Community discussions

 
bronco
just joined
Topic Author
Posts: 15
Joined: Mon Dec 08, 2014 12:09 pm

Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Sat Jun 01, 2019 10:34 pm

Hello,
the crypto engine of the MT7621 chipset (used for example in the hEX S model) supports far more than only IPsec.
According to the SDK for the MT7621 chipset there is even OpenSSL support via an OpenSSL engine that is already available in the SDK as a kernel module
(look at page 215 and following: https://www.electrodragon.com/w/images/ ... Manual.pdf).
Could you please add full SSL crypto acceleration so that OpenVPN (ovpn) can also benefit from the features already just sleeping in hardware?

Greets,
bronco
 
mada3k
Frequent Visitor
Posts: 75
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Sun Jun 02, 2019 5:22 pm

This is the way generally all SoCs with hardware offload are implemented, and probably RouterOS as well. This is then interfaced to OpenSSL via the Linux standard crypto API (see /proc/crypto).

OpenVPN on Linux uses the same standard crypto API if the correct ciphers are used (e.g. AES128/256).
Manages some CCR's, RB750Gr3, RB922 and wAP's
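
Added example, not part of any post in this thread and not RouterOS code: a small parser for the /proc/crypto format mentioned above that reports, per algorithm, which registered implementation the kernel crypto API hands out (the highest-priority one that passed its self-test). The sample records and the `example-hw` driver and module names are constructed placeholders, not real MT7621 driver names.

```python
# Constructed sample in /proc/crypto format. The "example-hw" driver and
# module names are hypothetical placeholders, not real MT7621 driver names.
SAMPLE = """\
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
selftest     : passed
async        : no

name         : cbc(aes)
driver       : cbc-aes-example-hw
module       : example_hw_crypto
priority     : 300
selftest     : passed
async        : yes

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
selftest     : passed
"""

def parse_proc_crypto(text):
    """Split the blank-line-separated records into dicts of key -> value."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def selected_drivers(entries):
    """Per algorithm, keep the highest-priority self-tested implementation."""
    best = {}
    for e in entries:
        old = best.get(e["name"])
        if e.get("selftest") == "passed" and (
                old is None or int(e["priority"]) > int(old["priority"])):
            best[e["name"]] = e
    return {n: (e["driver"], e["module"], e.get("async", "no"))
            for n, e in best.items()}

if __name__ == "__main__":
    for name, info in sorted(selected_drivers(parse_proc_crypto(SAMPLE)).items()):
        print(name, *info)
```

On a Linux system, pass the contents of /proc/crypto instead of `SAMPLE`; a driver from a non-`kernel` module with a higher priority than the generic one indicates that an offload driver is registered for that algorithm.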
 
bronco
just joined
Topic Author
Posts: 15
Joined: Mon Dec 08, 2014 12:09 pm

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Tue Jun 04, 2019 12:23 am

Hey mada3k,

I totally agree with you, but Mikrotik states only that there is IPSec encryption acceleration (compared to the datasheet of hEX S),
so I assume that there is no OpenSSL hardware encryption engine support :-(

Greets,
bronco
 
msatter
Forum Guru
Posts: 1120
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Tue Jun 04, 2019 12:52 am

bronco wrote:
> Hey mada3k,
>
> I totally agree with you, but Mikrotik states only that there is IPSec encryption acceleration (compared to the datasheet of hEX S),
> so I assume that there is no OpenSSL hardware encryption engine support :-(

Look at this page and you see that ECB is worse than CBC:

https://datalocker.com/what-is-the-diff ... ncryption/

As written by mada3k, the AES 128/256 for IPSEC is not different than AES128/256 for OpenSSL.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.8
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
mada3k
Frequent Visitor
Posts: 75
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Tue Jun 04, 2019 10:01 pm

bronco wrote:
> I assume that there is no OpenSSL hardware encryption engine support :-(

What do you mean by "OpenSSL encryption"? What ciphers are you referring to?
 
bronco
just joined
Topic Author
Posts: 15
Joined: Mon Dec 08, 2014 12:09 pm

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Tue Jun 04, 2019 11:18 pm

OpenVPN uses OpenSSL as a cipher library for several reasons, therefore the mentioned OpenSSL encryption engine should speed up OpenVPN (ovpn),
cause crypto hardware engines usually are much faster than plain software-based algorithms.

mada3k wrote:
> What do you mean by "OpenSSL encryption"? What ciphers are you referring to?
 
bronco
just joined
Topic Author
Posts: 15
Joined: Mon Dec 08, 2014 12:09 pm

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Tue Jun 04, 2019 11:25 pm

Hello msatter,
nobody ever mentioned ECB, therefore AES-256-CBC would be my preferred cipher, I totally agree with you on that point.
I also agree with you that AES 128/256 is the same algorithm for IPsec and OpenVPN, but according to MikroTik's
datasheet for the hEX S, encryption offloading for IPsec is supported (by whatever mechanism) and encryption offloading for OpenVPN (which uses OpenSSL)
isn't supported... :-(

Greets,
bronco

msatter wrote:
> Look at this page and you see that ECB is worse than CBC:
> [...]
> As written by mada3k, the AES 128/256 for IPSEC is not different than AES128/256 for OpenSSL.
 
mrz
MikroTik Support
Posts: 5893
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Wed Jun 05, 2019 11:24 am

Currently there is a specific reason for this. Maybe in the future you will see HW encryption not only for IpSec.
 
bronco
just joined
Topic Author
Posts: 15
Joined: Mon Dec 08, 2014 12:09 pm

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Sat Jun 08, 2019 11:32 pm

Hello mrz,

would you please be so kind and share your knowledge with us? What is the reason that currently there is only
hardware encryption for IPsec and not for the other cryptographic stuff?

mrz wrote:
> Currently there is a specific reason for this. Maybe in the future you will see HW encryption not only for IpSec.

Greetz,
bronco
 
mkx
Forum Guru
Posts: 2482
Joined: Thu Mar 03, 2016 10:23 pm

Re: Feature request: full crypto speedup for MT7621 chipset (e.g. hEX S)

Sun Jun 09, 2019 11:34 am

My guess: MT devs implemented some HW accelerated crypto on kernel 3.3 (used by ROSv6), then management decided to speed up development of ROSv7 and devs went on to implement the rest of crypto in HW for ROSv7. So forget any new functionality in ROSv6 as all development time goes to v7.

I hope the above is a guess, not merely a wish ;-)
BR,
Metod
