Re: [tor-relays] Does Tor work with Intel QAT acceleration
Hi,

to saturate most of this bandwidth, you would perhaps like to run multiple tor instances, because a single-core tor is mostly CPU-bottlenecked. 2x tor per single IPv4 is allowed for now.

In current C tor we only have minimal TLS options:

    # HardwareAccel
    HardwareAccel 0|1
    # If non-zero, try to use built-in (static) crypto hardware acceleration when
    # available. Can not be changed while tor is running. (Default: 0)
    HardwareAccel 1

    # AccelName
    AccelName __NAME__
    # When using OpenSSL hardware crypto acceleration attempt to load the dynamic
    # engine of this name. This must be used for any dynamic hardware engine.
    # Names can be verified with the openssl engine command. Can not be changed
    # while tor is running.

List 'em with: openssl engine -vv

    # AccelDir
    AccelDir __DIR__
    # Specify this option if using dynamic hardware acceleration and the engine
    # implementation library resides somewhere other than the OpenSSL default.
    # Can not be changed while tor is running.

Good luck with setting up acceleration if even possible in current versions?

Andreas Bollhalder:

> Hi all
>
> I have my first Tor relay up and running. It's currently installed on a little desktop computer with an Intel i5 9500T CPU. My Internet connection is 10Gb/s symmetric. From this bandwidth, I would be able to spend a good part for supporting the Tor network.
>
> With that little machine, it seems that it would max out somewhere at ~30 MBytes/s. For my definitive Tor relay hardware, I'm currently researching some options, which would be capable of handling Tor traffic at the rate of 200 to 300MBytes. Even it would be used nowadays, but who knows what's coming in the future and I hope this relay would last 5 years or so.
>
> It looks to me, that with a normal CPU, it's impossible to reach my goal. But then I encountered, that Intel has the Quick Assist Technology (QAT) integrated in some of their products (ie. Atom C3xx8). This QAT can be used with OpenSSL as a hardware accelerator for encryption. There also exist dedicated PCIe cards with QAT (ie. Netgate CPIC-8955).
>
> Searching the Internet, I couldn't find any information if QAT would be helpful with Tor. But Tor uses the OpenSSL library and this can use the QAT acceleration. Is there anyone who has tried this and can share his experience?
>
> Thanks in advance
> Andreas

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
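Added example (not part of the original message, and not code from the Tor Project): a POSIX shell check built on the options quoted above. It reads `openssl engine -vv` output for an exact engine id before emitting AccelName/AccelDir lines, and matches the aes CPU flag as a whole word rather than a substring. The sample listings, the engine id qatengine and the directory /opt/qat/engines are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `openssl engine -vv` output (not captured from a real
# host). The engine id "qatengine" is an assumption used for illustration.
SAMPLE_ENGINES='(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
     SO_PATH: Specifies the path to the new ENGINE shared library
(qatengine) Reference implementation of QAT crypto engine'

# Constructed /proc/cpuinfo excerpts: one with the aes flag, one whose only
# match for the substring "aes" sits inside another flag name.
SAMPLE_CPU_AES='flags           : fpu vme sse2 pclmulqdq aes xsave avx'
SAMPLE_CPU_NOAES='flags           : fpu vme sse2 vaes xsave'

# Print one engine id per line from `openssl engine` output on stdin.
# Only "(id) description" lines count; indented -vv detail lines are skipped.
list_engine_ids() {
    sed -n 's/^(\([^)]*\)).*/\1/p'
}

# Succeed only if engine id $1 appears, as an exact match, in the listing on stdin.
engine_listed() {
    list_engine_ids | grep -Fx -- "$1" >/dev/null
}

# Succeed if the cpuinfo text on stdin has "aes" as a whole word on a flags line.
has_aesni() {
    grep -E '^flags[[:space:]]*:(.*[[:space:]])?aes([[:space:]]|$)' >/dev/null
}

# torrc_accel LISTING [NAME [DIR]]
# Print a torrc fragment. With no NAME only the static HardwareAccel line is
# emitted. With a NAME, the engine must be present in LISTING, otherwise
# nothing is printed and the function fails.
torrc_accel() {
    listing=$1
    name=${2:-}
    dir=${3:-}
    if [ -n "$name" ] && ! printf '%s\n' "$listing" | engine_listed "$name"; then
        echo "engine '$name' not in openssl engine listing; not writing AccelName" >&2
        return 1
    fi
    echo "HardwareAccel 1"
    if [ -n "$name" ]; then
        echo "AccelName $name"
        if [ -n "$dir" ]; then
            echo "AccelDir $dir"
        fi
    fi
}

# Demo on the constructed samples. On a real host, pass the output of
# `openssl engine -vv` as LISTING and pipe /proc/cpuinfo into has_aesni.
torrc_accel "$SAMPLE_ENGINES" qatengine /opt/qat/engines
```

As the quoted option descriptions state, these settings cannot be changed while tor is running, so a generated fragment only takes effect after a restart.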
Re: [tor-relays] Does Tor work with Intel QAT acceleration
On 12.04.2022 at 16:23, Bauruine wrote:

> The tor-spec [1] shows that Tor only uses RSA with 1024 Bit Keys and the ciphersuites only contain AES CBC and no AES GCM ones. I'm not an expert but it looks like it's not that useful for Tor.

Yes and no? The limitation only applies to the Tor protocol crypto itself, afaik. Tor does relay-to-relay in-protocol crypto inside an outer TLS channel, and the latter is currently using GCM, afaik:

http://eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/tpo/core/tor/-/blob/main/src/lib/tls/tortls_openssl.c#L415
Re: [tor-relays] Does Tor work with Intel QAT acceleration
Hello Stefan

Wow, that's very well researched. I still didn't get that deep into this. So it really seems there is no special hardware which helps with Tor besides AES-NI, high CPU clock and a good NIC with good drivers.

Yes, I have two instances running. Would be great to have IPv6-only Tor instances. But I know that it's currently not supported...

Greetings
Andreas

On Tuesday, April 12, 2022 16:23 CEST, Bauruine wrote:

> Hi Andreas
>
> According to [0] QAT supports:
>
> * RSA with 2048, 3072, and 4096 bit keys
> * ECDH for the Montgomery Curve X25519 and NIST Prime Curves P-256 and P-384
> * ECDSA for the NIST Prime Curves P-256 and P-384
> * AES-GCM with 128, 192, and 256 bit keys
>
> The tor-spec [1] shows that Tor only uses RSA with 1024 Bit Keys and the ciphersuites only contain AES CBC and no AES GCM ones. I'm not an expert but it looks like it's not that useful for Tor.
>
> Tor doesn't scale well with multiple CPU cores but you can run 2 relays per IP to better use your hardware. On Debian / Ubuntu you can use tor-instance-create to create multiple relays on the same host.
>
> [0]: https://www.intel.com/content/www/us/en/developer/articles/guide/building-software-acceleration-features-in-the-intel-qat-engine-for-openssl.html
> [1]: https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt
>
> Regards
> Stefan
Re: [tor-relays] Does Tor work with Intel QAT acceleration
Hello Alex

On Tuesday, April 12, 2022 16:19 CEST, "Alex Xu (Hello71)" wrote:

> If you don't already have a QAT device, I would not suggest getting one specifically for Tor. In particular, Tor doesn't spend very much time actually doing AES. It's mostly overhead from cell processing, TCP, small packets, etc. Additionally, because Tor uses a large number of relatively low-bandwidth connections, it will mostly send small chunks to the hardware engine, which is not particularly efficient.
>
> In the future, it may be possible to use KTLS, in which case QAT might actually improve performance quite a bit. However, there are a number of blockers to this, including that it messes with Tor's bandwidth limiting.

That's great advice I can really appreciate. So I better look for a good CPU / NIC combination and will have a look at the sysctl parameters some have posted. If KTLS would get supported, maybe multi-threading will come too in another step...

Would be nice to have this sort of information in the FAQ on the Tor project website. But hopefully, one with the same idea will now find this thread by searching the web as I couldn't.

Have a good day
Andreas
Re: [tor-relays] Does Tor work with Intel QAT acceleration
Hi Andreas

According to [0] QAT supports:

* RSA with 2048, 3072, and 4096 bit keys
* ECDH for the Montgomery Curve X25519 and NIST Prime Curves P-256 and P-384
* ECDSA for the NIST Prime Curves P-256 and P-384
* AES-GCM with 128, 192, and 256 bit keys

The tor-spec [1] shows that Tor only uses RSA with 1024 Bit Keys and the ciphersuites only contain AES CBC and no AES GCM ones. I'm not an expert but it looks like it's not that useful for Tor.

Tor doesn't scale well with multiple CPU cores but you can run 2 relays per IP to better use your hardware. On Debian / Ubuntu you can use tor-instance-create to create multiple relays on the same host.

[0]: https://www.intel.com/content/www/us/en/developer/articles/guide/building-software-acceleration-features-in-the-intel-qat-engine-for-openssl.html
[1]: https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt

Regards
Stefan

On 11.04.22 21:13, Andreas Bollhalder wrote:

> Hello Kevin
>
> Thanks a lot for your response.
>
> 1) Regarding the speedtest, my firewall is limiting the speed to around 6.5Gbit/s. It's a fanless device and not capable to let me use the full 10Gbit/s. I host my hardware in my living room and can't install more powerful, because it would be too noisy and too big... My wife and kids will kill me :-)
>
> 2) For the NIC currently in use: it's an Intel I219-LM (rev 10). Maybe there are better models around. But I don't believe they would lower the CPU usage by magnitude(s). But I'll let myself be educated if I'm wrong.
>
> 3) The CPU in use has the AES-NI flag set in "/proc/cpuinfo". So a little acceleration is already in use.
>
> In the old days when using pfSense on a PC Engines Alix, I was using a mini PCI crypto accelerator card. And it could double or triple the OpenVPN speed. So it seemed to me that QAT could do the same for Tor.
>
> Andreas
Re: [tor-relays] Does Tor work with Intel QAT acceleration
Excerpts from Andreas Bollhalder's message of April 12, 2022 2:12 am:

> Hello Alex
>
> Thank you for your nice hint to QAT_Engine.
>
> Yes, in theory it really seems to be possible. Looking at the Github repo of the QAT_Engine, it looks like there are still some issues with OpenSSL 3.0:
>
> Support for QAT HW ECX, QAT SW ECX, QAT HW PRF and QAT HW HKDF is disabled when built against OpenSSL 3.0 due to known issues instead it uses non-accelerated implementation from OpenSSL.
>
> I'm on Ubuntu 20.04, so I should be still using OpenSSL 1.x. There are plans for switching to OpenSSL 3.0 in Ubuntu 22.04. We'll see...
>
> So, one really has to test and I need to think about it. Wouldn't be a cheap test, but if this platform can give me a medium power system (~50W) and great speed, then it's definitely what I'm looking for. Otherwise I would prefer a Ryzen like the 5750GE.
>
> Andreas

If you don't already have a QAT device, I would not suggest getting one specifically for Tor. In particular, Tor doesn't spend very much time actually doing AES. It's mostly overhead from cell processing, TCP, small packets, etc. Additionally, because Tor uses a large number of relatively low-bandwidth connections, it will mostly send small chunks to the hardware engine, which is not particularly efficient.

In the future, it may be possible to use KTLS, in which case QAT might actually improve performance quite a bit. However, there are a number of blockers to this, including that it messes with Tor's bandwidth limiting.
Re: [tor-relays] Does Tor work with Intel QAT acceleration
Hello Alex

Thank you for your nice hint to QAT_Engine.

Yes, in theory it really seems to be possible. Looking at the Github repo of the QAT_Engine, it looks like there are still some issues with OpenSSL 3.0:

Support for QAT HW ECX, QAT SW ECX, QAT HW PRF and QAT HW HKDF is disabled when built against OpenSSL 3.0 due to known issues instead it uses non-accelerated implementation from OpenSSL.

I'm on Ubuntu 20.04, so I should be still using OpenSSL 1.x. There are plans for switching to OpenSSL 3.0 in Ubuntu 22.04. We'll see...

So, one really has to test and I need to think about it. Wouldn't be a cheap test, but if this platform can give me a medium power system (~50W) and great speed, then it's definitely what I'm looking for. Otherwise I would prefer a Ryzen like the 5750GE.

Andreas

On Tuesday, April 12, 2022 03:42 CEST, Alex Xu wrote:

> In theory, you should be able to enable QAT with "HardwareAccel 1" on OpenSSL 1.x after installing https://github.com/intel/QAT_Engine. I'm not sure about the process for OpenSSL 3.0; I believe it involves editing OPENSSLDIR/openssl.cnf.
Re: [tor-relays] Does Tor work with Intel QAT acceleration
Hello Kevin

Thanks a lot for your response.

1) Regarding the speedtest, my firewall is limiting the speed to around 6.5Gbit/s. It's a fanless device and not capable to let me use the full 10Gbit/s. I host my hardware in my living room and can't install more powerful, because it would be too noisy and too big... My wife and kids will kill me :-)

2) For the NIC currently in use: it's an Intel I219-LM (rev 10). Maybe there are better models around. But I don't believe they would lower the CPU usage by magnitude(s). But I'll let myself be educated if I'm wrong.

3) The CPU in use has the AES-NI flag set in "/proc/cpuinfo". So a little acceleration is already in use.

In the old days when using pfSense on a PC Engines Alix, I was using a mini PCI crypto accelerator card. And it could double or triple the OpenVPN speed. So it seemed to me that QAT could do the same for Tor.

Andreas

On Monday, April 11, 2022 15:58 CEST, Thoughts wrote:

> Two suggestions:
>
> 1) Run speedtest (https://www.speedtest.net) from behind your firewall and verify your actual bandwidth (or at least get a good approximation).
>
> 2) Check the brand of NIC in your current machine. Intel NICs are reportedly much more efficient than RealTek for handling large numbers of packets - which is why they are recommended for most firewall machines. Suspect that logic would apply for a Tor Relay as well.
>
> Suspect you also want a CPU with AES-NI support. Check the specs on the web, AES-NI should be called out. "cat /proc/cpuinfo | grep aes" will also tell you if you're running some flavor of linux.
>
> Kevin
>
> ps. Dig around on the web for firewall hardware recommendations. I know I've seen some tables on throughput for pfsense, shouldn't be too hard to find and might throw some light on the situation.
>
> pps. Very jealous of your connectivity!
Re: [tor-relays] Does Tor work with Intel QAT acceleration
Two suggestions:

1) Run speedtest (https://www.speedtest.net) from behind your firewall and verify your actual bandwidth (or at least get a good approximation).

2) Check the brand of NIC in your current machine. Intel NICs are reportedly much more efficient than RealTek for handling large numbers of packets - which is why they are recommended for most firewall machines. Suspect that logic would apply for a Tor Relay as well.

Suspect you also want a CPU with AES-NI support. Check the specs on the web, AES-NI should be called out. "cat /proc/cpuinfo | grep aes" will also tell you if you're running some flavor of linux.

Kevin

ps. Dig around on the web for firewall hardware recommendations. I know I've seen some tables on throughput for pfsense, shouldn't be too hard to find and might throw some light on the situation.

pps. Very jealous of your connectivity!

On 4/10/2022 2:32 PM, Andreas Bollhalder wrote:

> Hi all
>
> I have my first Tor relay up and running. It's currently installed on a little desktop computer with an Intel i5 9500T CPU. My Internet connection is 10Gb/s symmetric. From this bandwidth, I would be able to spend a good part for supporting the Tor network.
>
> With that little machine, it seems that it would max out somewhere at ~30 MBytes/s. For my definitive Tor relay hardware, I'm currently researching some options, which would be capable of handling Tor traffic at the rate of 200 to 300MBytes. Even it would be used nowadays, but who knows what's coming in the future and I hope this relay would last 5 years or so.
>
> It looks to me, that with a normal CPU, it's impossible to reach my goal. But then I encountered, that Intel has the Quick Assist Technology (QAT) integrated in some of their products (ie. Atom C3xx8). This QAT can be used with OpenSSL as a hardware accelerator for encryption. There also exist dedicated PCIe cards with QAT (ie. Netgate CPIC-8955).
>
> Searching the Internet, I couldn't find any information if QAT would be helpful with Tor. But Tor uses the OpenSSL library and this can use the QAT acceleration. Is there anyone who has tried this and can share his experience?
>
> Thanks in advance
> Andreas
[tor-relays] Does Tor work with Intel QAT acceleration
Hi all

I have my first Tor relay up and running. It's currently installed on a little desktop computer with an Intel i5 9500T CPU. My Internet connection is 10Gb/s symmetric. From this bandwidth, I would be able to spend a good part for supporting the Tor network.

With that little machine, it seems that it would max out somewhere at ~30 MBytes/s. For my definitive Tor relay hardware, I'm currently researching some options, which would be capable of handling Tor traffic at the rate of 200 to 300MBytes. Even it would be used nowadays, but who knows what's coming in the future and I hope this relay would last 5 years or so.

It looks to me, that with a normal CPU, it's impossible to reach my goal. But then I encountered, that Intel has the Quick Assist Technology (QAT) integrated in some of their products (ie. Atom C3xx8). This QAT can be used with OpenSSL as a hardware accelerator for encryption. There also exist dedicated PCIe cards with QAT (ie. Netgate CPIC-8955).

Searching the Internet, I couldn't find any information if QAT would be helpful with Tor. But Tor uses the OpenSSL library and this can use the QAT acceleration. Is there anyone who has tried this and can share his experience?

Thanks in advance
Andreas