Aesni.ko needed?
-
Hi, trying to understand,
System/ Advanced/ Miscellaneous - Cryptographic Hardware
Set to None, kldstat shows aesni.ko not loaded.
Set to AES-NI, kldstat shows aesni.ko loaded.
In OpenVPN there is this setting, VPN/ OpenVPN/ Servers/ Edit - Hardware Crypto
1. Does this setting need aesni.ko?
2. How can one know if hardware crypto is actually being used?
3. Does BSD crypto engine in OpenVPN need aesni.ko?
Tests I have done with OpenVPN, client->PFS->client (WAN<->LAN) show very little difference.
Both settings off
[ 4] 0.00-30.01 sec 538 MBytes 150 Mbits/sec
Only System/ Advanced/ Miscellaneous - Cryptographic Hardware -> AES-NI
[ 4] 0.00-30.01 sec 570 MBytes 159 Mbits/sec
Only VPN/ OpenVPN/ Servers/ Edit - Hardware Crypto -> BSD crypto engine
[ 4] 0.00-30.01 sec 571 MBytes 160 Mbits/sec
Both AES-NI + BSD crypto engine
[ 4] 0.00-30.01 sec 561 MBytes 157 Mbits/sec
4. According to top, CPU peaks to 90-100% but mostly around 75% in all tests. Should that burden not be lighter when hardware crypto is being used?
Trying to find where the bottleneck or maybe my mistake is.
Thanks.
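As an added example (not from this thread, pfSense or OpenVPN), a small POSIX shell script for question 2: it benchmarks OpenSSL's aes-128-cbc twice, the second time with the AES-NI capability bits masked off through OPENSSL_ia32cap, so a large gap shows the instructions are really in use. It assumes the openssl binary is on PATH and, for the CPU-feature check, a FreeBSD/pfSense system with /var/run/dmesg.boot; the parser is fed a constructed sample in the test.

```shell
#!/bin/sh
# Added example, not from the thread. Userland OpenSSL uses AES-NI directly;
# aesni.ko only registers the instructions with the kernel crypto framework
# (IPsec, /dev/crypto), so this check does not depend on the module being loaded.

# Parse `openssl speed -evp <cipher>` output on stdin and print the largest
# block-size column of the named cipher's summary row as integer kB/s.
# The row looks like: "aes-128-cbc  712345.67k  1234567.89k ... 1456789.01k"
speed_kbps() {
    awk -v c="$1" '$1 == c { v = $NF; sub(/k$/, "", v); print int(v) }'
}

# Percentage of accelerated ($1) over non-accelerated ($2) throughput.
# Fails (and prints 0) when the reference value is missing or zero.
speedup_pct() {
    [ "${2:-0}" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Run both benchmarks and report. Returns 0 when AES-NI is clearly in use.
check_aesni() {
    cipher=${1:-aes-128-cbc}
    with=$(openssl speed -evp "$cipher" 2>/dev/null | speed_kbps "$cipher")
    # Mask the AES-NI (bit 57) and PCLMULQDQ (bit 33) capability bits so the
    # same OpenSSL falls back to its software AES implementation.
    without=$(OPENSSL_ia32cap="~0x200000200000000" \
              openssl speed -evp "$cipher" 2>/dev/null | speed_kbps "$cipher")
    pct=$(speedup_pct "${with:-0}" "${without:-0}") || return 2
    echo "$cipher: ${with} kB/s with AES-NI, ${without} kB/s without (${pct}%)"
    # Software AES is several times slower; anything near 100% means
    # OpenSSL is not using AES-NI at all (wrong build, masked, or no CPU support).
    [ "$pct" -ge 200 ]
}

# On FreeBSD/pfSense the CPU advertises the instruction set as AESNI in the
# Features2 line of the boot messages.
cpu_has_aesni() {
    grep -q 'AESNI' /var/run/dmesg.boot 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
    cpu_has_aesni && echo "CPU advertises AESNI"
    check_aesni "${2:-aes-128-cbc}"
fi
```

Run it as `sh check_aesni.sh run` on the firewall; the OpenVPN cipher can be passed as a second argument (e.g. `aes-256-cbc`).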
-
Source thread
From the thread shown under the link above, you will be able to get more information about that point
about encryption or AES-NI and Intel QAT.
The following statements are matching:
-
OpenSSL is using AES-NI
OpenVPN is much more constrained by the tun/tap architecture than it is by crypto.
The other issue is that the HMAC (SHA-N, MD5) isn't accelerated by AES-NI, and it's pretty slow on a core.
OpenVPN is using OpenSSL
Avoiding this requires either a crypto accelerator that can accelerate these (such as QuickAssist) or running an AEAD mode (such as the AES-GCM modes we put in FreeBSD/pfSense for IPsec).
OpenVPN is using AES-CBC
AES-CBC is accelerated by AES-NI. The issue is that the HMAC is not. This is one of the two reasons why AES-GCM is faster.
OpenVPN has no AES-GCM and no Intel QAT support in the moment
You're wrong. QuickAssist support should be available in 2016.
So in OpenVPN 2.4 HMAC (AES-GCM) will be there, and during the year 2016 in pfSense version 2.4
it could really be that the Intel QuickAssist support will also be available.
DevSummit 2016
Intel QuickAssist driver update
1. Does this setting need aesni.ko?
This should be answered by someone from the staff.
2. How can one know if hardware crypto is actually being used?
- If AES-NI presence is detected it will be used automatically by OpenSSL, and OpenSSL is used by OpenVPN;
perhaps this might be changing now at this time (version 2.3)
3. Does BSD crypto engine in OpenVPN need aesni.ko?
I guess not, it's using the raw CPU power; please don't forget that cryptographic things are not
even allowed in all countries to be used by private persons or anybody.
4. According to top, CPU peaks to 90-100% but mostly around 75% in all tests. Should that burden not be lighter when hardware crypto is being used?
Yes and no! It should really be offloading the CPU from cryptographic tasks and the entire math work, to be
able to do more other things with that power. If you use perhaps IPSec together with AES-GCM instead of
OpenVPN you will be able to see and feel more gain and support from the AES-NI instruction registers of your CPU.
Nearly 400% more can be gained from an IPSec tunnel compared to without AES-NI, but OpenVPN will only be able
to do so once it uses AES-GCM too.
Trying to find where the bottleneck or maybe my mistake is.
IPSec together with AES-NI, or wait until the Intel QAT is out later this year.
-
-
Hi Frank,
Thank you for the pointers, I know them and also the info they give, and I think they do not explain the outcome of my tests; please let me know how I can test in a better way :)
About OpenVPN 2.4 I know, now and then I take a peek at the OVPN mailing lists.
1. Does this setting need aesni.ko?
This should be answered by someone from the staff.
Upfront, my knowledge is limited, but from my tests it looks like aesni.ko does not improve substantially/at all.
That is why I'm trying to find the reason, just trying to understand.
If AES-NI presence is detected it will be used automatically by OpenSSL and OpenSSL is used by OpenVPN
Yes, I know, but how to see whether it's being used or not, and is aesni.ko needed for that to happen?
Waiting for staff here… ;D
I guess not, it's using the raw CPU power
What I see in testing is the same CPU power being used, regardless of any setting!
Throughput is nearly the same in all tests when using encryption.
Unfortunately I could not find an htop package, because with top I see no ocf threads in any test I did.
Without control/data channel encryption, 270 Mbits/sec is achieved with the same CPU power.
Without OpenVPN 945 Mbits/sec is achieved with much less CPU power.
cryptographic things are not even in all countries
In Germany that's surely no problem, right? ;D
Thanks.
-
Ok, found this post:
https://forum.pfsense.org/index.php?topic=91974.0
Seems that when aesni.ko is loaded, OpenSSL will use that instead of on SoC.
So I will not load the module and not set BSD crypto engine as further testing showed that not using these two gives the most consistent results.
I think that the CPU is the cap, or my laptop. Unfortunately I don't have another more powerful machine to test, but who knows in the future…
But still one thing puzzles me, when setting, cipher none and auth none, then 270 Mbits/sec is the max compared to 945 Mbits/sec without OpenVPN. All tests were done using no compression...
Thanks.
-
Ok, found this post:
https://forum.pfsense.org/index.php?topic=91974.0
It is from 2015 and now we have the year 2016 and version 2.3, please don't forget this!
I will not load the module and not set BSD crypto engine as further testing showed that not using these two gives the most consistent results.
Because something is done in software, it must not be really bad or worse than other things.
But still one thing puzzles me, when setting, cipher none and auth none, then 270 Mbits/sec is the max compared to 945 Mbits/sec without OpenVPN. All tests were done using no compression…
I would say it is more normal than not.
-
@BlueKobold:
Because something is done in software, it must not be really bad or worse than other things.
It's not really about bad/bad more, but more about what's going on under the hood (and my lack of understanding).
Thanks