how to pick cipher for AES-NI enabled AMD GX-412TC SOC tincd at 100% CPU
Jelle de Jong
jelledejong at powercraft.nl
Sat Apr 4 20:02:40 CEST 2020
Hello everybody,
First a big thanks for tinc-vpn I am still using it next to wireguard
and openvpn.
I am having a setup where the tinc debian appliance is at 100% cpu load
doing about 7.5MB/s.
Compression = 9
PMTU = 1400
PMTUDiscovery = yes
Cipher = aes-128-cbc
How can I pick a cipher that is the fasted for my CPU and don't create a
CPU bottleneck at 100%.
Kind regards,
Jelle de Jong
root at officelink01:~# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 40 bits physical, 48 bits virtual
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 1
Core(s) per socket: 4
Socket(s): 1
NUMA node(s): 1
Vendor ID: AuthenticAMD
CPU family: 22
Model: 48
Model name: AMD GX-412TC SOC
Stepping: 1
CPU MHz: 775.729
CPU max MHz: 1000.0000
CPU min MHz: 600.0000
BogoMIPS: 1996.08
Virtualization: AMD-V
L1d cache: 32K
L1i cache: 32K
L2 cache: 2048K
NUMA node0 CPU(s): 0-3
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr
pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext
fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good acc_power nopl
nonstop_tsc cpuid extd_apicid aperfmperf pni pclmulqdq monitor ssse3
cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm cmp_legacy
svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs
skinit wdt topoext perfctr_nb bpext ptsc perfctr_llc cpb hw_pstate ssbd
vmmcall bmi1 xsaveopt arat npt lbrv svm_lock nrip_save tsc_scale
flushbyasid decodeassists pausefilter pfthreshold overflow_recov
root at officelink01:~# openssl help
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 rmd160 sha1 sha224
sha256 sha3-224 sha3-256 sha3-384
sha3-512 sha384 sha512 sha512-224
sha512-256 shake128 shake256 sm3
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb
seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb
root at officelink01:~# openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 13905799 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 6572120 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2254183 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 623111 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 80058 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 40180 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d 10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall
-Wa,--noexecstack -g -O2
-fdebug-prefix-map=/build/openssl-YwazYa/openssl-1.1.1d=.
-fstack-protector-strong -Wformat -Werror=format-security
-DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time
-D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes 16384 bytes
aes-128-cbc 74164.26k 140205.23k 192356.95k 212688.55k
218611.71k 219436.37k
root at officelink01:~# openssl speed -elapsed -evp aes-256-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-256-cbc for 3s on 16 size blocks: 12322268 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 64 size blocks: 5283431 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 256 size blocks: 1686231 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 454425 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 8192 size blocks: 58092 aes-256-cbc's in 3.00s
Doing aes-256-cbc for 3s on 16384 size blocks: 29035 aes-256-cbc's in 3.00s
OpenSSL 1.1.1d 10 Sep 2019
built on: Sat Oct 12 19:56:43 2019 UTC
options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall
-Wa,--noexecstack -g -O2
-fdebug-prefix-map=/build/openssl-YwazYa/openssl-1.1.1d=.
-fstack-protector-strong -Wformat -Werror=format-security
-DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time
-D_FORTIFY_SOURCE=2
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192
bytes 16384 bytes
aes-256-cbc 65718.76k 112713.19k 143891.71k 155110.40k
158629.89k 158569.81k
root at officelink01:~#
More information about the tinc
mailing list