From owner-freebsd-security Fri Feb 7 10:25:31 2003
Message-ID: <05d201c2ced6$49f96700$52557f42@errno.com>
From: "Sam Leffler"
To: "Jack Xiao"
Subject: Re: hardware encryption under freebsd
Date: Fri, 7 Feb 2003 10:25:27 -0800
Organization: Errno Consulting

> It's said "A new in-kernel cryptographic framework (see crypto(4) and
> crypto(9)) has been imported from OpenBSD. It provides a consistent
> interface to hardware and software implementations of cryptographic
> algorithms for use by the kernel and access to cryptographic hardware for
> user-mode applications. Hardware device drivers are provided to support
> hifn-based cards (hifn(4)) and Broadcom-based cards (ubsec(4))."
>
> "A FAST_IPSEC kernel option now allows the IPsec implementation to use the
> kernel crypto(4) framework, along with its support for hardware
> cryptographic acceleration. More information can be found in the
> fast_ipsec(4) manual page."
>
> In this case, if I want to use hardware encryption/decryption, should I use
> fast_ipsec instead of ipsec in the kernel option? By the way, I am using
> FreeBSD 4.7 Release. I am also curious if anybody has such experience in
> this group before my trial. How's the performance?

4.7-release does not have the new ipsec code. I can't recall if the crypto
code got in.

Performance depends on many factors. Give particulars about a configuration
and the setup of the machine (e.g. firewall, client, server) and I can give
you hints. In general I see 100% utilization of the crypto h/w under IPsec
or user load when machines are connected back-to-back with gigE interfaces.
Start loading the host with other duties (e.g. running ipfw rules) or
changing the NICs and I can't say what you'll get.

Sam