Rockyboa
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jul 14, 2009 10:52 pm

New RB1100 Hardware acceleration

Mon Feb 28, 2011 5:27 am

I always wonder which part of RouterOS uses Hardware Acceleration. I'm pretty sure IPsec does, but does Profile Encryption also? What about /interface ovpn-server server?

Thank you

MB
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New RB1100 Hardware acceleration

Mon Feb 28, 2011 5:45 am

This is pure conjecture on my part, but typically hardware acceleration is simply utilized by the underlying OS crypto libraries, so any facility using those libraries uses the hardware acceleration.
Not every facility - for example - implements AES or SHA all over again. They use a shared library, and that library is linked against hardware acceleration modules.
 
Rockyboa
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jul 14, 2009 10:52 pm

Re: New RB1100 Hardware acceleration

Mon Feb 28, 2011 10:57 pm

Fewi,

Yes, it would be great if MikroTik eng. could at least give more info on what would be accelerated using this hardware.

MB
 
wpeople
Member
Posts: 380
Joined: Sat May 26, 2007 6:36 pm

Re: New RB1100 Hardware acceleration

Sat Apr 09, 2011 12:16 pm

Probably I'm wrong, but SHA1 seems NOT to be accelerated.
In my test I could pass much LESS data through the VPN (AH only), which seems to utilise the CPU (50-80mbps) very highly, while with ESP AES it happily passed 200mbps (TCP) traffic with much less load.

If I'm right, AH only is header encryption, ESP is data (or) full frame encryption.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New RB1100 Hardware acceleration

Sat Apr 09, 2011 6:54 pm

ESP can still use SHA. A better comparison would be to try ESP with SHA, MD5, and null.

AH won't encrypt, but the encryption function of ESP isn't provided by hashing.
 
wpeople
Member
Posts: 380
Joined: Sat May 26, 2007 6:36 pm

Re: New RB1100 Hardware acceleration

Sat Apr 09, 2011 10:39 pm

Hmmm.
AH is Authentication Header (if I'm right, it's calculating an SHA1/MD5 hash of the header)
ESP is Frame Encryption (Encapsulating Security Payload)

This link http://wiki.mikrotik.com/wiki/Manual:IP ... algorithms says:
AH can use SHA1/MD5
ESP can use (3)DES, AES (128/192/256), Blow/TwoFish, Camellia

In fact, I don't understand what you mean with:
"AH won't encrypt, but the encryption function of ESP isn't provided by hashing"
ESP is NOT using hashing but encryption (so NO SHA1/MD5 supported).

However, I can turn the peer setting into ah/esp from esp only, if you are interested in the results.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New RB1100 Hardware acceleration

Sat Apr 09, 2011 10:51 pm

You're mistaken.

AH only provides integrity and authentication. Integrity is provided by means of hashes, either SHA1 or MD5.

ESP provides integrity, authentication, and confidentiality. Confidentiality is provided by encryption; several methods are available. 3DES and AES are the most popular. The integrity part is still provided by means of hashes, either SHA1 or MD5.

http://wiki.mikrotik.com/wiki/Manual:IP ... algorithms: see the list of authentication and encryption methods for ESP.
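
An added example, not part of the original thread or of RouterOS: the integrity value that both AH and ESP carry, computed as the truncated HMAC that standard IPsec uses (HMAC-SHA1-96 or HMAC-MD5-96), showing which bytes each protocol covers. The key, SPI, addresses and the stand-in ciphertext are constructed; the cipher is not implemented here, because encryption is a separate step from the hash.

```python
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 and HMAC-MD5-96 both truncate to 96 bits

def icv(key, data, algo):
    return hmac.new(key, data, algo).digest()[:ICV_LEN]

def ipv4_header(src, dst, proto, total_len, ttl=64):
    # Minimal 20-byte IPv4 header; checksum left at 0 (AH zeroes it anyway).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst))

def zero_mutable(hdr):
    # AH treats fields that routers change in transit as zero (RFC 4302):
    # DSCP/ECN, flags + fragment offset, TTL, header checksum.
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(key, ip_hdr, spi, seq, payload, algo="sha1"):
    # AH header (next header = TCP) with its ICV field zeroed for the computation.
    ah = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * ICV_LEN
    return icv(key, zero_mutable(ip_hdr) + ah + payload, algo)

def esp_icv(key, spi, seq, iv_and_ciphertext, algo="sha1"):
    # ESP integrity covers the ESP header and the encrypted payload only,
    # not the outer IP header.
    return icv(key, struct.pack("!II", spi, seq) + iv_and_ciphertext, algo)

# Constructed sample values (documentation addresses, made-up key and SPI).
KEY = b"constructed-auth-key"
SRC, DST = (192, 0, 2, 1), (198, 51, 100, 2)
PAYLOAD = b"constructed TCP segment"
CIPHERTEXT = bytes(range(48))  # stands in for IV + AES-CBC output

if __name__ == "__main__":
    hdr = ipv4_header(SRC, DST, 51, 20 + 24 + len(PAYLOAD))
    print("AH  HMAC-SHA1-96:", ah_icv(KEY, hdr, 0x1000, 1, PAYLOAD).hex())
    print("AH  HMAC-MD5-96: ", ah_icv(KEY, hdr, 0x1000, 1, PAYLOAD, "md5").hex())
    print("ESP HMAC-SHA1-96:", esp_icv(KEY, 0x1000, 1, CIPHERTEXT).hex())
```

Changing the TTL leaves the AH value unchanged while changing the source address does not; the ESP value never depends on the outer IP header.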
 
wpeople
Member
Posts: 380
Joined: Sat May 26, 2007 6:36 pm

Re: New RB1100 Hardware acceleration

Sat Apr 09, 2011 11:22 pm

You are right.
AH provides ONLY authentication/integrity - with hashes (SHA1 or MD5).
ESP can provide confidentiality AND/OR integrity, authentication.

As IPsec policy settings allow the following settings:
- AH
- AH & ESP
- ESP

I think (but am not sure) it means the following:
- AH: Authentication headers to be used
- AH & ESP: ESP with confidentiality and authentication/integrity
- ESP: ESP with confidentiality only

I will check what the throughput is with AH&ESP settings.
Sadly, no specification found about the encryption engine, and also no info about accelerated algorithms. It is also not mentioned whether hashing is accelerated or not.
(for example http://oldwiki.openwrt.org/HardwareAcce ... rypto.html says the BCM5365 chip supports accelerating AES, DES, HMAC-SHA1 for 75mbps, but simple SHA1 seems not to be accelerated - only supported(?))

I will check on Monday what the throughput and CPU usage are with AH / AH&ESP / ESP and post here.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: New RB1100 Hardware acceleration

Sat Apr 09, 2011 11:28 pm

I am curious what you will find.
 
wpeople
Member
Posts: 380
Joined: Sat May 26, 2007 6:36 pm

Re: New RB1100 Hardware acceleration

Mon Apr 11, 2011 2:34 pm

I've made tests for:
ESP (aes256): ~300mbps throughput (acceptable CPU usage)
AH&ESP (AH: MD5/SHA, ESP: aes256): much less, ~200mbps, and high CPU usage -> seems hashing is not accelerated

I will share screenshots and a comparison chart too.

By the way, I've made a routing throughput test as reference:
ConnTrack off: 980mbps
ConnTrack on: ~700mbps
(CPU 95-100% in both cases)

Tests were done with jperf, between 2 Windows desktop computers, no fine tuning, default frame size (which seems to be 1500byte)
 
wpeople
Member
Posts: 380
Joined: Sat May 26, 2007 6:36 pm

Re: New RB1100 Hardware acceleration

Mon Apr 11, 2011 8:57 pm

Here is the comparison chart.
The testbench can be ready for a few more tests if you want some.

Conntrack is turned off for all VPN measurements (and every other one where it is NOT noted to be turned on)