Will IPSec-MB be integrated at some point?

Started by REB00T, December 29, 2023, 01:49:11 PM

pfSense managed to get some measurable performance improvements by integrating IPSec-MB. Can we expect a similar thing in a future release?


It's already added.  :P

# pkg search ipsec-mb
intel-ipsec-mb-1.5             Intel(R) Multi-Buffer Crypto for IPsec Library

Quote from: doktornotor on December 29, 2023, 03:06:31 PM
It's already added.  :P

# pkg search ipsec-mb
intel-ipsec-mb-1.5             Intel(R) Multi-Buffer Crypto for IPsec Library


I'll try it out. Thanks for pointing it out!

Quote from: REB00T on December 29, 2023, 03:26:19 PM
Quote from: doktornotor on December 29, 2023, 03:06:31 PM
It's already added.  :P

# pkg search ipsec-mb
intel-ipsec-mb-1.5             Intel(R) Multi-Buffer Crypto for IPsec Library


I'll try it out. Thanks for pointing it out!

Me too, just installed the package from the opnsense repo on a few different opnsense boxes with a S2S between them, one with IPSEC GCM and another with WG.

Hi,

Do I need to add any tunables or settings to make use of IIMB?
Intel i7-8550U - Intel I211 - RAM 16GB - NVMe 120Gb
Intel i7-5550U - Intel I211 - RAM 8GB - NVMe 50Gb

Quote from: fadern on December 29, 2023, 04:35:09 PM
Hi,

Do I need to add any tunables or settings to make use of IIMB?

fadern,

I have been messing with this and am seeing quite a big performance enhancement, but not until I added the following Tunables.

kern.crypto.iimb.enable_aescbc
kern.crypto.iimb.enable_multiq

Both set to 1

Based on the following info
https://docs.netgate.com/pfsense/en/latest/hardware/cryptographic-accelerators.html#crypto-accel-tune-ipsec-mb

I have been reading this thread as I recently have been looking into the benefits of the implementation and wanted to share what I found. I see that another member already found the PDF document from the conference (see attached).

However, I wanted to share the information I have available with everyone including the GitHub location of the Intel® Multi-Buffer Crypto for IPsec Library (a.k.a. IPsec-MB or IIMB)
=====================================================================
Intel GitHub location of the library - https://github.com/intel/intel-ipsec-mb
=====================================================================

=====================================================================
FreeBSD Port that includes the Intel Multi-Buffer Crypto Library
=====================================================================
https://www.freshports.org/security/intel-ipsec-mb/
=====================================================================
Port details
=====================================================================
intel-ipsec-mb Intel(R) Multi-Buffer Crypto for IPsec Library
=====================================================================
Last Update: 2024-02-25 13:19:43
=====================================================================
Intel Multi-Buffer Crypto for IPsec Library is highly-optimized software implementations of the core cryptographic processing for IPsec, which provides industry-leading performance on a range of Intel(R) Processors.
=====================================================================
Other Intel Links and Articles that may be relevant

Intel - Fast Multi-buffer IPsec Implementations on Intel® Architecture Processors
*Older Article that appears to go over requirements to implement and utilize library*
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/fast-multi-buffer-ipsec-implementations-ia-processors-paper.pdf


Get Started with IPsec Acceleration in the FD.io* VPP Project
https://www.intel.com/content/www/us/en/developer/articles/guide/get-started-with-ipsec-acceleration-in-the-fdio-vpp-project.html

Intel® Multi-buffer Crypto for IPsec on DPDK - Get Started
https://www.intel.com/content/www/us/en/developer/videos/intel-multi-buffer-crypto-for-ipsec-on-dpdk-get-started.html


=====================================================================
The kernel module for the Intel® Multi-Buffer Crypto for IPsec Library (a.k.a. IPsec-MB or IIMB)
IPsec-MB is not limited to accelerating IPsec, despite the name.
It leverages CPU SIMD instructions to accelerate anything using kernel crypto functions for AES-GCM-128, AES-GCM-256, AES-CBC-128, AES-CBC-256, SHA1, SHA2, and ChaCha20/Poly1305.
This includes IPsec, WireGuard, OpenVPN DCO and more.
=====================================================================

System tuning values that are directly relevant to Intel IIMB performance:
=====================================================================
kern.crypto.iimb.enable_aescbc="1" # default 1 - disabled 0 - Enables handling of AES-CBC. IIMB can be slower than QAT for CBC so this is a toggle to disable handling for AES-CBC while accelerating other algorithms so IPsec-MB and QAT can coexist in such environments. Supported on x86-64 only.
kern.crypto.iimb.enable_multiq="1" # default value determined by number of CPU cores, <=4 CPU cores = "1", 5-8 CPU cores = "2", 9+ CPU cores = "4". Value represents number of job threads, multiple queues to handle encryption jobs, i.e. each session is bound to a job thread
kern.crypto.iimb.use_engine="1" # default 1 - disable 0 - used to enable and disable iimb feature
kern.crypto.iimb.use_task="1" # default 0 - enable 1 - used to run separate task queue for running the encryption job completion callbacks.
=====================================================================


Additionally enabling kernel handling of TLS could further lower CPU utilization as TLS processes are handled directly by the kernel
=====================================================================
All three tuner values have to be enabled in order to enable TLS in kernel, TLS in Kernel is supported in FreeBSD 13.0 or newer releases
=====================================================================
kern.ipc.mb_use_ext_pgs="1"
kern.ipc.tls.enable="1"
kern.ipc.tls.ifnet.permitted="1"
=====================================================================
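The two posts above list kern.crypto.iimb.* and kern.ipc.tls.* tunables to copy into a FreeBSD-based firewall, but setting a sysctl whose kernel module is not loaded silently does nothing. The following is an added example (not code from the thread, from OPNsense, pfSense or Netgate) that checks, from captured `kldstat` and `sysctl -a` output, whether iimb.ko is loaded and which of the tunables named in the thread are actually exposed before recommending that they be applied. The tunable names are the ones quoted above; the sample dumps embedded at the bottom are constructed, not real output from any poster's box, and the helper names (`sysctl_value`, `report_tunables`, `iimb_advice`) are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check IPsec-MB (iimb) and kTLS tunables against what the
# running kernel exposes, using dumps of `kldstat` and `sysctl -a` so the check can
# also be run offline against output captured from another machine.
# Tunable names are the ones quoted in the thread; nothing here is OPNsense code.

IIMB_TUNABLES="kern.crypto.iimb.enable_aescbc kern.crypto.iimb.enable_multiq kern.crypto.iimb.use_engine kern.crypto.iimb.use_task"
KTLS_TUNABLES="kern.ipc.mb_use_ext_pgs kern.ipc.tls.enable kern.ipc.tls.ifnet.permitted"

# Look up one "name: value" line in a `sysctl -a` style dump ($1) by name ($2).
# Prints the value, or nothing if the node is not present in the dump.
sysctl_value() {
    awk -v k="$2" '$1 == (k ":") { print $2; exit }' "$1"
}

# Return 0 when a `kldstat` dump ($1) lists iimb.ko as a loaded module, 1 otherwise.
iimb_loaded() {
    grep -q '[[:space:]]iimb\.ko$' "$1"
}

# Print "name=value" for each tunable in list $2 found in dump $1, else "name missing".
report_tunables() {
    for t in $2; do
        v=$(sysctl_value "$1" "$t")
        if [ -n "$v" ]; then echo "$t=$v"; else echo "$t missing"; fi
    done
}

# Print how many tunables from list $2 are absent from dump $1 (always prints a number).
count_missing() {
    report_tunables "$1" "$2" | awk '/ missing$/ { n++ } END { print n + 0 }'
}

# Decide whether the kern.crypto.iimb.* settings from the thread can take effect:
# $1 = kldstat dump, $2 = sysctl dump. Prints "apply" or a "skip: ..." reason.
iimb_advice() {
    if ! iimb_loaded "$1"; then
        echo "skip: iimb.ko not loaded; kern.crypto.iimb.* tunables would have no effect"
    elif [ "$(count_missing "$2" "$IIMB_TUNABLES")" -ne 0 ]; then
        echo "skip: some kern.crypto.iimb.* nodes are not exposed by this kernel"
    else
        echo "apply"
    fi
}

# Constructed sample dumps (hypothetical; not output from any poster's system):
# a kernel with WireGuard loaded but no iimb.ko, and only the kTLS mbuf node set.
KLD_SAMPLE=$(mktemp)
SYSCTL_SAMPLE=$(mktemp)
printf ' 1   18 0xffffffff80200000  1f3a2c8 kernel\n 2    1 0xffffffff82800000     5a10 if_wg.ko\n' > "$KLD_SAMPLE"
printf 'kern.ipc.mb_use_ext_pgs: 1\nkern.ipc.tls.enable: 0\n' > "$SYSCTL_SAMPLE"

echo "== IPsec-MB tunables =="
report_tunables "$SYSCTL_SAMPLE" "$IIMB_TUNABLES"
echo "== kTLS tunables =="
report_tunables "$SYSCTL_SAMPLE" "$KTLS_TUNABLES"
echo "== advice =="
iimb_advice "$KLD_SAMPLE" "$SYSCTL_SAMPLE"
rm -f "$KLD_SAMPLE" "$SYSCTL_SAMPLE"
```

On a live FreeBSD-based system the same functions can be fed real dumps with `kldstat > /tmp/kld.txt` and `sysctl -a > /tmp/sysctl.txt`; with the constructed sample above the script reports every kern.crypto.iimb.* node as missing and prints a "skip" line, which is the outcome the later replies in this thread describe for OPNsense.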

Not applicable. The kernel module is available only for the paid version of the Netgate product. You can neither load it in OpnSense nor set the parameters.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

I am sorry, maybe I am misunderstanding your response but wouldn't OPNsense be able to use the FreeBSD and updated Intel Source version 1.5.1 to update or improve OPNsense support for the feature and improve overall performance?

or are you saying is not applicable? (the entire thing or just a specific part)

Seeing we work in open source we would have to currently rewrite intel-ipsec-mb as a kernel module as long as the "original" iimb.ko is not released / added to FreeBSD (ports).

As far as release engineering goes FreeBSD appears to be in no rush to release crypto optimization like their native multi-buffer support which never went to FreeBSD 13.x, but appears on 14.x even though the change was well suited for inclusion.

So... if we follow open source and FreeBSD releases... and as a general rule avoid point-zero releases like 14.0 we're looking at an adoption of FreeBSD 14.1 in the mid-term once that is out... which brings "improve overall performance" to OPNsense... just the natural and timely flow here.


Cheers,
Franco

Quote from: veritigo on May 02, 2024, 06:28:09 AM
I am sorry, maybe I am misunderstanding your response but wouldn't OPNsense be able to use the FreeBSD and updated Intel Source version 1.5.1 to update or improve OPNsense support for the feature and improve overall performance?

or are you saying is not applicable? (the entire thing or just a specific part)
The open source parts are just the library. The kernel module is closed source by Netgate and only available in their subscription editions.

OPNsense team would have to create their own kernel module from scratch. Probably not high on the priority list just now.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

May 02, 2024, 08:35:59 AM #12 Last Edit: May 02, 2024, 08:38:49 AM by meyergru
Quote from: veritigo on May 02, 2024, 06:28:09 AM
I am sorry, maybe I am misunderstanding your response but wouldn't OPNsense be able to use the FreeBSD and updated Intel Source version 1.5.1 to update or improve OPNsense support for the feature and improve overall performance?

or are you saying is not applicable? (the entire thing or just a specific part)

You cross-posted the same here and I answered in more detail there. The "information" you gave is misleading to a point where it becomes effectively plain wrong.