This week we have something that STH readers will be excited about. Before I started writing for STH, I was a reader and had been longing for QuickAssist support ever since STH’s first Rangeley article over three and a half years ago. It was clear from the get-go that Rangeley was going to be the preeminent firewall appliance platform of its day. The scope of products that were impacted by the Intel Atom C2000 series bug showed us it was indeed. For my personal firewalls, I use pfSense on that Rangeley platform so I have been waiting to use QuickAssist with my hardware for almost an entire product generation.
New Hardware and QuickAssist Incoming to pfSense (Finally)
pfSense (and a few other firewalls) are based on FreeBSD. FreeBSD tends to lag driver support behind mainstream Linux but it is popular for embedded security appliances. While STH is the only site to have done QuickAssist benchmarks for OpenSSL and IPSec VPNs pre-Skylake, we expect more platforms to use it now that the new Intel Xeon Scalable Processor Family is out. With the Xeon Scalable platforms, the “Lewisburg” PCH has QuickAssist options of up to 100Gbps, or 2.5x faster than the previous generation add-in cards we tested (40Gbps.) We now have more and better hardware for QAT, but we were still devoid of a viable FreeBSD QAT driver from Intel. That has changed.
Our Intel Xeon Scalable Processor Family (Skylake-SP) Launch Coverage Central has been the focus of the STH team’s attention this week. There was another important update from Intel that got buried, a publicly available Intel QuickAssist driver for FreeBSD. You can find the driver on 01.org here dated July 12, 2017.
Drivers are great, but we still need support to be enabled in the OS and at the application layer. Patrick forwarded me this tweet from Jim Thompson (lead at Netgate the company behind pfSense):
QuickAssist driver for #freebsd dropped. Fast crypto offload coming to #pfSense soon. pic.twitter.com/wApLTEKbur
— Jim Thompson (@gonzopancho) July 13, 2017
The Netgate team has been a key company pushing QuickAssist appliances in the market, usually based on Linux. To see that QAT is coming to FreeBSD and that they were working to integrate into “pfSense soon” is more than welcome.
For STH readers, get ready. It appears to be actually and finally happening. QuickAssist on FreeBSD and pfSense
Apparently this driver ONLY works with the Intel “Coleto Creek” add-in PCIe card, not with the Rangeley/Denverton Atom integrated version or the Lewisburg PCH version. (Source: https://mobile.twitter.com/gonzopancho/status/885862474712526848 )
That’s a huge disappointment, it means this won’t provide acceleration on the Rangeley-based pfSense gateways Netgate sells. Any way to find out when those will get QAT support? If they ever will?
This looks to be a v1.6 driver. So poor Rangeley seems to be abandonware.
My 2 cents here, but Rangeley looked like a long shot anyway for last 1+year. I think challenge was too great for PFsense team, and newer hardware is where they will make money. Rangeley is abandon hardware for QA, but still good for low power non-QA type router/utm. PFsense team could give up Rangeley QA claims, and start socializing idea of 2 versions of software, unless they take hit over completely retiring Rangeley owners.