SG-1100 Crypto Hardware



  • I recently purchased one of these goodies and I coming from "big iron" Intel box down to this baby so its taking a little getting used to on the relatively less horsepower and memory. So far so good just trying to get the optimal rule sets loaded for Suricata sorted out with so much less memory.

    Questions:

    1. The Dashboard indicates no cryptographic hardware even after toggling the Intel or the BSD options under (Advanced) I think. Does this device in fact have the ability to do hardware crypto?

    2. Is there the ability to do any hardware offloading by the NIC's? I haven't change anything in the configuration yet...

    Thanks


  • Rebel Alliance Netgate Administrator

    The Dashboard indicates no cryptographic hardware even after toggling the Intel or the BSD options under (Advanced) I think. Does this device in fact have the ability to do hardware crypto?

    We are still working on the hardware crypto driver. If the concern is "will this be supported in the future?" Yes we will support this for it's entire product life cycle.



  • I tried to find documentation how to activate this in the correct way. But i was not able too. Is there support for this now? In that case is there some documentation what setting should be active?

    5ca4b929-424b-4964-8044-3acf230c3901-image.png



  • Is it this setting i have to change? What should i choose?

    ec382c0e-893e-43cf-bac6-b88c3230d42d-image.png


  • Rebel Alliance Netgate Administrator

    We are still aggressively working on the driver for the SG-1100; there is no setting you need to change to enable it.


  • Netgate Administrator

    Yes, there is no way to enable it right now but you will want 'BSD crypto device' selected there to use the driver when it is included.

    Steve



  • @chrismacmahon said in SG-1100 Crypto Hardware:

    We are still aggressively working on the driver for the SG-1100; there is no setting you need to change to enable it.

    AH! Ok. Good. That was on my "to-do list".. One less point to worry about for me then ;) .. No rush for my sake! :)



  • @chrismacmahon So, what is the openvpn performance of this machine with no hardware crypto acceleration? (Which by the way is something that should have been in big bold red letters in the advertisements and specifications. I have an expectation that all new pfsense hardware will have WORKING hardware crypto acceleration. I do not like my first hint that it might not work yet being me getting the unit, turning it on and seeing "Crypto: (Inactive)". I do not trust "The check is in the mail" with no timeframes mentioned. If I built a pfsense of course unsupported features are not your problem, but when I buy direct from Netgate I have an expectation of a product with primary features that work. Crypto acceleration is a primary feature. If I didn't need/want it I could use a computer that is 2 decades old.



  • @kejianshi i have done tests with my 100Mbit line and VPN works great with top speed. I have 2 tunnels running and i think i have not seen any cpu usage above 50%.. I think i read somewhere that it can do 900Mbit but dont quote me on that.



  • @Taz79 I hope you are right. I don't need to max out gigabit ethernet or anything. Just run a few tunnels with relatively low bandwidth requirement. 10 - 30 MB/s. I just don't like being surprised (-;
    Thanks for your reply. Its encouraging. I just got this thing hooked up from about 8700 miles away and I'm really hoping its as stable as the box its replacing. I do like the low power, small form factor etc etc. I will configure the VPN and let you know how it performs long-haul.


  • Netgate Administrator

    I have seen ~150Mbps OpenVPN in local iperf3 testing here. Latency and packet size variation etc will impact that though.

    Steve



  • @kejianshi the 900Mbit i saw must have been the performance of the routing. Not the VPN speed when i think about it. But i have tested with 117Mbit/s that is my max speed of my connection and it works great. My box were up for 65 days before i needed to shut it down to move it :)



  • @stephenw10 Thanks old timer. Still at it huh? This tiny box is replacing a AMD X2 3800... I got a LOT of miles out of that box!


  • Netgate Administrator

    Yup, still here. 😀



  • Any ballpark estimates on the gains that will be seen by even supporting the hardware cryptography?
    I'm assuming in daily operation it won't matter so much but only on ipsec and openvpn.

    I bought a few of these, I might put one in place of my current home FW which is a 3rd gen Intel Core i5 on an Intel DQ77MK mobo. I have 500mbps internet and three ipsec vpn tunnels, and 2 vlans.


  • Rebel Alliance Netgate Administrator

    We are doing the work on our own on this, we do expect gains but to put out firm numbers would be a disservice to all involved.



  • @chrismacmahon
    Will there be any support for the crypto hardware on the SG-1000 (now EoS)?


  • Rebel Alliance Netgate Administrator

    That's a good question. Let me get back to you on that.


  • Rebel Alliance Netgate Administrator

    @bigsy We don't think the work will be impacting the SG-1000.



  • @chrismacmahon Thanks for all your hard work! What would be the best way to keep tabs on the development of this driver?


  • Rebel Alliance Netgate Administrator

    Our blog, twitter or in the forums. We will announce it when the time comes.

    You can also have a RSS feed on your dashboard in pfSense.



  • @chrismacmahon said in SG-1100 Crypto Hardware:

    We will announce it when the time comes.

    Is there any ETA for when ARM crypto hardware acceleration will be released for the SG-1100 and is it money-back guaranteed for people who purchase them? And is the performance of the ARM acceleration expected to be similar to AES-NI?

    I'm ready to purchase 2 firewalls but I'm leaning towards the Pc-Engines APU2D4 mainly because it has acceleration. I see that developers are working on it but I recognize that one possible outcome is that the devs could say "well, we tried to make it work but it just can't happen." So it would be nice to hear some inside knowledge about the progress and expectations.



  • @chrismacmahon

    Is this still being worked on? As the above person mentioned an ETA would be helpful. Even a very conservative ETA would be great, just to let people know that the feature is definitely coming.


  • Rebel Alliance Netgate Administrator

    Is this still being worked on: Most definitely.

    Do we have an ETA: I'm not aware of an ETA, there is a lot of work that goes into this.



  • Wouldn't that be in redmine? It should have a projected version that functionality would be in like 2.4.5 or 2.5, etc...

    Wouldn't that make it easier to track? I mean 2.5 should be here by 2020. So if you plan on having it done prior to 2.5 then you have a pretty decent ballpark of 3-6 months.



  • @PhlMike I see it like this. Lessons I learned from talking to girls when I was young seem to apply here... Maybe = no. Perhaps later = no. I'll think about it = no. I like to take my time = no. The only thing that means yes is yes. If these guys were working on it, they would be advertising their progress, but they aren't so its obviously not in the works if you ask me. I think they are waiting for someone else to develop opensource code and if that happens they might incorporate it but I seriously doubt there is a team assigned to creating this code at netgate. Never trust "The check is in the mail".



  • @kejianshi You have a point. Since tnsr came about PfSense got shoved to a back burner. Tnsr looks cool and all but at its price and the fact I don't need routing above 10gig and I like a web interface at least as a backup to central mgmt it's better to stick with PfSense.

    So now we'll see Jim T's "further" ideas for a python html5 php as root free PfSense not happen by 3.0.

    And I buy > $10k in negates a year. Not the 1100I only bought 3 of those. The 3100 I buy out. Still no promised wall mount for that one.



  • @PhlMike I hadn't even been paying any attention to tnsr. My impression of 2.5 and 3.0 pfsense is that its primarily designed to obsolete older hardware, force hardware updates and limit the hardware it will run on. (To hardware sold by netgate). If 2.5 comes out and the SG-1100 is supported but not with crypto acceleration while pfsense 2.5 will not run on other hardware without crypto acceleration, that will be the proof that pfsense could work fine on new and old hardware without crypto acceleration but they went out of their way to break it to sell new hardware.


  • Netgate

    @PhlMike for your question on wouldn't that be in a redmine the answer is yes. As it deals with the internal parts of the ARM processor, the work is done in a private manner and not open to the public.

    Sorry.

    @kejianshi We are not advertising our progress. Not because we are delaying it; but because it the process it is a bit more involved than just setting the Hardware crypto to enabled. We have engineering staff dedicated to getting this working as we believe it gives our customers the assurance they are running genuine pfSense software.

    As for pfSense getting development getting pushed back with the launch of TNSR, that is just not correct. We have dedicated staff working to pushing both software products forward.



  • @dennis_s I understand you saying that pfSense isn't dead, but indicative of the sentiments of a large portion of the pfSense community we feel neglected as of late.

    It's business, I run a business, I understand: TNSR is the new cash cow, non-free with yearly license fees. With behavior I have seen over the past two years, you needed the revenue to sustain operations. There was no way hardware alone was going to keep the boat afloat. Even with the release of sub $500 equipment. Margins are tight.

    But pfSense was the shining light for people who abhorred the Cisco model, yet you still went that model with tnsr and double downed on it, with a $300/year fee. I learn by using, lots of people learn by using. The vast majority of people who use netgate/pfSense in business use it at home. We can't use tnsr at home. I'm not spending $300/year and succuming to an API or command line. I can understand, a $5+MM/year business spending that kind of money, but when you buy 10G+ internet the ISP includes a firewall, usually a Palo Alto and they charge under $1k/year for it. At that point would I spend $300/year to load TNSR on a $3,200 supermicro or two to run it? If I am going to buy 50-100-300 routers and needed 10G+ backbones, I can waltz in to Cisco, Palo Alto, Juniper, F5 and the likes and with that kind of weight I can assure you I'm not spending $300/fw/year. And I still get a web interface so I don't have to go all command line. At that point if I wanted to go commandline commando on a firewall I'd use Vyatta, it's 100% free and can run some blistering speeds.

    If tnsr was the grand realization and next generation of pfsense, and had a model that worked for a person who wanted to stick it in his house and a web ui. We would be less offended by it. As it stands now, its a slap to our face and we feel betrayed. It's worse than if you sold out to Cisco and they started charging $100,000/second for pfsense.

    Then we have this secrecy and privacy and vague answers. Day by day, you keep turning into those corporations we hate. No transparency, rising costs, innovations only for the super rich with deep pockets. We would rather have "We will have this out by 2023" and have you come out and say "Oh well it will be 2024 because we had issues" then "We are not advertising our progress". That makes us think the truth is, "Dude this is a $160 device and doesn't make us enough revenue to afford to put more than the intern from the mail room on, and it will get done and it gets done if at all and if you want that feature, open up your wallet you darn peasant and give us more money for a $400+ device"


  • Netgate

    @PhlMike, thanks for the candid feedback. I appreciate your frankness and points. There was a lot said, so I wanted to take some time and try to respond to each point…

    ...a large portion of the pfSense community we feel neglected as of late.

    We get a significant and widely varied amount of feedback from forums, social media, email, support tickets, etc. - just as you might imagine. Can’t say that I was aware that “a large portion of the pfSense Community feels neglected of late”. But, you definitely have my attention. Not offered as a defense, but we continue to steward the project, contribute heavily to pfSense software build, test, package, distribution and more. We also design and build appliances that we believe are best in class. While we can and will do more (I’ll come to that below), it bothers me to hear “neglect”, so I’d love to speak with you directly in more detail - if you’re open to it - to get a deeper perspective on your point there.
    TNSR runs on top of CentOS. pfSense, obviously, runs on FreeBSD. For those who might assume TNSR is the “only” future for Netgate, we recently employed Glen Barber (from the FreeBSD Project) to perform the continued release engineering of FreeBSD. We would not have done so if FreeBSD (and by extension, pfSense) was not important to the company.

    ...pfSense was the shining light for people who abhorred the Cisco model, yet you still went that model with TNSR and double downed on it, with a $300/year fee. I learn by using, lots of people learn by using.

    First, no form of TNSR introduced to date was ever intended as a pfSense replacement, It is initially targeted at large enterprise and service provider type buyers. It’s a separate market space for Netgate altogether. Now, to be 100% clear, we are looking at ways to offer more management flexibility and performance adders that we believe will DIRECTLY appeal to a sizeable portion of our pfSense user base. We are close to being able to talk more about that. Believe me, I’m not dodging you, but I also can’t get too far out in front of upcoming plans.

    The vast majority of people who use netgate/pfSense in business use it at home. We can't use tnsr at home. I'm not spending $300/year and succumbing to an API or command line. I can understand, a $5+MM/year business spending that kind of money, but when you buy 10G+ internet the ISP includes a firewall, usually a Palo Alto and they charge under $1k/year for it. At that point would I spend $300/year to load TNSR on a $3,200 supermicro or two to run it? If I am going to buy 50-100-300 routers and needed 10G+ backbones, I can waltz in to Cisco, Palo Alto, Juniper, F5 and the likes and with that kind of weight I can assure you I'm not spending $300/fw/year. And I still get a web interface so I don't have to go all command line. At that point if I wanted to go command line commando on a firewall I'd use Vyatta, it's 100% free and can run some blistering speeds. If tnsr was the grand realization and next generation of pfSense, and had a model that worked for a person who wanted to stick it in his house and a web ui. We would be less offended by it. As it stands now, it’s a slap to our face and we feel betrayed. It's worse than if you sold out to Cisco and they started charging $100,000/second for pfSense.

    Ok, let’s dig into this a bit:

    • A little less than half of our user base is consumer / power consumer. The rest is business, government education, etc.

    • The business segment is quite stratified - with differing management, performance, and support needs

    • With respect to Vyatta software, that is no longer available on the open market. We know about VyOS, but wouldn’t agree it has “blistering speeds”, at least, not compared to the (former) Vyatta 5600 product. Moreover, VyOS, while inexpensive, is no longer “100% free” unless you’re willing to build it yourself (and do that without their release engineering) or run on their version of a ‘pfSense snapshot’.

    • You don’t need a $3,200 Supermicro box to run TNSR. It runs just fine on a SG-5100, at less than $700.

    • If we are really talking about where TNSR is targeted, I’d gamble a Cisco or PAN solution would be considerably more than $300/firewall/year

    • Your point...“There was no way hardware alone was going to keep the boat afloat…”

      • Our hardware business is, in fact, healthy. But what is important to understand is:

        • We serve multiple market segments - each with different needs and demands

        • One of those segments happens to be the “DIY” segment - who build their own pfSense appliance (or VM) for their own use at home. We’re builders and hobbyists too, so we fully appreciate and respect the profile. We don’t make any money there, but we’ve always said “security is a right, not a privilege” so we continue to serve it as best we can.

        • We also serve businesses - who we believe can and should pay if they are reusing our hard won value-add commercially. And, in this segment, we do tend to bristle at the ~3,000 appliances marketed with pfSense pre-loaded, when 1) none of the companies selling those products do anything to help pfSense the project, 2) absolutely use it to advance their business, and 3) do so at our expense.

      • That as a backdrop, here is a bit of (sometimes forgotten) history...

        • Netgate could have done a lot less work on pfSense over the past seven years - and pfSense would not be nearly as good as it is today. In 2012 and 2013, pfSense was stuck on FreeBSD 8, (which had EOL’d), was using PBIs for packages, and had a slew of other issues (no AES-GCM, no IKEv2, no ARM platform support, no embedded switch support, etc., etc.). These shortcomings were holding it back from achieving what it has become today.

        • So, our developers tend to frown at assertions that they’ve ever taken a code path “primarily designed to obsolete older hardware”.

    • With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year.

    • Now, I’d agree a $300 per year subscription with no GUI is a non-starter for many customers. Which is why we might be best served to just talk. Alternatively, if you’re able to hang on just a few weeks, you’ll likely hear more about upcoming product line plans. Regardless, based on our analysis of the market, we are moving towards compelling offers for buyers just like you - certainly relative to the brands you mention - with whom we already compete.

    • I really don’t believe you’ll feel “betrayed” once we can share more

    Then we have this secrecy and privacy and vague answers. Day by day, you keep turning into those corporations we hate. No transparency, rising costs, innovations only for the super rich with deep pockets. We would rather have "We will have this out by 2023" and have you come out and say "Oh well it will be 2024 because we had issues" then "We are not advertising our progress". That makes us think the truth is, "Dude this is a $160 device and doesn't make us enough revenue to afford to put more than the intern from the mailroom on, and it will get done and it gets done if at all and if you want that feature, open up your wallet you darn peasant and give us more money for a $400+ device.

    We need to go a little deeper on this one as well :-)

    • Netgate is not a huge corporation - by any measure. We do however serve consumers, power consumers, telecommuters, small / medium / large businesses and’ enterprises - across every vertical on every continent). Additionally, we serve local, state, and university educational institutions; and local, state, and federal government agencies.

    • With respect secrecy, privacy, transparency…” that’s a tough place for us to “bat high”. There are so many moving parts in this business, many of which are simply out of our control. If we tipped towards sharing it all, it would whipsaw the community. So, we look for an appropriate balance point. I’m sure we miss at times. But, it is neither our DNA nor our heritage to be “secretive or closed” - especially where the project is concerned. Now, where our business is concerned? Well, like any company, we have to make judgement calls there every day - just as I’m sure you do. We try to be as transparent as we can. To substantiate, all project software snapshots are up for public review as they progress, and are revealed in press releases, blogs, and newsletters as soon as possible. All hardware initiatives are disclosed via press releases, blogs, and newsletters as soon as possible.

    • But there are things that happen in virtually every software and hardware launch that throw us curves. Not to air dirty laundry (after all those are our problems, not yours), but by way of explanation…

      • When FreeBSD has driver issues, we have to deal with that
      • If a component manufacturer misses on a scheduled delivery, we have to deal with that
      • If we find a quality issue, we have to deal with that
    • $160 devices are a sizeable percentage of our appliance business - because, frankly, they are extremely popular. As a result, we actually care quite a lot.

    • We do not have a mail room with staff, but we do have an intern or two. And, to be clear, those too are valued employees, but they are far from alone. Come to Austin and take a tour of our facility. You’ll likely walk away with a very different impression.

    • I won’t repeat myself on the “$300/$400” point, that was covered earlier.

    To close, I really don’t share any of this out of defensiveness or a need to “win” arguments. I do want to share what I think might be useful information, though, so as not to wave off. I hope it comes across that way. As offered earlier, if there is a way for us to speak directly, I’m willing to hear more of your views, and figure out how we can turn that into a positive for the community and Netgate customers alike.

    Best,
    Dennis



  • @dennis_s Thank you for sharing all this information.

    You should write the newsletters and blog posts 👍



  • I do want to share what I think might be useful information, though, so as not to wave off.

    Well, you certainly did just that. Thanks for the detailed info.

    To anyone that comes here for the topic title:

    With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year.



  • @dennis_s Its my fault because I assumed any device sold by netgate would support hardware encryption NOW after all the fuss netgate and pfsense made about hardware crypto being a requirement for pfsense devices in the future. Rest assured, its the last piece of pfsense hardware I will buy that isn't supported right away. I can see a possible scenario where netgate doesn't get it working and abandons the platform altogether for future releases of pfsense because its too much work to be bothered with as compared to just starting to sell atom devices the same size. I really do hope it comes out, but I'm not gullible enough to expect it at this point. What I do expect sometime not too far down the line is to read that, for some technical... Long and drawn out reason.... That Pfsense has decided to abandon the device and that I should buy a new device for continued service... At which point netgate will have sold their last device to me or anyone I can influence. So, I hope things go as you say, but I wasn't born yesterday, so I no longer expect it.


  • Netgate

    @kejianshi We learned from the early announcement that 2.5 would require AES-NI. As with everything, plans could change and with regards to the RESTCONF API it was no longer being planned for 2.5, therefore, AES-NI would not need to be required. There are no plans to abandon the SG-1100 and as I stated before, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set for the SG-1100 and hopefully, it makes it into a release early next year.

    With that being said, if AES-NI is a requirement for you or your business all of our other appliances do support AES-NI.



  • @dennis_s
    Thank you for the candid response. That level of detail was exactly what was needed. As for my feelings, I won't reiterate specifics but I have had a few run-ins with Netgate previously, I have a colleague that had a real big run-in that became quite sour and I have noticed on more than 1 occasion where an answer over pricing was a bit more than just terse and short. This lead me to use some experience driven speculation.

    But in an environment light on facts, speculations reigns supreme.

    The SG1100 doesn't appeal to me because it doesn't do well in 300MB/s pluss environments at least real world performance with my configs. Which is fine, the 3100 works perfectly up to a gig and it is priced low enough for me to purchase in bulk and replace the Watch guards and SonicWalls I used to purchase.

    However there are people with lower budgets and higher expectations that would disagree with my statements. I am sure once hardware crypto is enabled a lot will still complain that it's not as big of an improvement as they hoped.

    Maybe a 1500 or 1600 version between the 1100 and 3100 would bridge that gap.

    Personally I don't care, I just want a wall mount and rack mount for the 3100. Or a wall mount and a rack mount version that is under $600 that can maybe do >150mbps on vpns.


Log in to reply