The Crypto Engine in Edgerouter X

In 2011 MediaTek made a deal to license crypto core IP from Authentec Inc, a company acquired by Apple in 2012. It is a safe bet that this IP core is used widely across MediaTek's SoC offerings, including the MT7621 used in the Edgerouter X.

Authentec calls its IP the EIP-93 Packet Engine. It consists of three functional units: packet engine control (PEC), packet engine datapath (PED) and the optional public key processor (PKP).

*MT7621 with EIP-93 Crypto*

Authentec offers EIP-93 in several configurations. Which one MediaTek chose is hard for outsiders to guess, but Edgerouter X's firmware release notes give us some hints. It's safe to say MediaTek goes with the most feature-rich configuration, EIP-93ies, or a custom variant of it. EIP-93ies is capable of:

  • IPsec ESP and SRTP acceleration
  • MD5, SHA1, SHA224, SHA256 hashing
  • AES 128, 192 and 256-bit key crypto
  • SSL, TLS and DTLS
  • 450 Kpps for 64-byte packets
  • 54 Kpps for "large" packets

I believe PKP is responsible for SSL/TLS/DTLS acceleration which, for example, can speed up webpages over HTTPS. This feature is left unused in EdgeOS.

Authentec quotes 300-500 Mbit/s of IPsec throughput for EIP-93, depending on the actual clock frequency after integration. MediaTek quotes a lower number for the MT7621: 200 Mbit/s IPsec.

Ubiquiti seems to recognise this performance in EdgeOS. ER-X users have shown that the v1.9 beta firmware can achieve >200 Mbit/s with ESP AES256/SHA1. EIP-93 should perform equally with 128 or 256-bit AES, and these test results corroborate that.

OpenVPN operating in user space is not the reason that HW crypto is not enabled. EIP-93 can well accelerate OpenVPN. My guess is that it is not enabled in EdgeOS because MediaTek's SDK likely does not ship with OpenSSL support. Or maybe they do, but Cavium does not for its older chips. If you see what I mean.

Between the Cavium platform (e.g. ER-L and ER-Pro) and the ER-X platform, the accelerated crypto is pretty much the same from my check. I could have missed a thing or two. Notably, though, Cavium-based models cannot do SHA-256 but the ER-X can. That's great news for ER-X owners since SHA1 is considered broken.

Like many interesting tech firms, Authentec no longer exists. EIP-93 is owned and offered by a different company.

