Bug #15841

closed

System>Advanced>Miscellaneous

Added by Jonathan Lee about 1 month ago. Updated about 1 month ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Cryptographic Modules
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version:
Affected Architecture:

Description

Hello Fellow Redmine Community Members,

I have recently learned, with trial and error and the help of Kristof Provost, that selecting both IPsec-MB and Cryptographic Hardware results in the system using only one or the other.

For me this caused a decrease in speed that is substantial. I feel that the GUI should only allow the selection of one or the other at a time and not allow both.

As quoted from forum @kpovost,

"Either one will work. Things will even work if you have both activated, but then only one of them will do the work. We're not going to be splitting the cryptographic work between the two, or doing it twice just so both will get used."

Per Kristof Provost "JonathanLee I mean, you can't use both at the same time. The data's only ever going to be processed by one of them. I'd have to go dig deep in the code to tell you how the selection is made if both are enabled, but it looks like in this case it ends up using IIMB.

IIMB is fine, but probably not quite as fast as SafeXcel. You're getting crypto acceleration either way, just in a different way."

Can we please fix the GUI so only one can be selected at a time for use? This seemed to cause a speed issue with my equipment when both are enabled. This would make the devices more efficient and free up some resources.


Files

Screenshot 2024-11-15 at 08.17.42.png (318 KB): System with both enabled and active. Jonathan Lee, 11/15/2024 04:17 PM

#1

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Rejected

We have already considered that and decided it was best to leave it up to the user. There are use cases where both might help, just not your use case.

IPsec-MB accelerates AES-GCM and ChaCha20-Poly1305

SafeXcel accelerates AES-CBC, AES-CCM, AES-GCM, AES-ICM, AES-XTS, SHA1, SHA256, SHA384, SHA512

The problem is if you are using AES-GCM, where they overlap; then it is unpredictable which is selected and how.

If you have things using different ciphers then it may be possible to benefit from both.

#2

Updated by Jonathan Lee about 1 month ago

I wish there was a way to warn users for this particular situation as I could not find on Netgate docs or anywhere else any information on this particular situation.
