On 2020-05-12 06:05, Matt Dunwoodie wrote:
>  I don't want to put misleading numbers out there and every use case
>    is different, therefore you should perform your own tests. In my
>    environment (tcbbench between two Lenovo x230 (i5-3320m), em(4)
>    ethernet) I was seeing 750mbit/s. This was compared to default
>    isakmpd(8) with a basic ike psk configuration, which achieved
>    380mbit/s. Different configurations will behave differently, of
>    course, but I think we're off to a pretty good start here.

That is certainly more than fast enough for my purposes and at slower speeds
will cause no issue, with the bonus that hw that does not have AES-NI will still
be performant.

However I assume that compared to using AES-NI, the machine will be running a
lot hotter, using more power and be less usable for other tasks.

Especially, less powerful systems will have far less performance when their hw
support is not utilised and, contrary to the WireGuard paper, many embedded
systems do have AES hw support.

I imagine supporting all those embedded hw variants is problematic and part of
the reason AES might have been avoided?

I just wonder: is there scope in the design for adding AES-NI support in the
future, as a config option even, rather than a runtime negotiation like OpenSSH
facilitates?
