Bug #15841
closedSystem>Advanced>Miscellaneous
Description
Hello Fellow Redmine Community Members,
I have recently learned, through trial and error and with the help of Kristof Provost, that selecting both IPsec-MB and Cryptographic Hardware results in the system using only one or the other.
For me this caused a decrease in speed that is substantial. I feel that the GUI should only allow the selection of one or the other at a time and not allow both.
As quoted from forum @kprovost,
"Either one will work. Things will even work if you have both activated, but then only one of them will do the work. We're not going to be splitting the cryptographic work between the two, or doing it twice just so both will get used."
Per Kristof Provost "JonathanLee I mean, you can't use both at the same time. The data's only ever going to be processed by one of them. I'd have to go dig deep in the code to tell you how the selection is made if both are enabled, but it looks like in this case it ends up using IIMB.
IIMB is fine, but probably not quite as fast as SafeXcel. You're getting crypto acceleration either way, just in a different way."
Can we please fix the GUI so only one can be selected at a time for use? This seemed to cause a speed issue with my equipment when both are enabled. This would make the devices more efficient and free up some resources.
Updated by Jim Pingle 4 days ago
- Status changed from New to Rejected
We have already considered that and decided it was best to leave it up to the user. There are use cases where both might help, just not your use case.
IPsec-MB accelerates AES-GCM and ChaCha20-Poly1305
SafeXcel accelerates AES-CBC, AES-CCM, AES-GCM, AES-ICM, AES-XTS, SHA1, SHA256, SHA384, SHA512
The problem is if you are using AES-GCM, where they overlap; then it is unpredictable which is selected and how.
If you have things using different ciphers then it may be possible to benefit from both.
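The overlap described in the comment above can be checked against the algorithms a tunnel is configured with. The following is an added example, not pfSense code and not part of the ticket: the coverage table is copied from that comment, while the function names and the sample algorithm names are assumptions. It does not query the system and cannot tell which engine is actually selected.

```python
import re

# Coverage as listed in the ticket comment above.
COVERAGE = {
    "IPsec-MB": {"AES-GCM", "CHACHA20-POLY1305"},
    "SafeXcel": {"AES-CBC", "AES-CCM", "AES-GCM", "AES-ICM", "AES-XTS",
                 "SHA1", "SHA256", "SHA384", "SHA512"},
}

def family(name):
    """Reduce a configured name (e.g. 'AES-256-GCM', 'aes128gcm16') to the
    algorithm family used in COVERAGE. Names without an explicit mode, or
    not recognised, return None (hypothetical helper)."""
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    if n.startswith("chacha20"):
        return "CHACHA20-POLY1305"
    m = re.fullmatch(r"aes(?:128|192|256)(gcm|cbc|ccm|icm|xts)\d*", n)
    if m:
        return "AES-" + m.group(1).upper()
    m = re.fullmatch(r"(?:hmac)?sha(1|256|384|512)", n)
    if m:
        return "SHA" + m.group(1)
    return None

def classify(algorithms, enabled):
    """Map each configured name to (family, engines that cover it)."""
    result = {}
    for algo in algorithms:
        fam = family(algo)
        engines = sorted(e for e in enabled if fam in COVERAGE[e])
        result[algo] = (fam, engines)
    return result

def overlaps(algorithms, enabled):
    """Names covered by more than one enabled engine: per the comment
    above, which engine handles these is unpredictable."""
    return [a for a, (_, eng) in classify(algorithms, enabled).items()
            if len(eng) > 1]

if __name__ == "__main__":
    # Constructed sample: algorithm names as they might appear in a config.
    configured = ["AES-256-GCM", "aes128gcm16", "CHACHA20-POLY1305",
                  "AES-128-CBC", "sha256"]
    both = ["IPsec-MB", "SafeXcel"]
    for algo, (fam, eng) in classify(configured, both).items():
        print(f"{algo:20} {fam or 'unknown':18} {', '.join(eng) or 'none'}")
    print("Overlap (selection unpredictable):", overlaps(configured, both))
```
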
Updated by Jonathan Lee 4 days ago
I wish there was a way to warn users for this particular situation as I could not find on Netgate docs or anywhere else any information on this particular situation.