Comment by mrb

Comment by mrb a day ago

20 replies

View on Hacker News

I can't think of a scenario where this is useful. They claim "Full-throttle, wire-speed hardware implementation of Wireguard VPN" but then go on implementing this on a board with a puny set of four 1 Gbps ports... The standard software implementation of Wireguard (Linux kernel) can already saturate Gbps links (wirespeed, check) and can even approach 10 Gbps on a mid-range CPU: https://news.ycombinator.com/item?id=42172082

If they had produced a platform with four 10 Gbps ports, then it would become interesting. But the whole hardware and bitstream would have to be redevelopped almost from scratch.

jasonwatkinspdx 20 hours ago

It's an educational project. No need to put it on blast over that. CE/EE students can buy a board for a couple hundred bucks and play around with this to learn.

A hypothetical ASIC implementation would beat a CPU rather soundly on a per watt and per dollar basis, which is why we have hardware acceleration for other protocols on high end network adaptors.

Personally, if I could buy a Wireguard appliance that was decent for the cost, I'd be interested in that. I ran a FreeBSD server in my closet to do similar things back in the day and don't feel the need to futz around with that again.

Reply View 1 reply
  • mrb 9 hours ago

    I agree that if the goal is to be educational, it's an excellent interesting project. But there is no need to make dishonest claims on their web page like "the software performance is far below the speed of wire"

    Reply View 0 replies
bri3d a day ago

There’s a strong air of grantware to it. The notion that it could be end-to-end auditable from the RTL up is interesting, though, and generally Wireguard performance will tank with a large routing table and small MTUs like you might suffer on a VPN endpoint server while this project seems to target line speed even at the absolute worst case routing x packets scenario.

Reply View 3 replies
  • asimovDev 21 hours ago

    what do you mean by grantware?

    Reply View 2 replies
    • roywashere 21 hours ago

      The project got a grant from NLnet. I think they do a great job, they gave grants to many nice projects (and also some projects that are going nowhere, but I guess that is all in the game). NLnet really deserves praise for what they are doing!! https://nlnet.nl/thema/NGI0CommonsFund.html

      Reply View 0 replies
    • bri3d 16 hours ago

      Academic projects which receive grant money to produce papers and slides. This still can advance the state of the art, to be clear, and I like the papers and slides coming out of this project. But I wouldn’t cross my fingers for a working solution anytime soon.

      Reply View 0 replies
Veserv 18 hours ago

Why would you even need dedicated hardware for just 40 Gb/s? That is within single-core decryption performance which should be the bottleneck for any halfway decent transport protocol. Are we talking 40 Gb/s at minimum packet size so you need to handle ~120 M packets/s?

Reply View 1 reply
  • wildzzz 15 hours ago

    Because the entire stack is auditable here. There's no Cisco backdoor, no Intel ME, no hidden malware from a zombie NPM package. It's all your hardware.

    Reply View 0 replies
vzaliva 15 hours ago

I can see this as a hardened VPN in a mission-critical deployment, which could not be as easily compromised as a software stack.

Reply View 0 replies
ssl-3 9 hours ago

My dude: As far as I know, it's the first implementation of Wireguard in an FPGA.

It does not have to be all things for all people today. It can be improved. (And it appears to be open-source under a BSD license; anyone can begin making improvements immediately if they wish.)

Concepts like "This proof-of-concept wasn't explored with multiple 10Gbps ports! It is therefore imperfect and thus disinteresting!" are... dismaying, to say the least.

It would be an interesting effort if it only worked with two 10Mbps ports, just because of the new way in which it accomplishes the task.

I don't want to live in a world where the worth of all ideas is reduced a binary concept, where all things are either perfect or useless.

(Fortunately for me, I do not live in such a world that is as binary as that.)

Reply View 0 replies
wmf 21 hours ago

IMO it would be cool if they added Wireguard to Corundum but it would be expensive enough that they wouldn't get any hobbyist cred.

Reply View 0 replies
brcmthrowaway 21 hours ago

If a PC can do 10Gbps, are there any cycles left for other stuff?

Reply View 1 reply
  • soneil 20 hours ago

    bps are easy. packets per second is the crunch. Say you've got 64 bytes per packet, which would be a worst-case-scenario - you're down to 150Mpacket/sec. Sending one byte after another is the easy bit, the decisions are made per-packet.

    Reply View 0 replies
renewiltord a day ago

Amusingly, a lot of people have always been convinced that doing 10 Gbps is impossible on VPN. I recall a two-year old post on /r/mikrotik where everyone was telling OP it was impossible with citations and sources of why but then it worked

https://old.reddit.com/r/mikrotik/comments/112mo4v/is_there_...

Reply View 6 replies
  • Avamander 20 hours ago

    Mikrotik's hardware often can't even do linespeed beyond basic switching, not to mention VPN, so yeah.

    Reply View 3 replies
    • renewiltord 15 hours ago

      I meant the comments. Sadly I've linked the wrong permalink and confused everyone.

      > > > I see. I'll terminate at the Ryzen 7950 box behind the router and see what I get.

      > > That will still be a no. Outside of very specialized solutions this level of the performance is not available. It is rarely needed in real life anyways. Only small amount of traffic neess to be protected this way; for everything else point to point protection with ssh or tls is adequate. I studied different router devices and most (ipsec is dominant) have low encryption truoughput compared to routing capabilities. I guess that matches market requrements.

      > It looks like I can get 8 Gbps with low CPU utilization using one of my x86 machines as terminal. This is pretty good. Don't need 10 G precisely. 8G is enough.

      I've done precisely this so easily. I just terminate the WG at a gateway node and switch in Linux. It's trivial and throughput can easily max the 10G. I had a 40G network behind that on obsolete hardware providing storage and lots of machines reading from that.

      Reading that thread was eye-opening since they should have just told him to terminate on the first machine behind. Which he eventually did and predictably worked.

      Reply View 2 replies
      • mrb 9 hours ago

        You are right. It's amusing how this pattern emerges often: an unoptimized tech stack gives mild performance results. This is "good enough" for most people. Over the years everyone seems to assume that's just the way it is and it will always be because the tech is inherently "complex". Then a competitor comes out of the water and their performance blows everyone out of the water, so everyone realized the tech could have been optimized all this way if anyone had just tried to.

        Reply View 1 reply
        • Avamander 3 hours ago

          Yeah, this is especially true with multi-gigabit networking. It's actually really depressing how hard it is to find performant solutions, be it for file sharing or just HTTP.

          Reply View 0 replies
  • Hikikomori 21 hours ago

    They're discussing mikrotik hardware specifically? Enterprise stuff or a powerful server can easily do it.

    Reply View 0 replies
  • esseph 20 hours ago

    It's highly going to depend on the hardware in use.

    Reply View 0 replies