Hi JT,

Thanks for the followup with your test results.

> It looks like a C2358 benefits more from having AES-NI enabled than an
> i3-6100 does.

Yes, and kind of makes sense.

Also keep in mind the WireGuard VPN does not use AES, but rather ChaCha20-Poly1305 which leverages off the x86_64 CPU's SSSE3 and AVX instructions for additional performance.

BTW, It is amazing how much faster the Core i3-6100U is from an Atom D525 ... by the simple numbers, same number of cores and hyper threading, i3-6100U clock is less than 2x faster, but a 100 Mbps WireGuard tunnel endpoint takes about 20-25% CPU for the D525, but only 3-5% CPU on the i3-6100U.

Lonnie

> On Feb 5, 2019, at 10:11 PM, authenti...@gmail.com wrote:
>
> Thanks Lonnie. Just for reference, here are my numbers:
>
> pbx ~ # system-vendor
> Lanner FW-7525B NIC x4
>
> pbx ~ # openssl speed -elapsed -evp aes-128-cbc
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc     153712.42k   235672.87k   282781.53k   297832.45k   302000.81k
>
> ## Disable AES-NI detection
> pbx ~ # OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc      31603.19k    34203.54k    35166.63k    35390.46k    35485.01k
>
> It looks like a C2358 benefits more from having AES-NI enabled than an
> i3-6100 does.
>
> OpenVPN:
>
> pbx ~ # openvpn --genkey --secret /tmp/secret
> pbx ~ # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
> Tue Jan 29 19:39:58 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
>
> real    0m33.698s
> user    0m33.618s
> sys     0m0.011s
>
> This is close to the results on the FW-7525B documentation page, and close to
> the results from FreeBSD:
>
> [2.3.5-RELEASE][root@pfSense.localdomain]/root: openvpn --genkey --secret /tmp/secret
> [2.3.5-RELEASE][root@pfSense.localdomain]/root: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
> 31.633u 0.039s 0:31.69 99.9% 747+177k 0+0io 1pf+0w
>
> JT
>
> On Sun, Jan 27, 2019 at 4:12 AM <astlinux-users-requ...@lists.sourceforge.net> wrote:
>
> Message: 1
> Date: Sat, 26 Jan 2019 09:57:37 -0600
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Enabling AES
> Message-ID: <9f84d368-3e15-4983-a155-5d798ae0b...@lonnie.abelbeck.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi JT,
>
> I can't explain the differences between different OpenSSL versions on
> different platforms (Linux vs. FreeBSD), but there is a way to artificially
> disable the AES-NI detection by setting OPENSSL_ia32cap="~0x200000200000000"
> to disable AES-NI usage.
>
> For Example:
>
> pbx ~ # system-vendor
> Qotom Q530G6 CPU i3-6100U NIC x6
>
> pbx ~ # openssl speed -elapsed -evp aes-128-cbc
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc     732389.02k   806448.32k   822415.19k   826271.40k   832817.83k
>
> ## Disable AES-NI detection
> pbx ~ # OPENSSL_ia32cap="~0x200000200000000" openssl speed -elapsed -evp aes-128-cbc
> ...
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-cbc     213826.86k   224500.25k   227550.04k   229667.16k   229709.14k
>
> About a 3.5x improvement with AES-NI enabled, as is the default.
>
> If you are comparing with pfSense, try a more real-world test, testing more
> than just the AES-NI ...
>
> pbx ~ # openvpn --genkey --secret /tmp/secret
> pbx ~ # time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
> Sat Jan 26 09:39:25 2019 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
>
> real    0m11.413s
>
> BTW, I read the pfSense forums from time to time, and there is a lot of
> confusion loading the "aesni-intel" (FreeBSD name may be different) kernel
> module and using the "cryptodev" engine, as using the CPU's native AES-NI is
> faster, but often confusing in the pfSense configuration.
>
> Lonnie
>
> > On Jan 25, 2019, at 11:54 PM, authenti...@gmail.com wrote:
> >
> > Thank you Lonnie. Yes, I'm using the 64-bit image, version 1.3.4, on a
> > Lanner FW-7525B.
> >
> > The reason I asked about enabling AES is because in Astlinux, openssl does
> > not show the AES engine:
> >
> > =================
> >
> > pbx ~ # openssl engine -t -c
> > (rdrand) Intel RDRAND engine
> >  [RAND]
> >      [ available ]
> > (dynamic) Dynamic engine loading support
> >      [ unavailable ]
> > pbx ~ # openssl speed -evp aes-128-cbc
> > Doing aes-128-cbc for 3s on 16 size blocks: 28745427 aes-128-cbc's in 2.99s
> > Doing aes-128-cbc for 3s on 64 size blocks: 11017736 aes-128-cbc's in 3.00s
> > Doing aes-128-cbc for 3s on 256 size blocks: 3308167 aes-128-cbc's in 2.99s
> > Doing aes-128-cbc for 3s on 1024 size blocks: 871322 aes-128-cbc's in 3.00s
> > Doing aes-128-cbc for 3s on 8192 size blocks: 110518 aes-128-cbc's in 2.99s
> > OpenSSL 1.0.2p 14 Aug 2018
> > built on: reproducible build, date unspecified
> > options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> > compiler: /var/lib/astlinux/tags/1.3.4/output/host/usr/bin/x86_64-unknown-linux-gnu-gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pipe -Os -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
> > The 'numbers' are in 1000s of bytes per second processed.
> > type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> > aes-128-cbc     153821.68k   235045.03k   283241.05k   297411.24k   302797.14k
> >
> > =================
> >
> > Running pfSense on the same machine, openssl shows the AES engine, and
> > gives much faster numbers:
> >
> > =================
> >
> > [2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl engine -t -c
> > (cryptodev) BSD cryptodev engine
> >  [RSA, DSA, DH, AES-128-CBC, AES-192-CBC, AES-256-CBC]
> >      [ available ]
> > (rsax) RSAX engine support
> >  [RSA]
> >      [ available ]
> > (rdrand) Intel RDRAND engine
> >  [RAND]
> >      [ available ]
> > (dynamic) Dynamic engine loading support
> >      [ unavailable ]
> > [2.3.5-RELEASE][root@pfSense.localdomain]/root: openssl speed -evp aes-128-cbc
> > Doing aes-128-cbc for 3s on 16 size blocks: 727014 aes-128-cbc's in 0.26s
> > Doing aes-128-cbc for 3s on 64 size blocks: 687421 aes-128-cbc's in 0.34s
> > Doing aes-128-cbc for 3s on 256 size blocks: 597433 aes-128-cbc's in 0.30s
> > Doing aes-128-cbc for 3s on 1024 size blocks: 388056 aes-128-cbc's in 0.16s
> > Doing aes-128-cbc for 3s on 8192 size blocks: 89167 aes-128-cbc's in 0.03s
> > OpenSSL 1.0.1s-freebsd 1 Mar 2016
> > built on: date not available
> > options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
> > compiler: clang
> > The 'numbers' are in 1000s of bytes per second processed.
> > type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> > aes-128-cbc      45118.93k   127985.29k   501966.27k  2543163.80k 23374594.05k
> >
> > =================
> >
> > What am I overlooking here? Thank you.
> >
> > JT
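
Added example, not part of the thread: without `-elapsed`, `openssl speed` divides the bytes processed by user CPU time, so a run that hands the work to the cryptodev engine reports very little time and a very large rate. The Python below recomputes both rates from the "Doing ..." lines quoted above; it assumes each run lasted its nominal 3 seconds of wall clock, and the function names are this example's own.

```python
import re

# "Doing ..." lines copied from the two `openssl speed -evp aes-128-cbc` runs
# quoted in the thread (both were run without -elapsed).
ASTLINUX = """\
Doing aes-128-cbc for 3s on 16 size blocks: 28745427 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 64 size blocks: 11017736 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 3308167 aes-128-cbc's in 2.99s
Doing aes-128-cbc for 3s on 1024 size blocks: 871322 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 110518 aes-128-cbc's in 2.99s
"""
PFSENSE = """\
Doing aes-128-cbc for 3s on 16 size blocks: 727014 aes-128-cbc's in 0.26s
Doing aes-128-cbc for 3s on 64 size blocks: 687421 aes-128-cbc's in 0.34s
Doing aes-128-cbc for 3s on 256 size blocks: 597433 aes-128-cbc's in 0.30s
Doing aes-128-cbc for 3s on 1024 size blocks: 388056 aes-128-cbc's in 0.16s
Doing aes-128-cbc for 3s on 8192 size blocks: 89167 aes-128-cbc's in 0.03s
"""

DOING = re.compile(
    r"Doing \S+ for (\d+)s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s")

def rates(text):
    """Map block size -> (k/s by reported CPU time, k/s by wall clock, CPU share)."""
    result = {}
    for m in DOING.finditer(text):
        wall, size, count, cpu = int(m[1]), int(m[2]), int(m[3]), float(m[4])
        total = size * count  # bytes encrypted during the run
        # Assumption: the run lasted the nominal timer period (`wall` seconds).
        result[size] = (total / cpu / 1000, total / wall / 1000, cpu / wall)
    return result

def offloaded(text, threshold=0.5):
    """Block sizes whose user CPU time is under `threshold` of the run time,
    i.e. most of the work was not charged to the openssl process."""
    return [size for size, (_, _, share) in rates(text).items()
            if share < threshold]

if __name__ == "__main__":
    for name, text in (("AstLinux", ASTLINUX), ("pfSense", PFSENSE)):
        for size, (by_cpu, by_wall, share) in rates(text).items():
            print(f"{name:8} {size:5}B cpu-time {by_cpu:14.2f}k "
                  f"wall {by_wall:12.2f}k cpu share {share:.2f}")
```

Under that assumption, the pfSense run at 8192-byte blocks works out to about 243485k per wall-clock second against about 301788k for the AstLinux run, and every pfSense block size is flagged by `offloaded()`.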