Netgate Discussion Forum
    Aesni.ko needed?

    6 Posts 2 Posters 2.3k Views
    • Pippin

      Hi, trying to understand,

      System/ Advanced/ Miscellaneous - Cryptographic Hardware
      Set to None, kldstat shows aesni.ko not loaded.
      Set to AES-NI, kldstat shows aesni.ko loaded.

      In OpenVPN there is this setting, VPN/ OpenVPN/ Servers/ Edit - Hardware Crypto
      1. Does this setting need aesni.ko?
      2. How can one know if hardware crypto is actually being used?
      3. Does BSD crypto engine in OpenVPN need aesni.ko?

      Tests I have done with OpenVPN, client->PFS->client (WAN<->LAN) show very little difference.
      Both settings off
      [  4]  0.00-30.01  sec  538 MBytes  150 Mbits/sec

      Only System/ Advanced/ Miscellaneous - Cryptographic Hardware -> AES-NI
      [  4]  0.00-30.01  sec  570 MBytes  159 Mbits/sec

      Only VPN/ OpenVPN/ Servers/ Edit - Hardware Crypto -> BSD crypto engine
      [  4]  0.00-30.01  sec  571 MBytes  160 Mbits/sec

      Both AES-NI + BSD crypto engine
      [  4]  0.00-30.01  sec  561 MBytes  157 Mbits/sec

      4. According to top, CPU peaks to 90-100% but mostly around 75% in all tests. Should that burden not be lighter when hardware crypto is being used?

      Trying to find where the bottleneck or maybe my mistake is.

      Thanks.

      I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
      Halton Arp

      • Guest

        Source thread
        From the thread shown under the link above, you will be able to get more information about that point,
        about encryption or AES-NI and Intel QAT.

        The following statements are matching:

        • OpenSSL is using AES-NI
          OpenVPN is much more constrained by the tun/tap architecture than it is by crypto.
          The other issue is that the HMAC (SHA-N, MD5) isn't accelerated by AES-NI, and it's pretty slow on a core.

        • OpenVPN is using OpenSSL
          Avoiding this requires either a crypto accelerator that can accelerate these (such as QuickAssist) or running an AEAD mode (such as the AES-GCM modes we put in FreeBSD/pfSense for IPsec).

        • OpenVPN is using AES-CBC
          AES-CBC is accelerated by AES-NI.  The issue is that the HMAC is not.  This is one of the two reasons why AES-GCM is faster.

        • OpenVPN has no AES-GCM and no Intel QAT support at the moment
          You're wrong.  QuickAssist support should be available in 2016.

        So in OpenVPN 2.4 HMAC (AES-GCM) will be there or inside, and during the year 2016 in pfSense version 2.4
        it could really be that Intel QuickAssist support will also be available.

        DevSummit 2016
        Intel QuickAssist driver update

        1. Does this setting need aesni.ko?

        This should be answered by someone from the staff.

        2. How can one know if hardware crypto is actually being used?

        • If AES-NI presence is detected it will be used automatically by OpenSSL, and OpenSSL is used by OpenVPN;
          perhaps this might be changing now at this time (version 2.3)

        3. Does BSD crypto engine in OpenVPN need aesni.ko?

        I guess not, it is using the raw CPU power. Please don't forget that cryptographic things are not
        even allowed in all countries to be used by private persons or by anyone.

        4. According to top, CPU peaks to 90-100% but mostly around 75% in all tests. Should that burden not be lighter when hardware crypto is being used?

        Yes and no! It should really be offloading the CPU from cryptographic tasks and the entire math work, to be
        able to do more other things with that power. If you use perhaps IPSec together with AES-GCM instead of
        OpenVPN you will be able to see and feel more gain and support from the AES-NI instruction registers of your CPU.
        Nearly 400% can be gained from an IPSec tunnel compared to without AES-NI, but OpenVPN will only be able to
        since the usage of AES-GCM too.

        Trying to find where the bottleneck or maybe my mistake is.

        IPSec together with AES-NI or wait until the Intel QAT is out later this year.

        • Pippin

          Hi Frank,

          Thank you for the pointers, I know them and also the info they give, and I think they do not explain the outcome of my tests; please let me know how I can test in a better way  :)
          About OpenVPN 2.4 I know, so now and then I take a peek at the OVPN mailing lists.

          1. Does this setting need aesni.ko?
          This should be answered by someone from the staff.

          Upfront, my knowledge is limited but from my tests it looks like aesni.ko does not improve substantially/at all.
          That is why I'm trying to find the reason, just trying to understand.

          If AES-NI presence is detected it will be used automatically by OpenSSL and OpenSSL is used by OpenVPN

          Yes, I know, but how to see whether it's being used or not, and is aesni.ko needed for that to happen?
          Waiting staff here… ;D

          I guess not to be so, its using the raw CPU power

          What I see in testing is the same CPU power being used, regardless of any setting!
          Throughput is nearly the same in all tests when using encryption.
          Unfortunately I could not find a htop pack because with top I see no ocf threads in any test I did.

          Without control/data channel encryption, 270 Mbits/sec is achieved with the same CPU power.
          Without OpenVPN 945 Mbits/sec is achieved with much less CPU power.

          cryptographic things are not even in all countries

          In Germany that is surely not a problem, is it?  ;D

          Thanks.


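One way to settle question 2 without OpenVPN in the way, added here as an example and not part of the thread: benchmark OpenSSL's AES-128-CBC (the cipher under discussion) normally and then with the AES-NI capability bit masked off through OpenSSL's documented OPENSSL_ia32cap variable; a large gap shows the normal run was using AES-NI, which OpenSSL does directly without aesni.ko (the kernel module only serves the cryptodev/OCF path behind the "BSD crypto engine" option). The 150% verdict threshold and the sample result line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: is OpenSSL actually using AES-NI?
# Run "openssl speed -evp aes-128-cbc" twice, the second time with AES-NI masked
# off via OPENSSL_ia32cap (bit 57 = 0x200000000000000, OpenSSL's documented AES-NI
# bit). A much slower masked run means the normal run was using AES-NI.
# No aesni.ko is involved: OpenSSL executes the CPU instructions itself.

# Pull the largest-block column (kB/s, rightmost) out of one "openssl speed" result
# line, e.g. "aes-128-cbc  612345.67k  823456.78k  901234.56k  934567.89k  945678.90k"
speed_kbps() {
    printf '%s\n' "$1" | awk '{ sub(/k$/, "", $NF); print int($NF) }'
}

# Integer percentage of AES-NI-on throughput relative to AES-NI-masked throughput
speedup_percent() {
    [ "$2" -gt 0 ] || { echo "masked throughput is zero" >&2; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Threshold is an assumption: AES-NI gains for AES-CBC are typically several
# hundred percent, so a ratio under 150% means the instructions were not in play.
aesni_verdict() {
    if [ "$1" -ge 150 ]; then echo "aesni-in-use"; else echo "aesni-not-in-use"; fi
}

# Live check on a pfSense/FreeBSD (or any OpenSSL-equipped) box.
live_check() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    mods=$(kldstat 2>/dev/null | grep -c 'aesni\.ko' || true)
    echo "aesni.ko loaded: ${mods:-0} (0 is fine for OpenSSL's own AES-NI path)"
    on=$(openssl speed -evp aes-128-cbc 2>/dev/null | grep '^aes-128-cbc')
    off=$(OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-128-cbc 2>/dev/null \
          | grep '^aes-128-cbc')
    on_k=$(speed_kbps "$on"); off_k=$(speed_kbps "$off")
    pct=$(speedup_percent "$on_k" "$off_k") || return 1
    echo "AES-NI on: ${on_k} kB/s, masked: ${off_k} kB/s, ratio: ${pct}% -> $(aesni_verdict "$pct")"
}

# Run the live benchmark only when asked (takes about 20 s): sh aesni_check.sh --live
if [ "${1:-}" = "--live" ]; then live_check; fi
```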
          • Pippin

            Ok, found this post:
            https://forum.pfsense.org/index.php?topic=91974.0

            Seems that when aesni.ko is loaded, OpenSSL will use that instead of on SoC.

            So I will not load the module and not set BSD crypto engine as further testing showed that not using these two gives the most consistent results.

            I think that the CPU is the cap, or my laptop. Unfortunately I don't have another more powerful machine to test, but who knows in the future…

            But still one thing puzzles me, when setting, cipher none and auth none, then 270 Mbits/sec is the max compared to 945 Mbits/sec without OpenVPN. All tests were done using no compression...

            Thanks.


            • Guest

              Ok, found this post:
              https://forum.pfsense.org/index.php?topic=91974.0

              It is from 2015 and now we have the year 2016 and version 2.3, please don't forget this!

              I will not load the module and not set BSD crypto engine as further testing showed that not using these two gives the most consistent results.

              Because something is done in software, it must not be really bad or worse than other things.

              But still one thing puzzles me, when setting, cipher none and auth none, then 270 Mbits/sec is the max compared to 945 Mbits/sec without OpenVPN. All tests were done using no compression…

              I would say it is more normal than not.

              • Pippin

                @BlueKobold:

                Because something is done in software, it must not be really bad or worse than other things.

                It's not really about bad/more bad, but more about what's going on under the hood (and my lack of understanding).

                Thanks


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.