how to pick cipher for AES-NI enabled AMD GX-412TC SOC tincd at 100% CPU
Fufu Fang
fangfufu2003 at gmail.com
Sat Apr 4 20:08:02 CEST 2020
I basically end up using the same cipher suite as Wireguard, it works
quite well on my Atom N2800, which does not have AES-NI. It is now 3
times as fast.
Cipher = chacha20-poly1305
Digest = blake2b512
On Sat, 2020-04-04 at 20:02 +0200, Jelle de Jong wrote:
> Hello everybody,
>
> First a big thanks for tinc-vpn I am still using it next to
> wireguard
> and openvpn.
>
> I am having a setup where the tinc debian appliance is at 100% cpu
> load
> doing about 7.5MB/s.
>
> Compression = 9
> PMTU = 1400
> PMTUDiscovery = yes
> Cipher = aes-128-cbc
>
> How can I pick a cipher that is the fasted for my CPU and don't
> create a
> CPU bottleneck at 100%.
>
> Kind regards,
>
> Jelle de Jong
>
> root at officelink01:~# lscpu
> Architecture: x86_64
> CPU op-mode(s): 32-bit, 64-bit
> Byte Order: Little Endian
> Address sizes: 40 bits physical, 48 bits virtual
> CPU(s): 4
> On-line CPU(s) list: 0-3
> Thread(s) per core: 1
> Core(s) per socket: 4
> Socket(s): 1
> NUMA node(s): 1
> Vendor ID: AuthenticAMD
> CPU family: 22
> Model: 48
> Model name: AMD GX-412TC SOC
> Stepping: 1
> CPU MHz: 775.729
> CPU max MHz: 1000.0000
> CPU min MHz: 600.0000
> BogoMIPS: 1996.08
> Virtualization: AMD-V
> L1d cache: 32K
> L1i cache: 32K
> L2 cache: 2048K
> NUMA node0 CPU(s): 0-3
> Flags: fpu vme de pse tsc msr pae mce cx8 apic sep
> mtrr
> pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx
> mmxext
> fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good acc_power nopl
> nonstop_tsc cpuid extd_apicid aperfmperf pni pclmulqdq monitor ssse3
> cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm
> cmp_legacy
> svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs
> skinit wdt topoext perfctr_nb bpext ptsc perfctr_llc cpb hw_pstate
> ssbd
> vmmcall bmi1 xsaveopt arat npt lbrv svm_lock nrip_save tsc_scale
> flushbyasid decodeassists pausefilter pfthreshold overflow_recov
>
> root at officelink01:~# openssl help
> Standard commands
> asn1parse ca ciphers cms
> crl crl2pkcs7 dgst dhparam
> dsa dsaparam ec ecparam
> enc engine errstr gendsa
> genpkey genrsa help list
> nseq ocsp passwd pkcs12
> pkcs7 pkcs8 pkey pkeyparam
> pkeyutl prime rand rehash
> req rsa rsautl s_client
> s_server s_time sess_id smime
> speed spkac srp storeutl
> ts verify version x509
>
> Message Digest commands (see the `dgst' command for more details)
> blake2b512 blake2s256 gost md4
> md5 rmd160 sha1 sha224
> sha256 sha3-224 sha3-256 sha3-384
> sha3-512 sha384 sha512 sha512-224
> sha512-256 shake128 shake256 sm3
>
> Cipher commands (see the `enc' command for more details)
> aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
> aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
> aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
> aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
> aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
> aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
> aria-256-ctr aria-256-ecb aria-256-ofb base64
> bf bf-cbc bf-cfb bf-ecb
> bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-
> cbc
> camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
> cast-cbc cast5-cbc cast5-cfb cast5-ecb
> cast5-ofb des des-cbc des-cfb
> des-ecb des-ede des-ede-cbc des-ede-cfb
> des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
> des-ede3-ofb des-ofb des3 desx
> rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
> rc2-cfb rc2-ecb rc2-ofb rc4
> rc4-40 seed seed-cbc seed-cfb
> seed-ecb seed-ofb sm4-cbc sm4-cfb
> sm4-ctr sm4-ecb sm4-ofb
>
> root at officelink01:~# openssl speed -elapsed -evp aes-128-cbc
> You have chosen to measure elapsed time instead of user CPU time.
> Doing aes-128-cbc for 3s on 16 size blocks: 13905799 aes-128-cbc's in
> 3.00s
> Doing aes-128-cbc for 3s on 64 size blocks: 6572120 aes-128-cbc's in
> 3.00s
> Doing aes-128-cbc for 3s on 256 size blocks: 2254183 aes-128-cbc's in
> 3.00s
> Doing aes-128-cbc for 3s on 1024 size blocks: 623111 aes-128-cbc's in
> 3.00s
> Doing aes-128-cbc for 3s on 8192 size blocks: 80058 aes-128-cbc's in
> 3.00s
> Doing aes-128-cbc for 3s on 16384 size blocks: 40180 aes-128-cbc's in
> 3.00s
> OpenSSL 1.1.1d 10 Sep 2019
> built on: Sat Oct 12 19:56:43 2019 UTC
> options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr)
> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall
> -Wa,--noexecstack -g -O2
> -fdebug-prefix-map=/build/openssl-YwazYa/openssl-1.1.1d=.
> -fstack-protector-strong -Wformat -Werror=format-security
> -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
> -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM
> -DGHASH_ASM
> -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time
> -D_FORTIFY_SOURCE=2
> The 'numbers' are in 1000s of bytes per second processed.
> type 16 bytes 64 bytes 256 bytes 1024
> bytes 8192
> bytes 16384 bytes
> aes-128-cbc 74164.26k 140205.23k 192356.95k 212688.55k
> 218611.71k 219436.37k
> root at officelink01:~# openssl speed -elapsed -evp aes-256-cbc
> You have chosen to measure elapsed time instead of user CPU time.
> Doing aes-256-cbc for 3s on 16 size blocks: 12322268 aes-256-cbc's in
> 3.00s
> Doing aes-256-cbc for 3s on 64 size blocks: 5283431 aes-256-cbc's in
> 3.00s
> Doing aes-256-cbc for 3s on 256 size blocks: 1686231 aes-256-cbc's in
> 3.00s
> Doing aes-256-cbc for 3s on 1024 size blocks: 454425 aes-256-cbc's in
> 3.00s
> Doing aes-256-cbc for 3s on 8192 size blocks: 58092 aes-256-cbc's in
> 3.00s
> Doing aes-256-cbc for 3s on 16384 size blocks: 29035 aes-256-cbc's in
> 3.00s
> OpenSSL 1.1.1d 10 Sep 2019
> built on: Sat Oct 12 19:56:43 2019 UTC
> options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr)
> compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall
> -Wa,--noexecstack -g -O2
> -fdebug-prefix-map=/build/openssl-YwazYa/openssl-1.1.1d=.
> -fstack-protector-strong -Wformat -Werror=format-security
> -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
> -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM
> -DGHASH_ASM
> -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time
> -D_FORTIFY_SOURCE=2
> The 'numbers' are in 1000s of bytes per second processed.
> type 16 bytes 64 bytes 256 bytes 1024
> bytes 8192
> bytes 16384 bytes
> aes-256-cbc 65718.76k 112713.19k 143891.71k 155110.40k
> 158629.89k 158569.81k
> root at officelink01:~#
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
More information about the tinc
mailing list