From: sekchye goh
To: Sam Leffler
Cc: freebsd-security@freebsd.org
Date: Fri, 18 Feb 2005 13:53:17 +0800
Subject: Re: multiple crypto accelerator cards in one FreeBSD box

Hi Sam, thanks for the enlightening answer.
Initially, we are thinking of building a super duper IPSEC VPN concentrator using FreeBSD with multiple crypto accelerator cards like Soekris VPN1401 and a Gigabit interface card to terminate many many IPSEC connections in one single box. After reading your reply, I guess we will just use one crypto accelerator card in each FreeBSD box and scale up by adding more boxes. Thanks!

On Thu, 17 Feb 2005 21:21:36 -0800, Sam Leffler wrote:
> sekchye goh wrote:
> > Hi there!
> > we are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus
> > version VPN1401 cards in a FreeBSD box using hifn support.
> > From the technical specs in Soekris website
> > http://www.soekris.com/vpn1401.htm,
> > each card can support 24 to 70 connections. The question is if we
> > put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
> > 3 x (24 to 70) IPSEC connections?
> >
>
> Not sure where the 24-70 connection numbers come from. If it's based on
> allocating session state in on-chip SDRAM then that was removed a while
> ago by moving the session state allocation to host memory. If the
> numbers are representative of peak performance then I'd be curious where
> they came from. Understand that you're likely to be bus-limited for
> performance and adding additional cards isn't going to help unless cards
> are on separate pci buses. Beware however that the current crypto code
> does not manage multiple cards well. If you decide to go with multiple
> cards you'll want to do some load balancing.
>
> Sam
>