Re: [tor-relays] Does Tor work with Intel QAT acceleration

Hello Alex

Thank you for your nice hint to QAT_Engine.

Yes, in theory it really seems to be possible. Looking at the GitHub repo of the QAT_Engine, it looks like there are still some issues with OpenSSL 3.0:

Support for QAT HW ECX, QAT SW ECX, QAT HW PRF and QAT HW HKDF is disabled when built
against OpenSSL 3.0 due to known issues instead it uses non-accelerated implementation
from OpenSSL.

I’m on Ubuntu 20.04, so I should be still using OpenSSL 1.x. There are plans for switching to OpenSSL 3.0 in Ubuntu 22.04. We’ll see…

So, one really has to test and I need to think about it. Wouldn’t be a cheap test, but if this platform can give me a medium power system (~50W) and great speed, then it’s definitely what I’m looking for. Otherwise I would prefer a Ryzen like the 5750GE.

Andreas


On Tuesday, April 12, 2022 03:42 CEST, Alex Xu alex@alxu.ca wrote:

Excerpts from Andreas Bollhalder’s message of April 10, 2022 3:32 pm:

Hi all

I have my first Tor relay up and running. It’s currently installed on a little desktop computer with an Intel i5 9500T CPU. My Internet connection is 10Gb/s symmetric. From this bandwidth, I would be able to spend a good part for supporting the Tor network.

With that little machine, it seems that it would max out at somewhere at ~30 MBytes/s. For my definitive Tor relay hardware, I’m currently researching some options, which would be capable of handling Tor traffic at the rate of 200 to 300MBytes. Even it would be used nowadays, but who knows what’s coming in the future and I hope this relay would last 5 years or so.

It looks to me, that with a normal CPU, it’s impossible to reach my goal. But then I encountered, that Intel has the Quick Assist Technology (QAT) integrated in some of their products (ie. Atom C3xx8). This QAT can be used with OpenSSL as a hardware accelerator for encryption. There also exist dedicated PCIe cards with QAT (ie. Netgate CPIC-8955).

Searching the Internet, I couldn’t find any information if QAT would be helpful with Tor. But Tor uses the OpenSSL library and this can use the QAT acceleration. Is there anyone who has tried this and can share his experience?

Thanks in advance
Andreas


tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

In theory, you should be able to enable QAT with “HardwareAccel 1” on
OpenSSL 1.x after installing QAT_Engine (GitHub: intel/QAT_Engine, the
Intel QuickAssist Technology (QAT) OpenSSL Engine). I’m
not sure about the process for OpenSSL 3.0; I believe it involves
editing OPENSSLDIR/openssl.cnf.


Excerpts from Andreas Bollhalder's message of April 12, 2022 2:12 am:

Hello Alex

Thank you for your nice hint to QAT_Engine.

Yes, in theory it really seems to be possible. Looking at the GitHub repo of the QAT_Engine, it looks like there are still some issues with OpenSSL 3.0:

Support for QAT HW ECX, QAT SW ECX, QAT HW PRF and QAT HW HKDF is disabled when built
against OpenSSL 3.0 due to known issues instead it uses non-accelerated implementation
from OpenSSL.

I'm on Ubuntu 20.04, so I should be still using OpenSSL 1.x. There are plans for switching to OpenSSL 3.0 in Ubuntu 22.04. We'll see...

So, one really has to test and I need to think about it. Wouldn't be a cheap test, but if this platform can give me a medium power system (~50W) and great speed, then it's definitely what I'm looking for. Otherwise I would prefer a Ryzen like the 5750GE.

Andreas

If you don't already have a QAT device, I would not suggest getting one
specifically for Tor. In particular, Tor doesn't spend very much time
actually doing AES. It's mostly overhead from cell processing, TCP,
small packets, etc. Additionally, because Tor uses a large number of
relatively low-bandwidth connections, it will mostly send small chunks
to the hardware engine, which is not particularly efficient. In the
future, it may be possible to use KTLS, in which case QAT might actually
improve performance quite a bit. However, there are a number of blockers
to this, including that it messes with Tor's bandwidth limiting.


Hello Alex


On Tuesday, April 12, 2022 16:19 CEST, “Alex Xu (Hello71)” alex_y_xu@yahoo.ca wrote:

If you don’t already have a QAT device, I would not suggest getting one
specifically for Tor. In particular, Tor doesn’t spend very much time
actually doing AES. It’s mostly overhead from cell processing, TCP,
small packets, etc. Additionally, because Tor uses a large number of
relatively low-bandwidth connections, it will mostly send small chunks
to the hardware engine, which is not particularly efficient. In the
future, it may be possible to use KTLS, in which case QAT might actually
improve performance quite a bit. However, there are a number of blockers
to this, including that it messes with Tor’s bandwidth limiting.

That’s great advice I can really appreciate. So I better look for a good CPU / NIC combination and will have a look at the sysctl parameters some have posted. If KTLS would get supported, maybe multi-threading will come too in another step…

Would be nice to have this sort of information in the FAQ on the Tor Project website. But hopefully, someone with the same idea will now find this thread by searching the web as I couldn’t.

Have a good day
Andreas
