Netgate Discussion Forum
    SG-1100 Crypto Hardware

    Category: Official Netgate® Hardware
      kejianshi @PhlMike

      @PhlMike I see it like this. Lessons I learned from talking to girls when I was young seem to apply here... Maybe = no. Perhaps later = no. I'll think about it = no. I like to take my time = no. The only thing that means yes is yes. If these guys were working on it, they would be advertising their progress, but they aren't, so it's obviously not in the works if you ask me. I think they are waiting for someone else to develop opensource code and if that happens they might incorporate it, but I seriously doubt there is a team assigned to creating this code at netgate. Never trust "The check is in the mail".

        PhlMike @kejianshi

        @kejianshi You have a point. Since tnsr came about PfSense got shoved to a back burner. Tnsr looks cool and all but at its price and the fact I don't need routing above 10gig and I like a web interface at least as a backup to central mgmt it's better to stick with PfSense.

        So now we'll see Jim T's "further" ideas for a python html5 php as root free PfSense not happen by 3.0.

        And I buy > $10k in Netgates a year. Not the 1100, I only bought 3 of those. The 3100 I buy out. Still no promised wall mount for that one.

          kejianshi @PhlMike

          @PhlMike I hadn't even been paying any attention to tnsr. My impression of 2.5 and 3.0 pfsense is that it's primarily designed to obsolete older hardware, force hardware updates and limit the hardware it will run on (to hardware sold by netgate). If 2.5 comes out and the SG-1100 is supported but not with crypto acceleration, while pfsense 2.5 will not run on other hardware without crypto acceleration, that will be the proof that pfsense could work fine on new and old hardware without crypto acceleration but they went out of their way to break it to sell new hardware.

            dennis_s

            @PhlMike for your question on wouldn't that be in a redmine the answer is yes. As it deals with the internal parts of the ARM processor, the work is done in a private manner and not open to the public.

            Sorry.

            @kejianshi We are not advertising our progress. Not because we are delaying it, but because the process is a bit more involved than just setting the Hardware crypto to enabled. We have engineering staff dedicated to getting this working as we believe it gives our customers the assurance they are running genuine pfSense software.

            As for pfSense development getting pushed back with the launch of TNSR, that is just not correct. We have dedicated staff working to push both software products forward.

              PhlMike @dennis_s

              @dennis_s I understand you saying that pfSense isn't dead, but indicative of the sentiments of a large portion of the pfSense community we feel neglected as of late.

              It's business, I run a business, I understand: TNSR is the new cash cow, non-free with yearly license fees. With behavior I have seen over the past two years, you needed the revenue to sustain operations. There was no way hardware alone was going to keep the boat afloat. Even with the release of sub $500 equipment. Margins are tight.

              But pfSense was the shining light for people who abhorred the Cisco model, yet you still went that model with tnsr and doubled down on it, with a $300/year fee. I learn by using, lots of people learn by using. The vast majority of people who use netgate/pfSense in business use it at home. We can't use tnsr at home. I'm not spending $300/year and succumbing to an API or command line. I can understand a $5+MM/year business spending that kind of money, but when you buy 10G+ internet the ISP includes a firewall, usually a Palo Alto, and they charge under $1k/year for it. At that point would I spend $300/year to load TNSR on a $3,200 supermicro or two to run it? If I am going to buy 50-100-300 routers and needed 10G+ backbones, I can waltz into Cisco, Palo Alto, Juniper, F5 and the likes and with that kind of weight I can assure you I'm not spending $300/fw/year. And I still get a web interface so I don't have to go all command line. At that point if I wanted to go command line commando on a firewall I'd use Vyatta, it's 100% free and can run some blistering speeds.

              If tnsr was the grand realization and next generation of pfsense, and had a model that worked for a person who wanted to stick it in his house and a web ui, we would be less offended by it. As it stands now, it's a slap to our face and we feel betrayed. It's worse than if you sold out to Cisco and they started charging $100,000/second for pfsense.

              Then we have this secrecy and privacy and vague answers. Day by day, you keep turning into those corporations we hate. No transparency, rising costs, innovations only for the super rich with deep pockets. We would rather have "We will have this out by 2023" and have you come out and say "Oh well it will be 2024 because we had issues" than "We are not advertising our progress". That makes us think the truth is, "Dude this is a $160 device and doesn't make us enough revenue to afford to put more than the intern from the mail room on, and it will get done and it gets done if at all, and if you want that feature, open up your wallet you darn peasant and give us more money for a $400+ device"

                dennis_s @PhlMike

                @PhlMike, thanks for the candid feedback. I appreciate your frankness and points. There was a lot said, so I wanted to take some time and try to respond to each point…

                ...a large portion of the pfSense community we feel neglected as of late.

                We get a significant and widely varied amount of feedback from forums, social media, email, support tickets, etc. - just as you might imagine. Can’t say that I was aware that “a large portion of the pfSense Community feels neglected of late”. But, you definitely have my attention. Not offered as a defense, but we continue to steward the project, contribute heavily to pfSense software build, test, package, distribution and more. We also design and build appliances that we believe are best in class. While we can and will do more (I’ll come to that below), it bothers me to hear “neglect”, so I’d love to speak with you directly in more detail - if you’re open to it - to get a deeper perspective on your point there.
                TNSR runs on top of CentOS. pfSense, obviously, runs on FreeBSD. For those who might assume TNSR is the “only” future for Netgate, we recently employed Glen Barber (from the FreeBSD Project) to perform the continued release engineering of FreeBSD. We would not have done so if FreeBSD (and by extension, pfSense) was not important to the company.

                ...pfSense was the shining light for people who abhorred the Cisco model, yet you still went that model with TNSR and double downed on it, with a $300/year fee. I learn by using, lots of people learn by using.

                First, no form of TNSR introduced to date was ever intended as a pfSense replacement. It is initially targeted at large enterprise and service provider type buyers. It’s a separate market space for Netgate altogether. Now, to be 100% clear, we are looking at ways to offer more management flexibility and performance adders that we believe will DIRECTLY appeal to a sizeable portion of our pfSense user base. We are close to being able to talk more about that. Believe me, I’m not dodging you, but I also can’t get too far out in front of upcoming plans.

                The vast majority of people who use netgate/pfSense in business use it at home. We can't use tnsr at home. I'm not spending $300/year and succumbing to an API or command line. I can understand, a $5+MM/year business spending that kind of money, but when you buy 10G+ internet the ISP includes a firewall, usually a Palo Alto and they charge under $1k/year for it. At that point would I spend $300/year to load TNSR on a $3,200 supermicro or two to run it? If I am going to buy 50-100-300 routers and needed 10G+ backbones, I can waltz in to Cisco, Palo Alto, Juniper, F5 and the likes and with that kind of weight I can assure you I'm not spending $300/fw/year. And I still get a web interface so I don't have to go all command line. At that point if I wanted to go command line commando on a firewall I'd use Vyatta, it's 100% free and can run some blistering speeds. If tnsr was the grand realization and next generation of pfSense, and had a model that worked for a person who wanted to stick it in his house and a web ui. We would be less offended by it. As it stands now, it’s a slap to our face and we feel betrayed. It's worse than if you sold out to Cisco and they started charging $100,000/second for pfSense.

                Ok, let’s dig into this a bit:

                • A little less than half of our user base is consumer / power consumer. The rest is business, government education, etc.

                • The business segment is quite stratified - with differing management, performance, and support needs

                • With respect to Vyatta software, that is no longer available on the open market. We know about VyOS, but wouldn’t agree it has “blistering speeds”, at least, not compared to the (former) Vyatta 5600 product. Moreover, VyOS, while inexpensive, is no longer “100% free” unless you’re willing to build it yourself (and do that without their release engineering) or run on their version of a ‘pfSense snapshot’.

                • You don’t need a $3,200 Supermicro box to run TNSR. It runs just fine on a SG-5100, at less than $700.

                • If we are really talking about where TNSR is targeted, I’d gamble a Cisco or PAN solution would be considerably more than $300/firewall/year

                • Your point...“There was no way hardware alone was going to keep the boat afloat…”

                  • Our hardware business is, in fact, healthy. But what is important to understand is:

                    • We serve multiple market segments - each with different needs and demands

                    • One of those segments happens to be the “DIY” segment - who build their own pfSense appliance (or VM) for their own use at home. We’re builders and hobbyists too, so we fully appreciate and respect the profile. We don’t make any money there, but we’ve always said “security is a right, not a privilege” so we continue to serve it as best we can.

                    • We also serve businesses - who we believe can and should pay if they are reusing our hard won value-add commercially. And, in this segment, we do tend to bristle at the ~3,000 appliances marketed with pfSense pre-loaded, when 1) none of the companies selling those products do anything to help pfSense the project, 2) absolutely use it to advance their business, and 3) do so at our expense.

                  • That as a backdrop, here is a bit of (sometimes forgotten) history...

                    • Netgate could have done a lot less work on pfSense over the past seven years - and pfSense would not be nearly as good as it is today. In 2012 and 2013, pfSense was stuck on FreeBSD 8, (which had EOL’d), was using PBIs for packages, and had a slew of other issues (no AES-GCM, no IKEv2, no ARM platform support, no embedded switch support, etc., etc.). These shortcomings were holding it back from achieving what it has become today.

                    • So, our developers tend to frown at assertions that they’ve ever taken a code path “primarily designed to obsolete older hardware”.

                • With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year.

                • Now, I’d agree a $300 per year subscription with no GUI is a non-starter for many customers. Which is why we might be best served to just talk. Alternatively, if you’re able to hang on just a few weeks, you’ll likely hear more about upcoming product line plans. Regardless, based on our analysis of the market, we are moving towards compelling offers for buyers just like you - certainly relative to the brands you mention - with whom we already compete.

                • I really don’t believe you’ll feel “betrayed” once we can share more

                Then we have this secrecy and privacy and vague answers. Day by day, you keep turning into those corporations we hate. No transparency, rising costs, innovations only for the super rich with deep pockets. We would rather have "We will have this out by 2023" and have you come out and say "Oh well it will be 2024 because we had issues" then "We are not advertising our progress". That makes us think the truth is, "Dude this is a $160 device and doesn't make us enough revenue to afford to put more than the intern from the mailroom on, and it will get done and it gets done if at all and if you want that feature, open up your wallet you darn peasant and give us more money for a $400+ device.

                We need to go a little deeper on this one as well :-)

                • Netgate is not a huge corporation - by any measure. We do however serve consumers, power consumers, telecommuters, small / medium / large businesses and enterprises - across every vertical on every continent. Additionally, we serve local, state, and university educational institutions; and local, state, and federal government agencies.

                • With respect to “secrecy, privacy, transparency…” that’s a tough place for us to “bat high”. There are so many moving parts in this business, many of which are simply out of our control. If we tipped towards sharing it all, it would whipsaw the community. So, we look for an appropriate balance point. I’m sure we miss at times. But, it is neither our DNA nor our heritage to be “secretive or closed” - especially where the project is concerned. Now, where our business is concerned? Well, like any company, we have to make judgement calls there every day - just as I’m sure you do. We try to be as transparent as we can. To substantiate, all project software snapshots are up for public review as they progress, and are revealed in press releases, blogs, and newsletters as soon as possible. All hardware initiatives are disclosed via press releases, blogs, and newsletters as soon as possible.

                • But there are things that happen in virtually every software and hardware launch that throw us curves. Not to air dirty laundry (after all those are our problems, not yours), but by way of explanation…

                  • When FreeBSD has driver issues, we have to deal with that
                  • If a component manufacturer misses on a scheduled delivery, we have to deal with that
                  • If we find a quality issue, we have to deal with that
                • $160 devices are a sizeable percentage of our appliance business - because, frankly, they are extremely popular. As a result, we actually care quite a lot.

                • We do not have a mail room with staff, but we do have an intern or two. And, to be clear, those too are valued employees, but they are far from alone. Come to Austin and take a tour of our facility. You’ll likely walk away with a very different impression.

                • I won’t repeat myself on the “$300/$400” point, that was covered earlier.

                To close, I really don’t share any of this out of defensiveness or a need to “win” arguments. I do want to share what I think might be useful information, though, so as not to wave off. I hope it comes across that way. As offered earlier, if there is a way for us to speak directly, I’m willing to hear more of your views, and figure out how we can turn that into a positive for the community and Netgate customers alike.

                Best,
                Dennis

                  Gertjan

                  @dennis_s Thank you for sharing all this information.

                  You should write the newsletters and blog posts 👍


                    cosineslist @dennis_s

                    I do want to share what I think might be useful information, though, so as not to wave off.

                    Well, you certainly did just that. Thanks for the detailed info.

                    To anyone that comes here for the topic title:

                    With specific regard to when crypto offload for the SG-1100 might arrive, I have it from our CTO that we still don’t have an exact date. It’s possible it could be added to an early 2020 release. Two paths have been investigated. The first is a HW crypto function which uses intellectual property licensed from SafeXcel on the Marvell Armada 3720 SoC. The second is based on A53 ARMv8 cores supporting instructions analogous to the “AES-NI” instructions found on Intel and AMD CPUs. Our early efforts were to write a driver for the SafeXcel HW offload. While a Linux driver exists, we can’t use it (due to GPL issues). Further, no similar driver exists for any of FreeBSD, OpenBSD, or NetBSD. We’ve called upon two experienced outside consultants to implement such a driver (and tie it into cryptodev). Yet, it just isn’t ready for production use. So, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set. With luck, that could make it into a release early next year.

                      kejianshi @dennis_s

                      @dennis_s It's my fault because I assumed any device sold by netgate would support hardware encryption NOW after all the fuss netgate and pfsense made about hardware crypto being a requirement for pfsense devices in the future. Rest assured, it's the last piece of pfsense hardware I will buy that isn't supported right away. I can see a possible scenario where netgate doesn't get it working and abandons the platform altogether for future releases of pfsense because it's too much work to be bothered with as compared to just starting to sell atom devices the same size. I really do hope it comes out, but I'm not gullible enough to expect it at this point. What I do expect sometime not too far down the line is to read that, for some technical... long and drawn out reason.... pfSense has decided to abandon the device and that I should buy a new device for continued service... At which point netgate will have sold their last device to me or anyone I can influence. So, I hope things go as you say, but I wasn't born yesterday, so I no longer expect it.

                        dennis_s @kejianshi

                        @kejianshi We learned from the early announcement that 2.5 would require AES-NI. As with everything, plans could change and with regards to the RESTCONF API it was no longer being planned for 2.5, therefore, AES-NI would not need to be required. There are no plans to abandon the SG-1100 and as I stated before, we’ve turned our focus back to the AES instructions implemented for the ARMv8 instruction set for the SG-1100 and hopefully, it makes it into a release early next year.

                        With that being said, if AES-NI is a requirement for you or your business all of our other appliances do support AES-NI.

                          PhlMike @dennis_s

                          @dennis_s
                          Thank you for the candid response. That level of detail was exactly what was needed. As for my feelings, I won't reiterate specifics, but I have had a few run-ins with Netgate previously, I have a colleague that had a real big run-in that became quite sour, and I have noticed on more than 1 occasion where an answer over pricing was a bit more than just terse and short. This led me to use some experience-driven speculation.

                          But in an environment light on facts, speculation reigns supreme.

                          The SG1100 doesn't appeal to me because it doesn't do well in 300MB/s plus environments, at least real world performance with my configs. Which is fine, the 3100 works perfectly up to a gig and it is priced low enough for me to purchase in bulk and replace the WatchGuards and SonicWalls I used to purchase.

                          However there are people with lower budgets and higher expectations that would disagree with my statements. I am sure once hardware crypto is enabled a lot will still complain that it's not as big of an improvement as they hoped.

                          Maybe a 1500 or 1600 version between the 1100 and 3100 would bridge that gap.

                          Personally I don't care, I just want a wall mount and rack mount for the 3100. Or a wall mount and a rack mount version that is under $600 that can maybe do >150mbps on vpns.

                            maltehillmann @dennis_s

                            @dennis_s
                            Are there any news on this?

                              PhlMike @maltehillmann

                              @maltehillmann
                              Netgate ended up releasing the SG-2100 which has the same processor and pfSense 2.5 is rounding 3rd base to completion. 2.5 should be out in February (or March), just in time for the SG-2100's to be in-stock and shipping. If 2.5 doesn't include AES-NI for the SG-1100 then I would tell you that chances are it never will.

                              But to be brutally honest, compared to Sonicwall's SOHO-250 at $234, Watchguard T15 (with 1 year support) at $278 and the Sophos XG 86 at $478, the SG-1100 is the cheapest on the block. I have seen Best Buy Linksys pieces of e-waste at higher prices than an SG-1100.

                              Now, the SG-2100 I haven't personally used. I liked the SG-3100's but I have started buying the SG-5100's because the SG-3100 still doesn't come with a wall mount and it is black metal. The white shows dirty fingerprints. It is annoying.

                                scurrier @PhlMike

                                @phlmike I note that the SG-2100 lists higher performance despite same processor. A potential clue that they've added the hardware acceleration?

                                  ahking19 @PhlMike

                                  @phlmike AES-NI is an x86 instruction set so you will never see it on ARM product.

                                    PhlMike @ahking19

                                    @ahking19 Netgate claimed when they released the SG-1100 that they would add in the hardware crypto acceleration. The chip they are using has some form of acceleration, but I do not know if it is 100% identical to x86 AES-NI. Clearly not, as it doesn't work out of the box. The issue at hand for most people that purchased the SG-1100 was that it was promised and thus far has been just that. However those references seem to have been removed from the marketing material.

                                    @scurrier From looking at both products it is not the 100% same CPU. The SG-1100 has a Marvell Armada 3720LP and the SG-2100 has the non-LP variant, which I am assuming means Low Power. So an educated guess would be that higher cooling capacity allows more power and thus performance. The SG-2100 also has NEON SIMD and FPU. More than likely the SG-2100 will support hardware crypto acceleration and use those extra instructions for it.

                                    @maltehillmann I just went through the material again for the SG-1100. All reference to hardware crypto acceleration has been removed from what I can see. I think it proved too hard to do with too many roadblocks for what would be only nominal performance gains on that unit. I think HCA is dead on the SG-1100.

                                    The Abstract on NEON: "NEON is a vector instruction set included in a large fraction of new ARM-based tablets and smartphones. ...NEON supports high-security cryptography at surprisingly high speeds"

                                    My intuition or RPIA (random person on internet's assumption) is that the base Marvell Armada proved to be too much of a challenge to get HCA working so NG created the SG-2100 with the NEON to have it on that platform and abandoning the SG-1100.

                                      stephenw10 Netgate Administrator

                                      A lot of the performance improvements for the SG-2100 are due to the fact it has two NICs.
                                      mvneta(4) uses a single queue which means two NICs can use both CPU cores more efficiently.

                                      It also has far more RAM which helps a lot, especially if you're running any packages.

                                      An early version of the SafeXcel driver was included in 2.4.5 but mostly just for testing at that point. You can enable it but it only supports AES-128-CBC and doesn't accelerate much.
                                      The current version is much better.

                                      Steve

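An added check script, not Netgate's code and not posted by anyone in the thread: it takes the two acceleration paths dennis_s describes above, the SafeXcel offload engine and the ARMv8 AES instructions on the A53 cores, and reports which one a FreeBSD/pfSense arm64 kernel actually exposes by parsing its dmesg text, which is the check to run before trusting that IPsec or OpenVPN traffic is being offloaded at all. The dmesg excerpts embedded in it are constructed samples, and the exact wording of the safexcel attach line is an assumption.

```shell
#!/bin/sh
# Classify which crypto acceleration path a FreeBSD/pfSense arm64 kernel
# reports on an Armada 3720 (SG-1100 class) box, from dmesg-style text:
#   offload   : the SafeXcel engine driver (safexcel(4)) attached
#   armv8-aes : the Cortex-A53 cores advertise the ARMv8 AES extension
#   both / software : both present / neither present
# The dmesg excerpts below are CONSTRUCTED samples, not real captures, and the
# exact wording of the safexcel attach line is an assumption.

SAMPLE_DMESG_ARMV8='CPU  0: ARM Cortex-A53 r0p4 affinity:  0
 Instruction Set Attributes 0 = <CRC32,SHA2,SHA1,AES+PMULL>
 Instruction Set Attributes 1 = <>
mvneta0: <NETA controller> mem 0x30000-0x33fff irq 30 on simplebus0'

SAMPLE_DMESG_OFFLOAD='CPU  0: ARM Cortex-A53 r0p4 affinity:  0
 Instruction Set Attributes 0 = <CRC32>
safexcel0: <SafeXcel EIP-97 crypto accelerator> mem 0x90000-0x9ffff on simplebus0
safexcel0: Running on 1 ring(s)'

SAMPLE_DMESG_NONE='CPU  0: ARM Cortex-A53 r0p4 affinity:  0
 Instruction Set Attributes 0 = <>'

# first_isa_attrs <dmesg-text>: the first "Instruction Set Attributes 0" line,
# which is where the kernel dumps the cores' ID_AA64ISAR0 feature bits.
first_isa_attrs() {
    printf '%s\n' "$1" | grep 'Instruction Set Attributes 0' | head -n 1
}

# crypto_path <dmesg-text>: prints offload | armv8-aes | both | software
crypto_path() {
    has_offload=0
    has_aes=0
    # safexcel(4) announces itself as a device instance when it attaches
    if printf '%s\n' "$1" | grep -q '^safexcel[0-9]*: <'; then
        has_offload=1
    fi
    # the AES extension is listed among the ISA attribute flags
    case "$(first_isa_attrs "$1")" in
        *AES*) has_aes=1 ;;
    esac
    case "${has_offload}${has_aes}" in
        11) echo both ;;
        10) echo offload ;;
        01) echo armv8-aes ;;
        *)  echo software ;;
    esac
}

# missing_isa_crypto <dmesg-text>: which of AES, PMULL, SHA1, SHA2 the cores do
# NOT advertise (empty output = all present). A missing SHA1/SHA2 means the HMAC
# side of IPsec/OpenVPN stays in plain software even when AES is accelerated.
missing_isa_crypto() {
    attrs=$(first_isa_attrs "$1")
    missing=""
    for feat in AES PMULL SHA1 SHA2; do
        case "$attrs" in
            *"$feat"*) ;;
            *) missing="${missing}${missing:+ }${feat}" ;;
        esac
    done
    printf '%s' "$missing"
}

# Stand-alone demo over the constructed samples. On a real box, feed the live
# log instead:  crypto_path "$(dmesg)";  missing_isa_crypto "$(dmesg)"
echo "ARMV8 sample:   path=$(crypto_path "$SAMPLE_DMESG_ARMV8") missing=[$(missing_isa_crypto "$SAMPLE_DMESG_ARMV8")]"
echo "OFFLOAD sample: path=$(crypto_path "$SAMPLE_DMESG_OFFLOAD") missing=[$(missing_isa_crypto "$SAMPLE_DMESG_OFFLOAD")]"
echo "NONE sample:    path=$(crypto_path "$SAMPLE_DMESG_NONE") missing=[$(missing_isa_crypto "$SAMPLE_DMESG_NONE")]"
```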
                                        SteveITS Galactic Empire @PhlMike

                                        I went back and found an email I wrote my team from September and I am pretty sure the two products' pages showed the same CPU. If it's different that is a good thing. Also the 2100 has a separate WAN port whereas the 1100 has all ports on the same switch.

                                        Another thread: https://forum.netgate.com/topic/151296/update-sg-1100-crypto-hardware/8

                                        Also Netgate had said 2.5 would "require" AES-NI, which they backed away from. I'm assuming if they're going to launch the 2100 they won't be making it obsolete and un-upgradeable in the near future.


                                          bigsy @stephenw10

                                          @stephenw10 said in SG-1100 Crypto Hardware:

                                          An early version of the SafeXcel driver was included in 2.4.5 but mostly just for testing at that point. You can enable it but it only supports AES-128-CBC and doesn't accelerate much.
                                          The current version is much better.

                                          Will that updated driver be included in pfSense 2.5.0?

                                          The linked FreeBSD manual page says that "the safexcel driver first appeared in FreeBSD 13.0."

                                            NOCling

                                            Since I've had an SG-3100, I've been using HCA in the SG-1100 with AES-CBC-128 for about 6 months.
                                            No crash, no problems, just works.
                                            50 Mbit / s corresponds to a CPU utilization of approx. 40%.

                                            I think the SG-1100 and SG-2100 deliver roughly the same speed with the HCA on.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.