Discussion:
[pfSense] Configs or hardware?
Michael Munger
2018-02-15 14:14:27 UTC
Permalink
TL; DR.

On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.

Who's got working configs / hardware combos that do 1Gbps easily?

Background.

I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.

There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
--
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
***@highpoweredhelp.com <mailto:***@highpoweredhelp.com>
Eero Volotinen
2018-02-15 14:28:23 UTC
Permalink
Hi,

This hardware can do gigabit (wirespeed) NAT/FW

https://www.amazon.com/gp/product/B016VHBA7C (tested on my home, using
symmetric gigabit line...)

but, I we use NetGate SG-8860 on our main offices:

https://www.voleatech.de/en/product/sg-8860-1u/?gclid=EAIaIQobChMIlbTj5o-o2QIVBJ8bCh1phgmKEAAYASAAEgKuzPD_BwE

Eero
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
--
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Eric W
2018-02-15 14:48:10 UTC
Permalink
I have an optiplex 970 (possibly 980, don’t recall) with 16GB RAM and a quad port Intel NIC that handles gigabit fiber with no issues at all. I managed to order a knockoff NIC (half the thing’s from eBay), so I’m surprised it’s performing this well, but it’s been rock solid. Granted it’s for home use, but my TV and phones are all handled via my network connection and I’ve had no issues and for things like that, it would be noticeable.

Sent from Der Isenphonen
Post by Eero Volotinen
Hi,
This hardware can do gigabit (wirespeed) NAT/FW
https://www.amazon.com/gp/product/B016VHBA7C (tested on my home, using
symmetric gigabit line...)
https://www.voleatech.de/en/product/sg-8860-1u/?gclid=EAIaIQobChMIlbTj5o-o2QIVBJ8bCh1phgmKEAAYASAAEgKuzPD_BwE
Eero
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
--
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Eric W
2018-02-15 14:51:08 UTC
Permalink
Also, this is an incredibly common question on the pfSense forums. (Not trying to be condescending, just stating.) I racked my mind trying to figure something out when, like you said, it’s a solved problem. Basically, get a reasonably powered computer and put some real Intel NICs in it and you’ll likely be fine. The processor you get will be decided based on what packages you’re running. My i7 is overkill, but it was also free.

Sent from Der Isenphonen
Post by Eero Volotinen
Hi,
This hardware can do gigabit (wirespeed) NAT/FW
https://www.amazon.com/gp/product/B016VHBA7C (tested on my home, using
symmetric gigabit line...)
https://www.voleatech.de/en/product/sg-8860-1u/?gclid=EAIaIQobChMIlbTj5o-o2QIVBJ8bCh1phgmKEAAYASAAEgKuzPD_BwE
Eero
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
--
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Joe Landman
2018-02-15 15:05:01 UTC
Permalink
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
My home pfSense system is a 16GB ram, 4 core Intel E3-1220 with a quad
port i350-t4 card.  I moved over to it yesterday from the VM I had been
using.  Performance difference is striking.  Best effort out of the VM
was about 44Mb/s for download on a 1Gb line.  Raw port was about 660
Mb/s.  "New" (old from Ebay) unit is about 800 Mb/s +/- some.

As you get to higher bit rates, you need a) sufficient processor power,
b) sufficiently powerful NIC hardware to offload the CPU for things the
CPU doesn't do as well as the NIC.  I expect to keep this combo going
until we get multi Gigabit service in our area.
Post by Michael Munger
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
This unit is a cheap version of the small 1U boxen I used at my previous
$dayjob for compute cluster/file system clients.  They were testing
boxes, not too powerful for the high end of compute/networking (40Gb
Infiniband), but able to drive load.  Lower spec boxes can't generally
hack high data rates for any number of reasons.
--
Joe Landman
t: @hpcjoe
g: https://github.com/joelandman
Ivo Tonev
2018-02-15 15:07:24 UTC
Permalink
Try increasing network buffers via "system tunables".
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
--
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Kyle Marek
2018-02-15 16:37:29 UTC
Permalink
This board does round-up gigabit (something like 976 Mb/s) in both
directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/

The key for me here was the interrupt coalescence of these particular
Intel NICs. A very similar board with Broadcom NICs that lacked this
feature maxed out the interrupt handler's CPU usage on Linux when
surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
interface; 1 Gb/s out on another).

A potential downside is no AES-NI, which will affect any AES-utilizing
VPNs that you need to operate at gigabit speeds. I have no benchmarks at
the moment but can measure if this is necessary for you.
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
Eero Volotinen
2018-02-15 16:55:18 UTC
Permalink
Please note that next pfsense will not install hardware that is not
supporting aes-ni?

Eero
Post by Kyle Marek
This board does round-up gigabit (something like 976 Mb/s) in both
directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/
The key for me here was the interrupt coalescence of these particular
Intel NICs. A very similar board with Broadcom NICs that lacked this
feature maxed out the interrupt handler's CPU usage on Linux when
surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
interface; 1 Gb/s out on another).
A potential downside is no AES-NI, which will affect any AES-utilizing
VPNs that you need to operate at gigabit speeds. I have no benchmarks at
the moment but can measure if this is necessary for you.
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Kyle Marek
2018-02-15 17:01:13 UTC
Permalink
I have not had such an issue. Using 2.4.2 with System Information widget
saying "AES-NI CPU Crypto: No".
Post by Eero Volotinen
Please note that next pfsense will not install hardware that is not
supporting aes-ni?
Eero
Post by Kyle Marek
This board does round-up gigabit (something like 976 Mb/s) in both
directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/
The key for me here was the interrupt coalescence of these particular
Intel NICs. A very similar board with Broadcom NICs that lacked this
feature maxed out the interrupt handler's CPU usage on Linux when
surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
interface; 1 Gb/s out on another).
A potential downside is no AES-NI, which will affect any AES-utilizing
VPNs that you need to operate at gigabit speeds. I have no benchmarks at
the moment but can measure if this is necessary for you.
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or the
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem directly,
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like), but
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Eero Volotinen
2018-02-15 17:14:00 UTC
Permalink
Well. Next version of pfsense (2.5) will not install into hardware that
does not support AES-NI,
so buying such hardware is not wise ?

Eero
Post by Kyle Marek
I have not had such an issue. Using 2.4.2 with System Information widget
saying "AES-NI CPU Crypto: No".
Post by Eero Volotinen
Please note that next pfsense will not install hardware that is not
supporting aes-ni?
Eero
Post by Kyle Marek
This board does round-up gigabit (something like 976 Mb/s) in both
directions on all 4 interfaces: https://www.amazon.com/dp/B00XNR4HE2/
The key for me here was the interrupt coalescence of these particular
Intel NICs. A very similar board with Broadcom NICs that lacked this
feature maxed out the interrupt handler's CPU usage on Linux when
surpassing the forwarding of a single 1 Gb/s stream (1 Gb/s in on one
interface; 1 Gb/s out on another).
A potential downside is no AES-NI, which will affect any AES-utilizing
VPNs that you need to operate at gigabit speeds. I have no benchmarks at
the moment but can measure if this is necessary for you.
Post by Michael Munger
TL; DR.
On 1Gbps downloads, our pfSense firewalls are performing poorly with
speed tests of ~400Mbps. It's either pfSense configs (not likely) or
the
Post by Eero Volotinen
Post by Kyle Marek
Post by Michael Munger
hardware (more likely). I do not want to buy a commercial box. For our
corporate network, we use HP DL360s, so zero problem there.I need
something that is the size of a router, but can do 1Gbps with pfSense.
Who's got working configs / hardware combos that do 1Gbps easily?
Background.
I've been using Alix boards (APU1D4 as of late). The problem is: these
boards seem to top out at 400Mbps download. I have several clients who
have gigabit fiber connections, and they have been complaining to the
ISP that their service is slow. When they connect to the modem
directly,
Post by Eero Volotinen
Post by Kyle Marek
Post by Michael Munger
they get 1G download. When they go through the pfSense firewall we put
together using these Alix boards from PC engines, it drops to ~400Mbps.
There are several competing "router boards" (Microtik and the like),
but
Post by Eero Volotinen
Post by Kyle Marek
Post by Michael Munger
I have zero experience with them, I don't know if they will run pfSense
or if they will do the speed. The Alix + pfSense combo has been GREAT
for many years. If I change to something else, I don't want to go
through growing pains since I figure this is a solved problem, and
someone on this list knows / has a recommendation.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Edwin Pers
2018-02-15 17:18:07 UTC
Permalink
I believe I read somewhere that the new version that requires aes-ni will be 3.x, and they plan to continue the 2.x line alongside it, as 3.x will be a major rewrite


-Ed

-----Original Message-----
From: List [mailto:list-***@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Thursday, February 15, 2018 12:14 PM
To: Kyle Marek <***@gmail.com>
Cc: pfSense Support and Discussion Mailing List <***@lists.pfsense.org>
Subject: Re: [pfSense] Configs or hardware?

Well. Next version of pfsense (2.5) will not install into hardware that does not support AES-NI, so buying such hardware is not wise ?

Eero
Eero Volotinen
2018-02-15 17:20:40 UTC
Permalink
Well:

https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are talking
about 2.5 not 3.x ?

"While we’re not revealing the extent of our plans, we do want to give
early notice that, in order to support the increased cryptographic loads
that we see as part of pfSense verison 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI. On
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one found on
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
used to increase performance of the AES algorithm on these platforms."


Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires aes-ni will
be 3.x, and they plan to continue the 2.x line alongside it, as 3.x will be
a major rewrite
-Ed
-----Original Message-----
Sent: Thursday, February 15, 2018 12:14 PM
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into hardware that
does not support AES-NI, so buying such hardware is not wise ?
Eero
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Kyle Marek
2018-02-15 17:37:50 UTC
Permalink
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...

I shame Netgate for such an artificial limitation...

Thank you for the information.
Post by Eero Volotinen
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are talking
about 2.5 not 3.x ?
"While we’re not revealing the extent of our plans, we do want to give
early notice that, in order to support the increased cryptographic loads
that we see as part of pfSense verison 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI. On
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one found on
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
used to increase performance of the AES algorithm on these platforms."
Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires aes-ni will
be 3.x, and they plan to continue the 2.x line alongside it, as 3.x will be
a major rewrite
-Ed
-----Original Message-----
Sent: Thursday, February 15, 2018 12:14 PM
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into hardware that
does not support AES-NI, so buying such hardware is not wise ?
Eero
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Walter Parker
2018-02-15 18:39:47 UTC
Permalink
Well, both Intel and AMD starting shipping the AES-NI instructions 8 years
ago...

How long does a project need to wait before it can require a feature found
on all major x64 processors? Waiting 8-9 years seems reasonable to me.

Given the fact that the project is only supporting 64-bit and suggests
using a modern processor this requirement should be a non issue for most
users.

The only place where the AES-NI instructions are not found is in a small
number of embedded/dev boards using older Celeron processors.


Walter
Post by Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...
I shame Netgate for such an artificial limitation...
Thank you for the information.
Post by Eero Volotinen
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
talking
Post by Eero Volotinen
about 2.5 not 3.x ?
"While we’re not revealing the extent of our plans, we do want to give
early notice that, in order to support the increased cryptographic loads
that we see as part of pfSense verison 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI. On
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one found on
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
used to increase performance of the AES algorithm on these platforms."
Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires aes-ni
will
Post by Eero Volotinen
Post by Edwin Pers
be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
will be
Post by Eero Volotinen
Post by Edwin Pers
a major rewrite
-Ed
-----Original Message-----
Sent: Thursday, February 15, 2018 12:14 PM
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into hardware that
does not support AES-NI, so buying such hardware is not wise ?
Eero
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
Eero Volotinen
2018-02-15 18:44:14 UTC
Permalink
something like that. (very cheap) Celeron J1900 firewall devices are not
supporting aes-ni.

Eero
Post by Walter Parker
Well, both Intel and AMD starting shipping the AES-NI instructions 8 years
ago...
How long does a project need to wait before it can require a feature found
on all major x64 processors? Waiting 8-9 years seems reasonable to me.
Given the fact that the project is only supporting 64-bit and suggests
using a modern processor this requirement should be a non issue for most
users.
The only place where the AES-NI instructions are not found is in a small
number of embedded/dev boards using older Celeron processors.
Walter
Post by Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...
I shame Netgate for such an artificial limitation...
Thank you for the information.
Post by Eero Volotinen
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
talking
Post by Eero Volotinen
about 2.5 not 3.x ?
"While we’re not revealing the extent of our plans, we do want to give
early notice that, in order to support the increased cryptographic
loads
Post by Kyle Marek
Post by Eero Volotinen
that we see as part of pfSense verison 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI. On
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one found
on
Post by Kyle Marek
Post by Eero Volotinen
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8
CPUs
Post by Kyle Marek
Post by Eero Volotinen
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can
be
Post by Kyle Marek
Post by Eero Volotinen
used to increase performance of the AES algorithm on these platforms."
Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires aes-ni
will
Post by Eero Volotinen
Post by Edwin Pers
be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
will be
Post by Eero Volotinen
Post by Edwin Pers
a major rewrite
-Ed
-----Original Message-----
Sent: Thursday, February 15, 2018 12:14 PM
Cc: pfSense Support and Discussion Mailing List <
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into hardware
that
Post by Kyle Marek
Post by Eero Volotinen
Post by Edwin Pers
does not support AES-NI, so buying such hardware is not wise ?
Eero
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Kyle Marek
2018-02-15 20:11:15 UTC
Permalink
I think you're missing the point that software support exists; pfSense
supports software AES *now*, and this is being removed. New technology
is cool; things not working anymore is not.

Anyway, what are are other projects such as the TLS libraries doing
about this? Is hardware acceleration really the only solution?
Post by Walter Parker
Well, both Intel and AMD starting shipping the AES-NI instructions 8 years
ago...
How long does a project need to wait before it can require a feature found
on all major x64 processors? Waiting 8-9 years seems reasonable to me.
Given the fact that the project is only supporting 64-bit and suggests
using a modern processor this requirement should be a non issue for most
users.
The only place where the AES-NI instructions are not found is in a small
number of embedded/dev boards using older Celeron processors.
Walter
Post by Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...
I shame Netgate for such an artificial limitation...
Thank you for the information.
Post by Eero Volotinen
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
talking
Post by Eero Volotinen
about 2.5 not 3.x ?
"While we’re not revealing the extent of our plans, we do want to give
early notice that, in order to support the increased cryptographic loads
that we see as part of pfSense verison 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI. On
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one found on
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
used to increase performance of the AES algorithm on these platforms."
Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires aes-ni
will
Post by Eero Volotinen
Post by Edwin Pers
be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
will be
Post by Eero Volotinen
Post by Edwin Pers
a major rewrite
-Ed
-----Original Message-----
Sent: Thursday, February 15, 2018 12:14 PM
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into hardware that
does not support AES-NI, so buying such hardware is not wise ?
Eero
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Kyle Marek
2018-02-16 00:47:51 UTC
Permalink
Mr. Marek,
I think you may be missing the point that this is about 2.5 and the RESTCONF interface, not any kind of VPN.
I became aware of this after reading the follow up post.
https://www.netgate.com/blog/more-on-aes-ni.html <https://www.netgate.com/blog/more-on-aes-ni.html>
Read the whole thing, please, and please remember that this was our attempt to explain what is coming for future pfSense, well before it would occur.
There is a whole rewrite that needs to occur for 2.5. All the PHP goes away, and, as we did with the 2.3 -> 2.4 transition, which eliminated support for 32-bit Intel), and we promised to continue to release 2.3 images for 32-bit Intel for at least a year past the date of 2.4.0-RELEASE, we are also on record for support the 2.4 series for at least a year after the 2.5.0-RELEASE.
As I understand, pfSense uses OpenSSL to implement these functions that
utilize AES-NI. Is slow bulk throughput the only reason why OpenSSL's
software implementations are not being allowed?
So many people want to make this about Netgate attempting to sell more appliances. This is not true, and anyone looking critically at the assertion would see the fallacy of it. I will attempt to outline why.
It’s now early 2018, and, unknown to us (or anyone else in the FreeBSD community) before December last year, Meltdown and Spectre are here. While the appliance model of pfSense is, as far as we can tell, unaffected by these (unless you load software from strange places), we’re committed to fixing them anyway. This will include support for 32-bit Intel on the 2.3 series as FreeBSD (our upstream) implements and releases same.
And, none too subtly, the Spectre attacks are (non-crypto) cache-timing attacks. Point-in-fact, the AES cache-timing attack that I referenced last May is, indeed, referenced on the first page of the Spectre paper.
https://spectreattack.com/spectre.pdf
I understand that Netgate offers support for non-Netgate hardware.
What did anyone running 2.3 on a 32-bit Intel or AMD CPU pay Netgate for this continued support?
Nothing.
So assume that a miracle occurs, and a year from now we have a 2.5.0-RELEASE on 15-Feb-2019. This would mean that the 2.4 series of pfSense software would continue to be supported until at least 15-Feb-2020.
What did anyone running 2.4 on a 64-bit Intel or AMD CPU that doesn’t implement AES-NI pay Netgate for this continued support?
Again, nothing.
I'm failing to see why any additional effort is needed to support
non-AES-NI AES implementations considering OpenSSL is implementing it.
Now remember that 2.5 is unlikely to occur by 15-Feb-2019, and thus 2.4 will continue to be supported beyond 15-Feb-2020. Were we to get a 2.5.0-RELEASE by 1 May 2019, 2.4.x would be supported until 1 May 2020, and this is three years after the initial announcement that 2.5 would require a CPU with AES-NI (or other hardware crypto offload. I’ll note that ARM8v CPUs have instructions similar to AES-NI, and that the ARM appliances released by Netgate have crypto offload available.)
So if the goal was to somehow coerce people into buying new appliances, it’s not working until at least then, and even then, all that occurs if you choose to remain on 2.4 is that some bugs won’t be fixed.
So your “shame” Mr. Marek, while noted, is, in my view, specious. I’ve documented the cache-timing attacks possible against AES-GCM, and you haven’t countered these.
I’ve explained (on the forum and elsewhere) that the bit sliced AES implementation in OpenSSL is too slow, and you haven’t countered these, either. Warning: some implementations look fast until you realize that they’re only fast on large (say 2048 byte) blocks, and that they don’t “scale down” (a 576 byte payload takes exactly the same amount of time.)
I’ll note that one can make a bit sliced AES implementation go faster with AVX instructions, but then one also has AES-NI, so the point is moot.
So any *shame*, Mr. Marek would be if I knowingly and willing put the security of the pfSense community at risk lest I be attacked.
To be clear, this has not occurred.
I apologize for my comments of shaming. I was under the impression that
this was a meritless artificial limitation rather than any kind of
support burden. However, I still don't understand why the existing
software solutions are insufficient in any way besides throughput.

I cannot counter the attack possibility, but I would like to ask: is
this unsolvable without hardware acceleration?
I side with Mr. Parker here. How long does a project have to wait before demanding certain features for future revisions, assuming it gives adequate warning to the existing and future users of that project? I’ll note that you didn’t answer his question.
I never answered the question because I did not think the answer or the
question was relevant. Until today, it was my understanding that AES-NI
was simply to improve throughput of applications utilizing AES. I had
previously not been presented with anything to indicate that it helps
with any security issues such as the timing attacks discussed here.

However, to address the question in some way, I do agree that features
like this should be taken advantage of as much as possible. However,
unlike other advances such as x86 to x86_64, AES-NI does not create any
new functionality that did not already exist. Until the security
benefits have been presented, I did not see any use case where AES-NI
would be necessary over the software implementation.

I would like to point out that AES-NI is not "in everything" since 2008
as previously indicated. While I understand these may not fall under the
"all major x64 processors" category, Intel has launched CPUs without
AES-NI within the past couple of years.

See:
https://ark.intel.com/Search/FeatureFilter?productType=processors&AESTech=false&BornOnDate=Q4%2716
And, finally, Mr. Volotinen called it exactly. We announced this in May last year, so that those buying hardware in the now would know about the future requirements. Anyone buying hardware now can make an informed decision as to if they want to buy or otherwise obtain a platform for pfSense that supports AES-NI, or not. Either will work as long as they are running a 2.4.x release of pfSense, and, as above, 2.4 has a plan that includes support until, at least, 2020.
This is acceptable. It just also just sucks, and I understand it must be
faced.

This is, however, beyond just replacing some networking equipment, as I
have to replace my primary VM host due to CPU replacements supporting
AES-NI not existing. Before knowing that the AES-NI requirement was to
address the timing attack, I felt as if I have to pay for new hardware
due to Netgate not "wanting" non-AES-NI AES implementations being
utilized. Until this, I have not exactly had software support issues
with even this aging hardware.

I understand that a lot of people are effectively threatening to switch
to OpnSense due to this, but I fear that I will *have to* if I can't
replace my hardware by the time support for software AES ends entirely.

See:
https://ark.intel.com/Search/FeatureFilter?productType=processors&SocketsSupported=LGA771&AESTech=true


I thank you for addressing this with me. I appreciate your conduct with
me despite my comment.
Jim
Post by Kyle Marek
I think you're missing the point that software support exists; pfSense
supports software AES *now*, and this is being removed. New technology
is cool; things not working anymore is not.
Anyway, what are are other projects such as the TLS libraries doing
about this? Is hardware acceleration really the only solution?
Post by Walter Parker
Well, both Intel and AMD starting shipping the AES-NI instructions 8 years
ago...
How long does a project need to wait before it can require a feature found
on all major x64 processors? Waiting 8-9 years seems reasonable to me.
Given the fact that the project is only supporting 64-bit and suggests
using a modern processor this requirement should be a non issue for most
users.
The only place where the AES-NI instructions are not found is in a small
number of embedded/dev boards using older Celeron processors.
Walter
Post by Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...
I shame Netgate for such an artificial limitation...
Thank you for the information.
Post by Eero Volotinen
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
talking
Post by Eero Volotinen
about 2.5 not 3.x ?
"While we’re not revealing the extent of our plans, we do want to give
early notice that, in order to support the increased cryptographic loads
that we see as part of pfSense verison 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI. On
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one found on
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8 CPUs
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that can be
used to increase performance of the AES algorithm on these platforms."
Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires aes-ni
will
Post by Eero Volotinen
Post by Edwin Pers
be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
will be
Post by Eero Volotinen
Post by Edwin Pers
a major rewrite
-Ed
-----Original Message-----
Sent: Thursday, February 15, 2018 12:14 PM
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into hardware that
does not support AES-NI, so buying such hardware is not wise ?
Eero
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Walter Parker
2018-02-16 02:02:10 UTC
Permalink
I didn't say it was in everything since 2008. I said that both companies
widely released it by 2010 and that most of the x64 (64 Bit) processors
released in the past few years years do support them (except for some of
the low end systems, usually used in price constrained embedded style
processors). From the link you provided, the last server grade x64
processors without AES-NI were discontinued by 2011.

Also, the release of the AES-NI allows for systems to use cryptography
securely without a significant performance impact. I know I've heard people
argue for years that we shouldn't use HTTPS by default because it puts too
much of a load on the system. With AES-NI, this much less of an argument.

For something like OpenSSL and the software/hardware pieces of AES-NI,
managing all of the details and getting then right is not a simple process.
Just look at the number of times that OpenSSL has screwed up its own code.
Google and Amazon now have their own TLS code bases to prevent them from
having the same issues that OpenSSL has. Netgate is not a large company and
pfSense is not a large project, which means they have limited resources.
Making everything work for everyone is something that Microsoft did for
years and years. They stopped do this. Just try running Windows 10 on older
hardware. For that matter, try running old copies of Linux, FreeBSD,
Windows etc on the most recent Dell hardware (things like USB mice, SSDs,
Video don't work). It gets worse when you move to phones, were hardware may
only be supported for 1-2 years before updates stop flowing. In the mobile
phone world, this is were Apple has had longer lives than Microsoft.

Also, I can see Netgate looking at numbers (hypothetical, as I have not
seen the numbers) and see that if people put pfSense on hardware without
AES-NI and then complaining about performance. Worse, competitors could rig
the demos, and show crap results for pfSense as compared to their systems
(not the first or last time someone lied with benchmarks). With the ever
increasing speeds of networking: 100 megabit internet, 1 gig on desktop
common, 10 gig on servers not on common, 40-100 GB now found on higher end
server networks, with 2.5 and 5 gig cheap networking on way, I can see
Netgate wanting to prep for the day when AES-NI is a requirement for
encrypted traffic to keep up with speeds that people do and will expect.

I have plenty of sympathy for wanting to keep older hardware running (I too
have some 8 year old servers that don't have AES-NI). But this is why
equipment depreciates, it is supposed to be replaced when it ages out.
Given the speed increases, power savings, increased reliability, support
for newer technologies, you should be able to make a case for new hardware.
On your primary VM host, I would expect it to be at least 6 years old at a
minimum if it doesn't support AES-NI. Standard business practice is to
replace machines every 3-5 years. At the very least, add some used hardware
of only 3-5 years age that has AES-NI. Or, you know, move the firewall from
a VM to physical box that has AES-NI. Then all of your VM can continues to
run on the old server.

I view the threat of people to move the OpnSense to be largely hot air. I
think pfSense is great and and don't want to see them compromise the
project by trying to be everything to everyone. If they have to lose the
old end of the market (systems older than 6-8 years) to maintain the
standard of excellence that they have set, I'm fine with that (let OpnSense
have the bottom end of an market that costs more that it is worth). I don't
want pfSense to value growth or total support base over good quality and
newer/better systems.

Note, in 2020 (the earliest date when 2.4 could lose new support), your
main VM server would them be at least 10 years old. If you can't afford to
replace it this year, this gives you another couple of years to plan and
budget for upgrades and replacements in 2021. Modern servers are not like
houses, they are not meant to run for decades (that is one of the
differences between PCs and Mainframes).
Mr. Marek,
I think you may be missing the point that this is about 2.5 and the
RESTCONF interface, not any kind of VPN.
I became aware of this after reading the follow up post.
Yes, there are constant time implementations of AES, they’re quite slow,
https://www.netgate.com/blog/more-on-aes-ni.html <
https://www.netgate.com/blog/more-on-aes-ni.html>
Read the whole thing, please, and please remember that this was our
attempt to explain what is coming for future pfSense, well before it would
occur.
There is a whole rewrite that needs to occur for 2.5. All the PHP goes
away, and, as we did with the 2.3 -> 2.4 transition, which eliminated
support for 32-bit Intel), and we promised to continue to release 2.3
images for 32-bit Intel for at least a year past the date of 2.4.0-RELEASE,
we are also on record for support the 2.4 series for at least a year after
the 2.5.0-RELEASE.
As I understand, pfSense uses OpenSSL to implement these functions that
utilize AES-NI. Is slow bulk throughput the only reason why OpenSSL's
software implementations are not being allowed?
So many people want to make this about Netgate attempting to sell more
appliances. This is not true, and anyone looking critically at the
assertion would see the fallacy of it. I will attempt to outline why.
It’s now early 2018, and, unknown to us (or anyone else in the FreeBSD
community) before December last year, Meltdown and Spectre are here. While
the appliance model of pfSense is, as far as we can tell, unaffected by
these (unless you load software from strange places), we’re committed to
fixing them anyway. This will include support for 32-bit Intel on the 2.3
series as FreeBSD (our upstream) implements and releases same.
And, none too subtly, the Spectre attacks are (non-crypto) cache-timing
attacks. Point-in-fact, the AES cache-timing attack that I referenced last
May is, indeed, referenced on the first page of the Spectre paper.
https://spectreattack.com/spectre.pdf
I understand that Netgate offers support for non-Netgate hardware.
What did anyone running 2.3 on a 32-bit Intel or AMD CPU pay Netgate for
this continued support?
Nothing.
So assume that a miracle occurs, and a year from now we have a
2.5.0-RELEASE on 15-Feb-2019. This would mean that the 2.4 series of
pfSense software would continue to be supported until at least 15-Feb-2020.
What did anyone running 2.4 on a 64-bit Intel or AMD CPU that doesn’t
implement AES-NI pay Netgate for this continued support?
Again, nothing.
I'm failing to see why any additional effort is needed to support
non-AES-NI AES implementations considering OpenSSL is implementing it.
Now remember that 2.5 is unlikely to occur by 15-Feb-2019, and thus 2.4
will continue to be supported beyond 15-Feb-2020. Were we to get a
2.5.0-RELEASE by 1 May 2019, 2.4.x would be supported until 1 May 2020, and
this is three years after the initial announcement that 2.5 would require a
CPU with AES-NI (or other hardware crypto offload. I’ll note that ARM8v
CPUs have instructions similar to AES-NI, and that the ARM appliances
released by Netgate have crypto offload available.)
So if the goal was to somehow coerce people into buying new appliances,
it’s not working until at least then, and even then, all that occurs if you
choose to remain on 2.4 is that some bugs won’t be fixed.
So your “shame” Mr. Marek, while noted, is, in my view, specious. I’ve
documented the cache-timing attacks possible against AES-GCM, and you
haven’t countered these.
I’ve explained (on the forum and elsewhere) that the bit sliced AES
implementation in OpenSSL is too slow, and you haven’t countered these,
either. Warning: some implementations look fast until you realize that
they’re only fast on large (say 2048 byte) blocks, and that they don’t
“scale down” (a 576 byte payload takes exactly the same amount of time.)
I’ll note that one can make a bit sliced AES implementation go faster
with AVX instructions, but then one also has AES-NI, so the point is moot.
So any *shame*, Mr. Marek would be if I knowingly and willing put the
security of the pfSense community at risk lest I be attacked.
To be clear, this has not occurred.
I apologize for my comments of shaming. I was under the impression that
this was a meritless artificial limitation rather than any kind of
support burden. However, I still don't understand why the existing
software solutions are insufficient in any way besides throughput.
I cannot counter the attack possibility, but I would like to ask: is
this unsolvable without hardware acceleration?
I side with Mr. Parker here. How long does a project have to wait
before demanding certain features for future revisions, assuming it gives
adequate warning to the existing and future users of that project? I’ll
note that you didn’t answer his question.
I never answered the question because I did not think the answer or the
question was relevant. Until today, it was my understanding that AES-NI
was simply to improve throughput of applications utilizing AES. I had
previously not been presented with anything to indicate that it helps
with any security issues such as the timing attacks discussed here.
However, to address the question in some way, I do agree that features
like this should be taken advantage of as much as possible. However,
unlike other advances such as x86 to x86_64, AES-NI does not create any
new functionality that did not already exist. Until the security
benefits have been presented, I did not see any use case where AES-NI
would be necessary over the software implementation.
I would like to point out that AES-NI is not "in everything" since 2008
as previously indicated. While I understand these may not fall under the
"all major x64 processors" category, Intel has launched CPUs without
AES-NI within the past couple of years.
https://ark.intel.com/Search/FeatureFilter?productType=
processors&AESTech=false&BornOnDate=Q4%2716
And, finally, Mr. Volotinen called it exactly. We announced this in
May last year, so that those buying hardware in the now would know about
the future requirements. Anyone buying hardware now can make an informed
decision as to if they want to buy or otherwise obtain a platform for
pfSense that supports AES-NI, or not. Either will work as long as they are
running a 2.4.x release of pfSense, and, as above, 2.4 has a plan that
includes support until, at least, 2020.
This is acceptable. It just also just sucks, and I understand it must be
faced.
This is, however, beyond just replacing some networking equipment, as I
have to replace my primary VM host due to CPU replacements supporting
AES-NI not existing. Before knowing that the AES-NI requirement was to
address the timing attack, I felt as if I have to pay for new hardware
due to Netgate not "wanting" non-AES-NI AES implementations being
utilized. Until this, I have not exactly had software support issues
with even this aging hardware.
I understand that a lot of people are effectively threatening to switch
to OpnSense due to this, but I fear that I will *have to* if I can't
replace my hardware by the time support for software AES ends entirely.
https://ark.intel.com/Search/FeatureFilter?productType=
processors&SocketsSupported=LGA771&AESTech=true
I thank you for addressing this with me. I appreciate your conduct with
me despite my comment.
Jim
Post by Kyle Marek
I think you're missing the point that software support exists; pfSense
supports software AES *now*, and this is being removed. New technology
is cool; things not working anymore is not.
Anyway, what are are other projects such as the TLS libraries doing
about this? Is hardware acceleration really the only solution?
Post by Walter Parker
Well, both Intel and AMD starting shipping the AES-NI instructions 8
years
Post by Kyle Marek
Post by Walter Parker
ago...
How long does a project need to wait before it can require a feature
found
Post by Kyle Marek
Post by Walter Parker
on all major x64 processors? Waiting 8-9 years seems reasonable to me.
Given the fact that the project is only supporting 64-bit and suggests
using a modern processor this requirement should be a non issue for
most
Post by Kyle Marek
Post by Walter Parker
users.
The only place where the AES-NI instructions are not found is in a
small
Post by Kyle Marek
Post by Walter Parker
number of embedded/dev boards using older Celeron processors.
Walter
Post by Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...
I shame Netgate for such an artificial limitation...
Thank you for the information.
Post by Eero Volotinen
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
talking
Post by Eero Volotinen
about 2.5 not 3.x ?
"While we’re not revealing the extent of our plans, we do want to
give
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
early notice that, in order to support the increased cryptographic
loads
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
that we see as part of pfSense verison 2.5, pfSense Community Edition
version 2.5 will include a requirement that the CPU supports AES-NI.
On
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one
found on
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM v8
CPUs
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that
can be
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
used to increase performance of the AES algorithm on these
platforms."
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires aes-ni
will
Post by Eero Volotinen
Post by Edwin Pers
be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
will be
Post by Eero Volotinen
Post by Edwin Pers
a major rewrite
-Ed
-----Original Message-----
Eero
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Post by Edwin Pers
Volotinen
Sent: Thursday, February 15, 2018 12:14 PM
Cc: pfSense Support and Discussion Mailing List <
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into hardware
that
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Post by Edwin Pers
does not support AES-NI, so buying such hardware is not wise ?
Eero
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
Walter Parker
2018-02-16 02:40:15 UTC
Permalink
Post by Kyle Marek
Mr. Marek,
I think you may be missing the point that this is about 2.5 and the
RESTCONF interface, not any kind of VPN.
Post by Kyle Marek
I became aware of this after reading the follow up post.
Yes, there are constant time implementations of AES, they’re quite
https://www.netgate.com/blog/more-on-aes-ni.html <
https://www.netgate.com/blog/more-on-aes-ni.html>
Post by Kyle Marek
Read the whole thing, please, and please remember that this was our
attempt to explain what is coming for future pfSense, well before it would
occur.
Post by Kyle Marek
There is a whole rewrite that needs to occur for 2.5. All the PHP goes
away, and, as we did with the 2.3 -> 2.4 transition, which eliminated
support for 32-bit Intel), and we promised to continue to release 2.3
images for 32-bit Intel for at least a year past the date of 2.4.0-RELEASE,
we are also on record for support the 2.4 series for at least a year after
the 2.5.0-RELEASE.
Post by Kyle Marek
As I understand, pfSense uses OpenSSL to implement these functions that
utilize AES-NI. Is slow bulk throughput the only reason why OpenSSL's
software implementations are not being allowed?
So many people want to make this about Netgate attempting to sell more
appliances. This is not true, and anyone looking critically at the
assertion would see the fallacy of it. I will attempt to outline why.
Post by Kyle Marek
It’s now early 2018, and, unknown to us (or anyone else in the FreeBSD
community) before December last year, Meltdown and Spectre are here. While
the appliance model of pfSense is, as far as we can tell, unaffected by
these (unless you load software from strange places), we’re committed to
fixing them anyway. This will include support for 32-bit Intel on the 2.3
series as FreeBSD (our upstream) implements and releases same.
Post by Kyle Marek
And, none too subtly, the Spectre attacks are (non-crypto) cache-timing
attacks. Point-in-fact, the AES cache-timing attack that I referenced last
May is, indeed, referenced on the first page of the Spectre paper.
Post by Kyle Marek
https://spectreattack.com/spectre.pdf
I understand that Netgate offers support for non-Netgate hardware.
True, but the “support” I’m talking about here is that we continue to
maintain, build and test new releases of 2.3 and 2.4 for a period of time.
These are available to everyone, without charge.
Post by Kyle Marek
What did anyone running 2.3 on a 32-bit Intel or AMD CPU pay Netgate
for this continued support?
Post by Kyle Marek
Nothing.
So assume that a miracle occurs, and a year from now we have a
2.5.0-RELEASE on 15-Feb-2019. This would mean that the 2.4 series of
pfSense software would continue to be supported until at least 15-Feb-2020.
Post by Kyle Marek
What did anyone running 2.4 on a 64-bit Intel or AMD CPU that doesn’t
implement AES-NI pay Netgate for this continued support?
Post by Kyle Marek
Again, nothing.
I'm failing to see why any additional effort is needed to support
non-AES-NI AES implementations considering OpenSSL is implementing it.
If AES-NI is not available, OpenSSL will either use Vector Permutation AES
(VPAES https://www.shiftleft.org/papers/vector_aes/vector_aes.pdf) or
Bit-sliced AES (BSAES https://cryptojedi.org/papers/aesbs-20090616.pdf),
provided the SSSE3 instruction set extension is available. SSSE3 was first
introduced in 2006, so there is a fair chance that this will be available
in most computers used. Both of these techniques avoid data- and
key-dependent branches and memory references, and therefore are immune to
known timing attacks. VPAES is used for CBC encrypt, ECB and "obscure"
modes like OFB, CFB, while BSAES is used for CBC decrypt, CTR and XTS.
The bit sliced (constant-time) implementation in OpenSSL could be used,
but the GUI model with RESTCONF is very (very) different. Except for the
various “monitoring” widgets and graphs, a web browser running against
today’s pfsense is all but silent until something like an “Apply” button is
pushed. With RESTCONF, things are much more “chatty”.
This means that there is more load on the box to keep things encrypted.
The bit sliced implementation in OpenSSL is slow, especially on older
processors. I’ve run it on a J1900, and it’s glacial.
As I explained in the blog post, we’re going to move 2.5 to the RESTCONF
interface. We don’t have the resources to carry both the historic PHP and
RESTCONF interfaces forward.
Post by Kyle Marek
Now remember that 2.5 is unlikely to occur by 15-Feb-2019, and thus 2.4
will continue to be supported beyond 15-Feb-2020. Were we to get a
2.5.0-RELEASE by 1 May 2019, 2.4.x would be supported until 1 May 2020, and
this is three years after the initial announcement that 2.5 would require a
CPU with AES-NI (or other hardware crypto offload. I’ll note that ARM8v
CPUs have instructions similar to AES-NI, and that the ARM appliances
released by Netgate have crypto offload available.)
Post by Kyle Marek
So if the goal was to somehow coerce people into buying new appliances,
it’s not working until at least then, and even then, all that occurs if you
choose to remain on 2.4 is that some bugs won’t be fixed.
Post by Kyle Marek
So your “shame” Mr. Marek, while noted, is, in my view, specious.
I’ve documented the cache-timing attacks possible against AES-GCM, and you
haven’t countered these.
Post by Kyle Marek
I’ve explained (on the forum and elsewhere) that the bit sliced AES
implementation in OpenSSL is too slow, and you haven’t countered these,
either. Warning: some implementations look fast until you realize that
they’re only fast on large (say 2048 byte) blocks, and that they don’t
“scale down” (a 576 byte payload takes exactly the same amount of time.)
Post by Kyle Marek
I’ll note that one can make a bit sliced AES implementation go faster
with AVX instructions, but then one also has AES-NI, so the point is moot.
Post by Kyle Marek
So any *shame*, Mr. Marek would be if I knowingly and willing put the
security of the pfSense community at risk lest I be attacked.
Post by Kyle Marek
To be clear, this has not occurred.
I apologize for my comments of shaming. I was under the impression that
this was a meritless artificial limitation rather than any kind of
Post by Kyle Marek
support burden. However, I still don't understand why the existing
software solutions are insufficient in any way besides throughput.
If they’re fast, they’re problematic from a security standpoint.
On a Westmere (so one generation forward from your Xeons), AES GCM
performs at 3.54 cycles/byte.
Compare this with 10.68 cycles/byte got bitsliced AES GCM with table
lookups (not secure) or
21.99 cycles/byte without table lookups (much more difficult to mount a
side-channel attack) as implemented in OpenSSL.
On a V4 Xeon, AES-GCM runs at 0.77 cycles/byte, and on the newest Xeon
‘Scalable’ cores, it runs at 0.65 cycles/byte.
Since we just mentioned “really new hardware”… and yes, it’s off the
subject of OpenSSL, but possibly of some interest,
With TNSR (the DPDK re-write) on AWS we’re doing 4.59 gbps IPsec
(AES-GCM-128) or 4.58 gbps IPsec (AES-CBC-128 + HMAC-SHA1) between a pair
of C5.large instances (so those same Xeon ’Scalable’ cores), using a single
core. These instances have a maximum 5 gbps single stream ‘cap’. The
traffic generator hosts used iperf3 to send traffic. Tests were run both
with a single stream and with 4 streams.
The traffic generator hosts (outside the tunnel) had their MTU adjusted
down to 1500 (from the default value of 9001). Tests with iperf3 were
invoked with a flag that set the TCP MSS to 1375 in order to ensure that
each segment sent would not exceed 1500 bytes once the encapsulation
overhead (ESP header, initialization vector, padding, integrity check
value, outer IP header) is added.
Raw (no IPsec) throughput using iperf3 was 4.79 gbps. The measurements
taken by iperf3 use the amount of data sent in the TCP payload to calculate
throughput. The 32 byte TCP header (standard 20 byte TCP header plus 10
bytes for optional field containing timestamps and 2 bytes to pad optional
fields to a multiple of 4 bytes) and 20 byte IP header on each packet are
not included in the calculation. If 52 bytes from each 1500 byte packet are
considered overhead that is not included in the measurement, the maximum
result that iperf3 could achieve on a 5 gbps link would be approximately
4.83 gbps.
Additional overhead from ESP includes 20 bytes for an outer IP header, 8
bytes for an ESP header, 2 bytes for padding length & next header type, 16
(AES-CBC) or 8 (AES-GCM) bytes for an initialization vector, and 12
(HMAC-SHA1) or 16 (AES-GCM) bytes for an integrity check value. The total
extra overhead is 58 bytes (AES-CBC HMAC-SHA1) or 54 bytes (AES-GCM). Thus,
the maximum measurement possible using iperf3 on a 5 Gbps link is 4.63 gbps
for AES-CBC-128 HMAC-SHA1 and 4.65 gbps for AES-GCM-128 ICV16.
Net-net, it’s probably faster than that, since we’re obviously hitting the
Amazon-imposed bandwidth limit. Between a pair of i7-6950s (so Broadwell
cores) we see 13.7 gbps (single-stream) AES-GCM-128 and 7.42 gbps
AES-GCM-128 + HMAC-SHA1 (again, single-stream). Adding our CPIC QAT card
gets us to 32.68/32.73 gbps respectively.
Post by Kyle Marek
I cannot counter the attack possibility, but I would like to ask: is
this unsolvable without hardware acceleration?
It has a lot to do with what one might consider “acceptable” performance
of the web gui.
Post by Kyle Marek
I side with Mr. Parker here. How long does a project have to wait
before demanding certain features for future revisions, assuming it gives
adequate warning to the existing and future users of that project? I’ll
note that you didn’t answer his question.
Post by Kyle Marek
I never answered the question because I did not think the answer or the
question was relevant. Until today, it was my understanding that AES-NI
was simply to improve throughput of applications utilizing AES. I had
previously not been presented with anything to indicate that it helps
with any security issues such as the timing attacks discussed here.
"With AES you either design, test, and verify a bitslice software
implementation, (giving up a lot of performance in the process), leverage
hardware offloads, or leave the resulting system open to several known
attacks. We have selected the “leverage hardware offloads” path. The other
two options are either unthinkable, or involve a lot of effort for
diminishing returns.”
I’ve listed the performance of the various implementations in OpenSSL
above.
Post by Kyle Marek
However, to address the question in some way, I do agree that features
like this should be taken advantage of as much as possible. However,
unlike other advances such as x86 to x86_64, AES-NI does not create any
new functionality that did not already exist. Until the security
benefits have been presented, I did not see any use case where AES-NI
would be necessary over the software implementation.
I would like to point out that AES-NI is not "in everything" since 2008
as previously indicated. While I understand these may not fall under the
"all major x64 processors" category, Intel has launched CPUs without
AES-NI within the past couple of years.
It’s true that not everything Intel and AMD have released in the last
decade has AES-NI.
Post by Kyle Marek
https://ark.intel.com/Search/FeatureFilter?productType=
processors&AESTech=false&BornOnDate=Q4%2716
Post by Kyle Marek
And, finally, Mr. Volotinen called it exactly. We announced this in
May last year, so that those buying hardware in the now would know about
the future requirements. Anyone buying hardware now can make an informed
decision as to if they want to buy or otherwise obtain a platform for
pfSense that supports AES-NI, or not. Either will work as long as they are
running a 2.4.x release of pfSense, and, as above, 2.4 has a plan that
includes support until, at least, 2020.
Post by Kyle Marek
This is acceptable. It just also just sucks, and I understand it must be
faced.
This is, however, beyond just replacing some networking equipment, as I
have to replace my primary VM host due to CPU replacements supporting
AES-NI not existing. Before knowing that the AES-NI requirement was to
address the timing attack, I felt as if I have to pay for new hardware
due to Netgate not "wanting" non-AES-NI AES implementations being
utilized. Until this, I have not exactly had software support issues
with even this aging hardware.
Nor do you now. It’s only (at least) a year after the release of 2.5 that
we’ll stop supporting 2.4, and then it’s a matter of when a security issue
or other bug that is important enough to you switch gets addressed in 2.5
but not in 2.4 might occur (gosh that’s an awful sentence, Jim).
Post by Kyle Marek
I understand that a lot of people are effectively threatening to switch
to OpnSense due to this, but I fear that I will *have to* if I can't
replace my hardware by the time support for software AES ends entirely.
People should run what suits their purpose best. Perhaps someone else
will fork pfSense and continue the 2.4 train on a different track. That’s
the beauty of open source software.
Post by Kyle Marek
https://ark.intel.com/Search/FeatureFilter?productType=
processors&SocketsSupported=LGA771&AESTech=true
Post by Kyle Marek
I thank you for addressing this with me. I appreciate your conduct with
me despite my comment.
Sure thing. I also appreciate your response here.
Thanks,
Jim
Post by Kyle Marek
Jim
Post by Kyle Marek
I think you're missing the point that software support exists; pfSense
supports software AES *now*, and this is being removed. New technology
is cool; things not working anymore is not.
Anyway, what are are other projects such as the TLS libraries doing
about this? Is hardware acceleration really the only solution?
Post by Walter Parker
Well, both Intel and AMD starting shipping the AES-NI instructions 8
years
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
ago...
How long does a project need to wait before it can require a feature
found
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
on all major x64 processors? Waiting 8-9 years seems reasonable to me.
Given the fact that the project is only supporting 64-bit and suggests
using a modern processor this requirement should be a non issue for
most
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
users.
The only place where the AES-NI instructions are not found is in a
small
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
number of embedded/dev boards using older Celeron processors.
Walter
Post by Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...
I shame Netgate for such an artificial limitation...
Thank you for the information.
Post by Eero Volotinen
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we are
talking
Post by Eero Volotinen
about 2.5 not 3.x ?
"While we’re not revealing the extent of our plans, we do want to
give
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
early notice that, in order to support the increased cryptographic
loads
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
that we see as part of pfSense verison 2.5, pfSense Community
Edition
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
version 2.5 will include a requirement that the CPU supports
AES-NI. On
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one
found on
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM
v8 CPUs
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that
can be
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
used to increase performance of the AES algorithm on these
platforms."
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires
aes-ni
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
will
Post by Eero Volotinen
Post by Edwin Pers
be 3.x, and they plan to continue the 2.x line alongside it, as 3.x
will be
Post by Eero Volotinen
Post by Edwin Pers
a major rewrite
-Ed
-----Original Message-----
Eero
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Post by Edwin Pers
Volotinen
Sent: Thursday, February 15, 2018 12:14 PM
Cc: pfSense Support and Discussion Mailing List <
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into hardware
that
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Post by Edwin Pers
does not support AES-NI, so buying such hardware is not wise ?
Eero
Well Said.

Thank you for sharing the numbers.


Walter
--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
Eero Volotinen
2018-02-19 15:10:40 UTC
Permalink
Well. Does it require so much power, that I cannot run it on intel core2
quad Q9400, 2.66Ghz processor (4 cores) ?



Eero
Post by Kyle Marek
Mr. Marek,
I think you may be missing the point that this is about 2.5 and the
RESTCONF interface, not any kind of VPN.
Post by Kyle Marek
I became aware of this after reading the follow up post.
Yes, there are constant time implementations of AES, they’re quite
https://www.netgate.com/blog/more-on-aes-ni.html <
https://www.netgate.com/blog/more-on-aes-ni.html>
Post by Kyle Marek
Read the whole thing, please, and please remember that this was our
attempt to explain what is coming for future pfSense, well before it
would
occur.
Post by Kyle Marek
There is a whole rewrite that needs to occur for 2.5. All the PHP
goes
away, and, as we did with the 2.3 -> 2.4 transition, which eliminated
support for 32-bit Intel), and we promised to continue to release 2.3
images for 32-bit Intel for at least a year past the date of
2.4.0-RELEASE,
we are also on record for support the 2.4 series for at least a year
after
the 2.5.0-RELEASE.
Post by Kyle Marek
As I understand, pfSense uses OpenSSL to implement these functions that
utilize AES-NI. Is slow bulk throughput the only reason why OpenSSL's
software implementations are not being allowed?
So many people want to make this about Netgate attempting to sell more
appliances. This is not true, and anyone looking critically at the
assertion would see the fallacy of it. I will attempt to outline why.
Post by Kyle Marek
It’s now early 2018, and, unknown to us (or anyone else in the FreeBSD
community) before December last year, Meltdown and Spectre are here.
While
the appliance model of pfSense is, as far as we can tell, unaffected by
these (unless you load software from strange places), we’re committed to
fixing them anyway. This will include support for 32-bit Intel on the
2.3
series as FreeBSD (our upstream) implements and releases same.
Post by Kyle Marek
And, none too subtly, the Spectre attacks are (non-crypto)
cache-timing
attacks. Point-in-fact, the AES cache-timing attack that I referenced
last
May is, indeed, referenced on the first page of the Spectre paper.
Post by Kyle Marek
https://spectreattack.com/spectre.pdf
I understand that Netgate offers support for non-Netgate hardware.
True, but the “support” I’m talking about here is that we continue to
maintain, build and test new releases of 2.3 and 2.4 for a period of
time.
These are available to everyone, without charge.
Post by Kyle Marek
What did anyone running 2.3 on a 32-bit Intel or AMD CPU pay Netgate
for this continued support?
Post by Kyle Marek
Nothing.
So assume that a miracle occurs, and a year from now we have a
2.5.0-RELEASE on 15-Feb-2019. This would mean that the 2.4 series of
pfSense software would continue to be supported until at least
15-Feb-2020.
Post by Kyle Marek
What did anyone running 2.4 on a 64-bit Intel or AMD CPU that doesn’t
implement AES-NI pay Netgate for this continued support?
Post by Kyle Marek
Again, nothing.
I'm failing to see why any additional effort is needed to support
non-AES-NI AES implementations considering OpenSSL is implementing it.
If AES-NI is not available, OpenSSL will either use Vector Permutation
AES
(VPAES https://www.shiftleft.org/papers/vector_aes/vector_aes.pdf) or
Bit-sliced AES (BSAES https://cryptojedi.org/papers/aesbs-20090616.pdf),
provided the SSSE3 instruction set extension is available. SSSE3 was
first
introduced in 2006, so there is a fair chance that this will be available
in most computers used. Both of these techniques avoid data- and
key-dependent branches and memory references, and therefore are immune to
known timing attacks. VPAES is used for CBC encrypt, ECB and "obscure"
modes like OFB, CFB, while BSAES is used for CBC decrypt, CTR and XTS.
The bit sliced (constant-time) implementation in OpenSSL could be used,
but the GUI model with RESTCONF is very (very) different. Except for
the
various “monitoring” widgets and graphs, a web browser running against
today’s pfsense is all but silent until something like an “Apply” button
is
pushed. With RESTCONF, things are much more “chatty”.
This means that there is more load on the box to keep things encrypted.
The bit sliced implementation in OpenSSL is slow, especially on older
processors. I’ve run it on a J1900, and it’s glacial.
As I explained in the blog post, we’re going to move 2.5 to the RESTCONF
interface. We don’t have the resources to carry both the historic PHP
and
RESTCONF interfaces forward.
Post by Kyle Marek
Now remember that 2.5 is unlikely to occur by 15-Feb-2019, and thus
2.4
will continue to be supported beyond 15-Feb-2020. Were we to get a
2.5.0-RELEASE by 1 May 2019, 2.4.x would be supported until 1 May 2020,
and
this is three years after the initial announcement that 2.5 would
require a
CPU with AES-NI (or other hardware crypto offload. I’ll note that ARM8v
CPUs have instructions similar to AES-NI, and that the ARM appliances
released by Netgate have crypto offload available.)
Post by Kyle Marek
So if the goal was to somehow coerce people into buying new
appliances,
it’s not working until at least then, and even then, all that occurs if
you
choose to remain on 2.4 is that some bugs won’t be fixed.
Post by Kyle Marek
So your “shame” Mr. Marek, while noted, is, in my view, specious.
I’ve documented the cache-timing attacks possible against AES-GCM, and
you
haven’t countered these.
Post by Kyle Marek
I’ve explained (on the forum and elsewhere) that the bit sliced AES
implementation in OpenSSL is too slow, and you haven’t countered these,
either. Warning: some implementations look fast until you realize that
they’re only fast on large (say 2048 byte) blocks, and that they don’t
“scale down” (a 576 byte payload takes exactly the same amount of time.)
Post by Kyle Marek
I’ll note that one can make a bit sliced AES implementation go faster
with AVX instructions, but then one also has AES-NI, so the point is
moot.
Post by Kyle Marek
So any *shame*, Mr. Marek would be if I knowingly and willing put the
security of the pfSense community at risk lest I be attacked.
Post by Kyle Marek
To be clear, this has not occurred.
I apologize for my comments of shaming. I was under the impression that
this was a meritless artificial limitation rather than any kind of
Post by Kyle Marek
support burden. However, I still don't understand why the existing
software solutions are insufficient in any way besides throughput.
If they’re fast, they’re problematic from a security standpoint.
On a Westmere (so one generation forward from your Xeons), AES GCM
performs at 3.54 cycles/byte.
Compare this with 10.68 cycles/byte got bitsliced AES GCM with table
lookups (not secure) or
21.99 cycles/byte without table lookups (much more difficult to mount a
side-channel attack) as implemented in OpenSSL.
On a V4 Xeon, AES-GCM runs at 0.77 cycles/byte, and on the newest Xeon
‘Scalable’ cores, it runs at 0.65 cycles/byte.
Since we just mentioned “really new hardware”… and yes, it’s off the
subject of OpenSSL, but possibly of some interest,
With TNSR (the DPDK re-write) on AWS we’re doing 4.59 gbps IPsec
(AES-GCM-128) or 4.58 gbps IPsec (AES-CBC-128 + HMAC-SHA1) between a pair
of C5.large instances (so those same Xeon ’Scalable’ cores), using a
single
core. These instances have a maximum 5 gbps single stream ‘cap’. The
traffic generator hosts used iperf3 to send traffic. Tests were run both
with a single stream and with 4 streams.
The traffic generator hosts (outside the tunnel) had their MTU adjusted
down to 1500 (from the default value of 9001). Tests with iperf3 were
invoked with a flag that set the TCP MSS to 1375 in order to ensure that
each segment sent would not exceed 1500 bytes once the encapsulation
overhead (ESP header, initialization vector, padding, integrity check
value, outer IP header) is added.
Raw (no IPsec) throughput using iperf3 was 4.79 gbps. The measurements
taken by iperf3 use the amount of data sent in the TCP payload to
calculate
throughput. The 32 byte TCP header (standard 20 byte TCP header plus 10
bytes for optional field containing timestamps and 2 bytes to pad
optional
fields to a multiple of 4 bytes) and 20 byte IP header on each packet are
not included in the calculation. If 52 bytes from each 1500 byte packet
are
considered overhead that is not included in the measurement, the maximum
result that iperf3 could achieve on a 5 gbps link would be approximately
4.83 gbps.
Additional overhead from ESP includes 20 bytes for an outer IP header, 8
bytes for an ESP header, 2 bytes for padding length & next header type,
16
(AES-CBC) or 8 (AES-GCM) bytes for an initialization vector, and 12
(HMAC-SHA1) or 16 (AES-GCM) bytes for an integrity check value. The total
extra overhead is 58 bytes (AES-CBC HMAC-SHA1) or 54 bytes (AES-GCM).
Thus,
the maximum measurement possible using iperf3 on a 5 Gbps link is 4.63
gbps
for AES-CBC-128 HMAC-SHA1 and 4.65 gbps for AES-GCM-128 ICV16.
Net-net, it’s probably faster than that, since we’re obviously hitting
the
Amazon-imposed bandwidth limit. Between a pair of i7-6950s (so Broadwell
cores) we see 13.7 gbps (single-stream) AES-GCM-128 and 7.42 gbps
AES-GCM-128 + HMAC-SHA1 (again, single-stream). Adding our CPIC QAT card
gets us to 32.68/32.73 gbps respectively.
Post by Kyle Marek
I cannot counter the attack possibility, but I would like to ask: is
this unsolvable without hardware acceleration?
It has a lot to do with what one might consider “acceptable” performance
of the web gui.
Post by Kyle Marek
I side with Mr. Parker here. How long does a project have to wait
before demanding certain features for future revisions, assuming it gives
adequate warning to the existing and future users of that project? I’ll
note that you didn’t answer his question.
Post by Kyle Marek
I never answered the question because I did not think the answer or the
question was relevant. Until today, it was my understanding that AES-NI
was simply to improve throughput of applications utilizing AES. I had
previously not been presented with anything to indicate that it helps
with any security issues such as the timing attacks discussed here.
"With AES you either design, test, and verify a bitslice software
implementation, (giving up a lot of performance in the process), leverage
hardware offloads, or leave the resulting system open to several known
attacks. We have selected the “leverage hardware offloads” path. The
other
two options are either unthinkable, or involve a lot of effort for
diminishing returns.”
I’ve listed the performance of the various implementations in OpenSSL
above.
Post by Kyle Marek
However, to address the question in some way, I do agree that features
like this should be taken advantage of as much as possible. However,
unlike other advances such as x86 to x86_64, AES-NI does not create any
new functionality that did not already exist. Until the security
benefits have been presented, I did not see any use case where AES-NI
would be necessary over the software implementation.
I would like to point out that AES-NI is not "in everything" since 2008
as previously indicated. While I understand these may not fall under
the
Post by Kyle Marek
"all major x64 processors" category, Intel has launched CPUs without
AES-NI within the past couple of years.
It’s true that not everything Intel and AMD have released in the last
decade has AES-NI.
Post by Kyle Marek
https://ark.intel.com/Search/FeatureFilter?productType=
processors&AESTech=false&BornOnDate=Q4%2716
Post by Kyle Marek
And, finally, Mr. Volotinen called it exactly. We announced this in
May last year, so that those buying hardware in the now would know about
the future requirements. Anyone buying hardware now can make an informed
decision as to if they want to buy or otherwise obtain a platform for
pfSense that supports AES-NI, or not. Either will work as long as they
are
running a 2.4.x release of pfSense, and, as above, 2.4 has a plan that
includes support until, at least, 2020.
Post by Kyle Marek
This is acceptable. It just also just sucks, and I understand it must
be
Post by Kyle Marek
faced.
This is, however, beyond just replacing some networking equipment, as I
have to replace my primary VM host due to CPU replacements supporting
AES-NI not existing. Before knowing that the AES-NI requirement was to
address the timing attack, I felt as if I have to pay for new hardware
due to Netgate not "wanting" non-AES-NI AES implementations being
utilized. Until this, I have not exactly had software support issues
with even this aging hardware.
Nor do you now. It’s only (at least) a year after the release of 2.5
that
we’ll stop supporting 2.4, and then it’s a matter of when a security
issue
or other bug that is important enough to you switch gets addressed in 2.5
but not in 2.4 might occur (gosh that’s an awful sentence, Jim).
Post by Kyle Marek
I understand that a lot of people are effectively threatening to switch
to OpnSense due to this, but I fear that I will *have to* if I can't
replace my hardware by the time support for software AES ends entirely.
People should run what suits their purpose best. Perhaps someone else
will fork pfSense and continue the 2.4 train on a different track.
That’s
the beauty of open source software.
Post by Kyle Marek
https://ark.intel.com/Search/FeatureFilter?productType=
processors&SocketsSupported=LGA771&AESTech=true
Post by Kyle Marek
I thank you for addressing this with me. I appreciate your conduct with
me despite my comment.
Sure thing. I also appreciate your response here.
Thanks,
Jim
Post by Kyle Marek
Jim
Post by Kyle Marek
I think you're missing the point that software support exists;
pfSense
Post by Kyle Marek
Post by Kyle Marek
supports software AES *now*, and this is being removed. New
technology
Post by Kyle Marek
Post by Kyle Marek
is cool; things not working anymore is not.
Anyway, what are are other projects such as the TLS libraries doing
about this? Is hardware acceleration really the only solution?
Post by Walter Parker
Well, both Intel and AMD starting shipping the AES-NI instructions 8
years
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
ago...
How long does a project need to wait before it can require a feature
found
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
on all major x64 processors? Waiting 8-9 years seems reasonable to
me.
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Given the fact that the project is only supporting 64-bit and
suggests
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
using a modern processor this requirement should be a non issue for
most
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
users.
The only place where the AES-NI instructions are not found is in a
small
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
number of embedded/dev boards using older Celeron processors.
Walter
Post by Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...
I shame Netgate for such an artificial limitation...
Thank you for the information.
Post by Eero Volotinen
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html so we
are
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
talking
Post by Eero Volotinen
about 2.5 not 3.x ?
"While we’re not revealing the extent of our plans, we do want to
give
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
early notice that, in order to support the increased cryptographic
loads
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
that we see as part of pfSense verison 2.5, pfSense Community
Edition
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
version 2.5 will include a requirement that the CPU supports
AES-NI. On
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
ARM-based systems, the additional load from AES operations will be
offloaded to on-die cryptographic accelerators, such as the one
found on
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
our SG-1000 <https://www.netgate.com/products/sg-1000.html>. ARM
v8 CPUs
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
include instructions like AES-NI
<https://www.arm.com/files/downloads/ARMv8_Architecture.pdf> that
can be
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
used to increase performance of the AES algorithm on these
platforms."
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Eero
Post by Edwin Pers
I believe I read somewhere that the new version that requires
aes-ni
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
will
Post by Eero Volotinen
Post by Edwin Pers
be 3.x, and they plan to continue the 2.x line alongside it, as
3.x
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
will be
Post by Eero Volotinen
Post by Edwin Pers
a major rewrite
-Ed
-----Original Message-----
Eero
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Post by Edwin Pers
Volotinen
Sent: Thursday, February 15, 2018 12:14 PM
Cc: pfSense Support and Discussion Mailing List <
Subject: Re: [pfSense] Configs or hardware?
Well. Next version of pfsense (2.5) will not install into
hardware
that
Post by Kyle Marek
Post by Kyle Marek
Post by Walter Parker
Post by Kyle Marek
Post by Eero Volotinen
Post by Edwin Pers
does not support AES-NI, so buying such hardware is not wise ?
Eero
Well Said.
Thank you for sharing the numbers.
Walter
--
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Paul Mather
2018-02-19 15:42:33 UTC
Permalink
Post by Eero Volotinen
Well. Does it require so much power, that I cannot run it on intel core2
quad Q9400, 2.66Ghz processor (4 cores) ?
What a curious question. It does not require "so much power" but it does require a minimum hardware spec, which that CPU will lack (no AESNI).

I can understand why people would be unhappy that their hardware becomes unsupported by a new release, but I also understand it's common in the computing industry and makes a lot of sense for Netgate to do this (reduced support costs; increased developer focus; etc.). It's nice, also, they've laid out a roadmap for doing this and telegraphed clearly how they plan to support older hardware and for how long. It's not like they just decided yesterday over a couple of pints at the pub to throw everyone without AESNI-capable CPUs under the bus right now.

I still have a CF NanoBSD-based pfSense installation running on Netgate hardware, and I appreciate they are still supporting 2.3, giving people like me time to migrate off to something else.

Cheers,

Paul.
Moshe Katz
2018-02-19 17:12:17 UTC
Permalink
Post by Paul Mather
Post by Eero Volotinen
Well. Does it require so much power, that I cannot run it on intel core2
quad Q9400, 2.66Ghz processor (4 cores) ?
What a curious question. It does not require "so much power" but it does
require a minimum hardware spec, which that CPU will lack (no AESNI).
I can understand why people would be unhappy that their hardware becomes
unsupported by a new release, but I also understand it's common in the
computing industry and makes a lot of sense for Netgate to do this (reduced
support costs; increased developer focus; etc.). It's nice, also, they've
laid out a roadmap for doing this and telegraphed clearly how they plan to
support older hardware and for how long. It's not like they just decided
yesterday over a couple of pints at the pub to throw everyone without
AESNI-capable CPUs under the bus right now.
I still have a CF NanoBSD-based pfSense installation running on Netgate
hardware, and I appreciate they are still supporting 2.3, giving people
like me time to migrate off to something else.
Cheers,
Paul.
It's also worth mentioning that the Q9400 is turning 10 years old this year.

I am a very enthusiastic proponent of reusing old computer hardware instead
of throwing it away, but there still comes a point in time at which it's
time to move on, and ten years is a very long life for commodity computing
hardware.

Moshe

--
Moshe Katz
-- ***@ymkatz.net
-- +1(301)867-3732
Eero Volotinen
2018-02-19 17:18:20 UTC
Permalink
Maybe. I think that hardware can still do full gigabit nat and firewalling.

--
Eero
Post by Paul Mather
Post by Paul Mather
Post by Eero Volotinen
Well. Does it require so much power, that I cannot run it on intel
core2
Post by Paul Mather
Post by Eero Volotinen
quad Q9400, 2.66Ghz processor (4 cores) ?
What a curious question. It does not require "so much power" but it does
require a minimum hardware spec, which that CPU will lack (no AESNI).
I can understand why people would be unhappy that their hardware becomes
unsupported by a new release, but I also understand it's common in the
computing industry and makes a lot of sense for Netgate to do this
(reduced
Post by Paul Mather
support costs; increased developer focus; etc.). It's nice, also,
they've
Post by Paul Mather
laid out a roadmap for doing this and telegraphed clearly how they plan
to
Post by Paul Mather
support older hardware and for how long. It's not like they just decided
yesterday over a couple of pints at the pub to throw everyone without
AESNI-capable CPUs under the bus right now.
I still have a CF NanoBSD-based pfSense installation running on Netgate
hardware, and I appreciate they are still supporting 2.3, giving people
like me time to migrate off to something else.
Cheers,
Paul.
It's also worth mentioning that the Q9400 is turning 10 years old this year.
I am a very enthusiastic proponent of reusing old computer hardware instead
of throwing it away, but there still comes a point in time at which it's
time to move on, and ten years is a very long life for commodity computing
hardware.
Moshe
--
Moshe Katz
-- +1(301)867-3732
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Joseph L. Casale
2018-02-15 22:15:47 UTC
Permalink
-----Original Message-----
From: List [mailto:list-***@lists.pfsense.org] On Behalf Of Kyle Marek
Sent: Thursday, February 15, 2018 10:38 AM
To: pfSense Support and Discussion Mailing List <***@lists.pfsense.org>; Eero
Volotinen <***@iki.fi>
Subject: Re: [pfSense] Configs or hardware?
Post by Kyle Marek
This is silly. I shouldn't have to replace my hardware to support a
feature I will not use...
I shame Netgate for such an artificial limitation...
Who pays the Netgate developers and employee wages? The commercial side, there
is nothing unreasonable about this or hard to comprehend. The fact we get the fruits
of the labor for free is remarkable.

So the question is, should Netgate pay their developers to maintain features that
commercial users would never desire, what would their ROI on that be. They may
be able to justify some, but obviously not this one.

I personally don't feel home owner grade hardware is worth their efforts and I certainly
don't fault them. However, that is only my opinion for what its worth...

jlc
Continue reading on narkive:
Loading...