ARM Cortex vs Intel?

valnar · May 27, 2020, 2:10 PM

I've been using pfSense for 10 years and only on Intel boxes - mostly on the ALIX/APU2 series from PC Engines. I know within that timeframe, ARM processor support is relatively new. For the first time I'm considering "upgrading" to one of the smaller official Netgate boxes.

Is there anything I would be missing by moving from Intel --> ARM? 'Maybe not necessarily pfSense specific, but within FreeBSD? I see if you look at the official pfSense hardware they relegate ARM based boards to the lower tier, and keep Intel for the higher-end (I realize that is for speed, what's available within both chip makers, etc).

So what I'm basically asking is, is there anything I would give up, either in capability, reliability or maturity, by moving to an ARM Cortex based box?

bigsy · Jun 5, 2020, 3:38 PM

Crypto hardware support.

It never appeared for the SG-1000.
Appears to be "in development" for the SG-1100 but currently AES-128-CBC only.
Available on the SG-3100 which, AFAIK, supports AES-256-CBC but not AES-GCM.

stephenw10 · May 29, 2020, 12:00 AM

Yup work continues on the safexcel driver for the SG-1100 and others. It should support more than just aes-128-cbc, hopefully including aes-gcm which would give a good improvement in IPSec.

There are some packages that are not available on arm currently. Mostly because they have dependencies on other languages like RUST or GO which gives problems cross compiling. Notably Telegraf right now.

Steve

jimp · Jun 3, 2020, 7:45 PM

If you are coming from ALIX there is nothing to lose whatsoever.

Coming from APU is may depend on the age/specs of the APU if the bits mentioned by @stephenw10 are relevant or not, but your only real concern is performance.

bcruze · Jun 5, 2020, 3:38 PM

@bigsy said in ARM Cortex vs Intel?:

Crypto hardware support.

It never appeared for the SG-1000.
Appears to be "in development" for the SG-1100 but currently AES-128-CBC only.
Available on the SG-3100 which, AFAIK, supports AES-256-CBC but not AES-GCM.

So I have the 3100 and my openvpn tunnels list :

Jun 5 07:20:47 openvpn 50515 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

What am I missing?

bigsy · Jun 6, 2020, 5:57 AM

@bcruze Crypto algorithms not supported by the hardware crypto (Marvell CESA in the case of the SG-3100) will not be offloaded but will still be performed on the CPU. Whether you're "missing" anything or not will depend on your individual setup, connection speed etc. This Netgate document helps explain. It refers to now obsolete equipment but it's the same principles.

stephenw10 · Jun 6, 2020, 2:21 PM

Indeed, CESA does not support AES-GCM. If you want your OpenVPN tunnels to use it you must choose AES-CBC and select the BSD crypto hardware in the config.
https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_4_5/sys/dev/cesa/cesa.c#L1224

Steve

bcruze · Jun 6, 2020, 2:27 PM

@stephenw10 said in ARM Cortex vs Intel?:

Indeed, CESA does not support AES-GCM. If you want your OpenVPN tunnels to use it you must choose AES-CBC and select the BSD crypto hardware in the config.
https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_4_5/sys/dev/cesa/cesa.c#L1224

Steve

nice!

that is exactly what i am doing

valnar · Jun 6, 2020, 4:03 PM

I'm going back to the drawing board. I think at this point I should stick with something Intel based. Thanks for all the replies.