I was at the FreeBSD Vendor Summit last week, and raised the AES-NI
issue as important to be solved in the next six months.
The issue and fix are understood, it just needs someone to implement
it (and then, presumably, backport it to 8.3, so we can release an
update to 2.1 (2.1.1 or similar).
Did you get the sense people with the relevant skill were open to a bounty
for implementing the necessary fixes?
On Mon, Nov 11, 2013 at 1:36 PM, Jim Thompson j...@netgate.com wrote:
I was at the FreeBSD Vendor Summit last week, and raised the AES-NI
issue as important to be solved in the
I think the people with the relevant skill are willing to fix it, when
they're show that what they did (cryptdev support) doesn't provide any
benefit.
read: it's being taken care of.
On Mon, Nov 11, 2013 at 1:20 PM, Vick Khera vi...@khera.org wrote:
Did you get the sense people with the
On Wed, Nov 6, 2013 at 8:29 AM, Jim Thompson j...@netgate.com wrote:
There are reports that FreeBSD doesn't support AES-NI very well.
I'm thinking it is either zero gain, or negative gain. On pfSense
2.1-RELEASE (aka FreeBSD 8.3 with OpenSSL 1.0.1e) we see:
% /usr/local/bin/openssl speed
On Wed, Nov 6, 2013 at 11:04 AM, Thinker Rix thinke...@rocketmail.comwrote:
What do you think is the reason for your VPN traffic maxing out at 20Mpbs
(I assume that your connection is not the traffic bottle neck, right?),
although your CPUs are almost idle?
I'm fairly sure it is the office
On Thu, Nov 7, 2013 at 9:44 AM, Vick Khera vi...@khera.org wrote:
CLEARLY it is killer fast for larger blocks.
I just pondered this for a few minutes... I think openssl's summary numbers
are misleading. They give you the time per CPU seconds used. So while the
CPU is not doing the
On 11/7/2013 8:51 AM, Vick Khera wrote:
On Wed, Nov 6, 2013 at 8:29 AM, Jim Thompson j...@netgate.com
mailto:j...@netgate.com wrote:
There are reports that FreeBSD doesn't support AES-NI very well.
I'm thinking it is either zero gain, or negative gain. On pfSense
2.1-RELEASE (aka
On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle li...@pingle.org wrote:
Also see the How To Test tab and other data here:
https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdE15eHB4dndHTXZYcU1mQm9Dc3V2elEusp=sharing
The sheet could really use some more data, so anyone who has an AES-NI
On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle li...@pingle.org wrote:
The sheet could really use some more data, so anyone who has an AES-NI
capable system, feel free to run through the tests and help fill out the
sheet. :-)
/usr/bin/openssl speed -evp aes-128-cbc -elapsed
The 'numbers' are in
On 11/7/2013 10:30 AM, Vick Khera wrote:
On Thu, Nov 7, 2013 at 9:54 AM, Jim Pingle li...@pingle.org
mailto:li...@pingle.org wrote:
The sheet could really use some more data, so anyone who has an AES-NI
capable system, feel free to run through the tests and help fill out the
On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix thinke...@rocketmail.comwrote:
Would pfSense use this CPU instructions so to hardware-encrypt/decrypt all
VPN traffic (openVPN)?
Woud pfSense benefit from this in any other way, too?
pfSense lists the AES-NI as a supported option for crypto
On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
pfSense lists the AES-NI as a supported option for crypto acceleration.
pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config
setting for it.
I'm not aware if any performance testing for AES-NI on
On 2013-11-06 15:22, Vick Khera wrote:
On Wed, Nov 6, 2013 at 12:53 AM, Thinker Rix thinke...@rocketmail.com
mailto:thinke...@rocketmail.com wrote:
Would pfSense use this CPU instructions so to
hardware-encrypt/decrypt all VPN traffic (openVPN)?
Woud pfSense benefit from this in
On 2013-11-06 15:29, Jim Thompson wrote:
On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
pfSense lists the AES-NI as a supported option for crypto acceleration.
pfSense will use it for OpenVPN and IPsec if you tell it to. There's a config
setting for it.
I'm not aware if any
On Nov 6, 2013, at 8:06 AM, Thinker Rix thinke...@rocketmail.com wrote:
On 2013-11-06 15:29, Jim Thompson wrote:
On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
pfSense lists the AES-NI as a supported option for crypto acceleration.
pfSense will use it for OpenVPN and IPsec if
On Nov 6, 2013, at 1:43 PM, Jim Thompson j...@netgate.com wrote:
On Nov 6, 2013, at 8:06 AM, Thinker Rix thinke...@rocketmail.com wrote:
On 2013-11-06 15:29, Jim Thompson wrote:
On Nov 6, 2013, at 7:22, Vick Khera vi...@khera.org wrote:
pfSense lists the AES-NI as a supported option for
I have done some brief testing of AES-NI a few months back, though I
can't seem to find the results at the moment and that test environment
isn't online currently. It doesn't give the performance benefit that
it should at this time. So the immediate benefit is minimal (except
for the fact the Xeon
The issue may not be that easy to fix.
Current theory is that it's is a structural issue in cryptdev.
-- Jim
On Nov 6, 2013, at 20:59, Chris Buechler c...@pfsense.org wrote:
I have done some brief testing of AES-NI a few months back, though I
can't seem to find the results at the moment
The Xeon CPUs are almost idle.
The old Intel 32-bit Pentium 4 2.4GHz dual core server, however is the other
end of that IPSEC tunnel. It's unlikely to be as idle as the Xeon.
-- Jim
On Nov 6, 2013, at 8:04, Thinker Rix thinke...@rocketmail.com wrote:
On 2013-11-06 15:22, Vick Khera
Hello all,
as I am planning to buy new hardware for pfSense, I was wondering if it
is worthy to buy a CPU that supports AES new instructions, i.e.
hardware-support for AES encyption.
Would pfSense use this CPU instructions so to hardware-encrypt/decrypt
all VPN traffic (openVPN)?
Woud
20 matches
Mail list logo