Hi,

Dreetjeh D wrote:
> Hello,
>
> > Date: Mon, 25 Apr 2016 17:59:39 +0200
> > From: g...@greenie.muc.de
> > To: dreet...@hotmail.com
> > CC: openvpn-users@lists.sourceforge.net
> > Subject: Re: [Openvpn-users] Log AES-NI
> >
> > Hi,
> >
> > On Mon, Apr 25, 2016 at 05:09:30PM +0200, Dreetjeh D wrote:
> > > Currently when "engine cryptodev" is set, it will show up in the OpenVPN log:
> > > "Initializing OpenSSL support for engine 'cryptodev'"
> > > On my NAS I use "engine cryptodev" (Armv7 so no aesni) in config.
> > > 1. engine cryptodev is software crypto, as in not offloading from CPU?
> >
> > No idea what cryptodev can do on ARM.
>
> This NAS has hardware encryption support. I mentioned it because the log shows
> "Initializing OpenSSL support for engine 'cryptodev'"
> and in the log on pfSense I do not find for example: "Initializing OpenSSL support for engine 'AES-NI'"
> But that I understand now, thanks.
>
> > > On my new self-built router pfSense box I have AES-NI support on SoC, N3150 CPU.
> > > 2. It is hardware crypto, as in offloading from CPU?
> > > If I understand correctly, AES-NI will automatically be used by OpenSSL if available, so no need to write "engine aesni" in the config.
> >
> > Right.
> >
> > > 3. Would it be possible to log if OpenSSL is making use of AES-NI?
> >
> > We don't know - we call OpenSSL, and it will do something, and return
> > an encrypted/decrypted buffer to us.
>
> Hmm... not getting any wiser from viewing in top too...

openssl 1.0+ uses AESNI by default, unless explicitly left out during compilation. As openvpn uses libcrypto.so from openssl it will automagically pick up AESNI support or not. You can test whether openssl supports AESNI by running

    openssl speed -evp aes-256-cbc

then run

    OPENSSL_ia32cap=0 openssl speed -evp aes-256-cbc

and compare the results; on a Sandy Bridge server I get

    aes-256-cbc 265422.69k 278228.74k 281312.94k 282094.93k 282318.17k

vs

    aes-256-cbc 42954.65k 46349.97k 47233.02k 114621.78k 115927.72k

> > > In pfSense, when activating AES-NI in WebUI, a module aesni.ko gets loaded.
> > > 4. How would one know if AES-NI is actually being used, I mean looking at it in real time?
> >
> > Using AES-NI via kernel cryptodev is almost always a bad idea - because
> > it is much slower than just using the same AES-NI instructions in openssl
> > userland ("same CPU opcodes, less jump-to-kernel-and-back").
> >
> > So "just don't do that"...
>
> Ok, so I should not load that module and not write "engine something" to take advantage of AES-NI.
> The results I posted on the forum do not show a difference worth mentioning though.....
> Offloading encryption doesn't seem to do anything.
> Maybe because AES-NI is used regardless..? Could not find a related setting in BIOS.
> The only difference is between OpenVPN unencrypted vs. encrypted.
>
> I'm going to do some more tests.

Similar to the openssl command you can disable AESNI in OpenVPN by running with the OPENSSL_ia32cap env var set to 0; performance will be determined by other factors as well, however. Again, on my SB server I get an iperf performance of 200 Mbps up/down over a gigabit link without any tuning. When I run

    OPENSSL_ia32cap=0 openvpn --config ....

I get an iperf performance of ~ 192 Mbps up and down - so that's a 4 % loss. On a N3150 I'd expect the performance difference to be greater, however. When you increase the tun-mtu size (to e.g. 9000) the performance gap will widen.

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
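
The comparison described in the reply above, as an added example that is not part of the original message: a script that runs the two `openssl speed` commands and reports the speedup per block size. The function names and the `--measure` switch are hypothetical; the sample rows are the two result lines quoted in the message.

```shell
#!/bin/sh
# Added example: quantify the effect of the OPENSSL_ia32cap=0 mask on
# `openssl speed` results. Function names and --measure are hypothetical.
CIPHER="${CIPHER:-aes-256-cbc}"

# Sample input: the two result rows quoted in the message above.
SAMPLE_ON='aes-256-cbc 265422.69k 278228.74k 281312.94k 282094.93k 282318.17k'
SAMPLE_OFF='aes-256-cbc 42954.65k 46349.97k 47233.02k 114621.78k 115927.72k'

# result_line: read `openssl speed` output on stdin, print the cipher's row.
# The label is compared case-insensitively as a precaution.
result_line() {
    awk -v c="$CIPHER" 'tolower($1) == tolower(c) && $2 ~ /k$/ { row = $0 }
                        END { print row }'
}

# ratios ROW_ON ROW_OFF: speedup per block size (columns 2..NF).
# Fails if either row is missing or the column counts differ.
ratios() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { n = NF; for (i = 2; i <= NF; i++) on[i] = $i + 0 }
        NR == 2 {
            if (n < 2 || NF != n) { exit 1 }
            for (i = 2; i <= NF; i++) {
                if ($i + 0 <= 0) { exit 1 }
                printf "%s%.2f", (i > 2 ? " " : ""), on[i] / ($i + 0)
            }
            printf "\n"
        }'
}

# measure: run both benchmarks from the message and print the ratios.
measure() {
    on=$(openssl speed -evp "$CIPHER" 2>/dev/null | result_line)
    off=$(OPENSSL_ia32cap=0 openssl speed -evp "$CIPHER" 2>/dev/null | result_line)
    ratios "$on" "$off" || { echo "could not parse openssl speed output" >&2; return 1; }
}

if [ "${1:-}" = "--measure" ]; then
    measure
else
    ratios "$SAMPLE_ON" "$SAMPLE_OFF"   # offline: ratios for the quoted rows
fi
```

Ratios close to 1.00 in every column mean the mask made no measurable difference on that machine.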