
    Netgate Discussion Forum

    (Solved) Intel QAT driver with WireGuard support

    • ?
      A Former User last edited by A Former User

      I didn't really know where to place this question, since it could be seen as either WireGuard or hardware related. So I hope
      this is not the wrong section of the forum.

      crypto/qat: add chacha-poly in ucs spc mode from 2021

      So I was thinking, why not ask whether there is, or will be, a way
      to get Intel QAT support for WireGuard under pfSense (FreeBSD) too?

      Will there be a way to realize it using the Intel QAT driver and/or the DPDK?

      • stephenw10
        stephenw10 Netgate Administrator last edited by

        It's not yet possible with the current QAT driver but potentially it could be.

        Steve

        • ?
          A Former User @stephenw10 last edited by

          @stephenw10 Thanks for clearing that up for me!

          • G
            gabacho4 Rebel Alliance last edited by

            That was a great question Dobby. I’d gift you some clothing if I could. Looking forward to this possibly being implemented in the future!

            • ?
              A Former User @gabacho4 last edited by

              @gabacho4

              pfSense is using FreeBSD
              |---> Intel QAT Driver is supporting ChaCha-Poly
              |---> CryptoDev system is using the driver
              |---> WireGuard is using the CryptoDev system
              |---> DPDK was used to code the WireGuard packet

              • SebM
                SebM last edited by

                I'm writing this in February 2023, and was wondering if the QAT driver in pfSense 23.01 can accelerate WireGuard...

                Thanks!

                • stephenw10
                  stephenw10 Netgate Administrator last edited by

                  It cannot because the QAT driver there doesn't yet support any of the QAT hardware that supports chacha-poly. Namely Gen3 or above. But obviously even once that driver arrives you would still require Gen3 QAT hardware to actually accelerate it.

                  Steve

                  • J
                    jwt Netgate @stephenw10 last edited by jwt

                    @stephenw10 we actually have work slated for pfSense Plus 23.05 based on Intel’s IPSec-MB library which uses SSE 4.2, AVX, AVX2, AVX-512 (including AVX-VNNI) to accelerate AES-CBC, AES-GCM, SHA, SHA2 (and variants), SHA3, and ChaCha20/Poly1305.

                    We have years of experience with this library in TNSR.

                    We have included working implementations for ARM64, including ARM’s NEON instructions. AES-CBC isn’t currently implemented for ARM64, but we’ll get to it.

                    The work “takes over” the existing implementations of these transforms in FreeBSD’s OCF, so all applications get accelerated once you load the module.

                    Remember that OpenVPN DCO and IPsec can both use ChaCha20/Poly1305. Netgate also did this work.

                    These are both faster than WireGuard when using ChaCha20/Poly1305, and much faster when using AES-GCM.

                    There are papers about our work on IPsec-MB and OpenVPN DCO being presented at AsiaBSDCon 2023.

                    • K
                      keyser @jwt last edited by keyser

                      @jwt This is really interesting, but one thing eludes me. Is this still QAT gen3 only or are there parts of chacha20/poly1305 that can be accelerated on Gen2 hardware (like in the SG-x100 appliances)? As I read your statement you are not really using QAT for acceleration in the library but rather more advanced processor instructions.

                      In other words: Will the current Atom appliance boxes see hardware acceleration benefits in wireguard from this work/module in 23.05?

                      • J
                        jwt Netgate @keyser last edited by jwt

                        @keyser no QAT here. Just CPU.

                        The current atom boxes are what they are. The QAT in them doesn’t have any way to accelerate chacha20/poly1305.

                        They do, however, support SSE and AES-NI (and the SHA instructions).

                        A pair of SG-8200s were connected using their primary 10Gbps SFP network port. The iperf3 systems were connected to their secondary 10Gbps port.

                        OpenVPN AES-256-GCM w/DCO
                        OCF-async 1.50gbps
                        IIMB-async 2.50gbps
                        QAT 3.18gbps

                        IPsec AES-128-GCM
                        OCF-async 1.55gbps
                        IIMB-async 1.64gbps
                        QAT 1.70gbps

                        WireGuard (ChaCha20-Poly1305)
                        OCF-async 1.50gbps
                        IIMB-async 2.05gbps

                        Newer Atoms (Gracemont) support VAES and AVX2. Using VPP (like tnsr) and a 40G card in a reference board, Intel has shown 14.99gbps on a single core for IPSec using AES-128-GCM using trex as a load generator.

                        I mentioned it above, but we also support ARM64.
