RT-AX86U Pro / AES Instruction set / Hardware-based vpn acceleration?

Skillz

Occasional Visitor
I'm currently looking into buying the AX86U Pro router and would like to get confirmation that the Pro also has hardware-based vpn acceleration.

thank you in advance :)
 
I'm currently looking into buying the AX86U Pro router and would like to get confirmation that the Pro also has hardware-based vpn acceleration.

thank you in advance :)

They all have AES instruction sets in the CPU, depending on the VPN protocol you use (wireguard is the most efficient and should be the fastest) they all have similar performance. Probably 200-250M across most of the AX routers.

More than that you need to look at an x86 based box or something with a hardware encryption card in it.
 
Thank you for confirming @drinkingbird.

Currently I'm using a Netgear R7000, which as far as I know doesn't have the hardware aes encryption, and because of this, limits my vpn speeds.

Switching to Asus (and Asuswrt-Merlin) will be a nice upgrade :)
 
They all have AES instruction sets in the CPU...
I'm not sure what "they" you are referring to. They - all AX86U Pro's, or they - all Asus routers. In the latter case, not all Asus router models currently sold have hardware AES support. I believe the AX86U Pro does though.
 
I'm not sure what "they" you are referring to. They - all AX86U Pro's, or they - all Asus routers. In the latter case, not all Asus router models currently sold have hardware AES support. I believe the AX86U Pro does though.

Was under the impression all the AX would have it but at the very least all the AX8 series should (plus a bunch of the GT ones)?

EDIT looks like anything with ARMv8 so should be AC8 series, AX8 series, and anything above that (most of the GT ones).
 
Thank you for confirming @drinkingbird.

Currently I'm using a Netgear R7000, which as far as I know doesn't have the hardware aes encryption, and because of this, limits my vpn speeds.

Switching to Asus (and Asuswrt-Merlin) will be a nice upgrade :)

Use a VPN provider that supports wireguard profile, should get you the best performance. If you have the correct MTU and MSS settings some report you might be able to get as high as 300-400. And merlin is working on (or possibly has released) a wireguard bypass so it will allow your non-VPN traffic to hit full line rate, which was an issue before (enabling VPN disabled hardware acceleration for normal traffic). Not a big concern if your ISP speed is on the lower end but 200 and up starts to become a concern.
 
So I own a r7000 no hw aes. I also have a ac86u it has hw aes. I have a gt2900 also has hw aes. And I have a ax86u pro. It also has hw aes.
 
So I own a r7000 no hw aes. I also have a ac86u it has hw aes. I have a gt2900 also has hw aes. And I have a ax86u pro. It also has hw aes.

Technically none of them really have hardware AES, they have an instruction set in the CPU that helps process it more efficiently. True hardware AES would typically be an ASIC. But yes, just nitpicking.
 
Instruction sets in the CPU are hardware AES, afaik.
 
Instruction sets in the CPU are hardware AES, afaik.

Eh, guess it is splitting hairs but I consider it more a way of telling the CPU how to handle something efficiently, which helps, but won't approach the performance of a dedicated chip (like if you look at an SED it has an extra chip on it specifically for handling the encryption). Or a Cisco router with a crypto card in it, again dedicated ASIC and CPU just for that.

For example a Cisco ASR-HX series router can do less than 1G of encryption with the main CPU but you can toss in crypto cards that will do tens of gigs at wire speed.
 
Maybe we are splitting hairs. But I just see that as different levels of hardware, in the examples you give. :)
 
Was under the impression all the AX would have it

CPUs with ARMv8 cores only. How to identify? From the current lineup - 1.8/2.0GHz CPU models only.
 
Maybe we are splitting hairs. But I just see that as different levels of hardware, in the examples you give. :)

Well in that case everything is hardware since it hits the CPU :)

I guess I'd compare it to a cheap NIC with no TCP offloading, it relies heavily (but not completely) on the main CPU. Vs a NIC with a TCP offloading ASIC on it that barely makes the CPU flinch.

I consider an instruction set to be a mini program that runs within the CPU so that the CPU doesn't have to process everything in raw machine code. Whereas an ASIC is taking that little piece of software and putting it in a chip that is designed to do that one thing only.

Or maybe you could say the instruction set is the CPU saying "can you help me do this" whereas a dedicated processor/chip/asic/whatever is it saying "hey, do this for me, let me know the result".

All totally irrelevant I guess, point is, these routers can only do so much, if you want more, you need something designed for high throughput encryption.
 
RT-AX68U
RT-AX86S/U/Pro
RT-AX88U/Pro
RT-AX92U
GT-AX6000
GT-AX11000/Pro
GT-AXE11000
GT-AXE16000
ZenWiFi Pro XT12
ZenWiFi Pro ET12
 
Just to confuse everyone even more: in addition to CPU instructions that can accelerate AES processing (which benefits OpenVPN), these routers also do have an additional hardware AES accelerator - the SPU (Security Processing Unit). However that unit's interface lives in kernel space, so it's currently mostly of benefit to IPSEC. OpenVPN residing in userland, the context switches would actually reduce throughput rather than improve it (I did a lot of testing back in the day using cryptodev + BCMSPU).

When I configured Strongswan to use the SPU, IPSEC throughput on a BCM4906 went from 133 Mbps to 250-300 Mbps.
 
Just to confuse everyone even more: in addition to CPU instructions that can accelerate AES processing (which benefits OpenVPN), these routers also do have an additional hardware AES accelerator - the SPU (Security Processing Unit). However that unit's interface lives in kernel space, so it's currently mostly of benefit to IPSEC. OpenVPN residing in userland, the context switches would actually reduce throughput rather than improve it (I did a lot of testing back in the day using cryptodev + BCMSPU).

When I configured Strongswan to use the SPU, IPSEC throughput on a BCM4906 went from 133 Mbps to 250-300 Mbps.

Interesting, so it is more than just CPU instruction sets. But wonder what exactly it can accelerate, IPSEC can obviously be configured lots of different ways, with different crypto strengths. Assuming it probably can't do NGE/Suite B but that is pretty limited to enterprise stuff anyway. If it is strictly IPSEC it wouldn't benefit wireguard I'm assuming, and it seems like wireguard can do about the same (or better), plus have the benefit of the bypass you're working on.

Someone needs to come up with a little hardware (or potentially x86) based VPN box you can just do a simple config and be up and running. Dangle it off the router of your choice.
 
RT-AX68U
RT-AX86S/U/Pro
RT-AX88U/Pro
RT-AX92U
GT-AX6000
GT-AX11000/Pro
GT-AXE11000
GT-AXE16000
ZenWiFi Pro XT12
ZenWiFi Pro ET12

I have an old Pentium I with MMX extensions wonder if that would work.
 
No, but Apple A10 Fusion SoC with Hurricane cores used in iPhone 7 from 2016 beats them all.
 
But wonder what exactly it can accelerate
The list is fairly long: various AES, SHA, MD5 variants, etc... Check the list of supported kernel cryptos, and look for all of these that says "module: bcmspu" in it.

Code:
cat /proc/crypto

My most recent test (from 2018) on the RT-AX88U allowed me to hit 387 Mbps, with lower CPU usage than another test done with pcrypto:

Code:
E:\Share>iperf -c 192.168.50.12 -N -M 1400 -t 20
------------------------------------------------------------
Client connecting to 192.168.50.12, TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------
[316] local 10.10.10.1 port 14909 connected with 192.168.50.12 port 5001
[ ID] Interval       Transfer     Bandwidth
[316]  0.0-20.0 sec    924 MBytes    387 Mbits/sec
 
 
Mem: 434776K used, 469692K free, 0K shrd, 3888K buff, 36492K cached
CPU:  0.2% usr 20.7% sys  0.3% nic 59.7% idle  0.0% io  0.0% irq 18.9% sirq
Load average: 3.32 3.37 2.32 4/191 13694
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
  240     2 admin    RW       0  0.0   3 23.9 [pdc_rx]
  230     2 admin    RW       0  0.0   0 13.4 [bcmsw_rx]
 1170     1 admin    S N   9068  1.0   1  1.6 httpds -s -i br0 -p 8443

 2608     1 admin    R N  21208 2.3   1  0.4 aaews --sdk_log_dir=/tmp

BCMSPU usage stats can be monitored here:

Code:
admin@stargate:/sys# cat kernel/debug/bcmspu/stats
Number of SPUs.........0
Current sessions.......0
Session count..........0
Cipher setkey..........0
Cipher Ops.............0
Hash Ops...............0
HMAC setkey............0
HMAC Ops...............0
AEAD setkey............0
AEAD Ops...............0
Bytes of req data......0
Bytes of resp data.....0
Channel full...........0
Channel send failures..0
Check ICV errors.......0
Packets blogged (us)...0
                (ds)...0

it wouldn't benefit wireguard I'm assuming
No, because Wireguard uses Chacha20. Faster performance than AES, but not hardware accelerated so it's more CPU intensive than a hardware-accelerated AES implementation.
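
The /proc/crypto check described in the post above, together with the CPU AES-instruction check the thread discusses, as an added example that is not part of the original post. The function names are hypothetical, and the sample input (including its driver names) is constructed rather than captured from a router.

```shell
# Added example: list kernel crypto entries owned by a module, and check
# whether an ARM CPU advertises the AES instructions.

# Print "name driver priority" for each /proc/crypto entry owned by MODULE.
algos_by_module() {  # usage: algos_by_module MODULE [FILE]
    awk -v want="$1" '
        function emit() {
            if (mod == want) print name, drv, prio
            name = drv = mod = prio = ""
        }
        /^[ \t]*$/ { emit(); next }          # a blank line ends one entry
        {
            key = $0; sub(/[ \t]*:.*/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            if (key == "name") name = val
            else if (key == "driver") drv = val
            else if (key == "module") mod = val
            else if (key == "priority") prio = val
        }
        END { emit() }                       # last entry has no trailing blank
    ' "${2:-/proc/crypto}"
}

# Succeed if the "Features" line of an ARM /proc/cpuinfo lists "aes".
cpu_has_aes() {  # usage: cpu_has_aes [FILE]
    awk '/^Features/ { for (i = 1; i <= NF; i++) if ($i == "aes") ok = 1 }
         END { exit !ok }' "${1:-/proc/cpuinfo}"
}

# Constructed sample input (driver names are placeholders, not real output).
SAMPLE_CRYPTO=$(mktemp); SAMPLE_CPU=$(mktemp)
cat > "$SAMPLE_CRYPTO" <<'EOF'
name         : cbc(aes)
driver       : example-spu-cbc-aes
module       : bcmspu
priority     : 400

name         : cbc(aes)
driver       : example-cpu-cbc-aes
module       : kernel
priority     : 300

name         : hmac(sha256)
driver       : example-spu-hmac-sha256
module       : bcmspu
priority     : 400
EOF
printf 'Features\t: fp asimd aes pmull sha1 sha2 crc32\n' > "$SAMPLE_CPU"
algos_by_module bcmspu "$SAMPLE_CRYPTO"
cpu_has_aes "$SAMPLE_CPU" && echo "CPU advertises AES instructions"
```

On the router, calling `algos_by_module bcmspu` with no file argument reads the live /proc/crypto. When two drivers register the same algorithm name, the kernel prefers the one with the higher priority value, which is why the priority column is printed.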
 
They all have AES instruction sets in the CPU, depending on the VPN protocol you use (wireguard is the most efficient and should be the fastest) they all have similar performance. Probably 200-250M across most of the AX routers.

Wireguard does not use AES - chacha20-Poly1305 is used there...
 
