From owner-freebsd-security@FreeBSD.ORG Mon Feb 14 20:43:10 2005
From: Slaanesh
Date: Mon, 14 Feb 2005 21:42:59 +0100
To: freebsd-security@freebsd.org
Message-ID: <42110D53.9020500@flug.org.pl>
Subject: new nmap

New nmap!!!
www.insecure.org

slaanesh

From owner-freebsd-security@FreeBSD.ORG Tue Feb 15 17:08:49 2005
From: Mikhail
Date: Tue, 15 Feb 2005 20:08:47 +0300
To: freebsd-security@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: weird queue keep-state behavior

I'm just one of those weirdos who wants to build a powerful queue shaper (not QoS, but close) with ipfw2 on FreeBSD 4.x-stable. My server uses the common NAT+FW ADSL router configuration, with one external IP on the external network interface (we're using the ADSL modem in bridge mode). I've configured a single pipe, configured queues to use that pipe, and added queues with different weights, distinguished by destination port.
// I'm doing NAT with these rules:
03400 divert 8668 ip from { 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 or me } to any out via bfe0
03600 divert 8668 ip from any to me in via bfe0

// Here the queues are defined:
09600 queue 1 udp from me to any dst-port 53,123 out via bfe0 keep-state
09800 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay iplen 32-68 established
10000 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay established
10200 queue 2 tcp from any 1024-65535 to any out via bfe0 iptos lowdelay setup keep-state
10400 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 iplen 32-68 established
10600 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 established
10800 queue 3 tcp from any 1024-65535 to any dst-port 22,194,5190,23 out via bfe0 setup keep-state
11000 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 iplen 32-68 established
11200 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 established
11400 queue 4 tcp from any 1024-65535 to any dst-port 21,80,8080,443,8101,8081 out via bfe0 setup keep-state
11600 queue 5 tcp from any 1024-65535 to any out via bfe0 iplen 32-68 established
11800 queue 5 tcp from any 1024-65535 to any out via bfe0 established
12000 queue 5 tcp from any 1024-65535 to any out via bfe0 setup keep-state
12200 queue 6 udp from any 1024-65535 to any out via bfe0 keep-state
12400 allow tcp from any to 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 in via bfe0 established
// The last rule is for the weird packets that natd is pushing back into the stack.

When a client downloads a file via passive FTP from the NAT'ed internal network, he gets ${ADSL_INBOUND_SPEED} (55 KByte/s). Here is the problem: when I ssh to the server and start the SAME connection with wget, I get only 14 KByte/s.
Hitting "ipfw show" many times, I've discovered that in the first case the counters of rule 12000 increment slowly and the counters of rule 12400 increment very fast. In the second case only the counters of rule 12000 increment, and fast compared to the first case. So here is the question: should I remove the "keep-state" statements and use a stateless firewall, adding "established" rules, or is this a bug (in that tracking the state of a data flow in a queue in both directions is bad, because in that case we limit the speed of the inbound connection as well as the outbound one (the latter is what's desired))? Thanks beforehand.

PS: I can post my rc.firewall here on demand, or exec whatever you want me to exec.

From owner-freebsd-security@FreeBSD.ORG Tue Feb 15 19:33:45 2005
From: Piotr Chytla
Date: Tue, 15 Feb 2005 20:33:43 +0100
To: freebsd-security@freebsd.org
Message-ID: <20050215193342.GA19313@fouk.org>
Subject: Identd in jail.
Hi

A few days ago I had a problem running identd in a jail on 4.10-stable. I found that the getcred() sysctl isn't permitted from within a jail on 4.x. R. Watson suggested a "cheap hack" for this, but I've solved it without patching the kernel. My patched ident gets the result of the getcred() sysctl from the jauthd daemon via a unix socket. Jauthd is simply a getcred proxy: it gets two sockaddr_in from the jailed process and sends back a ucred. The jauthd daemon can be extended to verify the data received from the jailed process, and of course to listen in many jails. I know this isn't far better than the "cheap hack" :)) but for sure it doesn't give the getcred sysctl to everyone in the system and in all jails.

http://fouk.org/~pch/patches/builtins.c.patch
Apply this patch to /usr/src/usr.sbin/inetd/builtins.c and add AUTHJAIL to the Makefile.

http://fouk.org/~pch/patches/jauthd.c

/pch

From owner-freebsd-security@FreeBSD.ORG Fri Feb 18 04:00:04 2005
From: sekchye goh
Date: Fri, 18 Feb 2005 12:00:02 +0800
To: freebsd-security@freebsd.org
Message-ID: <21f8a77b0502172000693da743@mail.gmail.com>
Subject: multiple crypto accelerator cards in one FreeBSD box

Hi there!

We are thinking of deploying an IPSEC VPN concentrator using multiple PCI-bus version VPN1401 cards in a FreeBSD box using hifn support. From the technical specs on the Soekris website, http://www.soekris.com/vpn1401.htm, each card can support 24 to 70 connections. The question is: if we put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support 3 x (24 to 70) IPSEC connections?

Thanks in advance for the clarification and advice!
Best regards
Sekchye

From owner-freebsd-security@FreeBSD.ORG Fri Feb 18 05:53:18 2005
From: sekchye goh
Date: Fri, 18 Feb 2005 13:53:17 +0800
To: Sam Leffler
Cc: freebsd-security@freebsd.org
Message-ID: <21f8a77b050217215355da2672@mail.gmail.com>
In-Reply-To: <42157B60.8000404@errno.com>
Subject: Re: multiple crypto accelerator cards in one FreeBSD box

Hi Sam,

Thanks for the enlightening answer.
Initially we were thinking of building a super-duper IPSEC VPN concentrator using FreeBSD with multiple crypto accelerator cards like the Soekris VPN1401 and a Gigabit interface card, to terminate many, many IPSEC connections in one single box. After reading your reply, I guess we will just use one crypto accelerator card in each FreeBSD box and scale up by adding more boxes. Thanks!

On Thu, 17 Feb 2005 21:21:36 -0800, Sam Leffler wrote:
> sekchye goh wrote:
> > Hi there!
> > we are thinking of deploying a IPSEC VPN concentrator using multiple PCI bus
> > version VPN1401 cards in a FreeBSD box using hifn support..
> > From the technical specs in Soekris website
> > http://www.soekris.com/vpn1401.htm,
> > each card can support 24 to 70 connections. The question is if we
> > put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
> > 3 x (24 to 70) IPSEC connections ?
> >
> Not sure where the 24-70 connection numbers come from. If it's based on
> allocating session state in on-chip SDRAM then that was removed a while
> ago by moving the session state allocation to host memory. If the
> numbers are representative of peak performance then I'd be curious where
> they came from. Understand that you're likely to be bus-limited for
> performance and adding additional cards isn't going to help unless cards
> are on separate pci buses. Beware however that the current crypto code
> does not manage multiple cards well. If you decide to go with multiple
> cards you'll want to do some load balancing.
>
> Sam
>

From owner-freebsd-security@FreeBSD.ORG Fri Feb 18 06:17:33 2005
From: sekchye goh
Date: Fri, 18 Feb 2005 14:17:32 +0800
To: Sam Leffler
Cc: freebsd-security@freebsd.org
Message-ID: <21f8a77b05021722173994d3bf@mail.gmail.com>
In-Reply-To: <42157B60.8000404@errno.com>
Subject: Re: multiple crypto accelerator cards in one FreeBSD box

Hi Sam,

On Thu, 17 Feb 2005 21:21:36 -0800, Sam Leffler wrote:
> Beware however that the current crypto code
> does not manage multiple cards well. If you decide to go with multiple
> cards you'll want to do some load balancing.

Just to explore the load balancing: I searched but cannot find much info on IPSEC load balancing with multiple crypto accelerator cards. How do I do IPSEC load balancing with multiple cards in FreeBSD? Any pointers will be much appreciated. Thanks!

Best regards
Goh Sek Chye

From owner-freebsd-security@FreeBSD.ORG Fri Feb 18 05:20:59 2005
From: Sam Leffler
Organization: Errno Consulting
Date: Thu, 17 Feb 2005 21:21:36 -0800
To: sekchye goh
Cc: freebsd-security@freebsd.org
Message-ID: <42157B60.8000404@errno.com>
In-Reply-To: <21f8a77b0502172000693da743@mail.gmail.com>
Subject: Re: multiple crypto accelerator cards in one FreeBSD box

sekchye goh wrote:
> Hi there!
> we are thinking of deploying a IPSEC VPN concentrator using multiple PCI bus
> version VPN1401 cards in a FreeBSD box using hifn support..
> From the technical specs in Soekris website
> http://www.soekris.com/vpn1401.htm,
> each card can support 24 to 70 connections. The question is if we
> put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
> 3 x (24 to 70) IPSEC connections ?
>

Not sure where the 24-70 connection numbers come from. If it's based on allocating session state in on-chip SDRAM then that was removed a while ago by moving the session state allocation to host memory. If the numbers are representative of peak performance then I'd be curious where they came from. Understand that you're likely to be bus-limited for performance, and adding additional cards isn't going to help unless the cards are on separate PCI buses. Beware, however, that the current crypto code does not manage multiple cards well. If you decide to go with multiple cards you'll want to do some load balancing.
Sam

From owner-freebsd-security@FreeBSD.ORG Fri Feb 18 18:16:36 2005
From: Sam Leffler
Date: Fri, 18 Feb 2005 10:17:19 -0800
To: sekchye goh
Cc: freebsd-security@freebsd.org
Message-ID: <4216312F.10609@errno.com>
In-Reply-To: <21f8a77b05021722173994d3bf@mail.gmail.com>
Subject: Re: multiple crypto accelerator cards in one FreeBSD box

sekchye goh wrote:
> Hi Sam,
>
> On Thu, 17 Feb 2005 21:21:36 -0800, Sam Leffler wrote:
>
>> Beware however that the current crypto code
>> does not manage multiple cards well. If you decide to go with multiple
>> cards you'll want to do some load balancing.
>
> just to explore the load balancing, I searched but cannot find much
> info on IPSEC load balancing with multiple crypto accelerator cards.
> How do I do IPSEC load balancing with multiple cards in FreeBSD?
> Any pointers will be much appreciated. Thanks!

The load balancing I mentioned was for the crypto subsystem. OpenBSD has a small change to round-robin session allocation across devices so you can actually use more than one crypto card in a machine. You could try that, though I think you'd find the results unsatisfying. I did a prototype load balancer a while back that was more intelligent but never got it to the point where it could be committed. I'd like to revisit that work this year but it will depend on time+funding.

Sam

From owner-freebsd-security@FreeBSD.ORG Fri Feb 18 19:41:18 2005
From: Marc Bevand
Date: Fri, 18 Feb 2005 20:41:13 +0100
To: sekchye goh
Cc: freebsd-security@freebsd.org
Message-ID: <20050218194113.GA1082@marx.epita.fr>
In-Reply-To: <21f8a77b0502172000693da743@mail.gmail.com>
Subject: Re: multiple crypto accelerator cards in one FreeBSD box

sekchye goh wrote:
| Hi there!
| we are thinking of deploying a IPSEC VPN concentrator using multiple PCI bus
| version VPN1401 cards in a FreeBSD box using hifn support..
| From the technical specs in Soekris website
| http://www.soekris.com/vpn1401.htm,
| each card can support 24 to 70 connections. The question is if we
| put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
| 3 x (24 to 70) IPSEC connections ?

No, the 24 or 70 figure refers to the number of new connections per second (where each new connection involves 1 sign or verify public-key operation; such operations are usually the bottleneck).

But if you want something really fast, and if you can spend another couple of hundred dollars on the motherboard/CPU, do the crypto in software; it will be faster than a hardware solution using those Soekris vpn14x1 cards. According to their tech specs, the highest throughput they support while doing encryption is 460 Mbps. For reference, a 1.8 GHz Opteron (x44) can encrypt with RC4 at 2500 Mbps. As an example, this means you can choose to limit the throughput to 1250 Mbps and keep 50% of your CPU time for other applications, or just add a second CPU to your system. A 2.2 GHz Opteron (x48) scales to 3100 Mbps, a 2.6 GHz one (x52) would scale to 3700 Mbps.

The performance/price ratio depends on which CPU and which crypto card are compared; sometimes the hardware solution has the advantage, sometimes the software solution. The downside of the software solution is that some algorithms are quite slow (DES), while others are blazing fast (RC4, MD5). Depending on your security requirements, this may or may not be a problem.

--
Marc Bevand
http://epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.
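Added example, not code from this thread or from FreeBSD: a script that automates the check Mikhail describes in the "weird queue keep-state behavior" message above (running "ipfw show" repeatedly and watching which rule counters move). It takes two snapshots of "ipfw show" output (on FreeBSD, "ipfw show" is "ipfw -a list", one rule per line as rule number, packet count, byte count, rule body) a known interval apart and ranks the rules by byte rate, so the rule that is actually carrying a flow's data, and therefore the rule whose queue or dynamic state is shaping it, is visible at a glance. The two snapshots embedded below are constructed to mimic his rule numbers and his passive-FTP case; the real ones come from the router.

```python
"""Rank ipfw rules by how fast their counters moved between two
`ipfw show` snapshots.  Added example; the snapshots are constructed."""
import re
from typing import Dict, List, Tuple

# `ipfw show` prints each static rule as:
#   <rule number> <packets> <bytes> <rule body>
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")

Rule = Tuple[int, int, str]  # (packets, bytes, rule body)


def parse_ipfw_show(text: str) -> Dict[int, Rule]:
    """Map rule number -> (packets, bytes, body) from `ipfw show` output.

    The "## Dynamic rules" section that `ipfw -d show` appends has a
    different layout, so parsing stops at that header.
    """
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        if line.startswith("##"):
            break
        m = RULE_RE.match(line)
        if m:
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body.strip())
    return rules


def counter_deltas(before: Dict[int, Rule], after: Dict[int, Rule],
                   interval_s: float) -> List[Tuple[int, float, float, str]]:
    """Per-rule (number, packets/s, bytes/s, body), busiest first.

    A counter that went backwards means `ipfw zero` ran between the two
    snapshots; the second snapshot is then taken as the delta.
    """
    rows: List[Tuple[int, float, float, str]] = []
    for num, (p1, b1, body) in after.items():
        p0, b0, _ = before.get(num, (0, 0, body))
        dp, db = p1 - p0, b1 - b0
        if dp < 0 or db < 0:
            dp, db = p1, b1
        rows.append((num, dp / interval_s, db / interval_s, body))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed snapshots, 10 s apart, shaped like the passive-FTP case in
# the post: the inbound data is counted on rule 12400 while rule 12000
# only sees the small outbound packets of the same flow.
SNAP_T0 = """\
12000   120    7680 queue 5 tcp from any 1024-65535 to any out via bfe0 setup keep-state
12400  3100 4340000 allow tcp from any to 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 in via bfe0 established
65535  9000 1200000 deny ip from any to any
"""
SNAP_T1 = """\
12000   305   17560 queue 5 tcp from any 1024-65535 to any out via bfe0 setup keep-state
12400  3470 4890000 allow tcp from any to 192.168.132.0/24,192.168.10.0/24,172.16.1.0/24,10.10.10.0/24 in via bfe0 established
65535  9010 1201500 deny ip from any to any
"""
INTERVAL_S = 10.0


def report(snap0: str = SNAP_T0, snap1: str = SNAP_T1,
           interval_s: float = INTERVAL_S) -> List[Tuple[int, float, float, str]]:
    """Print and return the busiest rules between two snapshots."""
    rows = counter_deltas(parse_ipfw_show(snap0), parse_ipfw_show(snap1), interval_s)
    for num, pps, bps, body in rows:
        print(f"{num:5d} {pps:8.1f} pkt/s {bps / 1024:8.1f} KB/s  {body}")
    return rows


if __name__ == "__main__":
    # On the router: ipfw show > t0; sleep 10; ipfw show > t1; then
    # report(open("t0").read(), open("t1").read(), 10.0)
    report()
```

With the constructed snapshots the top line is rule 12400 at about 54 KB/s, i.e. the ADSL inbound rate, which is the pattern Mikhail reports for the NAT'ed client; taking the same two snapshots during the wget-on-the-server case shows whether the bytes have moved to rule 12000 instead.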