Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Hardware support for Intel QuickAssist?

    Scheduled Pinned Locked Moved Hardware
    43 Posts 15 Posters 30.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      Guest
      last edited by

      Intel's ARK site (http://ark.intel.com) does mention that the Xeon D-15x8 chips support AES-NI… Not seen is anything mentioning DPDK (maybe it's labeled as something else as that's a new one for me) or QuickAssist.

      QuickAssist is clearly identified on the Atom C2x58 chips.

      I just want to clarify two things here, at first I was also looking on a newer and stronger platform then the
      Intel Atom C2758 (Rangeley) and I was playing with the thought to go with new Intel Xeon E3-1200v5 CPU.
      But then based on that thread here someone was changing my mind to that direction to go with the newer
      Intel Xeon D-15x8 SoC, based on the information that this will be extra network accelerated and it comes
      together with AES-NI, Intel QuickAssist and DPDK (enabled) Software as options and functions delivered
      by the new SoC generation from the Intel Xeon D-15x8. Not more and not less. Link to this thread

      And then on top of this, that means in later in time, I was founding the column about the three
      networking accelerated SKUs from SuperMicro that comes with soldered on Intel Xeon D-15x8
      SoCs and in the first picture that is shown in that article you can see that there will be a small
      arrow in front of Intel QuickAssist Technology and the second image is showing the benefit from
      the DPDK (enabled software) against without using it, especially the Layer3 forwarding performance
      boost. Link to that article with the both pictures

      For sure that DPDKs API must be used to write code that this software will getting out any benefit from that
      DPDK or in short pfSense or what else software must be owing code that is written by using that DPDK API
      that this new SoC will then benefit from that. But the capability is given by the hardware and that means the SoC.

      And since that I was thinking of to get the ideal platform follower or replacement for the Intel Atom C2758.

      • stronger CPU cores for better single core performance
      • DPDK (enabled software) faster Layer3 performance
      • AES-NI likes before for IPSec VPN
      • Intel QuickAssist support

      And now, if this might be not so, I personally have to search also like all other once more again
      for a newer platform mislead by this thread and articles.

      1 Reply Last reply Reply Quote 0
      • B
        Blade Runner
        last edited by

        BlueKobold is correct although info is not readily apparent. The Xeon D 15x8 series does support AES-NI and QuickAssist Technology.

        Link 1

        http://www.servethehome.com/intel-xeon-d-15x8-networking-accelerated-skus/

        Link 2

        http://www.cpu-world.com/CPUs/Xeon_D/Intel-Xeon%20D-1518.html

        The above link shows AES instructions however it's identical to AES-NI.

        Do not be afraid to fail.

        1 Reply Last reply Reply Quote 0
        • ?
          Guest
          last edited by

          The above link shows AES instructions however it's identical to AES-NI.

          AES-NI = AES-New Instructions

          1 Reply Last reply Reply Quote 0
          • B
            Blade Runner
            last edited by

            @BlueKobold:

            The above link shows AES instructions however it's identical to AES-NI.

            AES-NI = AES-New Instructions

            I give up.

            Do not be afraid to fail.

            1 Reply Last reply Reply Quote 0
            • ?
              Guest
              last edited by

              My reading on the this subject suggests that AES-NI and Quickassist is targeted at lower power CPU's since Standard AES is labor intensive for a CPU. In all actuality, AES-NI is an additional 7 instructions added to AES to speed it up. Additionally, Quickassist is essentially separate hardware accelerator that aids the processor by offloading encryption/decryption processes. Further investigation of these two wonderful technologies also suggests that they are intended to provide increased Data security. My issue is, and maybe I don't fully understand is how these to things will apply to communications security. Things like VPN, IPsec and such use TLS, SSL, etc over secure sockets/ports. AES, is widely understood as a general purpose encryption for data on your hard disk and any data to transmitted from an AES or AES-NI encrypted machine, must be decrypted before being re-encrypted to SSL or TLS.

              My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU since they have greater ability to crunch AES over Atom and lower CPU's. I base this assumption because on Intel's website, they list CPU's, motherboards etc that have these technologies and they all seem to be of the 20W TDP or lower. Stands to reason that Intel did this to make these low power system viable for high-end applications; but again that's my assumption.

              1 Reply Last reply Reply Quote 0
              • C
                cmb
                last edited by

                @jbhowlesr:

                My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU

                Not true at all. Not even close. Check the performance stats.
                http://store.netgate.com/ADI/QuickAssist8955.aspx

                1 Reply Last reply Reply Quote 0
                • ?
                  Guest
                  last edited by

                  @cmb:

                  @jbhowlesr:

                  My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU

                  Not true at all. Not even close. Check the performance stats.
                  http://store.netgate.com/ADI/QuickAssist8955.aspx

                  Like I said…. My assumption. It's very hard to get a new perspective unless you engage conversation. So, instead of giving me a link, why not explain why you think I'm wrong.

                  1 Reply Last reply Reply Quote 0
                  • O
                    oletuv
                    last edited by

                    @cmb:

                    @jbhowlesr:

                    My assumption about AES-NI and QuickAssist is that they are widely unnecessary if you have medium to high power CPU

                    Not true at all. Not even close. Check the performance stats.
                    http://store.netgate.com/ADI/QuickAssist8955.aspx

                    I don´t get it. The 8955 adapter costs $899 while the Atom C2000 processors have QuickAssist built-in for a fraction of the cost.

                    1 Reply Last reply Reply Quote 0
                    • ?
                      Guest
                      last edited by

                      Pardon my lack of being more descriptive in my assumption. What I am trying to say is that if you have a more powerful CPU, such as an i5, i7 or Xeon then having AES-NI and quick assist may not be necessary since these CPU's can crunch AES far more capably. Again, AES-NI and QuickAssist are designed to aid a CPU in performing this task and this is why I believe it comes only on low power CPU's. If I'm wrong, please explain. I'm trying to learn something here.

                      1 Reply Last reply Reply Quote 0
                      • ?
                        Guest
                        last edited by

                        It all depends on who is doing what for how many and where, as I see it right.

                        And last buit not least it is more then a feature when the software you are using it is taking any kind
                        of advantage of it. With AES-NI you will today get something around of the x4 or x5 throughput of your
                        IPSec VPN and that is much in my eyes. And with OpenVPN 2.4 also OpenVPN will be getting more out
                        by using it depending on the new (HMAC) inside. Link to that information

                        Intel QuickAssist is coming in 2016 and then all peoples will be really able to use it or not likes he can do
                        it by the presence inside of the hardware he is using. It is a hardware related function, as the hardware
                        must be comes with Intel QuickAssist support or together with a add on card likes ADI or Netgate are
                        offering them in the shops to go for because the Intel Xeon D-15x8, E3 and E5 CPUs are only supporting
                        AES-NI and comes without Intel QuickAssist support.  Link to the Intel QuickAssist status

                        This all can even be differ each from another, but are being also on the other side two different points
                        AES-NI is in usage and runs good and so I will assume that it will also run very good for OpenVPN too.

                        Gaming hardware comes often with AES-NI support based of its CPU that comes with it inside, but
                        Intel QuickAssist is something that is more for servers or server grade hardware mostly used more
                        in the professional area. And I am glad about the situation that Intel is willing and doing it right as
                        today now, because they had one of this cards in earlier days, fu***ng hard to pay and it was then
                        a lame duck that will never fly! With capabilities of 20 GBit/s to 50 GBit/s of encrypted or compressed
                        packet flow we should all be sorted right and be lucky over that on top. For sure this is not for the cost
                        that any home user will be able to go with, but there fore the Intel Atom C2x58 (Rangeley) will be strong
                        enough. Please don´t forget that in many countries the hardware encryption or encryption in general will
                        be prohibited by law! And so this peoples will be able over the Intel Atom C2x58 SoC to get also their nice
                        VPN throughput accelerated fine as we all others.

                        I don´t get it. The 8955 adapter costs $899 while the Atom C2000 processors have QuickAssist built-in for a fraction of the cost.

                        Who goes with the Intel Atom SoC is not needing this adapter but all others who are using Intels Xeon
                        D-15x8, E3 or E5 CPUs will be able to benefiting too from Intel QuickAssist too over that adapters.

                        My assumption. It's very hard to get a new perspective unless you engage conversation. So, instead of giving me a link, why not explain why you think I'm wrong.

                        AES-NI is not in really inside of all CPUs and Intel QuickAssist is also not available in gaming hardware
                        and on top not done in Software likes DPDK (enabled software)!

                        Again, AES-NI and QuickAssist are designed to aid a CPU in performing this task and this is why I believe it comes only on low power CPU's. If I'm wrong, please explain. I'm trying to learn something here.

                        The Intel Atom C2x58 series is the only one I really know that comes beside with QuickAssist all others are
                        only coming with the AES-NI inside. And please see the adapters that are not really in a home, SOHO or Pro
                        range or area, it is more based on the enterprise or big data segment, base don the throughput numbers
                        this will be not really matching smaller SoCs but more bigger CPU to handle that amount of stuff likes
                        D-1500, E3- or E5 CPUs. See all the prices and then you will know that this will be not the same what
                        is inside of the lower end Intel Atom CPUs or SoCs.
                        ADI
                        Intel
                        Netgate
                        On Amazon.com

                        If I'm wrong, please explain.

                        I really don´t think that this Intel Atom SoC will be able to handle the same load of this adapters above.
                        But I am really lucky about that they are able to buy for anybody who want it. So if this might be only
                        inserted inside of lower Atom SoCs why then this adapters are needed? It is more a server side think
                        and not foe the end users with their lower end Atoms. You will need much more horse power to route and
                        perform 20 GBit/s - 50 GBit/s of encrypted or compressed traffic then an Intel Atom will be able to realize.

                        1 Reply Last reply Reply Quote 0
                        • O
                          oletuv
                          last edited by

                          @Blade:

                          BlueKobold is correct although info is not readily apparent. The Xeon D 15x8 series does support AES-NI and QuickAssist Technology.

                          Link 1

                          http://www.servethehome.com/intel-xeon-d-15x8-networking-accelerated-skus/

                          Link 2

                          http://www.cpu-world.com/CPUs/Xeon_D/Intel-Xeon%20D-1518.html

                          The above link shows AES instructions however it's identical to AES-NI.

                          The Xeon D-15x8 SKUs do not have onboard QuickAssist acceleration according to Patrick Kennedy @ STH. Here´s what he replied to my question regarding QA:

                          **Hi,

                          The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.

                          Regards,
                          Patrick**

                          1 Reply Last reply Reply Quote 0
                          • ?
                            Guest
                            last edited by

                            The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.

                            +1 from me for that information! This would clarifying it and bringing it to the point.

                            1 Reply Last reply Reply Quote 0
                            • O
                              oletuv
                              last edited by

                              @BlueKobold:

                              The Xeon D does not have an onboard QAT accelerator so you need a Coleto Creek QAT PCIe card for Quick Assist with this generation.

                              +1 from me for that information! This would clarifying it and bringing it to the point.

                              Thanks. Since support for QuickAssist probably will be added to pfSense during 2016, I think a Atom C2758 SKU would be a better option for a dedicated pfSense box. Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. QuickAssist onboard and a lot cheaper than a Xeon D-15x8 based config too.

                              1 Reply Last reply Reply Quote 0
                              • ?
                                Guest
                                last edited by

                                Thanks. Since support for QuickAssist probably will be added to pfSense during 2016,

                                As I was getting it out of another thread here it will be 2016 but not really when and in which version!
                                If in version 2.3 or 2.4 that was not clearly or directly told about.

                                I think a Atom C2758 SKU would be a better option for a dedicated pfSense box.

                                Yes this might be right but there will be a lack of DPDK (enabled software) and as I was thinking
                                before the newer D-15x8 platforms were coming with all three things together likes AES-NI, QAT
                                and DPDK, it owuld be for me and my self a more interesting solution as the Intel Atom C2x58 series.
                                And that not only for private usage!!!! Also for many productive networks. But ok I can live with that
                                status quo for now. Then I am going with the C2758 variant or the SG-8860 variant and the D-15x8
                                would be better to add a QuickAssist adapter then if needed.

                                Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. A lot cheaper than a Xeon D-15x8 based config too.

                                Cheap was not my really concern, so it was nice to think on to build a very heavy and strong sorted firewall
                                together with the M.2 MNVe SSD (Samsung950 Pro) and very fast RAM (DDR4-2133) and a 8C/16T SoC that
                                is supporting all three things. (AES-NI, QAT & DPDK) related to be more future proof and the QAT adapter was
                                more something what I was thinking for the higher level CPUs then likes E3 and E5 as an add on card. But again
                                I am pretty sure the QAT support will be a real bomb for pfSense as the OpenVPN AES-GCM support too.

                                So its really nice to know it now better, but I am also a little bit sad about that information.

                                1 Reply Last reply Reply Quote 0
                                • O
                                  oletuv
                                  last edited by

                                  @BlueKobold:

                                  –---
                                  So its really nice to know it now better, but I am also a little bit sad about that information.

                                  Yes, I was also very eager to buy a Xeon D-15x8 Mini-ITX pc and is very disappointed about the confirmation that the otherwise attractive Xeon D-15x8 processors don´t have QuickAssist onboard. Well, life will go on, sort of  :D

                                  1 Reply Last reply Reply Quote 0
                                  • ?
                                    Guest
                                    last edited by

                                    this may be redundant by this point but I want to say that I'm personally a little bit disenfranchised with the AES-NI naming convention. It suggests that it is something new entirely when in this is not the case when in all actuality, it is more of an addition. I wish Intel would have provided a better name for this new tech but for me it helps to think of it this way; AES + NI = AES-NI because the chip is using the added instructions to assist AES.

                                    1 Reply Last reply Reply Quote 0
                                    • O
                                      oletuv
                                      last edited by

                                      @oletuv:

                                      Since support for QuickAssist probably will be added to pfSense during 2016, I think a Atom C2758 SKU would be a better option for a dedicated pfSense box. Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. QuickAssist onboard and a lot cheaper than a Xeon D-15x8 based config too.

                                      Hm.. Common sense tells me that Atom C2758 with onboard QuickAssist acceleration is a better option than the more costly Xeon D-15x8 with no onboard QuickAssist acceleration for a pfSense build. However, Atom Rangeley is an older processor released Q3/13 while the Xeon D-15x8 processors are newly released.

                                      I suppose the new Xeon D processors will outperform Atom Rangeley except for crypto-heavy stuff like VPN. I will configure my pfSense firewall with IPSEC or OpenVPN, but will probably use it infrequently, typically to access my home network in Norway from my Spanish home.

                                      The Supermicro X10SDV-6C+-TLN4F board (Xeon D-1528) with active CPU-cooling looks extremely tempting. ;)

                                      Frank, what do you think?  ;D

                                      1 Reply Last reply Reply Quote 0
                                      • ?
                                        Guest
                                        last edited by

                                        Hm.. Common sense tells me that Atom C2758 with onboard QuickAssist acceleration is a better option than the more costly Xeon D-15x8 with no onboard QuickAssist acceleration for a pfSense build.

                                        For SMB or home usage it will be easy to answer, for sure it is likes you were telling!

                                        However, Atom Rangeley is an older processor released Q3/13 while the Xeon D-15x8 processors are newly released.

                                        It is also the CPU design and the circumstance that not each cpu core is comparable to any other cpu core.
                                        If the netmap-fwd, QAT and perhaps DPDK over AVX/AVX2 registers will be available it could really be that
                                        the Intel Atom C2000 (Rangely) platform will be attractive as on its first release day or much more then this.

                                        I suppose the new Xeon D processors will outperform Atom Rangeley except for crypto-heavy stuff like VPN.

                                        QAT, netmap-fwd and OpenVPN 2.4 in pfSense 2.3 will be able to change many things.

                                        I will configure my pfSense firewall with IPSEC or OpenVPN, but will probably use it infrequently, typically to access my home network in Norway from my Spanish home.

                                        As for now I am still using IPSec VPN (AES-GCM) it is the best supported VPN form the AES-NI CPU instructions.
                                        If you have many side-to-side VPNs it will be really useful to get the best performance as it is able to realize
                                        and with AES-NI it is able to get something around the x4 or x5 of the normal throughput. Again, this can be
                                        turned around if the intel QAT is in usage inside of pfSense and then the cards will mixed up new again.

                                        Also the iOS devices from apple are coming together with IPSec APPs and it is a fine thing if on both
                                        side a pfSense firewall is able to use the AES-NI to speed up the entire IPSec tunnel.

                                        The Supermicro X10SDV-6C+-TLN4F board (Xeon D-1528) with active CPU-cooling looks extremely tempting. ;)

                                        M.2 SSD slot, 2 x 10 GbE ports, many CPU core, HT and TurboBoost, DDR4-2133MHz UDIMM support
                                        PCIe 3.0 x16 what should I say a really nice platform to go with and the ability to add if needed

                                        • Chelsio 2 Port 10 GbE NIC
                                        • Netgate Intel QAT Adapter
                                        • Intel QAT Adapter with 4 GBit/s LAN Ports

                                        Frank, what do you think?  ;D

                                        For home and for SMB usage go with the Intel Atom C2x58 SoC or similar from Negate store or the
                                        pfSense store. If you will needing more horse power and/or throughput the Xeon D-15x8 will be a
                                        really nice option to know too.

                                        1 Reply Last reply Reply Quote 0
                                        • R
                                          reggie14
                                          last edited by

                                          @oletuv:

                                          @oletuv:

                                          Since support for QuickAssist probably will be added to pfSense during 2016, I think a Atom C2758 SKU would be a better option for a dedicated pfSense box. Personally I´m going to order a prebuilt Mini-ITX with A1SRi-2758F motherboard from Supermicro. QuickAssist onboard and a lot cheaper than a Xeon D-15x8 based config too.

                                          Hm.. Common sense tells me that Atom C2758 with onboard QuickAssist acceleration is a better option than the more costly Xeon D-15x8 with no onboard QuickAssist acceleration for a pfSense build. However, Atom Rangeley is an older processor released Q3/13 while the Xeon D-15x8 processors are newly released.

                                          Just be aware that QAT support might not be coming to the C2758.

                                          When asked about QAT support earlier today, gonzopancho wrote:

                                          "When it's done." Maybe 2.4, and then maybe only for 895x and newer.
                                          I'm still not decided if it will go in the community edition.

                                          1 Reply Last reply Reply Quote 0
                                          • MikeV7896M
                                            MikeV7896
                                            last edited by

                                            All I'll say is I hope that isn't the case, both for the devices supported (C2x58 processors should be supported!) and for the lack of presence in the community edition. I have a lot more that I want to say, but I'll refrain for the time being, since there's still lots of time before it sees any sort of daylight in a released fashion.

                                            The S in IOT stands for Security

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.