pfSense 2.5.0 will not require AES-NI
-
I actually like the new AES-NI requirement that's coming down the road. Aside from the obvious benefits of better performance and security, it gives me an excuse to change out our old hardware in the office. If I were a home user, yeah, I probably wouldn't want to change out my hardware unless it's needed. Would I be mad about it? No. pfSense is free and awesome. New hardware is going to cost money, but pfSense has more than paid for itself already compared to some alternatives.
-
@JeGr I understand the benefits of AES-NI, but for most users, and especially home users, a non-AES-NI option would be great. Users will continue to use non-AES-NI CPUs if they have them, or might even buy them now, but there are plenty of alternatives if they want to go down that route. I think pfSense is a great tool; sad to see it might go down a path that might not be up to everyone's needs :(
-
@Ragtag_fleet I beg to differ. It has already been clearly stated why the need for AES-NI is beyond just "useful". It's just a thing in the minds of most people that this only has something to do with "crypto" thingies and VPN stuff. If it becomes more widely known and accepted that the things AES-NI does and can do not only accelerate crypto "thingies" but protect against CPU "baddies" too, coupled with more and more "mishaps" like Spectre and Meltdown happening, my hope is that people will grasp that this requirement comes from making communication and other tasks more secure, and not only from "just making VPNs faster".
With that in mind, while buying new hardware in 2019 it should a) be a no-brainer and b) not be that expensive for most, as even the small(est) SoCs can already handle AES-NI. :)
-
@jegr two years later (some four years after the initial announcement), and 2.5 is ready to drop.
Meanwhile, last year COVID happened and WFH as a direct result. VPNs from home became much more of a requirement, and AES-NI is very useful for VPN. This seems to have covered the "but I don't use VPN from home" objection voiced by @Ragtag_fleet and many others quite effectively.
Hindsight is 20/20, right?
Oh well, who could have known? ¯\_(ツ)_/¯
What I learned is that no good deed goes unpunished. My attempt to let the community know of an upcoming requirement some 4 years in advance of their earliest ability to act on that requirement (and it's not like 2.4.5 just stops working) resulted in a ton of noise and pushback.
Far more heat than light, all because I said "if you're replacing hardware, get something that supports AES-NI".
I am reticent to repeat the experience.
-
Even though I now have hardware that supports AES-NI, I'm still glad it's optional. Certainly the business end of the VPN should use it, but the user end might not require the performance improvement.
BTW, as per other discussion, it appears the Netgate gear with an ARM CPU doesn't support hardware instructions. What happens with them, as they're more likely to be found in a business?
-
@jknott with 21.02, every ARM appliance we've shipped that is not EOL supports crypto offload, aka a crypto accelerator.
Also, the arm64 appliances we ship do support the equivalent of AES-NI instructions, but we've chosen to focus on the hw offload for now.
-
@jwt Actually, I use a VPN from a VPN provider, but I also have my work computer on which I have their corporate VPN... For me, as the user end, I still don't need the AES-NI function for my VPN use. I guess you or others use it, but it's still good to have as an option.
-
Even if you don't use a VPN, it's still a good idea to run hardware that supports those instructions. A lot of software uses encryption.
-
@jknott Yep, but only when I am looking to upgrade my equipment. ATM I don't see the need or have any bottlenecks, so for me it's not useful to upgrade to AES-NI-equipped hardware...
-
And did you buy said hardware over 4 years ago?
Then there is nothing to see here. Now if you bought yours, say, 3 years ago, after you had been warned well in advance that 2.5 could/would require AES-NI...
And now it doesn't - hey, you dodged a bullet. But don't say you were not warned..
Waiting to see all the posts - Gawd Daggit @jwt, you said I needed AES-NI, and I bought new hardware that week in prep for 2.5 - which is just now coming out and doesn't need it.. WTF!
no good deed goes unpunished.
Words to live by for sure ;)
-
Just read this entire thread. That's 4 minutes of my life I'll never have back.
macOS 11 doesn't run on my Mac SE/30. Apple doesn't listen to the community.
-
Yeah, I'm about ready to write MS a nasty email (that will teach them). I can't get Windows 10 installed on my TRS-80..