation of these two wonderful technologies also suggests that they are intended to provide increased Data security. My issue is, and maybe I don't fully understand is how these to things will apply to communications security. Things like VPN, IPsec and such use TLS, SSL, etc over secure sockets/ports. AES, is widely understood as a general purpose encryption for data on your hard disk and any data to transmitted from an AES or AES-NI encrypted machine, must be decrypted before being re-encrypted to SSL or TLS.
My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU since they have greater ability to crunch AES over Atom and lower CPU's. I base this assumption because on Intel's website, they list CPU's, motherboards etc that have these technologies and they all seem to be of the 20W TDP or lower. Stands to reason that Intel did this to make these low power system viable for high-end applications; but again that's my assumption.
-
My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU
Not true at all. Not even close. Check the performance stats.
http://store.netgate.com/ADI/QuickAssist8955.aspx -
@cmb:
My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU
Not true at all. Not even close. Check the performance stats.
http://store.netgate.com/ADI/QuickAssist8955.aspxLike I said…. My assumption. It's very hard to get a new perspective unless you engage conversation. So, instead of giving me a link, why not explain why you think I'm wrong.
-
@cmb:
My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU
Not true at all. Not even close. Check the performance stats.
http://store.netgate.com/ADI/QuickAssist8955.aspxI don´t get it. The 8955 adapter costs $899 while the Atom C2000 processors have QuickAssist built-in for a fraction of the cost.
-
Pardon my lack of being more descriptive in my assumption. What I am trying to say is that if you have a more powerful CPU, such as an i5, i7 or Xeon then having AES-NI and quick assist may not be necessary since these CPU's can crunch AES far more capably. Again, AES-NI and QuickAssist are designed to aid a CPU in performing this task and this is why I believe it comes only on low power CPU's. If I'm wrong, please explain. I'm trying to learn something here.
-
It all depends on who is doing what for how many and where, as I see it right.
And last buit not least it is more then a feature when the software you are using it is taking any kind
of advantage of it. With AES-NI you will today get something around of the x4 or x5 throughput of your
IPSec VPN and that is much in my eyes. And with OpenVPN 2.4 also OpenVPN will be getting more out
by using it depending on the new (HMAC) inside. Link to that informationIntel QuickAssist is coming in 2016 and then all peoples will be really able to use it or not likes he can do
it by the presence inside of the hardware he is using. It is a hardware related function, as the hardware
must be comes with Intel QuickAssist support or together with a add on card likes ADI or Netgate are
offering them in the shops to go for because the Intel Xeon D-15x8, E3 and E5 CPUs are only supporting
AES-NI and comes without Intel QuickAssist support. Link to the Intel QuickAssist statusThis all can even be differ each from another, but are being also on the other side two different points
AES-NI is in usage and runs good and so I will assume that it will also run very good for OpenVPN too.Gaming hardware comes often with AES-NI support based of its CPU that comes with it inside, but
Intel QuickAssist is something that is more for servers or server grade hardware mostly used more
in the professional area. And I am glad about the situation that Intel is willing and doing it right as
today now, because they had one of this cards in earlier days, fu***ng hard to pay and it was then
a lame duck that will never fly! With capabilities of 20 GBit/s to 50 GBit/s of encrypted or compressed
packet flow we should all be sorted right and be lucky over that on top. For sure this is not for the cost
that any home user will be able to go with, but there fore the Intel Atom C2x58 (Rangeley) will be strong
enough. Please don´t forget that in many countries the hardware encryption or encryption in general will
be prohibited by law! And so this peoples will be able over the Intel Atom C2x58 SoC to get also their nice
VPN throughput accelerated fine as we all others.I don´t get it. The 8955 adapter costs $899 while the Atom C2000 processors have QuickAssist built-in for a fraction of the cost.
Who goes with the Intel Atom SoC is not needing this adapter but all others who are using Intels Xeon
D-15x8, E3 or E5 CPUs will be able to benefiting too from Intel QuickAssist too over that adapters.My assumption. It's very hard to get a new perspective unless you engage conversation. So, instead of giving me a link, why not explain why you think I'm wrong.
AES-NI is not in really inside of all CPUs and Intel QuickAssist is also not available in gaming hardware
and on top not done in Software likes DPDK (enabled software)!Again, AES-NI and QuickAssist are designed to aid a CPU in performing this task and this is why I believe it comes only on low power CPU's. If I'm wrong, please explain. I'm trying to learn something here.
The Intel Atom C2x58 series is the only one I really know that comes beside with QuickAssist all others are
only coming with the AES-NI inside. And please see the adapters that are not really in a home, SOHO or Pro
range or area, it is more based on the enterprise or big data segment, base don the throughput numbers
this will be not really matching smaller SoCs but more bigger CPU to handle that amount of stuff likes
D-1500, E3- or E5 CPUs. See all the prices and then you will know that this will be not the same what
is inside of the lower end Intel Atom CPUs or SoCs.
ADI
Intel
Netgate
On Amazon.comIf I'm wrong, please explain.
I really don´t think that this Intel Atom SoC will be able to handle the same load of this adapters above.
But I am really lucky about that they are able to buy for anybody who want it. So if this might be only
inserted inside of lower Atom SoCs why then this adapters are needed? It is more a server side think
and not foe the end users with their lower end Atoms. You will need much more horse power to route and
perform 20 GBit/s - 50 GBit/s of encrypted or compressed traffic then an Intel Atom will be able to realize. -
BlueKobold is correct although info is not readily apparent. The Xeon D 15x8 series does support AES-NI and QuickAssist Technology.
Link 1
http://www.servethehome.com/intel-xeon-d-15x8-networking-accelerated-skus/
Link 2
http://www.cpu-world.com/CPUs/Xeon_D/Intel-Xeon%20D-1518.html
The above link shows AES instructions however it's identical to AES-NI.
The Xeon D-15x8 SKUs do not have onboard QuickAssist acceleration according to Patrick Kennedy @ STH. Here´s what he replied to my question regarding QA:
**Hi,
The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.
Regards,
Patrick** -
The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.
+1 from me for that information! This would clarifying it and bringing it to the point.
-
@BlueKobold:
The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.
+1 from me for that information! This would clarifying it and bringing it to the point.
Thanks. Since support for QuickAssist probably will be added to pfSense during 2016, I think a Atom C2758 SKU would be a better option for a dedicated pfSense box. Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. QuickAssist onboard and a lot cheaper than a Xeon D-15x8 based config too.
-
Thanks. Since support for QuickAssist probably will be added to pfSense during 2016,
As I was getting it out of another thread here it will be 2016 but not really when and in which version!
If in version 2.3 or 2.4 that was not clearly or directly told about.I think a Atom C2758 SKU would be a better option for a dedicated pfSense box.
Yes this might be right but there will be a lack of DPDK (enabled software) and as I was thinking
before the newer D-15x8 platforms were coming with all three things together likes AES-NI, QAT
and DPDK, it owuld be for me and my self a more interesting solution as the Intel Atom C2x58 series.
And that not only for private usage!!!! Also for many productive networks. But ok I can live with that
status quo for now. Then I am going with the C2758 variant or the SG-8860 variant and the D-15x8
would be better to add a QuickAssist adapter then if needed.Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. A lot cheaper than a Xeon D-15x8 based config too.
Cheap was not my really concern, so it was nice to think on to build a very heavy and strong sorted firewall
together with the M.2 MNVe SSD (Samsung950 Pro) and very fast RAM (DDR4-2133) and a 8C/16T SoC that
is supporting all three things. (AES-NI, QAT & DPDK) related to be more future proof and the QAT adapter was
more something what I was thinking for the higher level CPUs then likes E3 and E5 as an add on card. But again
I am pretty sure the QAT support will be a real bomb for pfSense as the OpenVPN AES-GCM support too.So its really nice to know it now better, but I am also a little bit sad about that information.
-
@BlueKobold:
–---
So its really nice to know it now better, but I am also a little bit sad about that information.Yes, I was also very eager to buy a Xeon D-15x8 Mini-ITX pc and is very disappointed about the confirmation that the otherwise attractive Xeon D-15x8 processors don´t have QuickAssist onboard. Well, life will go on, sort of :D
-
this may be redundant by this point but I want to say that I'm personally a little bit disenfranchised with the AES-NI naming convention. It suggests that it is something new entirely when in this is not the case when in all actuality, it is more of an addition. I wish Intel would have provided a better name for this new tech but for me it helps to think of it this way; AES + NI = AES-NI because the chip is using the added instructions to assist AES.
-
Since support for QuickAssist probably will be added to pfSense during 2016, I think a Atom C2758 SKU would be a better option for a dedicated pfSense box. Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. QuickAssist onboard and a lot cheaper than a Xeon D-15x8 based config too.
Hm.. Common sense tells me that Atom C2758 with onboard QuickAssist acceleration is a better option than the more costly Xeon D-15x8 with no onboard QuickAssist acceleration for a pfSense build. However, Atom Rangeley is an older processor released Q3/13 while the Xeon D-15x8 processors are newly released.
I suppose the new Xeon D processors will outperform Atom Rangeley except for crypto-heavy stuff like VPN. I will configure my pfSense firewall with IPSEC or OpenVPN, but will probably use it infrequently, typically to access my home network in Norway from my Spanish home.
The Supermicro X10SDV-6C+-TLN4F board (Xeon D-1528) with active CPU-cooling looks extremely tempting. ;)
Frank, what do you think? ;D
-
Hm.. Common sense tells me that Atom C2758 with onboard QuickAssist acceleration is a better option than the more costly Xeon D-15x8 with no onboard QuickAssist acceleration for a pfSense build.
For SMB or home usage it will be easy to answer, for sure it is likes you were telling!
However, Atom Rangeley is an older processor released Q3/13 while the Xeon D-15x8 processors are newly released.
It is also the CPU design and the circumstance that not each cpu core is comparable to any other cpu core.
If the netmap-fwd, QAT and perhaps DPDK over AVX/AVX2 registers will be available it could really be that
the Intel Atom C2000 (Rangely) platform will be attractive as on its first release day or much more then this.I suppose the new Xeon D processors will outperform Atom Rangeley except for crypto-heavy stuff like VPN.
QAT, netmap-fwd and OpenVPN 2.4 in pfSense 2.3 will be able to change many things.
I will configure my pfSense firewall with IPSEC or OpenVPN, but will probably use it infrequently, typically to access my home network in Norway from my Spanish home.
As for now I am still using IPSec VPN (AES-GCM) it is the best supported VPN form the AES-NI CPU instructions.
If you have many side-to-side VPNs it will be really useful to get the best performance as it is able to realize
and with AES-NI it is able to get something around the x4 or x5 of the normal throughput. Again, this can be
turned around if the intel QAT is in usage inside of pfSense and then the cards will mixed up new again.Also the iOS devices from apple are coming together with IPSec APPs and it is a fine thing if on both
side a pfSense firewall is able to use the AES-NI to speed up the entire IPSec tunnel.The Supermicro X10SDV-6C+-TLN4F board (Xeon D-1528) with active CPU-cooling looks extremely tempting. ;)
M.2 SSD slot, 2 x 10 GbE ports, many CPU core, HT and TurboBoost, DDR4-2133MHz UDIMM support
PCIe 3.0 x16 what should I say a really nice platform to go with and the ability to add if needed- Chelsio 2 Port 10 GbE NIC
- Netgate Intel QAT Adapter
- Intel QAT Adapter with 4 GBit/s LAN Ports
Frank, what do you think? ;D
For home and for SMB usage go with the Intel Atom C2x58 SoC or similar from Negate store or the
pfSense store. If you will needing more horse power and/or throughput the Xeon D-15x8 will be a
really nice option to know too. -
Since support for QuickAssist probably will be added to pfSense during 2016, I think a Atom C2758 SKU would be a better option for a dedicated pfSense box. Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. QuickAssist onboard and a lot cheaper than a Xeon D-15x8 based config too.
Hm.. Common sense tells me that Atom C2758 with onboard QuickAssist acceleration is a better option than the more costly Xeon D-15x8 with no onboard QuickAssist acceleration for a pfSense build. However, Atom Rangeley is an older processor released Q3/13 while the Xeon D-15x8 processors are newly released.
Just be aware that QAT support might not be coming to the C2758.
When asked about QAT support earlier today, gonzopancho wrote:
"When it's done." Maybe 2.4, and then maybe only for 895x and newer.
I'm still not decided if it will go in the community edition. -
All I'll say is I hope that isn't the case, both for the devices supported (C2x58 processors should be supported!) and for the lack of presence in the community edition. I have a lot more that I want to say, but I'll refrain for the time being, since there's still lots of time before it sees any sort of daylight in a released fashion.
