Hello Alex
Thank you for your nice hint ot QAT_Engine.
Yes, in theory it really seems to be possible. Looking at the Github repo of the QAT_Engine, it looks like there are still some issues with OpenSSL 3.0: Support for QAT HW ECX, QAT SW ECX, QAT HW PRF and QAT HW HKDF is disabled when built against OpenSSL 3.0 due to known issues instead it uses non-accelerated implementation from OpenSSL.I'm on Ubuntu 20.04, so I should be still using OpenSSL 1.x. There are plans for switching to OpenSSL 3.0 in Ubuntu 22.04. We'll see...
So, one really has to test and I need to think about it. Wouldn't be a cheep test, but if this platform can give me a medium power system (~50W) and great speed, then it's definitively what I'm looking for. Otherwise I would prefer a Ryzen like the 5750GE.
Andreas
On Tuesday, April 12, 2022 03:42 CEST, Alex Xu alex@alxu.ca wrote: Excerpts from Andreas Bollhalder's message of April 10, 2022 3:32 pm:
Hi all
I have my first Tor relay up und running. It's currently installed on a little desktop computer with an Intel i5 9500T CPU. My Internet connection is 10Gb/s symetric. From this bandwidth, I would be able to spend a good part for supporting the Tor network.
With that little machine, it seems that it would max out at somewhere at ~30 MBytes/s. For my definitive Tor relay hardware, I'm currently researching some options, which would be capable of handling Tor traffic at the rate of 200 to 300MBytes. Even it would be used nowadays, but who knows whats coming in the future and I hope this relay would last 5 years ore so.
It looks to me, that with a normal CPU, it's impossible to reach my goal. But then I encountered, that Intel has the Quick Assist Technoloy (QAT) integrated in some of their products (ie. Atom C3xx8). This QAT can be used with OpenSSL as a hardware accelerator for encryption. There also exist dedicated PCIe cards with QAT (ie. Netgate CPIC-8955).
Searching the Internet, I couldn't find any information if QAT would be helpful with Tor. But Tor uses the OpenSSL library and this can use the QAT acceleration. Is there anyone who has tried this und can share his expirience?
Thanks in advance Andreas _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
In theory, you should be able to enable QAT with "HardwareAccel 1" on OpenSSL 1.x after installing https://github.com/intel/QAT_Engine. I'm not sure about the process for OpenSSL 3.0; I believe it involves editing OPENSSLDIR/openssl.cnf.
Excerpts from Andreas Bollhalder's message of April 12, 2022 2:12 am:
Hello Alex
Thank you for your nice hint ot QAT_Engine.
Yes, in theory it really seems to be possible. Looking at the Github repo of the QAT_Engine, it looks like there are still some issues with OpenSSL 3.0: Support for QAT HW ECX, QAT SW ECX, QAT HW PRF and QAT HW HKDF is disabled when built against OpenSSL 3.0 due to known issues instead it uses non-accelerated implementation from OpenSSL.I'm on Ubuntu 20.04, so I should be still using OpenSSL 1.x. There are plans for switching to OpenSSL 3.0 in Ubuntu 22.04. We'll see...
So, one really has to test and I need to think about it. Wouldn't be a cheep test, but if this platform can give me a medium power system (~50W) and great speed, then it's definitively what I'm looking for. Otherwise I would prefer a Ryzen like the 5750GE.
Andreas
If you don't already have a QAT device, I would not suggest getting one specifically for Tor. In particular, Tor doesn't spend very much time actually doing AES. It's mostly overhead from cell processing, TCP, small packets, etc. Additionally, because Tor uses a large number of relatively low-bandwidth connections, it will mostly send small chunks to the hardware engine, which is not particularly efficient. In the future, it may be possible to use KTLS, in which case QAT might actually improve performance quite a bit. However, there are a number of blockers to this, including that it messes with Tor's bandwidth limiting.
Hello Alex
On Tuesday, April 12, 2022 16:19 CEST, "Alex Xu (Hello71)" alex_y_xu@yahoo.ca wrote: If you don't already have a QAT device, I would not suggest getting one specifically for Tor. In particular, Tor doesn't spend very much time actually doing AES. It's mostly overhead from cell processing, TCP, small packets, etc. Additionally, because Tor uses a large number of relatively low-bandwidth connections, it will mostly send small chunks to the hardware engine, which is not particularly efficient. In the future, it may be possible to use KTLS, in which case QAT might actually improve performance quite a bit. However, there are a number of blockers to this, including that it messes with Tor's bandwidth limiting.That's a great advice I can really apreciate. So I better look for a good CPU / NIC combination and will have a look in the sysctl parameters some have posted. If KTLS would get supported, maybe mutli-threading will come too in another step...
Would be nice to have this sort of information in FAQ on Tor project website. But hopefully, one with the same idea will now find this thread by searching the web as I couldn't.
Have a good day Andreas
tor-relays@lists.torproject.org
-
Alex Xu (Hello71) -
Andreas Bollhalder