Why are you surprised? If you are trying to make a point that AES-NI is common, just say so. Trying to do so by saying the opposite and expecting people will pick up on the sarcasm through a pure text medium without necessarily sharing the same knowledge to know whether that statement is true or not just adds confusion to the conversation.
The point itself is useful, but the manner in which you expressed it emphasizes the delivery over the content, to the degree the content is sometimes obscured.
If this was a move to sell more hardware, why wouldn't we make the decision for 2.4 (which is imminent) rather than 2.5, which is based on FreeBSD 12, when 12.0R isn't even scheduled?
There is a difference between a design decision reasonable people can disagree, even forcefully, about, and a design decision that is actually a deceptive attempt to get people to buy new hardware.
“in order to support the increased cryptographic loads that we see as part of pfSense verison 2.5, pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI”
You may disagree with that but it's intellectually dishonest to argue as if they didn't provide clear, technically defensible rationale, especially at a time when much of the industry has been moving to hardware offload.
That point no makes sense as this decision cuts out a lot of the cheaper hardware people ran pfSense on previously so when they look at their options now your own lower priced stuff becomes more attractive and oh yes it has AES-NI and is fully compatible.
This really feels like a long con to get people to upgrade their hardware to a pfSense unit.
If I had to guess, I'd say Netgate is working on an SD-WAN service of sorts. Many players in this market are displacing the edge firewall, and offering a built-in service of their own or in partnership with a third-party might be a smart move.
I see pfSense playing two possible roles the SD-WAN. The first is customer-centric, and will allow pfSense edge devices to connect to a third-party SD-WAN service or one provided by Netgate itself. The other is vendor-centric, and will allow SD-WAN vendors to use pfSense for their Point-of-Presence software when building the geographically distributed network for SD-WAN traffic optimization.
Both are smart strategies and well within your core competency. As long as you're not building your own SD-WAN service you're golden.
TL, DR:
If you are building a pfSense box with an x86 chip made in the past ~7 years [1], stop reading and carry on.
Those of you on a power budget, and want e.g. VPN support at closer to wire speeds, you're being advised to select a CPU with AES-NI to get hardware crypto offload. It's great we have software crypto in the first place, but under load it's likely to put a cap on your max throughput.
Kudos to pfSense/Netgate announcing this ahead of time.
AMD has shipped AES-NI in every processor family starting with Bulldozer in 2011.
Intel started in 2010 with Westmere, but kept it out of the lower-end models like Pentium, Celeron, and i3 for several generations. Only since Skylake (2015) is it included in every model produced from a supporting architecture. At least for Intel processors, the generalization above, absent other disclaimers, does not apply.
Actual lookup tables are linked in other posts like this one [1].
The immediate predecessor to the Netgate SG-2220 ( I forget the Model, but it was based off of the the PC Engines apu1d [1]) does not support AES-NI. It has the AMD G series T40E, which is based off of the Bobcat architecture [2] [3]). I use pfsense as a home router, and while I am very happy with it, I will be forced to upgrade that hardware, and I do not use any feature sets that require the use of AES-NI.
In addition, the Netgate SG-2220 uses an Atom C2338, which was susceptible to the LPC bus failure [4] [5]. So as of right now, I would also be extremely hesitant to purchase the Netgate SG-2220 without some sort of assurance that the router I got is not affected by it.
Well, to get 2.5 running I am going to have to build another box. I'll need a CPU and motherboard. Possibly RAM. I'd like to find that for under $300. Under $150 would be more ideal.
I'm certainly not ruling anything out. I simply want to be able to get a working PFSense instance up and running.
^- While cheap toy SoCs like those found in SBCs do (all?) have NEON, which includes hardware acceleration for SHA1/2 and AES, don't assume good performance. A x86 desktop core is faster in software than those SoCs with hardware.
However, the poor I/O capabilities of most/all toy SoCs rule use as a high-bandwidth router out; you can't do Gigabit routing with just one built-in MAC and the other connected to a USB 2.0 port or somesuch.
That's not at all what the board's block diagram [0] depicts, but apparently they don't care to make that accurate. While the photographs do make it clear that there are three Ethernet ports, it's wrong to say that there are three Ethernet interfaces; the SoC only supports two and it's misleading to count the extra switched ports as extra interfaces because they do not even have the theoretical possibility of contributing to better routing capabilities.
The Celeron J1900 (released 2013) does not support AES-NI. It's popular in low-powered mini PC devices, many of which come preinstalled with pfSense when purchased from Aliexpress.
It's usually not even worth the cost of electricity to keep running hardware that old. Upgrading to modern power efficient hardware pays for itself pretty quickly with lower electrical bills.
This is quite obviously an attempt to cut out the flood of cheap embedded PCs which are ideal for pfSense and steer more sales to their own hardware. Systems such as "The vault" sold by protectli.com are completely adequate for the home network (I am capable of pushing > 100Mbit/s over OpenVPN at ~35% CPU). These run older celeron processors and are dirt cheap.
Hints:
1) The post implies this restriction will only be for the community (free) edition.
"pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI"
2) There is zero reason to require AES-NI, as running with a software fallback will simply yield lower performance. Taking this option away makes no sense unless you want to encourage those who don't pay for software support to buy your hardware, while those already paying for support are free to use their existing gear.
Timing, data cache, BTB, you name it: doing software AES exposes you to All The Side Channels, and AES is somewhat notoriously hard to implement safely in software compared to other software-profile ciphers. This is the big selling point for ChaPoly.
Most/all software implementations of AES had various side channels in the past. Considering AES-GCM, as far as I'm aware no software implementation is considered "safe". Some libraries do not support AES-GCM without hardware instructions that make it safe (e.g. libsodium choose that way).
This is mainly due to AES relying heavily on substitution boxes, i.e. small arrays that are indexed with secrets, which is easy to implement safely in hardware, but difficult in software that runs on a processor with caches and such.
In the GCM case, it's also because the polynomial hash in GHASH wants fast polynomial multiplication, which PCLMULQDQ provides, and which you want (unsafe) lookup tables for otherwise.
This may be a good time to try a new relative open source product. OPNSense is a fork of PFSense with some philosophical and practical differences. Here are some notes on what and why https://docs.opnsense.org/fork/thefork.html
Oh yes, OPNsense. Those sure are some philosophical and practical differences. Differences as in:
- code theft
- copyright abuse
- attempt to steal pfSense trademark in Europe
- toxic project members who publicly attack anyone who dares to point out issues (including assault on all major pfSense developers).
- hiding serious vulnerabilities
- downplaying serious vulnerabilities
I think it would be healthy for you to 1) read about what copyright actually is and 2) read about what various licenses permit. There seems to be a disconnect between what is actually occurring and your understanding (and subsequent nerd-rage).
I have read your comments, visited your linked website. I think you may have some points.. To be clear I am testing OPNSense now for the first time. I thought their license is Apache. I will consider your points during my testing. I will also continue reading your posts on reddit and compare it to testing and repository data. Thank you for your comment, though somewhat harsh.
I'd recommend people take a look at VyOS[1] as well. It's a great router distribution, which comes with a lot of batteries included to do many, many things.
I guess I might still use pfSense when I need a _firewall_. I'd immediately grab VyOS whenever I need a router. Both can do routing and firewalling, though.
Isn't a linux headless box a great alternative to pfsense for non-commercial use? The problem here seems to be that home users now have to shell out more.
If you're going to use OpenVPN and other common software, why not just move to linux side of things? It seems that for home use you wouldn't need any enterprise grade software which I feel is the big advantage of pfSense. Sure pf is great but iptables isn't terrible either.
I find that the BSDs are becoming increasingly reluctant to any change that goes against their principles which I sometimes find a tad misplaced.
> I find that the BSDs are becoming increasingly reluctant to
> any change that goes against their principles which I
> sometimes find a tad misplaced.
This seems a bit uncharitable. pfsense is an open source firewall product, made/released by a company that sells support and services. I wouldn't call it "one of the BSDs" any more than I would call say.. Sophos Firewall or Smoothwall as linux distributions.
Running a properly configured, headless linux box as a firewall would indeed be a fine choice for those technically capable, similarly so would a FreeBSD or OpenBSD install.
I'm not calling it one of the BSDs, but you still have to consider who's running the show. The FreeBSD part behind pfSense is as important as the Debian beind VyOS (although I'm not suggesting VyOS here).
If things are completely same from a management/security perspective, then I'd be wrong but it does make a difference when it comes to management, updates, and compatibility etc.
Your definition of technically capable is a bit vague. What can a technically capable user do? It can vary from barely being able to use the cli and minimal understanding of basic networking, to being able to compile/tune the kernel by themselves and write drivers in case they are missing.
I look after a pfsense box for a school on a 9 year old E2200 that is obsolete by this.
On one hand I cannot complain because the server is 9 years old and lasted well, but on the other hand, why not an option for those just needing a packet filter to bypass this?
Lovely. Due to this behaviour by pfSense employees I no longer want to use pfSense. Had no issues with the software and was considering purchasing their hardware.
Their employees are major tripping. I asked them a simple question, why do we need AES-NI hardware crypto if we don't use VPN's or anything that uses AES? And he refused to answer then banned.
Honestly I do not want to use it anymore and I shant be recommending it anymore to anyone.
At this point my advice would be for you guys to just leave it be. Stand up and walk away from the computer and go watch a movie for the night. You've made your call on this issue, you have unspecified "plans" and unless you care to reveal them or you care to change your stance on this issue there's nothing more to say or do here. You just need to let the anger blow over.
You don't gain anything by further antagonizing users at this point. And from your stance here - you don't actually want these people as users, correct? Essentially you've decided that these users are so-called "devil customers" - they're not profitable and you want them out of your clientele.
That's why you're essentially hardforking away from their hardware. So their opinions are no longer relevant to you, are they? As such this is literally a no-win move for you, the only thing it can do is hurt your business's image.
Just walk away, this isn't a good look for you guys.
I shouldn't have brought this discussion here. I was angry after being banned (in my opinion for asking a legitimate question) and did try to spread the drama. That wasn't the right thing to do.
Lots of bans going on over at /r/pfsense where users are asking straightforward questions and the staff are just banning them. Read the edits made to the posts there crazy....
Seeming more and more like this is a cash grab thing to get people to upgrade to their hardware.
You were banned because you violated rules. You were incredibly rude and then even threatened us. If that wasn't enough you attempted to start a brand new drama thread. "Cash grab thing" assertion proves we were right to ban you.
I have to say, the way that the pfense team is handling it, and the moderators over on reddit, while I had been considering using it, I think I'll use ubiquiti when I upgrade the network
This is a real shame. I am going to have to find a different solution, as it turns out that pfSense is one of those projects that happily moves on without you, and I just can't understand why.
My Atom board has been perfect, but there is no hardware upgrade option.
I guess I'll have to find another project. And, yes, I used to recommend this project to everyone I know, even donated. Oh, well.
89 comments
[ 3.0 ms ] story [ 120 ms ] threadEdit: /s ... ?!
My desktop and laptop have them and they're mid-high end but not upper high end.
[1] https://en.wikipedia.org/wiki/AES_instruction_set
With AES-NI: http://ark.intel.com/Search/FeatureFilter?productType=proces...
Without: http://ark.intel.com/Search/FeatureFilter?productType=proces...
Why are you surprised? If you are trying to make a point that AES-NI is common, just say so. Trying to do so by saying the opposite and expecting people will pick up on the sarcasm through a pure text medium without necessarily sharing the same knowledge to know whether that statement is true or not just adds confusion to the conversation.
The point itself is useful, but the manner in which you expressed it emphasizes the delivery over the content, to the degree the content is sometimes obscured.
“in order to support the increased cryptographic loads that we see as part of pfSense verison 2.5, pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI”
You may disagree with that but it's intellectually dishonest to argue as if they didn't provide clear, technically defensible rationale, especially at a time when much of the industry has been moving to hardware offload.
Since we don't even attempt same, my point stands.
This really feels like a long con to get people to upgrade their hardware to a pfSense unit.
Both are smart strategies and well within your core competency. As long as you're not building your own SD-WAN service you're golden.
Thanks! Running our own SD-WAN service seems a lot like opening a cute little coffee shop: A fine way to spend a lot of money with no result.
There is a third option, which is also customer-centric: Allow the customer to run their own SD-WAN.
Those of you on a power budget, and want e.g. VPN support at closer to wire speeds, you're being advised to select a CPU with AES-NI to get hardware crypto offload. It's great we have software crypto in the first place, but under load it's likely to put a cap on your max throughput.
Kudos to pfSense/Netgate announcing this ahead of time.
[1] https://en.wikipedia.org/wiki/AES_instruction_set#Supporting...
Intel started in 2010 with Westmere, but kept it out of the lower-end models like Pentium, Celeron, and i3 for several generations. Only since Skylake (2015) is it included in every model produced from a supporting architecture. At least for Intel processors, the generalization above, absent other disclaimers, does not apply.
Actual lookup tables are linked in other posts like this one [1].
[1] https://news.ycombinator.com/item?id=14240007
In addition, the Netgate SG-2220 uses an Atom C2338, which was susceptible to the LPC bus failure [4] [5]. So as of right now, I would also be extremely hesitant to purchase the Netgate SG-2220 without some sort of assurance that the router I got is not affected by it.
[1] https://pcengines.ch/apu1d4.htm
[2] https://en.wikipedia.org/wiki/List_of_AMD_accelerated_proces...
[3] https://en.wikipedia.org/wiki/Bobcat_(microarchitecture)
[4] https://www.netgate.com/products/sg-2220.html
[5] http://www.anandtech.com/show/11110/semi-critical-intel-atom...
EDIT: Interestingly enough, someone from Netgate said that the PC Engines APU is unaffected: https://www.reddit.com/r/PFSENSE/comments/68nd6y/pfsense_25_... EDIT2: Seems they edited that, the APU1d won't be compatible.
https://www.newegg.com/Product/Product.aspx?Item=N82E1681911...
Do newer, but still cheap CPU's work with AES-NI?
I'm certainly not ruling anything out. I simply want to be able to get a working PFSense instance up and running.
However, the poor I/O capabilities of most/all toy SoCs rule use as a high-bandwidth router out; you can't do Gigabit routing with just one built-in MAC and the other connected to a USB 2.0 port or somesuch.
It sells for $49 on Amazon. https://www.amazon.com/dp/B06Y3V2FBK
AES-GCM runs quite well on ARMv8:
https://www.rsaconference.com/writable/presentations/file_up...
We have a 3 port ARM board (one port has a switch on it) being announced on Thursday.
[0] http://espressobin.net/wp-content/uploads/2017/01/ESPRESSObi...
Hints:
1) The post implies this restriction will only be for the community (free) edition. "pfSense Community Edition version 2.5 will include a requirement that the CPU supports AES-NI"
2) There is zero reason to require AES-NI, as running with a software fallback will simply yield lower performance. Taking this option away makes no sense unless you want to encourage those who don't pay for software support to buy your hardware, while those already paying for support are free to use their existing gear.
This is mainly due to AES relying heavily on substitution boxes, i.e. small arrays that are indexed with secrets, which is easy to implement safely in hardware, but difficult in software that runs on a processor with caches and such.
- code theft - copyright abuse - attempt to steal pfSense trademark in Europe - toxic project members who publicly attack anyone who dares to point out issues (including assault on all major pfSense developers). - hiding serious vulnerabilities - downplaying serious vulnerabilities
Oh yes, that's a very different project. I documented most of it here https://www.reddit.com/r/OPNscam/
I guess I might still use pfSense when I need a _firewall_. I'd immediately grab VyOS whenever I need a router. Both can do routing and firewalling, though.
[1]: https://wiki.vyos.net/wiki/Main_Page
If you're going to use OpenVPN and other common software, why not just move to linux side of things? It seems that for home use you wouldn't need any enterprise grade software which I feel is the big advantage of pfSense. Sure pf is great but iptables isn't terrible either.
I find that the BSDs are becoming increasingly reluctant to any change that goes against their principles which I sometimes find a tad misplaced.
Running a properly configured, headless linux box as a firewall would indeed be a fine choice for those technically capable, similarly so would a FreeBSD or OpenBSD install.
If things are completely same from a management/security perspective, then I'd be wrong but it does make a difference when it comes to management, updates, and compatibility etc.
Your definition of technically capable is a bit vague. What can a technically capable user do? It can vary from barely being able to use the cli and minimal understanding of basic networking, to being able to compile/tune the kernel by themselves and write drivers in case they are missing.
On one hand I cannot complain because the server is 9 years old and lasted well, but on the other hand, why not an option for those just needing a packet filter to bypass this?
Am I missing something?
My comments are visible here: https://i.imgur.com/8oZVSJO.png
Lovely. Due to this behaviour by pfSense employees I no longer want to use pfSense. Had no issues with the software and was considering purchasing their hardware.
Not any more.
archived view of the thread: https://archive.fo/pBoAY
https://i.imgur.com/NR87PO6.png
Their employees are major tripping. I asked them a simple question, why do we need AES-NI hardware crypto if we don't use VPN's or anything that uses AES? And he refused to answer then banned.
Honestly I do not want to use it anymore and I shant be recommending it anymore to anyone.
Here it is: https://i.imgur.com/FlF8E1Q.png
You deleted your own posts. This is the archive of some of them: https://archive.fo/pBoAY
I don't have an archive of the deeper posts, but they weren't particularly pleasant.
You don't gain anything by further antagonizing users at this point. And from your stance here - you don't actually want these people as users, correct? Essentially you've decided that these users are so-called "devil customers" - they're not profitable and you want them out of your clientele.
That's why you're essentially hardforking away from their hardware. So their opinions are no longer relevant to you, are they? As such this is literally a no-win move for you, the only thing it can do is hurt your business's image.
Just walk away, this isn't a good look for you guys.
We detached this subthread from https://news.ycombinator.com/item?id=14240207 and marked it off-topic.
Seeming more and more like this is a cash grab thing to get people to upgrade to their hardware.
You told me to "Chill for 30 days". Maybe you need to chill instead of damaging your brand by lashing out at people?
Was there a third user you banned?
https://news.ycombinator.com/newsguidelines.html
https://news.ycombinator.com/newswelcome.html
We detached this comment from https://news.ycombinator.com/item?id=14242458 and marked it off-topic.
https://www.reddit.com/r/PFSENSE/comments/68nd6y/pfsense_25_...
My Atom board has been perfect, but there is no hardware upgrade option.
I guess I'll have to find another project. And, yes, I used to recommend this project to everyone I know, even donated. Oh, well.