Borrible7

Routers with AES-256-CBC acceleration?


Hi, new user, very impressed with the company and the service so far. 

 

One thing that would be useful is a list -- community maintained would be fine or even ideal -- of routers and router platforms that have hardware accelerated AES-256-CBC. I'm using a 500MHz AMD Geode based SBC which has support only for AES-128-CBC; as a result the encryption is a performance bottleneck: at as little as 10mb/s openvpn is using 50% CPU.

 

I'm going to migrate to a Via C7 based mini-itx board I have lying around -- it has the Via Padlock engine which does 256 bit AES.   But it might be useful for users to have access to a sticky with a community-maintained list of consumer routers and low-cost computing platforms that have it.

Link to post

I haven't found any "plastic" routers that do crypto acceleration of AES-256-CBC and OpenVPN, so the cheap options limit you to 5-20mbit/s.

 

Some approximate datapoints

- TP-Link WDR4900 / PowerPC P1014 processor at 800Mhz ~ 17mbit/s

- TP-Link WDR4300 / Atheros AR9344 at 560MHz ~ 8mbit/s

 

Both with latest OpenWRT and on AirVPN.

 

If you want to go higher, as you discovered you need processors with dedicated hardware acceleration of crypto (there are some addon-boards that do crypto-offload, but they are hit-and-miss with speedups; depending on the host platform, most of the time is wasted on interrupt handling and data handoff to the offload card so you can conceivably arrive at similar numbers as my TP-Links above, if not lower. Plus crypto offload-capable devices tend to come in really expensive).

 

I would be interested in how the Linksys WRT1900AC performs (it comes with a 1200mhz dual core ARM CPU), but I wasn't willing to spend over three times what the WDR4900 cost (which isn't all that cheap at 73€, either) just to find out.

 

Let us know what the c7 can do, please :-)

For situations where I want to break 50 or 100mbit/s, I tend to go with an Intel chip that has AES-NI (any of them will do, really, check on ARK if your prospective processor has that featureset). If you want to break a gbit/s over openvpn, a Haswell i5 of any speed should do -- but then you are talking PC-as-router.

Link to post

I have the Asus ac68 and I can max my 25mbit line with AirVPN. I've read others saying they can get up to 50mbps with this router.

It comes stock with 800mhz dual core ARM but I've overclocked mine to 1000mhz.

 

It's a great router with merlin asus firmware, but will cost about $200

Link to post

Hi,

 

I got ca. 30 MBit/s to AirVPN with the Synology DiskStation 411 (from Desktop PC with AirVPN Client ~ 89 Mbit/s).

 

Look at this Router: MikroTik Cloud Core Router CCR1009-8G-1S and this Website: http://forum.mikrotik.com/viewtopic.php?f=2&t=85895

 

Quote:

Both support HW accelerated aes-128-cbc -> aes-256-cbc.
CCR also supports sha1 HW offload.

 

I hope this helped you,

 

Bye

Link to post

Great info so far.

 


Let us know what the c7 can do, please :-)

 

Okay, this is on a 1GHz Via "Esther" C7 (9w TDP) running a fairly recent OpenWRT trunk. 

 

Without padlock:

 

# rmmod cryptodev
# openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 948767 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 248350 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 62844 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 15767 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 1972 aes-256-cbc's in 3.00s
[snip]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc       5060.09k     5298.13k     5362.69k     5381.80k     5384.87k

 

With padlock:

 

# insmod cryptodev
# openssl speed -evp aes-256-cbc -engine cryptodev
Doing aes-256-cbc for 3s on 16 size blocks: 390710 aes-256-cbc's in 0.22s
Doing aes-256-cbc for 3s on 64 size blocks: 363830 aes-256-cbc's in 0.08s
Doing aes-256-cbc for 3s on 256 size blocks: 362181 aes-256-cbc's in 0.08s
Doing aes-256-cbc for 3s on 1024 size blocks: 281825 aes-256-cbc's in 0.05s
Doing aes-256-cbc for 3s on 8192 size blocks: 93755 aes-256-cbc's in 0.01s
[snip]
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc      28415.27k   291064.00k  1158979.20k  5771776.00k 76804096.00k

 

In practice, without padlock I can get about 10mb/s on a standard internet speed test near the VPN endpoint.  With padlock I can saturate my 50mb/s vdsl connection, less various protocol overheads, with fairly low CPU use. 

 

In synthetic openssh tests to and from a host on the local gigabit LAN using padlock-accelerated aes-256-cbc, I get about 150mb/s.

Link to post
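
The two `openssl speed` runs in the post above can be cross-checked from their `Doing ...` lines. The following is an added example, not part of the original thread: it recomputes throughput against the nominal 3 s run length as well as against the reported time, which matters because `openssl speed` without `-elapsed` divides by user CPU time and work done inside the kernel cryptodev driver is not counted there. It assumes each run really lasted the nominal 3 s of wall-clock time; the function names are hypothetical.

```python
import re

# Lines copied from the "with padlock" run posted above.
SAMPLE = """\
Doing aes-256-cbc for 3s on 16 size blocks: 390710 aes-256-cbc's in 0.22s
Doing aes-256-cbc for 3s on 64 size blocks: 363830 aes-256-cbc's in 0.08s
Doing aes-256-cbc for 3s on 256 size blocks: 362181 aes-256-cbc's in 0.08s
Doing aes-256-cbc for 3s on 1024 size blocks: 281825 aes-256-cbc's in 0.05s
Doing aes-256-cbc for 3s on 8192 size blocks: 93755 aes-256-cbc's in 0.01s
"""

LINE = re.compile(
    r"Doing (?P<alg>\S+) for (?P<wall>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<cpu>\d+\.\d+)s"
)

def parse_speed(text):
    """Return one dict per block size with reported and wall-clock rates."""
    rows = []
    for m in LINE.finditer(text):
        size, count = int(m["size"]), int(m["count"])
        wall, cpu = float(m["wall"]), float(m["cpu"])
        total = size * count  # bytes processed during the run
        rows.append({
            "size": size,
            # What the summary table prints: bytes / reported time / 1000.
            "reported_kBps": total / cpu / 1000 if cpu > 0 else float("inf"),
            # Same byte count divided by the nominal run length (assumption).
            "wall_kBps": total / wall / 1000,
            # Share of the run that the reported time accounts for.
            "cpu_fraction": cpu / wall,
        })
    return rows

def suspicious(rows, threshold=0.5):
    """Block sizes whose reported time covers under `threshold` of the run."""
    return [r["size"] for r in rows if r["cpu_fraction"] < threshold]

if __name__ == "__main__":
    rows = parse_speed(SAMPLE)
    for r in rows:
        print(f"{r['size']:>5} B  reported {r['reported_kBps']:>12.2f}k  "
              f"wall-clock {r['wall_kBps']:>10.2f}k  cpu {r['cpu_fraction']:.1%}")
    print("reported time << run length for:", suspicious(rows))
```

Running the benchmark with `openssl speed -elapsed` makes OpenSSL use wall-clock time as the divisor itself, so the two columns agree.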

I have the Asus ac68 and I can max my 25mbit line with AirVPN. I've read others saying they can get up to 50mbps with this router.

It comes stock with 800mhz dual core ARM but I've overclocked mine to 1000mhz.

 

It's a great router with merlin asus firmware, but will cost about $200

Well it wasn't cheap, but I bought an Asus AC68U and flashed it with Shibby Tomato firmware. The dual CPUs in this router definitely help with VPN encryption. I'm finally seeing close to my actual cable internet speeds when connected to AirVPN now when I do speed tests or download a Linux Distro torrent for speed testing purposes.

Link to post

Since this recently came up again for me personally and I don't want anybody else to get misled:

 

 

Look at this Router: MikroTik Cloud Core Router CCR1009-8G-1S and this Website: http://forum.mikrotik.com/viewtopic.php?f=2&t=85895

 

Quote:

Both support HW accelerated aes-128-cbc -> aes-256-cbc.
CCR also supports sha1 HW offload.

 

MikroTik has its own implementation of OpenVPN which does not support anything other than TCP (i.e. no UDP) and has no tls-auth support (i.e. definitely not gonna work with AirVPN, and somewhat less secure).

There is no OpenWRT (or indeed *WRT) for it because MikroTik does not release the full sources to their modified Linux kernel (in particular their patched version of tilegx.c; apparently the tilegx driver in mainline in later kernels than the one they forked from does not work at all) and reverse engineering has not proven very successful (or is limited by time).

 

On paper the CCR-series boxes would rock for AirVPN (there is a forum post somewhere claiming they got 7gbps openvpn throughput from a ccr1009). In practice, no.

 

(As an aside, while I was able to test BF-CBC throughput of OpenVPN on a WRT1900ACS with Linksys stock firmware, it maxed out at 97mbit/s unidirectionally so I did not bother with trying to get OpenWRT on it to see what AES-256 with tls-auth would yield.) The search for something-low-power-that-isn't-a-PC-with-AES-NI for high VPN throughput continues.

Link to post
