pfSense 2.5.0 will not require AES-NI
-
There is great news, or at least a bit of a lifeline and extension for non-AES-NI hardware, as 2.5.0 will not require hardware AES-NI or equivalent support, based on Netgate's development snapshot announcement:
The original plan was to include a RESTCONF API in pfSense 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense 2.5.0 will not require AES-NI.
Source: https://www.netgate.com/blog/pfsense-2-5-0-development-snapshots-now-available.html
Original announcements on pfSense 2.5 and AES-NI: https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html and https://www.netgate.com/blog/more-on-aes-ni.html
Great to see the pfSense team and Netgate listening to the community and modifying their approach!
-
@Ragtag_fleet said in pfSense 2.5.0 will not require AES-NI:
Great to see the pfSense team and Netgate listening to the community and modifying their approach!
Sorry, but that's nonsense. It has nothing to do with "listening to the community". It is, as you cited, simply a matter of the planned RESTCONF API not coming with 2.5.0 because of the work that has to go into porting pfSense to FreeBSD 12, etc.
I won't deny that for some small group it may come in handy, but really: come on. AES-NI is old news and any halfway current CPU should have no problem with it. It was introduced in 2008, so I'm sorry, but I never ever understood that artificial outcry, as the requirement was announced almost 2 years ago. So even if they actually had that requirement now, with the 2.5 release not even on the near horizon, that would make it roughly 3 years from telling the community until the real introduction - which is now even further postponed. Every business I know plans for ~3 to max 5 years. Afterwards it's new hardware. Even at home it's around 5-7 years normally. So a 10-year-old CPU instruction set becoming mandatory (in the future) is a problem? Sorry, I can't see the drama in there. :)
-
For me it is a good message. I have an old, but still good for pfSense home use, microserver HP N54L with an AMD CPU that doesn't have AES-NI. Thanks for that.
-
@marian78 said in pfSense 2.5.0 will not require AES-NI:
For me it is a good message. I have an old, but still good for pfSense home use, microserver HP N54L with an AMD CPU that doesn't have AES-NI. Thanks for that.
Don't get me wrong, if you already have hardware and can use it a little while longer: have fun and happiness to you. May it last long :)
But I simply don't get the attitude of "Yeah, they dropped the required AES-NI BS, now let's buy some dirt cheap decade-old crap for $5 and run it to death for another 10 years and cry a river when that requirement comes back later, because you 'just bought new hardware' et al." I totally can't make heads or tails of it.
Looking for a new box/VM/anything in 2019/2020, I'd get some decent thing and be done with it - saves so much time and headaches later on :)
-
I actually like the new AES-NI requirement that's coming down the road. Aside from the obvious benefits of better performance and security, it gives me an excuse to change out our old hardware in the office. If I were a home user, yeah, I probably wouldn't want to change out my hardware unless it's needed. Would I be mad about it? No. pfSense is free and awesome. New hardware is going to cost money, but pfSense has more than paid for itself already compared to some alternatives.
-
@JeGr I understand the benefits of AES-NI, but for most users, and especially home users, a non-AES-NI option would be great. Users will continue to use non-AES-NI CPUs if they have them, or might even buy them now, but there are plenty of alternatives if they want to go down that route. I think pfSense is a great tool; sad to see it might go down a path that might not be up to everyone's needs :(
-
@Ragtag_fleet I beg to differ. It has already clearly been stated why the need for AES-NI is beyond just "useful". It's just a thing in the minds of most people that this only has something to do with "crypto" thingies and VPN stuff. If it were more widely known and accepted that the things AES-NI does and can do not only accelerate crypto "thingies" but protect against CPU "baddies" too, coupled with more and more "mishaps" like Spectre and Meltdown happening, my hope is that people will grasp that this requirement comes from making communication and other tasks more secure and not only "just making VPNs faster".
With that in mind, while buying new hardware in 2019 it should a) be a no-brainer and b) come to most as not that expensive, as even the small(est) SoCs can already handle AES-NI. :)
-
@jegr two years later (some four years after the initial announcement), and 2.5 is ready to drop.
Meanwhile, last year COVID happened and WFH as a direct result. VPNs from home became much more of a requirement, and AES-NI is very useful for VPN. This seems to have covered the "but I don't use VPN from home" objection voiced by @Ragtag_fleet and many others quite effectively.
Hindsight is 20/20, right?
Oh well, who could have known? ¯\_(ツ)_/¯
What I learned is that no good deed goes unpunished. My attempt to let the community know of an upcoming requirement some 4 years in advance of their earliest ability to act on that requirement (and it's not like 2.4.5 just stops working) resulted in a ton of noise and pushback.
Far more heat than light, all because I said "if you're replacing hardware, get something that supports AES-NI".
I am reticent to repeat the experience.
-
Even though I now have hardware that supports AES-NI, I'm still glad it's optional. Certainly the business end of the VPN should use it, but the user end might not require the performance improvement.
BTW, as per other discussion, it appears the Netgate gear with an ARM CPU doesn't support hardware instructions. What happens with them, as they're more likely to be found in a business?
-
@jknott with 21.02, every ARM appliance we've shipped that is not EOL supports crypto offload, aka a crypto accelerator.
Also, the arm64 appliances we ship do support the equivalent of AES-NI instructions, but we've chosen to focus on the hw offload for now.
-
@jwt Actually, I use a VPN from a VPN provider, but I also have my work computer on which I have their corporate VPN... For me, as the user end, I still don't need the AES-NI function for my VPN use. I guess you or others use it, but it's still good to have as an option.
-
Even if you don't use a VPN, it's still a good idea to run hardware that supports those instructions. A lot of software uses encryption.
-
@jknott Yep, but only when I am looking to upgrade my equipment. ATM I don't see the need or have any bottlenecks, so for me it's not useful to upgrade to AES-NI equipped hardware...
-
And did you buy said hardware over 4 years ago?
Then there is nothing to see here. Now if you bought yours, say, 3 years ago after you had been warned well in advance that 2.5 could/would require AES-NI...
And now it doesn't - hey, you dodged a bullet. But don't say you were not warned...
Waiting to see all the posts - Gawd Daggit @jwt you said I needed AES-NI, and I bought new hardware that week in prep for 2.5 - which is just now coming out and doesn't need it... WTF!
No good deed goes unpunished.
Words to live by for sure ;)
-
Just read this entire thread. That's 4 minutes of my life I'll never have back.
MacOS 11 doesn't run on my Mac SE/30. Apple doesn't listen to the community.
-
Yeah, I'm about ready to write MS a nasty email (that will teach them). I can't get Windows 10 installed on my TRS-80...