How to find out if my CPU is AES-NI capable ?

Guest · May 15, 2017, 5:04 PM

Mine supports it. PCEngines APU2C4

security_paranoid · May 15, 2017, 5:07 PM

@marjohn56:

Mine supports it. PCEngines APU2C4

You are really lucky. I guess I will have to move to IPcop.

Guest · May 15, 2017, 5:10 PM

Or just replace your hardware.

Pfsense 2.4 and previous versions will still work anyway.

security_paranoid · May 15, 2017, 5:13 PM

@marjohn56:

Or just replace your hardware.

Pfsense 2.4 and previous versions will still work anyway.

I don't have the cash right now. If I run an old version of pfSense dont you think that will be a security risk?

Guest · May 15, 2017, 5:25 PM

@security_paranoid:

@marjohn56:

Or just replace your hardware.

Pfsense 2.4 and previous versions will still work anyway.

I don't have the cash right now. If I run an old version of pfSense dont you think that will be a security risk?

No I don't, Quote "The purpose of the instruction set is to improve the speed of applications performing encryption and decryption using the Advanced Encryption Standard (AES)"

In other words it speeds up certain functions, the same functions are still carried in software/firmware if you do not have AES, it's just more processor intensive.

Using AES you can do away with those software/firmware routines and it's all handled by the processor.

Even if you cannot upgrade to 2.5 pfSense will still be secure.

fredfox_uk · May 15, 2017, 7:12 PM

There is still some considerable time until 2.5 is here and 2.4 is no longer supported, by which time you may be able to upgrade.

security_paranoid · May 15, 2017, 8:51 PM

@fredfox_uk:

There is still some considerable time until 2.5 is here and 2.4 is no longer supported, by which time you may be able to upgrade.

Thats good news.

pfBasic · May 16, 2017, 4:50 AM

At least in 2.4.0 BETA, you just look on your dashboard now 8).

Cost wise this requirement has (IMO) been blown way out of proportion where home users are concerned.

Very few home users have any need for a CPU exceeding the capabilities of a modern SoC celeron.
You can pick those up new today for $55 (that's motherboard + CPU), so in 2-3 years when this requirement is actually relevant, you will probably be able to pick one up for <$30.

For those home users that do need a powerful system, AES-NI has been around for something like a decade now. eBay is literally full of old SFF desktops from office buildings.

http://www.ebay.com/itm/Lenovo-ThinkCentre-M91p-SSF-i5-2400-3-1GHz-8-GB-500GB-Windows-10-Free-Ship-/252930866220?hash=item3ae3dabc2c:g:Jd0AAOSwaeRZEzw-

Just going off the CPU I use on pfSense and a quick eBay search, $120 gets you an i5-2400 (virtually the same passmark as an i3-7100[not that passmark is a great comparison, but you get the general idea]) with 8GB RAM and a HDD. Add $15 for an i340-t2 and you're set for probably 95%+ of home use scenarios for pfSense. This of course assumes that you are starting out with nothing, and it's today's prices. These things aren't getting more expensive.

All that is to say that you do not need to spend a lot of money to get AES-NI, it's old tech by now.

apple4ever · May 21, 2017, 5:05 AM

@security_paranoid:

Thanks for that link.

Just curious what will you do when pfSense drops support for non AES-NI processors ?

WIll you buy new hardware or move to a different firewall ? I am really frustrated with this development.

Well my hope is they will change their mind, because it's clearly an incorrect decision. After that, My first plan is to hack it in there, because the developers would have to go out of their way to remove support, so it shouldn't be too hard to add it back in. The second is to move to another firewall. It's too bad, I wanted to support the project via Gold, and was literally going to buy it the week the news hit.

pfBasic · May 21, 2017, 5:46 AM

You would go to all that effort to avoid spending a few bucks on a cpu from the last decade?

Guest · May 21, 2017, 9:44 AM

Bizarre…

It's called evolution...

P3R · May 21, 2017, 11:59 AM

@security_paranoid:

Just curious what will you do when pfSense drops support for non AES-NI processors ?

WIll you buy new hardware…

Yes of course, but only when I need to.

Jailer · May 21, 2017, 12:04 PM

@security_paranoid:

I don't have the cash right now.

Well you have about 2 years or so to save up so start saving.

P3R · May 21, 2017, 12:08 PM

@security_paranoid:

I don't have the cash right now.

That's not a problem because you don't need it now. You have years to save up for more modern hardware.

Why are you worrying now about something that will happen in a pretty distant future? Your (and mine) old firewall hardware may already have failed and been replaced when the lack of AES-NI is even starting to become an issue.

Relax!

ivor · May 21, 2017, 1:54 PM

@apple4ever:

It's too bad, I wanted to support the project via Gold, and was literally going to buy it the week the news hit.

Buy a supported CPU instead.

security_paranoid · May 22, 2017, 3:17 AM

2 years is long enough for me to but new hardware.

Thanks for your replies.