<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi Andreas<br>
<br>
According to [0] QAT supports:<br>
<ul>
<li>RSA with 2048, 3072, and 4096 bit keys</li>
<li>ECDH for the Montgomery Curve X25519 and NIST Prime Curves
P-256 and P-384</li>
<li>ECDSA for the NIST Prime Curves P-256 and P-384</li>
<li>AES-GCM with 128, 192, and 256 bit keys</li>
</ul>
<p>The tor-spec [1] shows that Tor only uses RSA with 1024 Bit Keys
and the ciphersuits only contain AES CBC and no AES GCM ones. I'm
not an expert but it looks like it's not that useful for Tor.<br>
</p>
<p>Tor doesn't scale well with multiple CPU cores but you can run 2
relays per IP to better use your hardware. On Debian / Ubuntu you
can use tor-instance-create <name> to create multiple relays
on the same host.</p>
[0]:
<a class="moz-txt-link-freetext" href="https://www.intel.com/content/www/us/en/developer/articles/guide/building-software-acceleration-features-in-the-intel-qat-engine-for-openssl.html">https://www.intel.com/content/www/us/en/developer/articles/guide/building-software-acceleration-features-in-the-intel-qat-engine-for-openssl.html</a>
<br>
<p>
[1]: <a class="moz-txt-link-freetext" href="https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt">https://gitweb.torproject.org/torspec.git/tree/tor-spec.txt</a> <br>
</p>
<p><br>
</p>
Regards<br>
Stefan<br>
<br>
<div class="moz-cite-prefix">On 11.04.22 21:13, Andreas Bollhalder
wrote:<br>
</div>
<blockquote type="cite" cite="mid:381d-62547e00-9-70bbce00@16436649">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
Hello Kevin<br>
<br>
Thanks a lot for your response.<br>
<br>
1) Regarding the speedtest, my firewall is limiting the speed to
around 6.5Gbit/s. It's a fanless device and not capable to let me
use the full 10Gbit/s. I host my hardware in my living room and
can't install more powerfull, beacuse it would be too noisy and
too big... My wife and kids will kill me :-)<br>
<br>
2) For the NIC currently in use: it's an Intel I219-LM (rev 10).
Maybe the are better models around. But I don't believe, they
would lower the CPU usage by magnitude(s). But I let me educate if
I'm wrong.<br>
<br>
3) The CPU in use has the AES-NI flag set in "/proc/cpuinfo". So a
litte acceleration is already in use.<br>
<br>
In the old days when using pfSense on a PC Engines Alix, I was
using a mini PCI crypto accelerator card. And it could double or
tripple the OpenVPN speed. So it seemed to me, that QAT could do
the same for Tor.<br>
<br>
Andreas<br>
<br>
On Monday, April 11, 2022 15:58 CEST, Thoughts
<a class="moz-txt-link-rfc2396E" href="mailto:thoughts@kevinsthoughts.com"><thoughts@kevinsthoughts.com></a> wrote:<br>
<blockquote type="cite"
cite="9af3b12e-4615-722a-83ed-7eaa2d4d035d@kevinsthoughts.com">Two
suggestions:<br>
<br>
1) Run speedtest (<a class="moz-txt-link-freetext" href="https://www.speedtest.net">https://www.speedtest.net</a>) from behind your
firewall<br>
and verify your actual bandwidth (or at least get a good
approximation<br>
<smile>).<br>
<br>
2) Check the brand of NIC in your current machine. Intel NICs
are<br>
reportedly much more efficient than RealTek for handling large
number of<br>
packets - which is why they are recommended for most firewall
machines. <br>
Suspect that logic would apply for a Tor Relay as well.<br>
<br>
Suspect you also want a CPU with AES-NI support. Check the
specs on the<br>
web, AES-NI should be called out. "cat /proc/cpuinfo | grep
aes" will<br>
also tell you if your running some flavor of linux.<br>
<br>
Kevin<br>
<br>
ps. Dig around on the web for firewall hardware recommendations.
I know<br>
I've seen some tables on throughput for pfsense, shouldn't be
too hard<br>
to find and might throw some light on the situation.<br>
<br>
pps. Very jealous of your connectivity!<br>
<br>
On 4/10/2022 2:32 PM, Andreas Bollhalder wrote:<br>
> Hi all<br>
><br>
> I have my first Tor relay up und running. It's currently
installed on<br>
> a little desktop computer with an Intel i5 9500T CPU. My
Internet<br>
> connection is 10Gb/s symetric. From this bandwidth, I would
be able to<br>
> spend a good part for supporting the Tor network.<br>
><br>
> With that little machine, it seems that it would max out at
somewhere<br>
> at ~30 MBytes/s. For my definitive Tor relay hardware, I'm
currently<br>
> researching some options, which would be capable of
handling Tor<br>
> traffic at the rate of 200 to 300MBytes. Even it would be
used<br>
> nowadays, but who knows whats coming in the future and I
hope this<br>
> relay would last 5 years ore so.<br>
><br>
> It looks to me, that with a normal CPU, it's impossible to
reach my<br>
> goal. But then I encountered, that Intel has the Quick
Assist<br>
> Technoloy (QAT) integrated in some of their products (ie.
Atom C3xx8).<br>
> This QAT can be used with OpenSSL as a hardware accelerator
for<br>
> encryption. There also exist dedicated PCIe cards with QAT
(ie.<br>
> Netgate CPIC-8955).<br>
><br>
> Searching the Internet, I couldn't find any information if
QAT would<br>
> be helpful with Tor. But Tor uses the OpenSSL library and
this can use<br>
> the QAT acceleration. Is there anyone who has tried this
und can share<br>
> his expirience?<br>
><br>
> Thanks in advance<br>
> Andreas<br>
><br>
> _______________________________________________<br>
> tor-relays mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a><br>
>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
_______________________________________________<br>
tor-relays mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a><br>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a></blockquote>
<br>
<br>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
tor-relays mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a>
</pre>
</blockquote>
</body>
</html>