ODROID firewalls

Post by Superfritz » Wed Nov 05, 2014 12:00 am

We are in charge of administrating several schools and always look for affordable, powerful hardware to fuel our firewalls. In my opinion, an ODROID with an integrated AES accelerator and hardware RNG onboard with like 3 NICs would be a perfect basis for all kinds of firewall/router tasks if combined with a Linux like IPCop or IPFire.

Maybe there are others out there who could use such a variant of an Odroid.
Superfritz
 
Posts: 10
Joined: Tue Nov 04, 2014 11:51 pm
languages_spoken: english, german

Re: ODROID firewalls

Post by LiquidAcid » Wed Nov 05, 2014 1:12 am

I don't see how AES factors into the firewall functionality.
LiquidAcid
 
Posts: 1080
Joined: Fri Oct 11, 2013 11:07 pm
languages_spoken: english
ODROIDs: X2

Re: ODROID firewalls

Post by Superfritz » Wed Nov 05, 2014 1:19 am

An AES accelerator is very useful with OpenVPN; it takes a lot of strain off the CPU.

Re: ODROID firewalls

Post by meveric » Wed Nov 05, 2014 6:58 am

I'm using my ODROID XU-Lite as a router/firewall and don't have any issues with it yet. The CPUs are mostly idle; I'm planning on activating OpenVPN soon and can report back on how much CPU that's using.
Donate to support my work on the ODROID GameStation Turbo Image for U2/U3 XU3/XU4 X2 X C1 as well as many other releases.
Check out the Games and Emulators section to find some of my work or check the files in my repository to find the software i build for ODROIDs.
If you want to add my repository to your image read my HOWTO integrate my repo into your image.
meveric
 
Posts: 9067
Joined: Mon Feb 25, 2013 2:41 pm
languages_spoken: german, english
ODROIDs: X2, U2, U3, XU-Lite, XU3, XU3-Lite, C1, XU4, C2, C1+, XU4Q, HC1

Re: ODROID firewalls

Post by Superfritz » Wed Nov 05, 2014 5:53 pm

Would be nice if you could add throughput measures to that test, to see how many Mbits/s are possible before CPU saturation.

Re: ODROID firewalls

Post by meveric » Wed Nov 05, 2014 7:01 pm

Hmm, I have to see how I can configure my network for that, because my internet will be too slow to do so. So I probably have to use my laptop or another ODROID directly connected to the XU to simulate that.

Re: ODROID firewalls

Post by Superfritz » Wed Nov 05, 2014 10:29 pm

I would suggest using the OpenSSL speed test to get a quick and easy result; here is some documentation (for OpenWRT, though):
http://wiki.openwrt.org/inbox/benchmark.openssl

Re: ODROID firewalls

Post by meveric » Wed Nov 05, 2014 11:25 pm

Code:
openssl speed md5 sha1 sha256 sha512 des des-ede3 aes-128-cbc aes-192-cbc aes-256-cbc rsa2048 dsa2048 | tee /tmp/sslspeed
Doing md5 for 3s on 16 size blocks: 2395937 md5's in 2.99s
Doing md5 for 3s on 64 size blocks: 1909751 md5's in 2.98s
Doing md5 for 3s on 256 size blocks: 1215694 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 475519 md5's in 3.00s
Doing md5 for 3s on 8192 size blocks: 71517 md5's in 3.00s
Doing sha1 for 3s on 16 size blocks: 2446696 sha1's in 3.00s
Doing sha1 for 3s on 64 size blocks: 1742487 sha1's in 3.00s
Doing sha1 for 3s on 256 size blocks: 945774 sha1's in 3.00s
Doing sha1 for 3s on 1024 size blocks: 335006 sha1's in 3.00s
Doing sha1 for 3s on 8192 size blocks: 47757 sha1's in 3.00s
Doing sha256 for 3s on 16 size blocks: 2727061 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 1514757 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 661069 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 203774 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 27356 sha256's in 3.00s
Doing sha512 for 3s on 16 size blocks: 1590678 sha512's in 3.00s
Doing sha512 for 3s on 64 size blocks: 1591962 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 584484 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 203125 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 28677 sha512's in 3.00s
Doing des cbc for 3s on 16 size blocks: 5282236 des cbc's in 3.00s
Doing des cbc for 3s on 64 size blocks: 1370914 des cbc's in 3.00s
Doing des cbc for 3s on 256 size blocks: 347805 des cbc's in 3.00s
Doing des cbc for 3s on 1024 size blocks: 87284 des cbc's in 3.00s
Doing des cbc for 3s on 8192 size blocks: 10919 des cbc's in 3.00s
Doing des ede3 for 3s on 16 size blocks: 2071097 des ede3's in 3.00s
Doing des ede3 for 3s on 64 size blocks: 525162 des ede3's in 3.00s
Doing des ede3 for 3s on 256 size blocks: 132087 des ede3's in 3.00s
Doing des ede3 for 3s on 1024 size blocks: 33081 des ede3's in 3.00s
Doing des ede3 for 3s on 8192 size blocks: 4137 des ede3's in 3.00s
Doing aes-128 cbc for 3s on 16 size blocks: 11415438 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 3023286 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 782124 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 197227 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 24716 aes-128 cbc's in 3.00s
Doing aes-192 cbc for 3s on 16 size blocks: 9971571 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 64 size blocks: 2621325 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 256 size blocks: 673675 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 1024 size blocks: 169569 aes-192 cbc's in 2.99s
Doing aes-192 cbc for 3s on 8192 size blocks: 21242 aes-192 cbc's in 3.00s
Doing aes-256 cbc for 3s on 16 size blocks: 8796422 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 2295686 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 587950 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 147841 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 18517 aes-256 cbc's in 3.00s
Doing 2048 bit private rsa's for 10s: 584 2048 bit private RSA's in 10.01s
Doing 2048 bit public rsa's for 10s: 19256 2048 bit public RSA's in 10.00s
Doing 2048 bit sign dsa's for 10s: 2006 2048 bit DSA signs in 9.99s
Doing 2048 bit verify dsa's for 10s: 1713 2048 bit DSA verify in 10.01s
OpenSSL 1.0.1f 6 Jan 2014
built on: Wed Oct 15 17:50:23 UTC 2014
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              12821.07k    41014.79k   103739.22k   162310.49k   195289.09k
sha1             13049.05k    37173.06k    80706.05k   114348.71k   130408.45k
des cbc          28171.93k    29246.17k    29679.36k    29792.94k    29816.15k
des ede3         11045.85k    11203.46k    11271.42k    11291.65k    11296.77k
aes-128 cbc      60882.34k    64496.77k    66741.25k    67320.15k    67491.16k
aes-192 cbc      53181.71k    55921.60k    57486.93k    58073.13k    58004.82k
aes-256 cbc      46914.25k    48974.63k    50171.73k    50463.06k    50563.75k
sha256           14544.33k    32314.82k    56411.22k    69554.86k    74700.12k
sha512            8483.62k    33961.86k    49875.97k    69333.33k    78307.33k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.017140s 0.000519s     58.3   1925.6
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.004980s 0.005844s    200.8    171.1
linaro@walhalla:~$ echo "|" `awk 'match($0,/r[0-9]+/) {print substr($0,RSTART,RLENGTH)}' /etc/banner` `awk -v FS=": " -v ORS="" '/(Processor|BogoMIPS|Hardware|machine|cpu model|system type)/ { print "| " $2 " " } END { print "" }' /proc/cpuinfo` `awk -v ORS="" '$1 ~ /OpenSSL/ {print "| " $2 " |"} $1 ~ /(md5|sha)/ {print "  " $5 " |"} $1 ~ /(des|aes)/ {b = b "  " $6 " |"} $1 ~ /(rsa|dsa)/ {print b "  " $6 " |  " $7 " ";b=""} END { print "|" }' /tmp/sslspeed | sed 's/\.\(..\)k/\10/g'`
awk: cannot open /etc/banner (No such file or directory)
| | ARMv7 Processor rev 3 (v7l) | 1785.85 | 1785.85 | 1785.85 | 1785.85 | ODROIDXU | 1.0.1f | 162310490 | 114348710 | 69554860 | 69333330 | 29792940 | 11291650 | 67320150 | 58073130 | 50463060 | 58.3 | 1925.6 200.8 | 171.1 |


Let's sort this a little:
Code:
OS                    SoC             CPU                             Device            BogoMIPS    OpenSSL Version
--------------------------------------------------------------------------------------------------------------------
Ubuntu 14.04. LTS     Exynos 5410     ARMv7 Processor rev 3 (v7l)     ODROIDXU-Lite     1785.85     1.0.1f

MD5        SHA-1      SHA-256   SHA-512   DES       3DES      AES-128   AES-192   AES-256   RSA Sign  RSA Verify  DSA Sign  DSA Verify
---------------------------------------------------------------------------------------------------------------------------------------
162310490  114348710  69554860  69333330  29792940  11291650  67320150  58073130  50463060  58.3      1925.6      200.8     171.1


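Added example, not part of the original posts: the summary table above is in thousands of bytes per second, so this converts one block-size column into Mbit/s per algorithm, which is easier to hold against a link speed. The function names `speed_to_mbit` and `sample_table` are this example's own, the sample rows are copied from the XU-Lite table above, and the result is a single-core raw cipher rate, not a measured VPN throughput.

```shell
#!/bin/sh
# Added example: convert the `openssl speed` summary table to Mbit/s.

# speed_to_mbit BLOCKSIZE [FILE]
# Prints "<algorithm> <Mbit/s>" for one block-size column of the summary
# table; reads stdin when FILE is omitted. Returns 2 if the column is absent.
speed_to_mbit() {
    awk -v want="$1" '
        # Header: "type  16 bytes  64 bytes ..." -> locate the wanted column.
        $1 == "type" {
            ncols = 0
            for (i = 2; i < NF; i += 2) { ncols++; if ($i == want) col = ncols }
            next
        }
        # Data rows end in ncols values such as "67320.15k"; the fields in
        # front of them are the algorithm name, which may contain a space.
        col && NF > ncols && $NF ~ /^[0-9.]+k$/ {
            name = $1
            for (i = 2; i <= NF - ncols; i++) name = name "-" $i
            kbytes = $(NF - ncols + col)
            sub(/k$/, "", kbytes)
            # table unit is 1000 bytes/s: x 8 bits, / 1000 -> Mbit/s
            printf "%s %.1f\n", name, kbytes * 8 / 1000
        }
        END { exit (col ? 0 : 2) }
    ' "${2:--}"
}

# Rows copied from the XU-Lite summary table posted above.
sample_table() {
    cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              12821.07k    41014.79k   103739.22k   162310.49k   195289.09k
aes-128 cbc      60882.34k    64496.77k    66741.25k    67320.15k    67491.16k
aes-256 cbc      46914.25k    48974.63k    50171.73k    50463.06k    50563.75k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.017140s 0.000519s     58.3   1925.6
EOF
}

sample_table | speed_to_mbit 1024
```

On a real run, point it at the saved output instead: `speed_to_mbit 1024 /tmp/sslspeed`.
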
Re: ODROID firewalls

Post by Superfritz » Thu Nov 06, 2014 12:03 am

Thank you very much, those results look pretty good, wouldn't have expected those from ARM architecture.

Re: ODROID firewalls

Post by meveric » Thu Nov 06, 2014 1:15 am

U3 results:
Code:
OS                SoC                   CPU                             Device                  BogoMIPS    OpenSSL Version
----------------------------------------------------------------------------------------------------------------------------
Debian Wheezy     Exynos 4412 Prime     ARMv7 Processor rev 0 (v7l)     ODROID U3 rev. 0.2      3394.86     1.0.1e

MD5        SHA-1      SHA-256   SHA-512   DES       3DES      AES-128   AES-192   AES-256   RSA Sign  RSA Verify  DSA Sign  DSA Verify
---------------------------------------------------------------------------------------------------------------------------------------
148185430  109587110  68624380  55714470  28987390  10914820  59853480  52911100  46196740  51.4      1705.0      173.7     145.5


XU3 results:
Code:
OS                   SoC              CPU                             Device          BogoMIPS   OpenSSL Version
-----------------------------------------------------------------------------------------------------------------
Ubuntu 14.04 LTS     Exynos 5422      ARMv7 Processor rev 3 (v7l)     ODROID XU3      120.00     1.0.1f

MD5        SHA-1      SHA-256   SHA-512   DES       3DES      AES-128   AES-192   AES-256   RSA Sign  RSA Verify  DSA Sign  DSA Verify
---------------------------------------------------------------------------------------------------------------------------------------
223471270  158871890  99253930  98067460  42521600  16025940  94912170  82566490  72019630  83.2      2722.1      285.7     248.8


Well looks like XU3 really has quite some punch.

Re: ODROID firewalls

Post by Superfritz » Fri Nov 07, 2014 9:23 pm

It seems there is enough raw CPU power to make AES fast enough; still missing a hardware RNG to provide sufficient entropy.

Re: ODROID firewalls

Post by LiquidAcid » Fri Nov 07, 2014 9:31 pm

Superfritz wrote: It seems there is enough raw CPU power to make AES fast enough; still missing a hardware RNG to provide sufficient entropy.

exynos-rng

Re: ODROID firewalls

Post by Superfritz » Fri Nov 07, 2014 10:46 pm

So there is an RNG integrated? Couldn't find any hint of it in the documentation.

EDIT:

Btw the Exynos 5433 with ARM8-A seems to have explicit AES acceleration integrated.

Re: ODROID firewalls

Post by Superfritz » Sat Nov 08, 2014 4:22 pm

Sorry, double post for pump:

Can someone give me the output of

cat /proc/sys/kernel/random/entropy_avail

To check how much entropy there is?

Re: ODROID firewalls

Post by meveric » Sat Nov 08, 2014 5:43 pm

That question makes no sense.
Entropy depends on the amount of random data collected on a device.
A newly booted device will probably have no entropy at all, while a system that runs for days/weeks/months and does a lot of jobs (like web server, firewall, etc.) has quite a lot of entropy.
Even just having a system up for a month won't guarantee you have a lot of entropy. I have an ODROID that's been running for a month straight but has rather low entropy, which is normal, because it's just sitting there idle and waits for me to do stuff; it's not doing anything on its own (I use it to build programs on it).

While my ODROID acting as a router with firewall and other stuff running has only been up for 16 days without reboot, but has 10 times the entropy of the other ODROID.

Re: ODROID firewalls

Post by Superfritz » Sat Nov 08, 2014 6:17 pm

It seems I got misled; I was under the impression that command would return the amount of generated entropy, not the pool size.

Strange thing: on our HRNG-equipped Alix firewalls, I get a return value of 12-13k, which would be a lot more than the supposed 4096-bit max pool size.

Re: ODROID firewalls

Post by meveric » Sat Nov 08, 2014 8:21 pm

What you're looking for is:
cat /proc/sys/kernel/random/poolsize

which is the maximal possible value, and that should be 4096 for all ODROIDs.
My router is actually hitting this value in entropy_avail, but the other ODROIDs are far from that.

Re: ODROID firewalls

Post by Superfritz » Sat Nov 08, 2014 9:40 pm

Seems like they modified the parameters for the IPfire distribution:

[*]# cat /proc/sys/kernel/random/poolsize
16384
[*]# cat /proc/sys/kernel/random/entropy_avail
12470

Maybe because it is custom made for firewall/router tasks.

Here are copy rates from /dev/random and /dev/hwrng:

[*]# dd if=/dev/random of=random.bin
667+135 records in
749+0 records out
383488 bytes (383 kB) copied, 9.11594 seconds, 42.1 kB/s

[*]# dd if=/dev/random of=random2.bin
1224+232 records in
1365+0 records out
698880 bytes (699 kB) copied, 16.3079 seconds, 42.9 kB/s

[*]# dd if=/dev/hwrng of=random3.bin
4942+1 records in
4942+0 records out
2530304 bytes (2.5 MB) copied, 7.75796 seconds, 326 kB/s

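Added example, not from any of the posters: a small check that puts entropy_avail next to poolsize and names the driver behind /dev/hwrng, read from the kernel's /sys/class/misc/hw_random/rng_current file. The function names and the fixture (built from the IPFire values quoted above, with a made-up driver name) are this example's own.

```shell
#!/bin/sh
# Added example: report kernel entropy pool fill and the active hwrng driver.

# rng_report [RANDOM_DIR] [HW_RANDOM_DIR]
# Prints one line: entropy_avail, poolsize, fill percentage, current hwrng.
# Returns 1 if the pool counters are missing or not numeric.
rng_report() {
    random_dir="${1:-/proc/sys/kernel/random}"
    hw_dir="${2:-/sys/class/misc/hw_random}"

    avail=$(cat "$random_dir/entropy_avail" 2>/dev/null) || return 1
    pool=$(cat "$random_dir/poolsize" 2>/dev/null) || return 1
    case "$avail" in ''|*[!0-9]*) return 1 ;; esac
    case "$pool" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pool" -gt 0 ] || return 1

    # entropy_avail only means something relative to poolsize:
    # 12470 is "over 4096" but only about three quarters of a 16384-bit pool.
    fill=$(( avail * 100 / pool ))

    # rng_current names the driver feeding /dev/hwrng; "none" (or a missing
    # file) means no hardware RNG is registered with the kernel.
    hwrng=$(cat "$hw_dir/rng_current" 2>/dev/null) || hwrng=""
    [ -n "$hwrng" ] || hwrng="none"

    echo "entropy_avail=$avail poolsize=$pool fill=${fill}% hwrng=$hwrng"
}

# Constructed fixture with the IPFire values quoted above, so the example
# runs without the real /proc and /sys. "example-rng" is a made-up name.
make_fixture() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/random" "$dir/hw_random"
    echo 12470 > "$dir/random/entropy_avail"
    echo 16384 > "$dir/random/poolsize"
    echo example-rng > "$dir/hw_random/rng_current"
    echo "$dir"
}

fx=$(make_fixture)
rng_report "$fx/random" "$fx/hw_random"   # fixture values
rng_report "$fx/random" "$fx/missing"     # no hwrng driver registered
rm -rf "$fx"
```

Called with no arguments, `rng_report` reads the live /proc and /sys paths of the machine it runs on.
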
Re: ODROID firewalls

Post by jimmyp » Thu May 19, 2016 7:48 pm

Superfritz wrote: We are in charge of administrating several schools and always look for affordable, powerful hardware to fuel our firewalls. In my opinion, an ODROID with an integrated AES accelerator and hardware RNG onboard with like 3 NICs would be a perfect basis for all kinds of firewall/router tasks if combined with a Linux like IPCop or IPFire.

Maybe there are others out there who could use such a variant of an Odroid.


I think this hardware would be a great idea... would like to see it as I would want to buy a few.
C2 or XU4 with three NICs and AES would work very nicely for pfSense, OPNSense, IDS/IPS or the like.
jimmyp
 
Posts: 4
Joined: Wed Jan 20, 2016 9:41 pm
languages_spoken: english
ODROIDs: ODROID-XU4

Re: ODROID firewalls

Post by stfNL » Sun Aug 07, 2016 11:51 am

Check out this board: http://www.pcengines.ch/apu2c2.htm

Perfect for running pfSense.
stfNL
 
Posts: 12
Joined: Sun Aug 07, 2016 7:47 am
languages_spoken: English, Nederlands
ODROIDs: C2

Re: ODROID firewalls

Post by elatllat » Thu Jun 07, 2018 6:54 am

The N1 is ~10x faster at crypto than the XU4.

A pfSense build for ODROID would be nice.

Especially since it would be easy to verify infection, unlike everyone's current home router (assuming no SPI):

https://arstechnica.com/information-tec ... e-thought/
elatllat
 
Posts: 1019
Joined: Tue Sep 01, 2015 8:54 am
languages_spoken: english
ODROIDs: XU4, N1

