New RB1100 Hardware acceleration

I always wonder which parts of RouterOS use hardware acceleration. I'm pretty sure IPsec does, but does Profile Encryption also? What about /interface ovpn-server server?

Thank you

MB

This is pure conjecture on my part, but typically hardware acceleration is simply utilized by the underlying OS crypto libraries, so any facility using those libraries uses the hardware acceleration.
Not every facility implements AES or SHA all over again; they use a shared library, and that library is linked against the hardware acceleration modules.

Fewi,

Yes, it would be great if MikroTik engineers could at least give more info on what is accelerated using this hardware.

MB

Probably I'm wrong, but SHA1 seems NOT to be accelerated.
In my test I could pass much LESS data through the VPN (AH only), which seems to utilise the CPU very heavily (50-80 Mbps), while with ESP AES it happily passed 200 Mbps (TCP) of traffic with much less load.

If I'm right, AH only is header encryption, ESP is data (or) full-frame encryption.

ESP can still use SHA. A better comparison would be to try ESP with SHA, MD5, and null.

AH won’t encrypt, but the encryption function of ESP isn’t provided by hashing.

hmmm
AH is Authentication Header (if I'm right, it calculates an SHA1/MD5 hash of the header)
ESP is Frame Encryption (Encapsulating Security Payload)

This link http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Encryption_algorithms says:
AH can use SHA1/MD5
ESP can use (3)DES, AES (128/192/256), Blow/TwoFish, Camellia

In fact, I don't understand what you mean by:

AH won’t encrypt, but the encryption function of ESP isn’t provided by hashing

ESP is NOT using hashing but encrypt (so NO SHA1/MD5 supported).

However, I can change the peer setting from esp only to ah/esp, if you are interested in the results.

You’re mistaken.

AH only provides integrity and authentication. Integrity is provided by means of hashes, either SHA1 or MD5.

ESP provides integrity, authentication, and confidentiality. Confidentiality is provided by encryption, several methods are available. 3DES and AES are the most popular. The integrity part is still provided by means of hashes, either SHA1 or MD5.

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Encryption_algorithms: see the list of authentication and encryption methods for ESP.
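To make the distinction above concrete, here is an added Python example (written for this page; it is not code from the thread, from MikroTik or from RouterOS) that builds and verifies the integrity check of an AH packet (RFC 4302) and of an ESP packet (RFC 4303) using HMAC-SHA1-96 from the standard library. The ESP cipher step is deliberately left out: the bytes passed as `ciphertext` stand in for whatever AES/3DES produced. The key, SPI, sequence number, addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample SA parameters (not from the thread): a 20-byte HMAC-SHA1
# key, an SPI and a sequence number. A real SA negotiates these via IKE.
AUTH_KEY = bytes(range(20))
SPI = 0x1234ABCD
SEQ = 1
ICV_LEN = 12  # HMAC-SHA1-96: HMAC-SHA1 truncated to 96 bits (RFC 2404)


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


# ---- AH (IP protocol 51): integrity/authentication only, covers the IP header too

def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """RFC 4302 ICV input: IP header with mutable fields zeroed, the AH header
    with its own ICV field zeroed, then the payload. Nothing is encrypted."""
    immutable = bytearray(ip_hdr)
    immutable[1] = 0                  # TOS/DSCP+ECN may be rewritten in transit
    immutable[6:8] = b"\x00\x00"      # flags + fragment offset
    immutable[8] = 0                  # TTL is decremented by every router
    immutable[10:12] = b"\x00\x00"    # header checksum changes with the TTL
    return hmac_sha1_96(key, bytes(immutable) + ah_fixed + b"\x00" * ICV_LEN + payload)


def build_ah(key: bytes, src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    # AH fixed part: next header, payload len (AH length in 32-bit words minus 2:
    # 24 bytes -> 6 words -> 4), reserved, SPI, sequence number.
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, SPI, SEQ)
    ip_hdr = ipv4_header(src, dst, 20 + 12 + ICV_LEN + len(payload), 51)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key: bytes, packet: bytes) -> bool:
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


# ---- ESP (IP protocol 50): confidentiality comes from the cipher, integrity
#      from an HMAC over SPI | seq | (IV + ciphertext + trailer). The cipher is a
#      separate step not implemented here; `ciphertext` is whatever it produced.

def build_esp(key: bytes, ciphertext: bytes, with_auth: bool = True) -> bytes:
    body = struct.pack("!II", SPI, SEQ) + ciphertext
    return (body + hmac_sha1_96(key, body)) if with_auth else body  # null auth = no ICV


def verify_esp(key: bytes, esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_sha1_96(key, body))


def demo() -> dict:
    """Sender/receiver round trip plus the tamper cases a practitioner cares about."""
    payload = b"constructed TCP segment bytes"              # constructed sample payload
    pkt = build_ah(AUTH_KEY, "10.0.0.1", "10.0.0.2", 6, payload)
    # A router decrementing the TTL (and fixing the checksum) must not break AH ...
    hopped = ipv4_header("10.0.0.1", "10.0.0.2", len(pkt), 51, ttl=63) + pkt[20:]
    # ... but rewriting the destination address (NAT) does, because AH signs it.
    natted = ipv4_header("10.0.0.1", "192.0.2.9", len(pkt), 51) + pkt[20:]
    esp = build_esp(AUTH_KEY, b"\x5a" * 32)                   # stand-in cipher output
    flipped = esp[:8] + bytes([esp[8] ^ 1]) + esp[9:]         # one ciphertext bit flipped
    return {
        "ah_ok": verify_ah(AUTH_KEY, pkt),
        "ah_after_ttl_decrement": verify_ah(AUTH_KEY, hopped),
        "ah_after_nat": verify_ah(AUTH_KEY, natted),
        "esp_ok": verify_esp(AUTH_KEY, esp),
        "esp_tampered": verify_esp(AUTH_KEY, flipped),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point for the throughput question in this thread: in both protocols an HMAC is computed over every packet, on top of any cipher work for ESP. Only ESP with a null authentication algorithm skips the hash (the `with_auth=False` path), and only then is the packet left unprotected against the kind of bit flip the demo shows.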

You are right.
AH provides ONLY authentication/integrity, with hashes (SHA1 or MD5).
ESP can provide confidentiality AND/OR integrity/authentication.

As the IPsec policy allows the following settings:

  • AH
  • AH & ESP
  • ESP

I think (but am not sure) it means the following:

  • AH: Authentication Header to be used
  • AH & ESP: ESP with confidentiality and authentication/integrity
  • ESP: ESP with confidentiality only

I will check what the throughput is with the AH&ESP setting.
Sadly no specification is available about the encryption engine, and also no info about which algorithms are accelerated. It is also not mentioned whether hashing is accelerated or not.
(For example http://oldwiki.openwrt.org/HardwareAcceleratedCrypto.html says the BCM5365 chip supports accelerating AES, DES and HMAC-SHA1 at 75 Mbps, but plain SHA1 seems not to be accelerated, only supported(?).)

I will check on Monday what the throughput and CPU usage are with AH / AH&ESP / ESP and post here.

I am curious what you will find.

I've made tests for:
ESP (aes256): ~300 Mbps throughput (acceptable CPU usage)
AH&ESP (AH: MD5/SHA, ESP: aes256): much less, ~200 Mbps, and high CPU usage → seems hashing is not accelerated

I will share screenshots and a comparison chart too.

By the way, I've made a routing throughput test as a reference:
ConnTrack off: 980 Mbps
ConnTrack on: ~700 Mbps
(CPU 95-100% in both cases)

Tests are done with jperf, between 2 Windows desktop computers, no fine tuning, default frame size (which seems to be 1500 bytes).

Here is the comparison chart.
The testbench can be ready for a few more tests if you want some.

ConnTrack is turned off for all VPN measurements (and for every other measurement where it is NOT noted to be turned on).
(attachment: mikrotik_vpn.png)