pfSense 2.5.0 will not require AES-NI



  • There is great news, or at least a bit of a lifeline and extension for non-AES-NI hardware, as 2.5.0 will not require hardware AES-NI or equivalent support, based on Netgate's development snapshot post:

    The original plan was to include a RESTCONF API in pfSense 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus pfSense 2.5.0 will not require AES-NI.

    Source: https://www.netgate.com/blog/pfsense-2-5-0-development-snapshots-now-available.html

    Original announcements on pfSense 2.5 and AES-NI: https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html and https://www.netgate.com/blog/more-on-aes-ni.html

    Great to see the pfSense team and Netgate listening to the community and modifying their approach!


  • Rebel Alliance Moderator

    @Ragtag_fleet said in pfSense 2.5.0 will not require AES-NI:

    Great to see the pfSense team and Netgate listening to the community and modifying their approach!

    Sorry, but that's nonsense. It has nothing to do with "listening to the community". It is, as you cited, simply a matter of the planned RESTCONF API not coming with 2.5.0 because of the work that has to go into porting pfSense to FreeBSD 12, etc.
    I won't say that for some small group that may come in handy, but really: come on. AES-NI is old news, and any halfway current CPU should have no problem with it. It was introduced in 2008, so I'm sorry, but I never ever understood that artificial outcry, as that was introduced almost 2 years ago. So even if they actually had that requirement now, with the 2.5 release not even on the near horizon, that would make it roughly 3 years from telling the community until the real introduction, which is now even further postponed. Every business I know plans for ~3 to max. 5 years. After that it's new hardware. Even at home it's normally around 5-7 years. So a 10-year-old CPU instruction set becoming mandatory (in the future) is a problem? Sorry, I can't see the drama in there. :)



  • For me it is a good message. I have an old, but still good for pfSense home use, HP N54L microserver with an AMD CPU that doesn't have AES-NI. Thx for that.


  • Rebel Alliance Moderator

    @marian78 said in pfSense 2.5.0 will not require AES-NI:

    For me it is a good message. I have an old, but still good for pfSense home use, HP N54L microserver with an AMD CPU that doesn't have AES-NI. Thx for that.

    Don't take me wrong: if you already have hardware and can use it a little while longer, have fun and happiness to you. May it last long :)
    But I simply don't get the attitude of "Yeah, they dropped the required AES-NI BS, now let's buy some dirt-cheap, decade-old crap for $5 and run it to death for another 10 years and cry a river when that requirement comes back later, because you 'just bought new hardware' et al." Totally can't make heads or tails of it 😵
    Looking for a new box/VM/anything in 2019/2020, I'd get some decent thing and be done with it - saves so much time and headaches later on :)



  • I actually like the new AES-NI requirement that's coming down the road. Aside from the obvious benefits of better performance and security, it gives me an excuse to change out our old hardware in the office. If I were a home user, yeah, I probably wouldn't want to change out my hardware unless it's needed. Would I be mad about it? No. pfSense is free and awesome. New hardware is going to cost money, but pfSense has more than paid for itself already compared to some alternatives.



  • @JeGr I understand the benefits of AES-NI, but for most users, and especially home users, a non-AES-NI option would be great. Users will continue to use non-AES-NI CPUs if they have them, or might even buy them now, but there are plenty of alternatives if they want to go down that route. I think pfSense is a great tool; sad to see it might go down a path that might not be up to everyone's needs :(


  • Rebel Alliance Moderator

    @Ragtag_fleet I beg to differ. It has already been clearly stated why the need for AES-NI goes beyond just "useful". It's just a notion in the minds of most people that this only has something to do with "crypto" thingies and VPN stuff. If it were more widely known and accepted that the things AES-NI does and can do not only accelerate crypto "thingies" but also protect against CPU "baddies", coupled with more and more "mishaps" like Spectre and Meltdown happening, my hope is that people will grasp that this requirement comes from making communication and other tasks more secure, and not only from "just making VPNs faster".

    With that in mind, when buying new hardware in 2019, it should a) be a no-brainer and b) not come across as that expensive to most, as even the small(est) SoCs can already handle AES-NI. :)
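To take the guesswork out of the "does my box have it?" question that runs through this thread, here is an added example (not part of the original thread, and not pfSense or Netgate code) in C that checks for AES-NI two ways: live via CPUID (leaf 1, ECX bit 25), and by parsing the `Features2=` line a FreeBSD-based system such as pfSense prints in its boot messages (/var/run/dmesg.boot). The sample feature lines inside are constructed, not captured from real hardware.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Live check: CPUID leaf 1, ECX bit 25 is the AES-NI feature flag.
 * Returns 1 if present, 0 if absent, -1 when not running on x86. */
int cpuid_has_aesni(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;              /* leaf 1 unsupported: treat as absent */
    return (ecx & (1u << 25)) ? 1 : 0;
#else
    return -1;
#endif
}

/* Offline check for a FreeBSD-based box (pfSense): the kernel logs the CPU
 * feature flags at boot, e.g. Features2=0x7ffafbff<SSE3,...,AESNI,XSAVE,...>
 * Reports whether "AESNI" appears as a whole comma-separated token inside
 * the <...> list, so a longer flag name merely containing it does not match. */
bool dmesg_line_has_aesni(const char *line) {
    const char *start = strstr(line, "Features2=");
    if (!start) return false;
    const char *open = strchr(start, '<');
    const char *close = open ? strchr(open, '>') : NULL;
    if (!open || !close) return false;
    const char *p = open + 1;
    while (p < close) {
        const char *end = memchr(p, ',', (size_t)(close - p));
        if (!end) end = close;
        if (end - p == 5 && strncmp(p, "AESNI", 5) == 0) return true;
        p = end + 1;
    }
    return false;
}

int main(void) {
    int live = cpuid_has_aesni();
    printf("CPUID AES-NI: %s\n", live < 0 ? "n/a (not x86)" : live ? "yes" : "no");
    /* Constructed sample lines: an Intel-style list with AESNI, an older AMD-style one without. */
    const char *with = "Features2=0x7ffafbff<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>";
    const char *without = "Features2=0x802009<SSE3,MON,CX16,POPCNT>";
    printf("sample with AESNI: %d, without: %d\n", dmesg_line_has_aesni(with), dmesg_line_has_aesni(without));
    return 0;
}
```

On a pfSense box the same answer is shown in the dashboard's System Information widget as "AES-NI CPU Crypto", and the parser above can be pointed at `grep Features2 /var/run/dmesg.boot` output.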

