SG-1100 Crypto Hardware

kejianshi

@stephenw10 Thanks old timer. Still at it huh? This tiny box is replacing a AMD X2 3800... I got a LOT of miles out of that box!

stephenw10

Yup, still here.

PhlMike

Any ballpark estimates on the gains that will be seen by even supporting the hardware cryptography?
I'm assuming in daily operation it won't matter so much but only on ipsec and openvpn.

I bought a few of these, I might put one in place of my current home FW which is a 3rd gen Intel Core i5 on an Intel DQ77MK mobo. I have 500mbps internet and three ipsec vpn tunnels, and 2 vlans.

chrismacmahon

We are doing the work on our own on this, we do expect gains but to put out firm numbers would be a disservice to all involved.

bigsy

@chrismacmahon
Will there be any support for the crypto hardware on the SG-1000 (now EoS)?

chrismacmahon

That's a good question. Let me get back to you on that.

chrismacmahon

@bigsy We don't think the work will be impacting the SG-1000.

dhw

@chrismacmahon Thanks for all your hard work! What would be the best way to keep tabs on the development of this driver?

chrismacmahon

Our blog, twitter or in the forums. We will announce it when the time comes.

You can also have a RSS feed on your dashboard in pfSense.

Jeremy11one

@chrismacmahon said in SG-1100 Crypto Hardware:

We will announce it when the time comes.

Is there any ETA for when ARM crypto hardware acceleration will be released for the SG-1100 and is it money-back guaranteed for people who purchase them? And is the performance of the ARM acceleration expected to be similar to AES-NI?

I'm ready to purchase 2 firewalls but I'm leaning towards the Pc-Engines APU2D4 mainly because it has acceleration. I see that developers are working on it but I recognize that one possible outcome is that the devs could say "well, we tried to make it work but it just can't happen." So it would be nice to hear some inside knowledge about the progress and expectations.

cosineslist

@chrismacmahon

Is this still being worked on? As the above person mentioned an ETA would be helpful. Even a very conservative ETA would be great, just to let people know that the feature is definitely coming.

chrismacmahon

Is this still being worked on: Most definitely.

Do we have an ETA: I'm not aware of an ETA, there is a lot of work that goes into this.

PhlMike

Wouldn't that be in redmine? It should have a projected version that functionality would be in like 2.4.5 or 2.5, etc...

Wouldn't that make it easier to track? I mean 2.5 should be here by 2020. So if you plan on having it done prior to 2.5 then you have a pretty decent ballpark of 3-6 months.

kejianshi

@PhlMike I see it like this. Lessons I learned from talking to girls when I was young seem to apply here... Maybe = no. Perhaps later = no. I'll think about it = no. I like to take my time = no. The only thing that means yes is yes. If these guys were working on it, they would be advertising their progress, but they aren't so its obviously not in the works if you ask me. I think they are waiting for someone else to develop opensource code and if that happens they might incorporate it but I seriously doubt there is a team assigned to creating this code at netgate. Never trust "The check is in the mail".

PhlMike

@kejianshi You have a point. Since tnsr came about PfSense got shoved to a back burner. Tnsr looks cool and all but at its price and the fact I don't need routing above 10gig and I like a web interface at least as a backup to central mgmt it's better to stick with PfSense.

So now we'll see Jim T's "further" ideas for a python html5 php as root free PfSense not happen by 3.0.

And I buy > $10k in negates a year. Not the 1100I only bought 3 of those. The 3100 I buy out. Still no promised wall mount for that one.

kejianshi

@PhlMike I hadn't even been paying any attention to tnsr. My impression of 2.5 and 3.0 pfsense is that its primarily designed to obsolete older hardware, force hardware updates and limit the hardware it will run on. (To hardware sold by netgate). If 2.5 comes out and the SG-1100 is supported but not with crypto acceleration while pfsense 2.5 will not run on other hardware without crypto acceleration, that will be the proof that pfsense could work fine on new and old hardware without crypto acceleration but they went out of their way to break it to sell new hardware.

dennis_s

@PhlMike for your question on wouldn't that be in a redmine the answer is yes. As it deals with the internal parts of the ARM processor, the work is done in a private manner and not open to the public.

Sorry.

@kejianshi We are not advertising our progress. Not because we are delaying it; but because it the process it is a bit more involved than just setting the Hardware crypto to enabled. We have engineering staff dedicated to getting this working as we believe it gives our customers the assurance they are running genuine pfSense software.

As for pfSense getting development getting pushed back with the launch of TNSR, that is just not correct. We have dedicated staff working to pushing both software products forward.

PhlMike

@dennis_s I understand you saying that pfSense isn't dead, but indicative of the sentiments of a large portion of the pfSense community we feel neglected as of late.

It's business, I run a business, I understand: TNSR is the new cash cow, non-free with yearly license fees. With behavior I have seen over the past two years, you needed the revenue to sustain operations. There was no way hardware alone was going to keep the boat afloat. Even with the release of sub $500 equipment. Margins are tight.

But pfSense was the shining light for people who abhorred the Cisco model, yet you still went that model with tnsr and double downed on it, with a $300/year fee. I learn by using, lots of people learn by using. The vast majority of people who use netgate/pfSense in business use it at home. We can't use tnsr at home. I'm not spending $300/year and succuming to an API or command line. I can understand, a $5+MM/year business spending that kind of money, but when you buy 10G+ internet the ISP includes a firewall, usually a Palo Alto and they charge under $1k/year for it. At that point would I spend $300/year to load TNSR on a $3,200 supermicro or two to run it? If I am going to buy 50-100-300 routers and needed 10G+ backbones, I can waltz in to Cisco, Palo Alto, Juniper, F5 and the likes and with that kind of weight I can assure you I'm not spending $300/fw/year. And I still get a web interface so I don't have to go all command line. At that point if I wanted to go commandline commando on a firewall I'd use Vyatta, it's 100% free and can run some blistering speeds.

If tnsr was the grand realization and next generation of pfsense, and had a model that worked for a person who wanted to stick it in his house and a web ui. We would be less offended by it. As it stands now, its a slap to our face and we feel betrayed. It's worse than if you sold out to Cisco and they started charging $100,000/second for pfsense.

Then we have this secrecy and privacy and vague answers. Day by day, you keep turning into those corporations we hate. No transparency, rising costs, innovations only for the super rich with deep pockets. We would rather have "We will have this out by 2023" and have you come out and say "Oh well it will be 2024 because we had issues" then "We are not advertising our progress". That makes us think the truth is, "Dude this is a $160 device and doesn't make us enough revenue to afford to put more than the intern from the mail room on, and it will get done and it gets done if at all and if you want that feature, open up your wallet you darn peasant and give us more money for a $400+ device"

dennis_s

@PhlMike, thanks for the candid feedback. I appreciate your frankness and points. There was a lot said, so I wanted to take some time and try to respond to each point…

...a large portion of the pfSense community we feel neglected as of late.

We get a significant and widely varied amount of feedback from forums, social media, email, support tickets, etc. - just as you might imagine. Can’t say that I was aware that “a large portion of the pfSense Community feels neglected of late”. But, you definitely have my attention. Not offered as a defense, but we continue to steward the project, contribute heavily to pfSense software build, test, package, distribution and more. We also design and build appliances that we believe are best in class. While we can and will do more (I’ll come to that below), it bothers me to hear “neglect”, so I’d love to speak with you directly in more detail - if you’re open to it - to get a deeper perspective on your point there.
TNSR runs on top of CentOS. pfSense, obviously, runs on FreeBSD. For those who might assume TNSR is the “only” future for Netgate, we recently employed Glen Barber (from the FreeBSD Project) to perform the continued release engineering of FreeBSD. We would not have done so if FreeBSD (and by extension, pfSense) was not important to the company.

...pfSense was the shining light for people who abhorred the Cisco model, yet you still went that model with TNSR and double downed on it, with a $300/year fee. I learn by using, lots of people learn by using.

First, no form of TNSR introduced to date was ever intended as a pfSense replacement, It is initially targeted at large enterprise and service provider type buyers. It’s a separate market space for Netgate altogether. Now, to be 100% clear, we are looking at ways to offer more management flexibility and performance adders that we believe will DIRECTLY appeal to a sizeable portion of our pfSense user base. We are close to being able to talk more about that. Believe me, I’m not dodging you, but I also can’t get too far out in front of upcoming plans.

The vast majority of people who use netgate/pfSense in business use it at home. We can't use tnsr at home. I'm not spending $300/year and succumbing to an API or command line. I can understand, a $5+MM/year business spending that kind of money, but when you buy 10G+ internet the ISP includes a firewall, usually a Palo Alto and they charge under $1k/year for it. At that point would I spend $300/year to load TNSR on a $3,200 supermicro or two to run it? If I am going to buy 50-100-300 routers and needed 10G+ backbones, I can waltz in to Cisco, Palo Alto, Juniper, F5 and the likes and with that kind of weight I can assure you I'm not spending $300/fw/year. And I still get a web interface so I don't have to go all command line. At that point if I wanted to go command line commando on a firewall I'd use Vyatta, it's 100% free and can run some blistering speeds. If tnsr was the grand realization and next generation of pfSense, and had a model that worked for a person who wanted to stick it in his house and a web ui. We would be less offended by it. As it stands now, it’s a slap to our face and we feel betrayed. It's worse than if you sold out to Cisco and they started charging $100,000/second for pfSense.

Ok, let’s dig into this a bit:

• A little less than half of our user base is consumer / power consumer. The rest is business, government education, etc.

• The business segment is quite stratified - with differing management, performance, and support needs

• With respect to Vyatta software, that is no longer available on the open market. We know about VyOS, but wouldn’t agree it has “blistering speeds”, at least, not compared to the (former) Vyatta 5600 product. Moreover, VyOS, while inexpensive, is no longer “100% free” unless you’re willing to build it yourself (and do that without their release engineering) or run on their version of a ‘pfSense snapshot’.

• You don’t need a $3,200 Supermicro box to run TNSR. It runs just fine on a SG-5100, at less than $700.

• If we are really talking about where TNSR is targeted, I’d gamble a Cisco or PAN solution would be considerably more than $300/firewall/year

• Your point...“There was no way hardware alone was going to keep the boat afloat…”

  • Our hardware business is, in fact, healthy. But what is important to understand is:

    • We serve multiple market segments - each with different needs and demands

    • One of those segments happens to be the “DIY” segment - who build their own pfSense appliance (or VM) for their own use at home. We’re builders and hobbyists too, so we fully appreciate and respect the profile. We don’t make any money there, but we’ve always said “security is a right, not a privilege” so we continue to serve it as best we can.

    • We also serve businesses - who we believe can and should pay if they are reusing our hard won value-add commercially. And, in this segment, we do tend to bristle at the ~3,000 appliances marketed with pfSense pre-loaded, when 1) none of the companies selling those products do anything to help pfSense the project, 2) absolutely use it to advance their business, and 3) do so at our expense.

  • That as a backdrop, here is a bit of (sometimes forgotten) history...

    • Netgate could have done a lot less work on pfSense over the past seven years - and pfSense would not be nearly as good as it is today. In 2012 and 2013, pfSense was stuck on FreeBSD 8, (which had EOL’d), was using PBIs for packages, and had a slew of other issues (no AES-GCM, no IKEv2, no ARM platform support, no embedded switch support, etc., etc.). These shortcomings were holding it back from achieving what it has become today.

    • So, our developers tend to frown at assertions that they’ve ever taken a code path “primarily designed to obsolete older hardware”.

• With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year.

• Now, I’d agree a $300 per year subscription with no GUI is a non-starter for many customers. Which is why we might be best served to just talk. Alternatively, if you’re able to hang on just a few weeks, you’ll likely hear more about upcoming product line plans. Regardless, based on our analysis of the market, we are moving towards compelling offers for buyers just like you - certainly relative to the brands you mention - with whom we already compete.

• I really don’t believe you’ll feel “betrayed” once we can share more

Then we have this secrecy and privacy and vague answers. Day by day, you keep turning into those corporations we hate. No transparency, rising costs, innovations only for the super rich with deep pockets. We would rather have "We will have this out by 2023" and have you come out and say "Oh well it will be 2024 because we had issues" then "We are not advertising our progress". That makes us think the truth is, "Dude this is a $160 device and doesn't make us enough revenue to afford to put more than the intern from the mailroom on, and it will get done and it gets done if at all and if you want that feature, open up your wallet you darn peasant and give us more money for a $400+ device.

We need to go a little deeper on this one as well :-)

• Netgate is not a huge corporation - by any measure. We do however serve consumers, power consumers, telecommuters, small / medium / large businesses and’ enterprises - across every vertical on every continent). Additionally, we serve local, state, and university educational institutions; and local, state, and federal government agencies.

• With respect secrecy, privacy, transparency…” that’s a tough place for us to “bat high”. There are so many moving parts in this business, many of which are simply out of our control. If we tipped towards sharing it all, it would whipsaw the community. So, we look for an appropriate balance point. I’m sure we miss at times. But, it is neither our DNA nor our heritage to be “secretive or closed” - especially where the project is concerned. Now, where our business is concerned? Well, like any company, we have to make judgement calls there every day - just as I’m sure you do. We try to be as transparent as we can. To substantiate, all project software snapshots are up for public review as they progress, and are revealed in press releases, blogs, and newsletters as soon as possible. All hardware initiatives are disclosed via press releases, blogs, and newsletters as soon as possible.

• But there are things that happen in virtually every software and hardware launch that throw us curves. Not to air dirty laundry (after all those are our problems, not yours), but by way of explanation…

  • When FreeBSD has driver issues, we have to deal with that
  • If a component manufacturer misses on a scheduled delivery, we have to deal with that
  • If we find a quality issue, we have to deal with that

• $160 devices are a sizeable percentage of our appliance business - because, frankly, they are extremely popular. As a result, we actually care quite a lot.

• We do not have a mail room with staff, but we do have an intern or two. And, to be clear, those too are valued employees, but they are far from alone. Come to Austin and take a tour of our facility. You’ll likely walk away with a very different impression.

• I won’t repeat myself on the “$300/$400” point, that was covered earlier.

To close, I really don’t share any of this out of defensiveness or a need to “win” arguments. I do want to share what I think might be useful information, though, so as not to wave off. I hope it comes across that way. As offered earlier, if there is a way for us to speak directly, I’m willing to hear more of your views, and figure out how we can turn that into a positive for the community and Netgate customers alike.

Best,
Dennis

Gertjan

@dennis_s Thank you for sharing all this information.

You should write the newsletters and blog posts