AES-NI inoperative on pfSense 2.2?
-
I have two Netgate FW-7551 boxes set up for a "lab" test. The WAN ports are connected to an Ethernet switch and each FW-7551 has a Windows 7 laptop connected to its LAN port.
[Laptop]----[FW-7551]==[Gigabit Switch]==[FW-7551]----[Laptop]
On each FW-7551, I have verified that the Intel AES-NI feature is enabled in the BIOS. AES-NI is selected as the "Cryptographic Hardware" in pfSense under System>Advanced>Miscellaneous.
The FW-7551s are configured with an OpenVPN tunnel that uses a shared key and AES-128-CBC encryption. Hardware acceleration is enabled (BSD Cryptodev Engine). All interfaces have negotiated 1 Gb/s Ethernet port speeds. The tunnel connects successfully and is well behaved.
Here's the problem. None of the AES-NI settings have the slightest effect on the tunnel performance. The traffic graph and the workstations show that the maximum transfer rate is 100 Mb/s and CPU utilization stays at around 50%. Only turning off encryption has any impact - the maximum data rate then hits 200 Mb/s.
Before you start thinking that the two computers are at fault, I can tell you that the file transfer speed approaches 850 Mb/s when the laptops are connected directly to the switch.
AES-NI operates at several levels: BIOS, FreeBSD kernel drivers, and application support (pfSense). I have been able to confirm that the first and last pieces are in place, but I have not established the presence of the kernel drivers in the middle. I would appreciate comments from anyone who is familiar with how the Intel QuickAssist technology (http://www.intel.com/content/www/us/en/io/quickassist-technology/quickassist-technology-developer.html) works with pfSense v2.2.
Cheers,
Ed
-
AES-NI has little to no effect on AES-CBC. Its benefit comes with AES-GCM, which is supported by IPsec (and tested to increase its maximum throughput around 4-5 times over, up to near 2 Gbps with the packet filter enabled). OpenVPN doesn't yet offer AES-GCM support, though it's coming in a future release.
-
From my experience, AES-NI does improve AES-CBC encryption a lot.
With AES-NI enabled, my NUC is reaching 350 MB/s in the openssl aes-128-cbc benchmark.
It works fine for me in 2.2; in previous versions you had to make sure that aesni.ko did not get loaded, otherwise you got very poor performance and high CPU load.
You can try an openssl benchmark to test if it is working properly (openssl speed -evp aes-128-cbc).
In my OpenVPN config I did not select any hardware acceleration; it seems openssl is just using AES-NI fine on its own.
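An added example (not from any poster in this thread) that turns the suggested openssl benchmark into an actual AES-NI check: it runs openssl speed for aes-128-cbc once normally and once with the AES-NI and PCLMULQDQ capability bits masked out through OpenSSL's OPENSSL_ia32cap environment variable, then compares the largest-block-size column. If both runs land at roughly the same figure, OpenSSL on that box is not using the instructions, whatever the BIOS and pfSense GUI say. The script name aesni_check.sh is an assumption.

```shell
#!/bin/sh
# aesni_check.sh (hypothetical name) - compare aes-128-cbc throughput in
# OpenSSL with AES-NI available versus AES-NI masked out.

# Print the throughput (thousands of bytes per second, "k" suffix removed)
# from the largest block-size column of `openssl speed -evp aes-128-cbc`
# output read on stdin. Bulk VPN traffic behaves like the large-block case.
last_column_kbytes() {
    awk '/^aes-128-cbc/ { v = $NF; sub(/k$/, "", v); print v }'
}

# Convert a "k" figure (kB/s) to Mb/s: kB/s * 8 bits / 1000.
kbytes_to_mbps() {
    awk -v k="$1" 'BEGIN { printf "%.0f\n", k * 8 / 1000 }'
}

# Ratio of two "k" figures, one decimal place.
speedup_ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", a / b }'
}

# Run the benchmark; $1 is an optional OPENSSL_ia32cap mask. The mask
# "~0x200000200000000" clears bit 57 (AES-NI) and bit 33 (PCLMULQDQ) of the
# CPUID capability vector, which is the documented way to make OpenSSL fall
# back to its software AES implementation.
bench_aes128cbc() {
    if [ -n "$1" ]; then
        OPENSSL_ia32cap="$1" openssl speed -evp aes-128-cbc 2>/dev/null
    else
        openssl speed -evp aes-128-cbc 2>/dev/null
    fi | last_column_kbytes
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH" >&2
        return 1
    fi
    with=$(bench_aes128cbc "")
    without=$(bench_aes128cbc "~0x200000200000000")
    echo "aes-128-cbc, AES-NI available: $(kbytes_to_mbps "$with") Mb/s"
    echo "aes-128-cbc, AES-NI masked:    $(kbytes_to_mbps "$without") Mb/s"
    # A ratio near 1.0 means the instructions are not actually being used.
    echo "speedup: $(speedup_ratio "$with" "$without")x"
}

# Only benchmark when explicitly asked, e.g. `sh aesni_check.sh run`.
case "${1:-}" in run) main ;; esac
```

Each full benchmark takes several seconds per block size, so expect the two runs to add up to well over half a minute on a small appliance.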
-
Read this:
https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni
Performance Improvement
The performance improvement expected with the use of AES-NI would depend on the applications and how much of the application time is spent in encryption and decryption. At the algorithm level, using AES-NI can provide significant speedup of AES. For non-parallel modes of AES operation such as CBC-encrypt, AES-NI can provide a 2-3 fold gain in performance over a completely software approach. For parallelizable modes such as CBC-decrypt and CTR, AES-NI can provide a 10x improvement over software solutions.