From: Nicolas Blais
To: freebsd-current@freebsd.org
Date: Tue, 31 Oct 2006 16:29:01 -0500
Subject: Hifn 7955/7956 crypto accelerator questions
Message-id: <200610311629.06271.nb_root@videotron.ca>

Hi,

I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn 7956) to do some performance tests in a military environment with FreeBSD systems. Since this is a big project and I don't want to jump in something destined to fail, I'll ask your expertise.

1. After searching the mailing lists for reports of performance with openssl and crypto accelerators, I did not find anything that showed an increase in performance with the cards (though some posts date back to FBSD4.8). Does openssl today make correct use of the crypto hardware?

2. From what I understand, ssh is supposed to increase in performance with those cards. Assuming two FreeBSD computers with crypto accelerators are transferring big files (say sftp) in a cipher that the card and driver supports, would the transfer rate be at or near clear-text speed (in a 100mbps link)?

3. How does GEOM_ELI use crypto hardware to accelerate working with encrypted partitions? Again, with big file systems, would a gain in performance be noticeable?

4. Also, it seems that asymmetric crypto support is not yet implemented in the hifn driver (according to the man page). Is it safe to assume that pgp will not be accelerated? Any plans to support it? (perhaps this is an OpenBSD question...)

The whole idea is to reduce conversion and transfer time with highly sensitive, huge files (> 1 GB, sometimes near 10 GB). We currently use a commercial software compatible with PGP, but there are security and logistical issues with it (the commercial software, not PGP). Encrypting a 2GB file with PGP, even on a modern machine, takes a long time. I've done tests with geli and am so far satisfied with it, but it is a storage encryption and doesn't allow us to safely transfer data unless we physically transfer the disk or use ssh. With geli, you also have to make sure that the created partition is only readable/writeable by the user you want access allowed to, which reduces the total security of the information due to human negligence.

Nicolas.

-- 
FreeBSD 7.0-CURRENT #9: Tue Oct 31 15:44:23 EST 2006
nicblais@clk01a:/usr/obj/usr/src/sys/CLK01A
PGP? : http://www.clkroot.net/security/nb_root.asc